My Windows server (2012R2), hosted at GoDaddy, has one internet IP address (192.169.xxx.xxx).

In the Windows Firewall log I see lots of RECEIVE entries with 'destination ip' other than 192.169.xxx.xxx (e.g. 224.0.0.252). How can this be?

Examples:

2016-09-14 08:44:40 DROP UDP 192.169.137.207 224.0.0.252 65535 5355 61 - - - - - - - RECEIVE
2016-09-14 08:44:40 DROP UDP 192.169.137.207 224.0.0.252 54848 5355 61 - - - - - - - RECEIVE
2016-09-14 08:44:41 DROP UDP 192.169.137.207 224.0.0.252 55090 5355 61 - - - - - - - RECEIVE

Note - the 192.169.137.207 shown as the source in the listing above is not my IP address.

techraf
PW911

1 Answer

224.0.0.252 is a multicast IP address. Traffic for multicast addresses in the range 224.0.0.0 to 224.0.0.255 is meant for the local network. All hosts listen for and accept traffic destined for multicast addresses and decide whether or not they're "interested" in the multicast traffic and then process that traffic or not.

224.0.0.252 is specifically used for Link Local Multicast Name Resolution (LLMNR) and as such, this traffic is perfectly normal.

https://en.wikipedia.org/wiki/Multicast_address

https://www.ietf.org/assignments/multicast-addresses/multicast-addresses.xml

https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution

https://www.rfc-editor.org/rfc/rfc4795

joeqwerty
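
To triage a firewall log along the lines of the answer above, the following added example (not part of the original question or answer) parses Windows Firewall log entries and labels each RECEIVE entry by destination: the server's own address, LLMNR, other local-network multicast, or something else. The function names, the address 192.0.2.10 standing in for the server's own IP, and the last two sample lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Column order of a Windows Firewall log line (pfirewall.log "#Fields:" header).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

LOCAL_MCAST = ipaddress.ip_network("224.0.0.0/24")  # local-network range from the answer
LLMNR_GROUP = ipaddress.ip_address("224.0.0.252")   # LLMNR group; UDP port 5355 (RFC 4795)

# First three entries are from the question; the last two are constructed for contrast.
SAMPLE_LOG = """\
#Version: 1.5
2016-09-14 08:44:40 DROP UDP 192.169.137.207 224.0.0.252 65535 5355 61 - - - - - - - RECEIVE
2016-09-14 08:44:40 DROP UDP 192.169.137.207 224.0.0.252 54848 5355 61 - - - - - - - RECEIVE
2016-09-14 08:44:41 DROP UDP 192.169.137.207 224.0.0.252 55090 5355 61 - - - - - - - RECEIVE
2016-09-14 08:44:42 DROP UDP 192.0.2.77 224.0.0.251 5353 5353 70 - - - - - - - RECEIVE
2016-09-14 08:44:43 ALLOW TCP 198.51.100.5 192.0.2.10 50123 443 52 S 123456 0 8192 - - - RECEIVE
"""

def parse(line):
    """Return a dict for one log entry, or None for headers, blanks and malformed lines."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry, own_ip):
    """Label an entry by what its destination address says about who it was meant for."""
    try:
        dst = ipaddress.ip_address(entry["dst_ip"])
    except ValueError:
        return "unparsed"
    if dst == ipaddress.ip_address(own_ip):
        return "unicast-to-me"
    if dst == LLMNR_GROUP and entry["protocol"] == "UDP" and entry["dst_port"] == "5355":
        return "llmnr"
    if dst in LOCAL_MCAST:
        return "local-multicast"
    return "other-multicast" if dst.is_multicast else "other"

def summarize(log_text, own_ip):
    """Count RECEIVE entries per destination class."""
    entries = filter(None, map(parse, log_text.splitlines()))
    return Counter(classify(e, own_ip) for e in entries if e["path"] == "RECEIVE")

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG, "192.0.2.10").most_common():
        print(f"{label:16} {count}")
```

Entries labelled `llmnr` or `local-multicast` with a source on the same subnet are neighbouring hosts' name-resolution traffic; the `other` and `other-multicast` buckets are the ones worth reading line by line.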