Under attack by 18.104.22.168
Updated: Apr 20, 2020
I received a question from a client who had recently installed Norton Anti-Virus and wanted to know why they kept having to approve requests from some strange-looking IP addresses on their MacBook. The specific addresses in question were 22.214.171.124 and ff02::fb.
What exactly are these addresses? 224.* and ff00 are the reserved portions of the IPv4 and IPv6 space for multicast IP. Okay, next obvious question from the client...wtf is multicast?
It is a little difficult to explain what multicast is in layman's terms, but, in essence, it is a different way of communicating using the Internet Protocol. Most Internet traffic uses unicast (uni, or single): there is one single sender/source (e.g. 126.96.36.199) and one single receiver/destination (e.g. 188.8.131.52). In multicast there is one sender (e.g. 184.108.40.206) and many receivers, and the routers in the Internet duplicate multicast packets as they are forwarded onto the necessary links. It is a much more efficient way of delivering certain kinds of services (think live TV), as a unicast method duplicates the exact same traffic on network links once for each receiver, whereas multicast does not. See the link below for more information on multicast address space.
Now, to the question: I see the same message on my Mac, and I also have Norton installed. The source of the message is the Apple service called Bonjour, which is installed on every Mac for device discovery on the local network and is enabled/disabled in System Preferences by turning sharing on/off.
See the wiki link below on Bonjour and note in the first paragraph that it uses multicast DNS: https://en.wikipedia.org/wiki/Bonjour_(software), as well as the following reference at Apple: https://support.apple.com/en-kw/HT205195.
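To make the distinction concrete, here is an added example (not part of the original post) that triages the destination shown in a firewall prompt: unicast or multicast, how far the multicast scope reaches, and whether it is one of the well-known mDNS groups from RFC 6762 (224.0.0.251 and ff02::fb, UDP port 5353). The function names, scope labels and sample prompts are constructed for illustration.

```python
import ipaddress

# Well-known multicast DNS groups and port (RFC 6762).
MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
MDNS_PORT = 5353

# IPv6 multicast scope is the low nibble of the second address byte (RFC 4291).
V6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
             0x8: "organization-local", 0xE: "global"}

# IPv4 local network control block: routers never forward these groups.
V4_LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")


def classify(dest, port=None):
    """Classify a destination address taken from a firewall prompt."""
    addr = ipaddress.ip_address(dest)
    if not addr.is_multicast:
        return {"kind": "unicast", "scope": None, "mdns": False}
    if addr.version == 4:
        # Groups outside 224.0.0.0/24 may be forwarded by multicast routers.
        scope = "link-local" if addr in V4_LINK_LOCAL else "wider"
    else:
        scope = V6_SCOPES.get(addr.packed[1] & 0x0F, "other")
    mdns = addr in MDNS_GROUPS and (port is None or port == MDNS_PORT)
    return {"kind": "multicast", "scope": scope, "mdns": mdns}


def verdict(dest, port=None):
    """Turn the classification into a short note for the person answering the prompt."""
    c = classify(dest, port)
    if c["mdns"]:
        return "expected: mDNS/Bonjour discovery, stays on the local link"
    if c["kind"] == "multicast":
        return f"multicast ({c['scope']}): identify the service before allowing"
    return "unicast: evaluate the remote host as usual"


if __name__ == "__main__":
    # Constructed sample prompts: (destination, UDP/TCP port).
    samples = [("224.0.0.251", 5353), ("ff02::fb", 5353),
               ("239.255.255.250", 1900), ("203.0.113.10", 443)]
    for dest, port in samples:
        print(f"{dest:>16} port {port:<5} -> {verdict(dest, port)}")
```
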
In short, the traffic is a normal part of the operation of your system and nothing to be concerned about when you are at home on your private network. If you are on a public wifi network, be aware that your system will broadcast any shared services you have enabled to others on the network. While this shouldn't pose much of a problem if your shared services require password authentication in order to use them, it is not a good practice to do so from a security perspective.
Hope this helps answer your question.