Spoofing Dos email IP spoofing

m440 v12.3.1
We're getting a lot of spoofing_dos email IP spoofing and IP spoofing from a particular ip address like 169.254.x.x What could be the cause or how do we solve it? If anybody can help I appreciate it.


  • Options
    edited January 2020

    Spoofing indicates that XTM got a packet on on interface from an IP addr which is not defined to or expected from that interface.

    169.254.x.x usually results when a device, especially Windows, can't get a DHCP IP addr.

    DOS usually means Denial of Service, so spoofing_dos could be a result of the Default Packet Handling DOS settings.

    Care to post a sample Traffic Monitor showing this log message?

  • Options

    Hi Bruce,

    We're getting a lot of logs, Below is the info:

    2020-01-16 20:57:25 spoofing_dos email IP spoofing: Traffic detected from to proc_id="firewall" time="Thu Jan 16 20:57:25 2020 (PST)" msg_id="3000-0169" Alarm
    2020-01-16 20:57:25 Deny snmp/udp 60496 161 2-Trusted Firebox ip spoofing sites 106 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

  • Options

    Some device on 2-Trusted has IP and is sending out packets, which is causing these log messages.

    It is hard to find such a device if you don't have managed switches.
    If you do, you can set up port mirroring of the port which goes to the firewall and do a packet capture to see the MAC addr of
    Then you can look up the manufacturer of that MAC addr which may help identify the device. There are a number of sites on the Internet which can do this.
    And on your managed switches, you can search for the switch port which has that MAC addr.

    If you just want to stop the logging from, add as a Secondary on 2-Trusted.
    After that, you also could add an Any policy From: To: Any, set to Denied, on Logging uncheck "Send a log message". Move this policy to the top of your policy list.

  • Options
    Thank Bruce!
  • Options
    Bruce one last question what would this mean. “ spoofing_dos email IP spoofing: ” it’s coming from the same device.
  • Options

    I'm not sure.
    The Log Catalog does not explain this one

    Do you have "Send notification" selected on Default Packet Handling -> Logging -> IP Spoofing Attacks ?

  • Options
    I do have the send notifications selected
  • Options
    I want to say Thank you again for helping with my questions.
Sign In to comment.