Spoofing Dos email IP spoofing

m440 v12.3.1
We're getting a lot of spoofing_dos email IP spoofing and IP spoofing from a particular ip address like 169.254.x.x What could be the cause or how do we solve it? If anybody can help I appreciate it.
Thanks.

Comments

  • edited January 2020

    Spoofing indicates that XTM got a packet on on interface from an IP addr which is not defined to or expected from that interface.

    169.254.x.x usually results when a device, especially Windows, can't get a DHCP IP addr.

    DOS usually means Denial of Service, so spoofing_dos could be a result of the Default Packet Handling DOS settings.

    Care to post a sample Traffic Monitor showing this log message?

  • Hi Bruce,

    We're getting a lot of logs, Below is the info:

    2020-01-16 20:57:25 spoofing_dos email IP spoofing: Traffic detected from 169.254.217.5 to 192.168.1.100 proc_id="firewall" time="Thu Jan 16 20:57:25 2020 (PST)" msg_id="3000-0169" Alarm
    2020-01-16 20:57:25 Deny 169.254.217.5 192.168.1.50 snmp/udp 60496 161 2-Trusted Firebox ip spoofing sites 106 128 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic

  • Some device on 2-Trusted has IP 169.254.217.5 and is sending out packets, which is causing these log messages.

    It is hard to find such a device if you don't have managed switches.
    If you do, you can set up port mirroring of the port which goes to the firewall and do a packet capture to see the MAC addr of 169.254.217.5.
    Then you can look up the manufacturer of that MAC addr which may help identify the device. There are a number of sites on the Internet which can do this.
    And on your managed switches, you can search for the switch port which has that MAC addr.

    If you just want to stop the logging from 169.254.217.5, add 169.254.217.1/24 as a Secondary on 2-Trusted.
    After that, you also could add an Any policy From: 169.254.217.5 To: Any, set to Denied, on Logging uncheck "Send a log message". Move this policy to the top of your policy list.

  • Thank Bruce!
  • Bruce one last question what would this mean. “ spoofing_dos email IP spoofing: ” it’s coming from the same device.
  • I'm not sure.
    The Log Catalog does not explain this one
    https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf

    Do you have "Send notification" selected on Default Packet Handling -> Logging -> IP Spoofing Attacks ?

  • I do have the send notifications selected
  • I want to say Thank you again for helping with my questions.
Sign In to comment.