lmsaeb
New Member
November 5, 2020
Question

Weird Traffic


Hi All,

Wondering if you can help me understand why I am seeing this traffic in my reports. The 94.232.46.50 is the source and the 71.181.13.87 is the destination. This traffic was blocked by the Fortigate and I see it tried numerous TCP ports. Below is one line of the log but there are many. The thing is that 71.181.13.87 is not us... I have no idea what that address is? The source was the WAN and the destination was the WAN? Almost as if they were bouncing off our connection to hit another? Anyone have any insight into this? Thanks.

 

16:14:29(-0500) notice deny  94.232.46.50 71.181.13.87 tcp/40155 0 B/0 B

Blocked Connection Attempts

Source
  Device Name: FGT80E4Q17014622
  Source Country: Bulgaria
  Source: 94.232.46.50
  Source Interface: wan1
  Source Port: 44397
  Source Interface Role: wan

Destination
  Destination Country: United States
  Destination: 71.181.13.87
  Destination Interface: wan1
  Destination Port: 40155
  Destination Interface Role: wan

    1 reply

    sw2090
    SuperUser
    November 6, 2020

    Looks like some kind of attack maybe.

     

    Is it always on the same port? Is there any service reachable via your FGT on that port?

    If so, it could be a brute-force attack.

    Otherwise it could be some port scan or something like that. Or just trying to connect to some ports blindly.

    lmsaeb
    Author
    New Member
    November 6, 2020

    The thing is, why would they hit our WAN interface to scan another entity? The destination IP is not ours.

    boneyard
    Valued Contributor
    November 7, 2020

    Is it from your ISP, or close at least? They might have set up wrong routing then.

     

    Have you done a packet capture to see what kind of traffic it really is? It might be encapsulated or such, and the FortiGate reports it wrong.
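
One way to answer the two questions raised in this thread from exported deny logs: is the destination actually one of our addresses, and is it always the same port? This is an added example, not part of the original posts; the `OWN_NETS` prefix, the `summarize` helper and every sample line after the first are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the firewall's own public range (a documentation prefix, not from the thread).
OWN_NETS = [ipaddress.ip_network("203.0.113.0/29")]

# Constructed sample in the summary-line format quoted in the question.
SAMPLE = """\
16:14:29(-0500) notice deny  94.232.46.50 71.181.13.87 tcp/40155 0 B/0 B
16:14:31(-0500) notice deny  94.232.46.50 71.181.13.87 tcp/40156 0 B/0 B
16:14:33(-0500) notice deny  94.232.46.50 71.181.13.87 tcp/40160 0 B/0 B
16:15:02(-0500) notice deny  198.51.100.7 203.0.113.2 tcp/22 0 B/0 B
16:15:04(-0500) notice deny  198.51.100.7 203.0.113.2 tcp/22 0 B/0 B
"""

# Fields: time, level, action (deny), source IP, destination IP, protocol/port
LINE = re.compile(
    r"^\S+\s+\S+\s+deny\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)/(?P<port>\d+)"
)

def summarize(text, own_nets=OWN_NETS):
    """Group denied attempts by (source, destination) and describe each pair."""
    seen = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a deny summary line
        try:
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        entry = seen[(m["src"], m["dst"])]
        entry["hits"] += 1
        entry["ports"].add(int(m["port"]))
    report = {}
    for (src, dst), entry in seen.items():
        dst_ip = ipaddress.ip_address(dst)
        report[(src, dst)] = {
            "hits": entry["hits"],
            "ports": sorted(entry["ports"]),
            # False means the firewall saw traffic addressed to someone else
            "dst_is_ours": any(dst_ip in net for net in own_nets),
            "pattern": "multi-port" if len(entry["ports"]) > 1 else "single-port",
        }
    return report

if __name__ == "__main__":
    for pair, info in summarize(SAMPLE).items():
        print(pair, info)
```

Pairs reported with `dst_is_ours` set to `False` are the ones worth a packet capture on wan1, as suggested above, to see what the traffic really is.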