Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

IP Spoofing

What this Session (writted down) means?: udp from 127.0.0.1:1033 to 127.0.0.1:162 I think it is IP Spoofing using SNMP but I don´t understand why Fortinet uses that. Fortinet is taking out information from my Private Network?
5 REPLIES 5
Not applicable

This is what my Firewall is reporting using Alert mail... attack_id=109 src=127.0.0.1 dst=201.129.206.7 src_port=80 dst_port=1339 interface=external status=dropped proto=6 service=1339/tcp msg=" IP spoofing [Reference: http://www.fortinet.com/ids/ID109]"
smardak
New Contributor

Have you checked IDS for all Interfaces? If you have only checked the external interface, then you miss the attacks that origin from your internal lan (infected PC?). Perhaps one of your own PCs sends messages with 127.0.0.1 as source ip? Stefan
Not applicable

hi, i have the same message from logging, somone outside the lan is scanning all ports. I asked my isp for having confirmation, he say thats effectively someone with 127.0.0.1 is trying to connect in my wan. What can i do in order to have is true adress, in order to stop him. Thanks a lot.
Not applicable

You might be able to sniff the packet and track it down via MAC address. IMO it wouldn' t be worth the time. The FG is dropping the spoofed packets, so no worries.
pace
New Contributor

hallo everybody, i have seen this 127.0.0.1 based ids warnings on a customer fgt (MR6) they where caused by a old " forgotten" workstation which was previous infected by a Blaster virus the workstation AV program has not removed the whole virus, so the virus starts to scan random ip ranges to distribute itself :) fgt ids detects this distribution attempt i used the fgt sniffer (GREAT tool) to find out the MAC address of the workstation ! we located the system and cleaned it successfully... effect -> no more 127.0.0.1 ids warnings ! greetings
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors