Weird Traffic

lmsaeb · ‎11-05-2020

Hi All,

Wondering if you can help me understand why I am this traffic in my reports. The 94.232.46.50 is the source and the 71.181.13.87 is the destination. This traffic was blocked by the Fortigate and I see it tried numerous TCP ports. Below is one line of the log but there are many. The thing is that 71.181.13.87 is not us...I have no idea what that address is? The source was the WAN and the destination was the WAN? Almost as if they were bouncing off our connection to hit another? Anyone have any insight into this? Thanks.

16:14:29(-0500) notice deny 94.232.46.50 71.181.13.87 tcp/40155 0 B/0 B Blocked Connection Attempts Source Device Name FGT80E4Q17014622 Source Country

Bulgaria Source 94.232.46.50 Source Interface wan1 Source Port 44397 Source Interface Role wan Destination Destination Country

United States Destination 71.181.13.87 Destination Interface wan1 Destination Port 40155 Destination Interface Role wan

sw2090 · ‎11-05-2020

looks like some kind of attack maybe.

Is it always on the same port? Is there any service reachable via your FGT on that port?

If so it could be bruteforce attack.

Otherwise could be some portscan or something like that. Or just trying to connect to some ports blindly.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

lmsaeb · ‎11-06-2020

The thing is why would they hit our WAN interface to scan another entity. The destination IP is not ours.

boneyard · ‎11-06-2020

is it from your ISP or close at least? they might have setup wrong routing then.

have you done a packet capture to see what kind of traffic it really is, might be encapsulated or such and the fortigate reports it wrong.