Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Receiving IP Spoof alarms



Article ID: KB5780 KB Last Updated: 22 Jun 2010Version: 4.0
Receiving IP Spoof alarms on firewall
  • Receiving IP Spoof alarms
  • Alarm event logs show IP Spoof message
  • Alarm event message: ATTACK ALARM:  IP Spoof from x.x.x.x/xx to x.x.x.x/xxxx protocol TCP (trust) (xx/xx/xx xx:xx:xx)

An IP Spoof from the trust side is typically a misconfigured system.  The firewall sees an IP address that is already has in its ARP table or is not found in its route table and reports an IP Spoof. 
Determine if there is a PC with a misconfigured NIC, and change this to reflect the correct network address.

If the message says it's coming from untrust, then it is a legitimate IP Spoof from someone on the outside.  The firewall would detect this, and drop it.  Here's an example of someone trying to spoof from the outside:

05/30/2002 12:43:14 ATTACK ALARM:  IP Spoof from to prot UDP (untrust)

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search