NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
Orbi RBK22, hot-fix firmware V2.3.5.36 current as of 2019.11.27
Looking at the log, my wife's iPhone (I and others have them too, no issues from them) generates occasional (4-10 times a day) entries like:
[UPnP set event: del_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:59
[UPnP set event: add_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:21
[DoS Attack: ARP Attack] from source: 192.168.0.206, Wednesday, November 27, 2019 11:25:23
I of course get the expected DHCP and daily time sync entries and occasional out-of-network nasties like [DoS Attack: ACK Scan] from source: 17.57.144.150, port 5223; I'm not addressing those.
What are the causes of the UPnP and ARP attacks, and how can I eliminate them?
Thanks!
gbynum wrote:.......
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
......
It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.
I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! :) and I identified the app at that time, but I don't recall which app it was.
It must be an app that only wives use! ;)
5 Replies
Just guessing: this IP address is from the iPhone?
When I Google for UPnP "set event: del_nat_rule", there are tons of posts, going back to at least 2010 on all sorts of routers. My own Orbi has the UPnP box checked (on the Advanced Tab->Advanced Settings->UPnP) and I do not recall ever seeing one of these messages in my Orbi logs.
Is UPnP on your Orbi allowed or not allowed?
Why yes, the iPhone generating the log entries is an iPhone <grin). UPnP is on (checked).
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
But frankly, the UPnP entries bother me far less than th DoS ARP entry. I used Google and search here, and see many reports of this happening, but no cause or suggested solutions.
I'd LOVE suggestions.
Thanks!
gbynum wrote:.......
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
......
It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.
I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! :) and I identified the app at that time, but I don't recall which app it was.
It must be an app that only wives use! ;)
