gbynum
Nov 27, 2019 Aspirant
iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
Orbi RBK22, hot-fix firmware V2.3.5.36, current as of 2019.11.27. Looking at the log, my wife's iPhone (I and others have them too, no issues from them) generates occasional (4-10 times a day) entr...
CrimpOn
Nov 28, 2019 Guru - Experienced User
Just guessing: this IP address is from the iPhone?
When I Google for UPnP "set event: del_nat_rule", there are tons of posts, going back to at least 2010 on all sorts of routers. My own Orbi has the UPnP box checked (on the Advanced Tab->Advanced Settings->UPnP) and I do not recall ever seeing one of these messages in my Orbi logs.
Is UPnP on your Orbi allowed or not allowed?
- gbynum Nov 28, 2019 Aspirant
Why yes, the iPhone generating the log entries is an iPhone <grin>. UPnP is on (checked).
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
But frankly, the UPnP entries bother me far less than the DoS ARP entry. I used Google and search here, and see many reports of this happening, but no cause or suggested solutions.
I'd LOVE suggestions.
Thanks!
- ekhalil Nov 28, 2019 Master
gbynum wrote:.......
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
......
It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.
I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! :) and I identified the app at that time, but I don't recall which app it was.
It must be an app that only wives use! ;)
- gbynum Nov 28, 2019 Aspirant
So from this, I gather that it is not (likely) a malicious app. Being not malicious, she wouldn't take kindly to my deleting an app for a day to see if it mattered ... only to reinstall anyway since it is not malicious.
OK, at what point should I worry, hundreds or thousands of incidents a day instead of 2-10?
I still would like a non-destructive way to identify it, but I'll mark this solved.
Thanks!