- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Orbi RBK22, hot-fix firmware V2.3.5.36 current as of 2019.11.27
Looking at the log, my wife's iPhone (I and others have them too, no issues from them) generates occasional (4-10 times a day) entries like:
[UPnP set event: del_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:59
[UPnP set event: add_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:21
[DoS Attack: ARP Attack] from source: 192.168.0.206, Wednesday, November 27, 2019 11:25:23
I of course get the expected DHCP and daily time sync entries and occasional out-of-network nasties like [DoS Attack: ACK Scan] from source: 17.57.144.150, port 5223; I'm not addressing those.
What are the causes of the UPnP and ARP attacks, and how can I eliminate them?
Thanks!
Solved! Go to Solution.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gbynum wrote:.......
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
......
It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.
I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! 🙂 and I identified the app at that time, but I don't recall which app it was.
It must be an app that only wives use! 😉
All Replies
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
Just guessing: this IP address is from the iPhone?
When I Google for UPnP "set event: del_nat_rule", there are tons of posts, going back to at least 2010 on all sorts of routers. My own Orbi has the UPnP box checked (on the Advanced Tab->Advanced Settings->UPnP) and I do not recall ever seeing one of these messages in my Orbi logs.
Is UPnP on your Orbi allowed or not allowed?
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
Why yes, the iPhone generating the log entries is an iPhone <grin). UPnP is on (checked).
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
But frankly, the UPnP entries bother me far less than th DoS ARP entry. I used Google and search here, and see many reports of this happening, but no cause or suggested solutions.
I'd LOVE suggestions.
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gbynum wrote:.......
The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network. Only 1 is doing this.
......
It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.
I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! 🙂 and I identified the app at that time, but I don't recall which app it was.
It must be an app that only wives use! 😉
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
So from this, I gather that it is not (likely) a malicious app. Being not malicious, she wouldn't take kindly to my deleting an app for a day to see if it mattered ... only to reinstall anyway since it is not malicious.
OK, at what point should I worry, hundreds or thousands of incidents a day instead of 2-10?
I still would like a non-destructive way to identify it, but I'll mark this solved.
Thanks!
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack
@gbynum wrote:.......
OK, at what point should I worry, hundreds or thousands of incidents a day instead of 2-10?
......
As long as you trust the app I don't think you need to worry, regardless of the number of incidents.
• What is the difference between WiFi 6 and WiFi 7?
• Yes! WiFi 7 is backwards compatible with other Wifi devices? Learn more