×

Introducing the Orbi 970 Series Mesh System with WiFi 7(BE) technology. For more information visit the NETGEAR Press Room.

Orbi WiFi 7 RBE973
Reply

iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack

gbynum
Aspirant

iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack

Orbi RBK22, hot-fix firmware V2.3.5.36 current as of 2019.11.27

 

Looking at the log, my wife's iPhone (I and others have them too, no issues from them) generates occasional (4-10 times a day) entries like:

 

[UPnP set event: del_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:59
[UPnP set event: add_nat_rule] from source 192.168.0.206, Wednesday, November 27, 2019 13:26:21
[DoS Attack: ARP Attack] from source: 192.168.0.206, Wednesday, November 27, 2019 11:25:23

 

I of course get the expected DHCP and daily time sync entries and occasional out-of-network nasties like [DoS Attack: ACK Scan] from source: 17.57.144.150, port 5223; I'm not addressing those.

 

What are the causes of the UPnP and ARP attacks, and how can I eliminate them?

 

Thanks!

Message 1 of 6

Accepted Solutions
ekhalil
Master

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack


@gbynum wrote:

.......

The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network.  Only 1 is doing this.

......


It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.

I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! 🙂 and I identified the app at that time, but I don't recall which app it was.

It must be an app that only wives use! 😉 

View solution in original post

Message 4 of 6

All Replies
CrimpOn
Guru

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack

Just guessing: this IP address is from the iPhone?

 

When I Google for UPnP "set event: del_nat_rule", there are tons of posts, going back to at least 2010 on all sorts of routers.  My own Orbi has the UPnP box checked (on the Advanced Tab->Advanced Settings->UPnP) and I do not recall ever seeing one of these messages in my Orbi logs.

Is UPnP on your Orbi allowed or not allowed?

Message 2 of 6
gbynum
Aspirant

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack

Why yes, the iPhone generating the log entries is an iPhone <grin).  UPnP is on (checked).

 

The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network.  Only 1 is doing this.

 

But frankly, the UPnP entries bother me far less than th DoS ARP entry.  I used Google and search here, and see many reports of this happening, but no cause or suggested solutions.

 

I'd LOVE suggestions.

 

Thanks!

Message 3 of 6
ekhalil
Master

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack


@gbynum wrote:

.......

The last 4 days, there have been 4 iPhones (2 iPhone 7 which is causing the log entry, same carrier, same firmware) on my network.  Only 1 is doing this.

......


It's an app on your wife's iPhone that's causing the UPnP and the ARP requests, which seem then to be considered as ARP attacks from the phone.

I remember that I also saw the same UPnP messages repeatedly and frequently in the log for my wife's iPhone some time ago! 🙂 and I identified the app at that time, but I don't recall which app it was.

It must be an app that only wives use! 😉 

Message 4 of 6
gbynum
Aspirant

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack

So from this, I gather that it is not (likely) a malicious app.  Being not malicious, she wouldn't take kindly to my deleting an app for a day to see if it mattered ... only to reinstall anyway since it is not malicious.

 

OK, at what point should I worry, hundreds or thousands of incidents a day instead of 2-10?

 

I still would like a non-destructive way to identify it, but I'll mark this solved.  

 

Thanks!

Message 5 of 6
ekhalil
Master

Re: iPhone 7 generating UPnP set event: set & del_nat_rule, DoS Attack: ARP Attack


@gbynum wrote:

.......

OK, at what point should I worry, hundreds or thousands of incidents a day instead of 2-10?

......


As long as you trust the app I don't think you need to worry, regardless of the number of incidents.

Message 6 of 6
Top Contributors
Discussion stats
  • 5 replies
  • 2956 views
  • 0 kudos
  • 3 in conversation
Announcements

Orbi WiFi 7