Rule_id=2 from WLAN to Any, [type=IP-Decoder(4043309091)] ip-spoof Action: Drop Packet

Carlsap
edited April 2021 in Security

Hello, I have noticed that several mobile phones connected to my wlan interface are generating IP spoof packet warnings in large numbers. Has anyone else seen this issue?

Warning message is posted from ADP: Rule_id=2 from WLAN to Any, [type=IP-Decoder(4043309091)] ip-spoof Action: Drop Packet

Firewall in question: USG310 V4.35(AAPJ.0).

When I started to investigate this, it seems to be only iPhones that originate this issue.

Any help/ideas are appreciated.

All Replies

  • lalaland

    It seems that it's related to iOS behavior. You may confirm with Apple tech support.

  • jasailafan

    Seems you add a new ADP profile for WLAN zone and the rule (ip_decoder) ip-spoof ATTACK is enabled.

    When packets from iphone match the policy, packets will be dropped.

    Maybe you should check with these iPhone users what apps/websites they used on iPhone.

  • Carlsap

    As far as I recall the ADP profile is default from Zyxel and should not be altered since it's a security feature built into the Zyxel USG device. But as time progresses there is always something that changes in behaviour. In this case it seems to be the iPhones. Why the ADP feature triggers on this is beyond my knowledge, but if it is a real IP-spoofing attack from the iPhone clients in my wifi network it may be a serious problem.

    But first I have to figure out if this is a false positive or a real problem. The very reason behind this question.

  • Carlsap

    Thanks for the explanation Emily.

    Best regards from Arild
