Rule_id=2 from WLAN to Any, [type=IP-Decoder(4043309091)] ip-spoof Action: Drop Packet
Hello, I have noticed that several mobile phones connected to my wlan interface are generating IP spoof packet warnings in large numbers. Has anyone else seen this issue?
Warning message is posted from ADP: Rule_id=2 from WLAN to Any, [type=IP-Decoder(4043309091)] ip-spoof Action: Drop Packet
Firewall in question: USG310 V4.35(AAPJ.0).
When I started to investigate this, it seems to be only iPhones that originate this issue.
Any help/ideas are appreciated.
Accepted Solution
-
Hi @Carlsap,
When packets go into an internal type of interface (ex. lan1, lan2), they will be detected as IP spoof if the source IP address does not belong to the subnet of the interface (ex. lan1, lan2).
In the default ADP Profile, (ip_decoder) ip-spoof ATTACK is inactivated.
If you'd like to activate it and see logs of ip-spoof attacks without blocking, modify the Action to none.
Go to CONFIGURATION > Security Policy > ADP > Profile, click on the profile of WLAN zone and go to Protocol Anomaly.
(ip_decoder) ip-spoof ATTACK is enabled. Log is log alert and action is drop.
(ip_decoder) ip-spoof ATTACK is enabled. Log is log alert and action is none.
5
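The check Emily describes (a packet arriving on an internal interface whose source address is outside that interface's subnet) is simple enough to reproduce, which also helps with Carlsap's question of whether the alerts are a false positive: seeing which source addresses trip the rule tells you a lot. The script below is an added illustration, not Zyxel's code; the interface table, the sample packets and the function names are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed interface table: the subnet assigned to each internal interface
# (assumption for this example; substitute the real interface addressing).
INTERFACE_SUBNETS = {
    "wlan": ipaddress.ip_network("192.168.10.0/24"),
    "lan1": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed sample packets: the interface each one arrived on, its source
# and its destination. Two sources on "wlan" and one on "lan1" are outside
# the arrival interface's subnet.
SAMPLE_PACKETS = [
    {"iface": "wlan", "src": "192.168.10.23", "dst": "8.8.8.8"},
    {"iface": "wlan", "src": "169.254.77.5", "dst": "192.168.10.1"},   # link-local source
    {"iface": "wlan", "src": "10.0.0.9", "dst": "93.184.216.34"},
    {"iface": "lan1", "src": "192.168.1.50", "dst": "192.168.10.23"},
    {"iface": "lan1", "src": "192.168.10.23", "dst": "192.168.1.1"},    # wlan address seen on lan1
]


def is_ip_spoof(iface, src):
    """True if the source address does not belong to the arrival interface's subnet."""
    subnet = INTERFACE_SUBNETS[iface]
    return ipaddress.ip_address(src) not in subnet


def evaluate(packets, action="drop"):
    """Apply the ip-spoof rule to each packet.

    action="drop" mirrors the profile setting that both logs and drops;
    action="none" mirrors the log-only setting Emily suggests for observation.
    Returns a list of (packet, flagged, dropped) tuples.
    """
    results = []
    for pkt in packets:
        flagged = is_ip_spoof(pkt["iface"], pkt["src"])
        dropped = flagged and action == "drop"
        results.append((pkt, flagged, dropped))
    return results


def offenders(packets):
    """Count flagged packets per (interface, source) pair for triage.

    A handful of addresses each firing many times points at specific hosts
    to look at; a spread across many sources suggests a configuration issue.
    """
    counts = Counter()
    for pkt, flagged, _ in evaluate(packets, action="none"):
        if flagged:
            counts[(pkt["iface"], pkt["src"])] += 1
    return counts


def format_log(pkt, dropped, rule_id=2):
    """Render a line in the spirit of the ADP alert quoted in the question."""
    verb = "Drop Packet" if dropped else "Log Only"
    return (f"Rule_id={rule_id} from {pkt['iface'].upper()} to Any, "
            f"[type=IP-Decoder] ip-spoof src={pkt['src']} Action: {verb}")


if __name__ == "__main__":
    for pkt, flagged, dropped in evaluate(SAMPLE_PACKETS, action="none"):
        if flagged:
            print(format_log(pkt, dropped))
    print(offenders(SAMPLE_PACKETS))
```

Run with action="none" first, as the accepted answer suggests, so nothing is blocked while you collect the offending source addresses; once you know which hosts and address ranges are involved, decide whether the rule should drop.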
All Replies
-
It seems that it's related to iOS behavior. You may confirm with Apple tech support.
1 -
Seems you added a new ADP profile for the WLAN zone and the rule (ip_decoder) ip-spoof ATTACK is enabled.
When packets from iPhones match the policy, the packets will be dropped.
Maybe you should check with these iPhone users what apps/websites they used on their iPhones.
0 -
As far as I recall the ADP profile is default from Zyxel and should not be altered since it's a security feature built into the Zyxel USG device. But as time progresses there is always something that changes in behaviour; in this case it seems to be the iPhones. Why the ADP feature triggers on this is beyond my knowledge, but if it is a real IP-spoofing attack from the iPhone clients in my wifi network it may be a serious problem.
But first I have to figure out if this is a false positive or a real problem. That is the very reason behind this question.
0 -
Thanks for the explanation Emily.
Best regards from Arild
0