Getting DHCP BAD_ADDRESS on Windows DHCP

bbigford

I bet someone plugged in a wireless router thinking "well we needed an unmanaged switch for these few devices... what's the big deal?"

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Break out Wireshark yet?

yeah, but that doesn't help since the MACs are bad.

scottalanmiller

We just found a rogue lightbulb. Not the issue, but an interesting find.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Break out Wireshark yet?

yeah, but that doesn't help since the MACs are bad.

I believe in Hyper-V that you can mess with MACs to where they aren't standard. Any chance this is a VM and was mistakenly set?

scottalanmiller

Appeared to be something in wireless. Unplugged the AP and it stopped.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Appeared to be something in wireless. Unplugged the AP and it stopped.

Hah, called it!

scottalanmiller

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

What is the make and model?

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

What is the make and model?

Don't know.

jt1001001

I saw this once, this is far fetched but any wireless devices like clocks, iot or ip phones? We had a sapling wifi clock reacking havoc on our Network once. I also have seen this when a firewall was plugged in that had proxy arp turned on on the inside interface.

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds exactly like a DHCP starvation attack! Intruder alert!

scottalanmiller

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request? Or you think some hardware is broken?

scottalanmiller

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

scottalanmiller

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

CCWTech

Since unplugging the AP we haven't had any pop up again. Either a bad AP or bad client of the AP.

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.

scottalanmiller

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.

Weve isolated to one AP.

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.

Weve isolated to one AP.

Ahh, well I don't know what to do then.