Getting DHCP BAD_ADDRESS on Windows DHCP
-
@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Break out Wireshark yet?
yeah, but that doesn't help since the MACs are bad.
-
We just found a rogue lightbulb. Not the issue, but an interesting find.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Break out Wireshark yet?
yeah, but that doesn't help since the MACs are bad.
I believe in Hyper-V that you can mess with MACs to where they aren't standard. Any chance this is a VM and was mistakenly set?
-
Appeared to be something in wireless. Unplugged the AP and it stopped.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Appeared to be something in wireless. Unplugged the AP and it stopped.
Hah, called it!
-
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
What is the make and model?
-
@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
What is the make and model?
Don't know.
-
I saw this once. This is far-fetched, but any wireless devices like clocks, IoT or IP phones? We had a Sapling WiFi clock wreaking havoc on our network once. I have also seen this when a firewall was plugged in that had proxy ARP turned on on the inside interface.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds exactly like a DHCP starvation attack! Intruder alert!
-
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request? Or you think some hardware is broken?
-
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
How fast are the requests showing up? Maybe that would determine if it's malicious or not?
-
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
How fast are the requests showing up? Maybe that would determine if it's malicious or not?
Very fast. Maybe every 10 seconds.
-
Since unplugging the AP we haven't had any pop up again. Either a bad AP or bad client of the AP.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
How fast are the requests showing up? Maybe that would determine if it's malicious or not?
Very fast. Maybe every 10 seconds.
Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.
-
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
How fast are the requests showing up? Maybe that would determine if it's malicious or not?
Very fast. Maybe every 10 seconds.
Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.
We've isolated to one AP.
-
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:
@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:
Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.
That sounds like a DHCP starvation attack!
It ends up being that way, but we don't think it is intentional.
But what could possibly make the MAC address change for each request?
The MAC address is gibberish, so our guess is a broken device (either end point or AP.)
How fast are the requests showing up? Maybe that would determine if it's malicious or not?
Very fast. Maybe every 10 seconds.
Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.
We've isolated to one AP.
Ahh, well I don't know what to do then.
-
@pete-s We are going to change the PW on the AP so no clients can connect. It could be the AP itself. Then we gradually bring clients back on to see which one is the problem.
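-
Added example, not part of the original thread: one way to measure the pattern discussed above (new leases roughly every 10 seconds, each from a MAC that never shows up again) from a DHCP server log. It assumes rows in the Windows DHCP Server audit-log CSV layout (ID, Date, Time, Description, IP Address, Host Name, MAC Address); the sample rows, function names, window and threshold are all constructed for illustration.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows (not from the thread). Event ID 10 = new lease, 11 = renew.
SAMPLE_LOG = """\
10,03/04/24,08:15:02,Assign,192.0.2.20,FRONTDESK-PC,001A2B3C4D5E
10,03/04/24,08:55:30,Assign,192.0.2.22,LAPTOP-7,3C5A8810F2B4
10,03/04/24,09:00:00,Assign,192.0.2.50,,7E91C2040A11
10,03/04/24,09:00:10,Assign,192.0.2.51,,D3004FBB1927
10,03/04/24,09:00:20,Assign,192.0.2.52,,1AF67C5D0E83
10,03/04/24,09:00:30,Assign,192.0.2.53,,96B2E80143CD
10,03/04/24,09:00:40,Assign,192.0.2.54,,4D7F21A9C660
10,03/04/24,09:00:50,Assign,192.0.2.55,,E8135B9F7A02
11,03/04/24,09:01:00,Renew,192.0.2.20,FRONTDESK-PC,001A2B3C4D5E
"""

def parse_rows(text):
    """Return [(event_id, timestamp, mac)], skipping header and malformed lines."""
    rows = []
    for r in csv.reader(text.splitlines()):
        if len(r) >= 7 and r[0].strip().isdigit():
            ts = datetime.strptime(f"{r[1]} {r[2]}", "%m/%d/%y %H:%M:%S")
            rows.append((int(r[0]), ts, r[6].strip().upper()))
    return rows

def find_mac_churn(text, window=timedelta(minutes=2), threshold=6):
    """Summarise the first burst of new leases to one-shot MACs, or return None."""
    rows = parse_rows(text)
    seen = Counter(mac for _, _, mac in rows)
    # One-shot MACs: leased once, never renewed or seen again anywhere in the log.
    once = sorted((ts, mac) for eid, ts, mac in rows if eid == 10 and seen[mac] == 1)
    lo = 0
    for hi in range(len(once)):
        while once[hi][0] - once[lo][0] > window:  # slide window start forward
            lo += 1
        if hi - lo + 1 >= threshold:
            burst = once[lo:hi + 1]
            span = (burst[-1][0] - burst[0][0]).total_seconds()
            return {
                "start": burst[0][0], "end": burst[-1][0],
                "macs": [m for _, m in burst],
                "distinct_ouis": len({m[:6] for _, m in burst}),
                "mean_interval_s": span / max(len(burst) - 1, 1),
            }
    return None

if __name__ == "__main__":
    print(find_mac_churn(SAMPLE_LOG))
```

A burst where every MAC has a different vendor prefix and arrives on a steady interval fits the "gibberish MAC" symptom; the result says nothing about intent, only that the source port or AP is worth isolating.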