Request for dhcp from strange address?
-
Found an odd entry in my firewall log. "Whois" sez the IP belongs to the Dept of Defense - huh??
Nov 20 12:48:38 WAN 30.85.128.1:67 255.255.255.255:68 UDP
allow dhcp client out WAN (1000001591)Anyone have an idea why this shows up in my log? My ISP serves up dhcp from 71.94.x.x
-
That's the standard reply from the DHCP server to a DHCP client after client has made the request for a lease in the case there are no existing leases for the client. If you ignore the "strange" looking source address there's nothing out of the ordinary in it.
http://www.linklogger.com/UDP67_68.htm
Why that address is another matter. Maybe your ISP has acquired some unused subnet from the Dept. of Defense and have taken it into use. Remember that your WAN network can have multiple DHCP servers (which is the exact reason for the broadcast addresses used, unicasts wouldn't work in the initial lease negotiation) as your ISP sees fit for redundancy, each of them with slightly different settings for IP address range and gateways.
-
Thank you for the link. It did have some info I was unaware of.
I know that the log entry shows the standard dhcp server/client transaction. It was the odd IP that concerned me. It only shows in the firewall log, not in the dhcp log.
Everytime my wan lease is renewed (4 hrs) I've been getting messages in dhcp log that there are 2 servers. I blocked the offending 'DoD' IP and now I am not getting messages about 2 servers. But now I'm also not getting other msgs that I'm used to seeing. I usually see "bound to My_Wan_IP" and the time remaining on the lease. Since blocking that odd IP I don't see that anymore but the Wan lease does renew.
My ISP is Charter Communications so I don't know if they would be using a subnet registered to someone else.
-
Here is the thing, just because IP range is owned by company xyz.. Doesn't mean its really them.. There are lots and lots of people that use IP address they pull out of thin are with no concern to actually owns it.
If you have concerns contact your ISP.. But more than likely its some idiot.. Here is the the thing traffic from that box can not go anywhere other than the local layer 2 its on..
-
It only shows in the firewall log, not in the dhcp log.
That only shows the firewall is doing it's job. It shouldn't be allowing DHCP requests from the WAN.
-
I'd like to thank everyone for their responses here. They were very helpful.
Even tho I have maintained a connection on my WAN with the strange IP that I had blocked, once I unblocked it, pfSense immediately issued a DHCPREQUEST to a different Charter Communications server than it usually sends to (not the same subnet that was blocked).
So I'll accept it as it is, I don't understand how it is all interconnected, the fact that that IP was owned by the DoD had me scratching my head. It all seems to be working so I'll leave well enough alone.
-
Given that the Internet started as a Dept of Defense research project, a lot of addresses were "owned" by the DoD. When it first started, the 'net was used only by military contractors and researchers, including some universities.
-
I would think that ARIN WHOIS data is relatively up to date. Maybe I expect too much ::)
-
Hmmm…
Whatismyipaddress.com shows it's DoD, located in Utah. Maybe it has something to do with Area 51. ;-)
https://en.wikipedia.org/wiki/Dugway_Proving_Ground#UFO_speculation
-
Area 51 is in Nevada ;) Groom Lake!
Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for 30 address.. Are you saying you got your dhcp IP from this IP address?? I am confused on what this address has to do with anything to be honest? Or what does it matter? Maybe the dod uses your same ISP?? And they are running multiple layer 3 networks on the same layer 2 ;)
What that looks like is a dhcpack.. So your saying that is what is giving you your IP?? Then either your ISP is the DOD ;) Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs.. While its BAD practice, it is common practice.. Again its BAD practice.. but happens more than you think.. Companies to lazy to do proper IPAM or subnetting or natting when required.. Hey lets grab these /8's that are owned by DOD - nobody is going to be going there ;)
-
Area 51 is in Nevada ;) Groom Lake!
From the article "[Dugway is] the new Area 51. And probably the new military spaceport.". ;)
Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs..
My cell carrier did that prior to switching over to IPv6. I'd get an address in the 25 block, IIRC, which NATed to the 24 block. Now my phone is IPv6 only and uses 464XLAT to provide IPv4 access.
https://en.wikipedia.org/wiki/IPv6_transition_mechanism#464XLAT
-
Oh you meant R-6413 ;) Yeah that is in Utah…
-
Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for 30 address.. Are you saying you got your dhcp IP from this IP address?? I am confused on what this address has to do with anything to be honest? Or what does it matter? Maybe the dod uses your same ISP?? And they are running multiple layer 3 networks on the same layer 2 ;)
I'm confused too, that is why I posted here looking for suggestions. My logs have wrapped around since I started this so I don't have documentation now.
This is a typical entry from dhcp log. I do note the acknowledging server is from a different IP than yesterday but this IP is registered to my ISP, which is the cable company Charter Communications. My connection is via cable modem.
Nov 21 04:07:42 dhclient 27954 DHCPREQUEST on igb0 to 68.114.36.9 port 67 Nov 21 04:07:42 dhclient 27954 DHCPACK from 68.114.36.9 Nov 21 04:07:42 dhclient RENEW Nov 21 04:07:42 dhclient Creating resolv.conf Nov 21 04:07:42 dhclient 27954 bound to x.x.x.x -- renewal in 12752 seconds. Nov 21 04:41:30 dhcpd Wrote 0 deleted host decls to leases file. Nov 21 04:41:30 dhcpd Wrote 0 new dynamic host decls to leases file. Nov 21 04:41:30 dhcpd Wrote 16 leases to leases file.
What that looks like is a dhcpack.. So your saying that is what is giving you your IP?? Then either your ISP is the DOD ;) Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs.. While its BAD practice, it is common practice.. Again its BAD practice.. but happens more than you think.. Companies to lazy to do proper IPAM or subnetting or natting when required.. Hey lets grab these /8's that are owned by DOD - nobody is going to be going there ;)
Or for the really paranoid, it's the NSC's backdoor into a large US customer base.
I cannot say that 30.85.128.1 is giving me my IP. For the last month or so I've noticed everytime my lease was renewed there is a message in the log that there are 2 dhcp servers. That is news to me. But now that I have found this DoD server maybe that is the cause of that message.
I can only say that this IP is in my firewall log. My dhcp log shows my request being ack by Charter's IP. I first discovered this when I did a halt on pfSense so I could relocate the SG2440. I then looked at the logs after restarting, I had never done a cold startup since putting it into service. I found that odd IP in the firewall log about the same point in time that my DHCP request was being ACK. I didn't recognize it and did a whois. That started this thread. I blocked that IP and it continued to hammer 2x every 10 minutes throughout the night. I recently unblocked that rule.
Now that I've been through this discussion and looked at the logs for awhile, I'd have to repeat that cold startup and capture the logs to review. I think it's pretty crazy.
-
Hey lets grab these /8's that are owned by DOD - nobody is going to be going there
Except aliens. ;)
-
I don't see how its crazy.. Since this is broadcast traffic and can only be on layer 2, which is your ISP.. Contact your ISP if your curious/concerned. But going to say this yet again. Just because the IP is registered to the DOD doesn't mean its not your ISP using it, or could just be some idiot down the street running a dhcp server on his wan and he is using dod address space..
-
-
^ heheh exactly!!! So see if they plugged that interface into their isp device the wrong way.. Big Bang Zoom there you go a dod address space dhcp server on some ISP layer 2 network. Where all the users on that network could see the traffic.. Hopefully they don't get an IP from it ;) You would HOPE!!!! That the isp is running stuff to prevent unauthorized dhcp servers on the layer 2 between them and their customers. But you never know….
So what I would do is email your isp support, showing them dhcp traffic and the IP and asking if that is them... Or one of their other idiot users..
Whats the mac address coming from that 30 address? We can look it up and see what kind of hardware it is, or the maker of it..
-
Whats the mac address coming from that 30 address? We can look it up and see what kind of hardware it is, or the maker of it..
So I would need to have a packet trace running at the moment in time that the misconfigured device makes a request? Or is there another way that I am not thinking about?
-
ARP table, it's there exactly for the purpose of seeing the MAC addresses of network peers on the same network segment.
-
^^^^
An arp cache has a limited lifetime, so he'd have to check it within a short period of time. However, if he can ping that address and get a response, the arp cache would have the MAC. Failing that, just let the packet capture run, filtering on that IP address.