Request for dhcp from strange address?
-
I'd like to thank everyone for their responses here. They were very helpful.
Even though I have maintained a connection on my WAN with the strange IP that I had blocked, once I unblocked it, pfSense immediately issued a DHCPREQUEST to a different Charter Communications server than it usually sends to (not the same subnet that was blocked).
So I'll accept it as it is. I don't understand how it is all interconnected; the fact that that IP was owned by the DoD had me scratching my head. It all seems to be working so I'll leave well enough alone.
-
Given that the Internet started as a Dept of Defense research project, a lot of addresses were "owned" by the DoD. When it first started, the 'net was used only by military contractors and researchers, including some universities.
-
I would think that ARIN WHOIS data is relatively up to date. Maybe I expect too much ::)
-
Hmmm…
Whatismyipaddress.com shows it's DoD, located in Utah. Maybe it has something to do with Area 51. ;-)
https://en.wikipedia.org/wiki/Dugway_Proving_Ground#UFO_speculation
-
Area 51 is in Nevada ;) Groom Lake!
Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for 30 address.. Are you saying you got your dhcp IP from this IP address?? I am confused on what this address has to do with anything to be honest? Or what does it matter? Maybe the dod uses your same ISP?? And they are running multiple layer 3 networks on the same layer 2 ;)
What that looks like is a dhcpack.. So you're saying that is what is giving you your IP?? Then either your ISP is the DOD ;) Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs.. While it's BAD practice, it is common practice.. Again it's BAD practice.. but happens more than you think.. Companies too lazy to do proper IPAM or subnetting or natting when required.. Hey lets grab these /8's that are owned by DOD - nobody is going to be going there ;)
-
Area 51 is in Nevada ;) Groom Lake!
From the article "[Dugway is] the new Area 51. And probably the new military spaceport.". ;)
Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs..
My cell carrier did that prior to switching over to IPv6. I'd get an address in the 25 block, IIRC, which NATed to the 24 block. Now my phone is IPv6 only and uses 464XLAT to provide IPv4 access.
https://en.wikipedia.org/wiki/IPv6_transition_mechanism#464XLAT
-
Oh you meant R-6413 ;) Yeah that is in Utah…
-
Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for 30 address.. Are you saying you got your dhcp IP from this IP address?? I am confused on what this address has to do with anything to be honest? Or what does it matter? Maybe the dod uses your same ISP?? And they are running multiple layer 3 networks on the same layer 2 ;)
I'm confused too, that is why I posted here looking for suggestions. My logs have wrapped around since I started this so I don't have documentation now.
This is a typical entry from dhcp log. I do note the acknowledging server is from a different IP than yesterday but this IP is registered to my ISP, which is the cable company Charter Communications. My connection is via cable modem.
Nov 21 04:07:42 dhclient 27954 DHCPREQUEST on igb0 to 68.114.36.9 port 67
Nov 21 04:07:42 dhclient 27954 DHCPACK from 68.114.36.9
Nov 21 04:07:42 dhclient RENEW
Nov 21 04:07:42 dhclient Creating resolv.conf
Nov 21 04:07:42 dhclient 27954 bound to x.x.x.x -- renewal in 12752 seconds.
Nov 21 04:41:30 dhcpd Wrote 0 deleted host decls to leases file.
Nov 21 04:41:30 dhcpd Wrote 0 new dynamic host decls to leases file.
Nov 21 04:41:30 dhcpd Wrote 16 leases to leases file.
What that looks like is a dhcpack.. So you're saying that is what is giving you your IP?? Then either your ISP is the DOD ;) Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs.. While it's BAD practice, it is common practice.. Again it's BAD practice.. but happens more than you think.. Companies too lazy to do proper IPAM or subnetting or natting when required.. Hey lets grab these /8's that are owned by DOD - nobody is going to be going there ;)
Or for the really paranoid, it's the NSC's backdoor into a large US customer base.
I cannot say that 30.85.128.1 is giving me my IP. For the last month or so I've noticed every time my lease was renewed there is a message in the log that there are 2 dhcp servers. That is news to me. But now that I have found this DoD server maybe that is the cause of that message.
I can only say that this IP is in my firewall log. My dhcp log shows my request being ACKed by Charter's IP. I first discovered this when I did a halt on pfSense so I could relocate the SG2440. I then looked at the logs after restarting; I had never done a cold startup since putting it into service. I found that odd IP in the firewall log at about the same point in time that my DHCP request was being ACKed. I didn't recognize it and did a whois. That started this thread. I blocked that IP and it continued to hammer 2x every 10 minutes throughout the night. I recently unblocked that rule.
Now that I've been through this discussion and looked at the logs for awhile, I'd have to repeat that cold startup and capture the logs to review. I think it's pretty crazy.
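The dhclient log posted above already carries the three facts that settle the first question: which server the unicast DHCPREQUEST went to, which server sent the DHCPACK, and whether that server changed between renewals. The following is an added example (not from this thread or from pfSense) that audits a dhclient log for exactly those things. The sample log is constructed in the same format as the one above; the DHCPACK from 30.85.128.1 in it is invented so that the audit has something to flag, since the poster says he never saw such an ACK. The 68.114.36.0/24 allowlist is an assumption standing in for whatever prefixes your own history and WHOIS show for your ISP's servers.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample in the dhclient log format shown in the post above.
# 68.114.36.9 is the ISP server from that log; the DHCPACK from 30.85.128.1 at
# 02:07:42 is invented so the audit has something to flag. It is illustration,
# not something the poster observed.
SAMPLE_LOG = """\
Nov 20 22:35:10 dhclient 27954 DHCPREQUEST on igb0 to 68.114.36.9 port 67
Nov 20 22:35:10 dhclient 27954 DHCPACK from 68.114.36.9
Nov 20 22:35:10 dhclient 27954 bound to 192.0.2.10 -- renewal in 12752 seconds.
Nov 21 02:07:42 dhclient 27954 DHCPREQUEST on igb0 to 68.114.36.9 port 67
Nov 21 02:07:42 dhclient 27954 DHCPACK from 30.85.128.1
Nov 21 02:07:42 dhclient RENEW
Nov 21 02:07:42 dhclient 27954 bound to 192.0.2.10 -- renewal in 12752 seconds.
Nov 21 04:07:42 dhclient 27954 DHCPREQUEST on igb0 to 68.114.36.9 port 67
Nov 21 04:07:42 dhclient 27954 DHCPACK from 68.114.36.9
Nov 21 04:41:30 dhcpd Wrote 16 leases to leases file.
"""

# Assumed allowlist: the prefix the ISP's DHCP servers have answered from so
# far. Build yours from your own log history plus WHOIS, not from this example.
EXPECTED_SERVERS = [ipaddress.ip_network("68.114.36.0/24")]

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+) dhclient(?: \d+)? (?P<msg>.*)$")
REQ_RE = re.compile(r"DHCPREQUEST on (?P<iface>\S+) to (?P<dst>[\d.]+) port \d+")
REPLY_RE = re.compile(r"DHCP(?P<kind>OFFER|ACK|NAK) from (?P<src>[\d.]+)")

Event = namedtuple("Event", "ts kind server reasons")

def is_expected(addr, nets=EXPECTED_SERVERS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def audit(log_text):
    """Walk the log in order, pair each server reply with the request before
    it, and attach a reason string to anything worth a second look."""
    events, request_target, last_ack = [], None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # dhcpd lines and other noise
        ts, msg = m.group("ts"), m.group("msg")
        req = REQ_RE.search(msg)
        if req:
            request_target = req.group("dst")
            continue
        rep = REPLY_RE.search(msg)
        if not rep:
            continue
        kind, server = rep.group("kind"), rep.group("src")
        reasons = []
        if not is_expected(server):
            reasons.append("reply from outside the expected server prefix")
        # In RENEWING state dhclient unicasts to the lease's server; in
        # REBINDING it broadcasts, so a mismatch only means something when the
        # request was unicast.
        if (kind == "ACK" and request_target
                and request_target != "255.255.255.255" and server != request_target):
            reasons.append(f"ACK from {server} but the unicast REQUEST went to {request_target}")
        if kind == "ACK" and last_ack and server != last_ack:
            reasons.append(f"ACKing server changed from {last_ack}")
        if kind == "ACK":
            last_ack = server
        events.append(Event(ts, kind, server, tuple(reasons)))
    return events

def suspicious(log_text):
    return [e for e in audit(log_text) if e.reasons]
```

The reasons are triage hints, not verdicts: the poster himself notes above that Charter's acknowledging server changed between one day and the next while staying inside the ISP's own space, which this audit would report as a server change and nothing more. An ACK from an address outside every prefix the ISP has ever answered from is the case that warrants the packet capture discussed later in the thread.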
-
Hey lets grab these /8's that are owned by DOD - nobody is going to be going there
Except aliens. ;)
-
I don't see how it's crazy.. Since this is broadcast traffic and can only be on layer 2, which is your ISP.. Contact your ISP if you're curious/concerned. But going to say this yet again. Just because the IP is registered to the DOD doesn't mean it's not your ISP using it, or could just be some idiot down the street running a dhcp server on his wan and he is using dod address space..
-
^ heheh exactly!!! So see if they plugged that interface into their isp device the wrong way.. Big Bang Zoom there you go a dod address space dhcp server on some ISP layer 2 network. Where all the users on that network could see the traffic.. Hopefully they don't get an IP from it ;) You would HOPE!!!! That the isp is running stuff to prevent unauthorized dhcp servers on the layer 2 between them and their customers. But you never know….
So what I would do is email your isp support, showing them dhcp traffic and the IP and asking if that is them... Or one of their other idiot users..
What's the mac address coming from that 30 address? We can look it up and see what kind of hardware it is, or the maker of it..
-
What's the mac address coming from that 30 address? We can look it up and see what kind of hardware it is, or the maker of it..
So I would need to have a packet trace running at the moment in time that the misconfigured device makes a request? Or is there another way that I am not thinking about?
-
ARP table, it's there exactly for the purpose of seeing the MAC addresses of network peers on the same network segment.
-
^^^^
An arp cache has a limited lifetime, so he'd have to check it within a short period of time. However, if he can ping that address and get a response, the arp cache would have the MAC. Failing that, just let the packet capture run, filtering on that IP address.
-
The IP does not respond to a ping. But my ISP's dhcp does respond to a ping.
I think the only option is a packet capture. Not sure I want to leave it running for an extended period of time.
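Once a capture exists (on pfSense, a packet capture on the WAN interface filtered to UDP ports 67 and 68 is enough), the two things the thread wants out of it are the source MAC of the frame carrying the DHCPACK and the server identifier inside it. The following is an added example, not code from this thread or from pfSense, that decodes those fields from a raw Ethernet frame and flags server-side messages from addresses outside a given allowlist. It builds its own two frames so it runs offline: the first mimics the ISP ACK from the log above, the second is an invented ACK from 30.85.128.1 carrying a made-up locally administered MAC, and neither is evidence of what was actually on the wire. The 68.114.36.0/24 allowlist is likewise an assumption.

```python
import ipaddress
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC = b"\x63\x82\x53\x63"          # BOOTP vendor magic cookie that starts the DHCP options

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return str(ipaddress.IPv4Address(bytes(b)))

def build_dhcp_ack(src_mac, client_mac, src_ip, yiaddr, server_id, xid=0x3903F326):
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP DHCPACK so the demo has input.
    Only the fields the parser reads are filled in; checksums are left zero."""
    options = bytes([53, 1, 5]) + bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed + b"\xff"
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, xid, 0, 0,                    # BOOTREPLY, Ethernet, hlen 6
                        b"\0" * 4,                                # ciaddr
                        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr: the offered address
                        ipaddress.IPv4Address(src_ip).packed,     # siaddr
                        b"\0" * 4,                                # giaddr: no relay in the demo
                        mac_bytes(client_mac).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    payload = bootp + MAGIC + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(yiaddr).packed)
    return mac_bytes(client_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + udp

def parse_dhcp_frame(frame):
    """Return the fields that identify a DHCP server from one Ethernet frame,
    or None when the frame is not IPv4/UDP/BOOTP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                   # not UDP
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 67 not in (sport, dport) and 68 not in (sport, dport):
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:        # options are TLV; 0 is a pad byte
        if bootp[i] == 0:
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    hlen = bootp[2]
    return {
        "eth_src": fmt_mac(frame[6:12]),              # the hardware that put this on the wire
        "ip_src": fmt_ip(ip[12:16]),
        "xid": struct.unpack("!I", bootp[4:8])[0],
        "msg_type": DHCP_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "yiaddr": fmt_ip(bootp[16:20]),
        "giaddr": fmt_ip(bootp[24:28]),               # non-zero when a relay forwarded it
        "server_id": fmt_ip(opts[54]) if 54 in opts else None,
        "client_mac": fmt_mac(bootp[28:28 + hlen]),
    }

def unexpected_servers(frames, expected_nets):
    """Server-side DHCP messages whose source or server identifier lies outside
    the prefixes the ISP is known to use."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    def ok(addr):
        return addr is not None and any(ipaddress.ip_address(addr) in n for n in nets)
    return [f for f in map(parse_dhcp_frame, frames)
            if f and f["msg_type"] in ("OFFER", "ACK", "NAK")
            and not (ok(f["ip_src"]) and ok(f["server_id"]))]

# Constructed frames with made-up locally administered MACs: the first mimics
# the ISP ACK from the log in this thread, the second is an invented ACK from
# 30.85.128.1. Neither is a real capture.
SAMPLE_FRAMES = [
    build_dhcp_ack("02:00:00:00:00:02", "02:00:00:00:00:aa", "68.114.36.9", "192.0.2.10", "68.114.36.9"),
    build_dhcp_ack("02:00:00:00:00:01", "02:00:00:00:00:aa", "30.85.128.1", "192.0.2.10", "30.85.128.1"),
]
```

Two caveats when reading real captures with this: on a cable network the ACK often arrives through a relay, so ip_src is the relay (giaddr is then set) and the server identifier is the real server, which is why the check looks at both rather than requiring them to match; and eth_src on a WAN segment is frequently the CMTS or gateway rather than the DHCP server itself, the same proxy effect the ARP table discussion below runs into.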
-
^ heheh exactly!!!
+1
Had a large fire agency in my county trying to hand out DHCP to cable system customers for almost two weeks till the techs paid them a visit. ;D ::)
-
At least my ISP is sneaky enough to isolate its clients from each other:
$ ifconfig em1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:1b:21:14:ca:5e
        inet6 fe80::21b:21ff:fe14:ca5e%em1 prefixlen 64 scopeid 0x3
        inet 88.xxx.yyy.181 netmask 0xffffe000 broadcast 88.xxx.zzz.255
        inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
$ ping 88.xxx.yyy.182
PING 88.xxx.yyy.182 (88.xxx.yyy.182): 56 data bytes
^C
--- 88.xxx.yyy.182 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
$ arp -an
...
? (88.xxx.yyy.182) at 00:0b:45:b6:ef:c0 on em1 expires in 1058 seconds [ethernet]
? (88.xxx.yyy.181) at 00:1b:21:14:ca:5e on em1 permanent [ethernet]
? (88.xxx.yyy.1) at 00:0b:45:b6:ef:c0 on em1 expires in 90 seconds [ethernet]
...
The .181 is my current IP address and the .1 address is the gateway on the WAN network and it (or more likely some equipment between me and the gateway device) seems to just proxy ARP every single IP address of the WAN network that is not assigned to you.
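The arp -an output above shows the thing to check for before trusting any MAC pulled from the WAN ARP table: the gateway's MAC answering for an address that is not the gateway. The following is an added example, not from this thread or from FreeBSD, that parses arp -an output in the FreeBSD format shown above, reports which MACs answer for more than one address on an interface, and does the OUI lookup the earlier post suggested. The sample table is constructed: the two MACs are the ones printed above, the masked 88.xxx.yyy prefix is replaced with TEST-NET-2 (198.51.100.0/24), and the remaining rows are invented. The two-entry OUI table is an assumption to be checked against the IEEE registry, which is where a real lookup has to go.

```python
import re
from collections import defaultdict

# Constructed sample in FreeBSD `arp -an` format, modelled on the post above:
# MACs as printed there, addresses replaced with TEST-NET-2, extra rows invented.
SAMPLE_ARP = """\
? (198.51.100.182) at 00:0b:45:b6:ef:c0 on em1 expires in 1058 seconds [ethernet]
? (198.51.100.181) at 00:1b:21:14:ca:5e on em1 permanent [ethernet]
? (198.51.100.1) at 00:0b:45:b6:ef:c0 on em1 expires in 90 seconds [ethernet]
? (198.51.100.77) at 00:0b:45:b6:ef:c0 on em1 expires in 612 seconds [ethernet]
? (198.51.100.99) at (incomplete) on em1 expired [ethernet]
? (192.168.1.10) at 3c:5a:b4:00:11:22 on em0 expires in 1100 seconds [ethernet]
"""

# Two-entry excerpt assumed for the demo; verify against the IEEE OUI registry
# (the oui.csv download) before relying on it for anything.
OUI_TABLE = {"00:0b:45": "Cisco Systems", "00:1b:21": "Intel Corporate"}

ARP_RE = re.compile(
    r"^\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) "
    r"on (?P<iface>\S+) (?P<state>.*?) \[ethernet\]$")

def parse_arp(text):
    """One dict per ARP entry; mac is None for incomplete entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = None if d["mac"] == "(incomplete)" else d["mac"].lower()
            entries.append(d)
    return entries

def mac_for(entries, ip):
    for e in entries:
        if e["ip"] == ip:
            return e["mac"]
    return None

def oui(mac):
    return ":".join(mac.lower().split(":")[:3])

def vendor(mac, table=OUI_TABLE):
    return table.get(oui(mac), "unknown (look up " + oui(mac) + " in the IEEE registry)")

def shared_macs(entries):
    """MACs that answer for more than one IP on the same interface. On a WAN
    segment that is the provider's gateway or CMTS proxy-ARPing for addresses
    it has not handed out, so such a MAC identifies the proxy, not the host
    behind the address you asked about."""
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"] and "permanent" not in e["state"]:   # skip our own address
            by_mac[(e["iface"], e["mac"])].append(e["ip"])
    return {k: ips for k, ips in by_mac.items() if len(ips) > 1}

def mac_is_trustworthy(entries, ip):
    """True only when the MAC for ip is not also answering for other addresses
    on that interface, i.e. it is plausibly the real peer rather than a proxy."""
    mac = mac_for(entries, ip)
    if mac is None:
        return False
    iface = next(e["iface"] for e in entries if e["ip"] == ip)
    return (iface, mac) not in shared_macs(entries)
```

Against the sample, every address except the host's own resolves to 00:0b:45:b6:ef:c0, which is exactly what the post above describes, so a MAC obtained that way for the 30.x address would tell you about the ISP's gateway hardware and nothing about the machine running the DHCP server. That is why the packet capture suggestion earlier in the thread is the one that actually answers the question: the source MAC on the DHCPACK frame is set by whatever device emitted it onto the segment.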
-
^^^^
Are you on a cable modem? I am and can see the arp requests for others, including on other subnets. However, I can't see any traffic from the others, as cable modems have separate channels for each direction.
-
^^^^
Are you on a cable modem? I am and can see the arp requests for others, including on other subnets. However, I can't see any traffic from the others, as cable modems have separate channels for each direction.
I can see every one of the cable modems via their local maintenance IP address on my system.
The reason you don't see their traffic is because the system acts like a switch and not a hub. They do block network shares however.