Request for dhcp from strange address?



  • Found an odd entry in my firewall log.  "Whois" sez the IP belongs to the Dept of Defense - huh??

    Nov 20 12:48:38 WAN 30.85.128.1:67 255.255.255.255:68 UDP
    allow dhcp client out WAN (1000001591)

    Anyone have an idea why this shows up in my log?  My ISP serves up dhcp from 71.94.x.x



  • That's the standard reply from the DHCP server to a DHCP client after the client has made the request for a lease in the case there are no existing leases for the client. If you ignore the "strange" looking source address there's nothing out of the ordinary in it.

    http://www.linklogger.com/UDP67_68.htm

    Why that address is another matter. Maybe your ISP has acquired some unused subnet from the Dept. of Defense and has taken it into use. Remember that your WAN network can have multiple DHCP servers (which is the exact reason for the broadcast addresses used; unicasts wouldn't work in the initial lease negotiation) as your ISP sees fit for redundancy, each of them with slightly different settings for IP address range and gateways.
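    As an added example (not posted by anyone in this thread), here is the check a firewall admin would want after reading the above: parse pfSense-style firewall log entries, keep only the server-side DHCP traffic (UDP source port 67 to 255.255.255.255:68, which is what an OFFER/ACK broadcast looks like), and report any server address that is not in the networks the ISP is known to answer from. The log lines other than the first are constructed; the 71.94.0.0/16 network is an assumption widened from the "71.94.x.x" mentioned in the thread, and 68.114.36.9 is the server that appears in the dhclient log further down.

```python
import re
from ipaddress import ip_address, ip_network

# One pfSense-style firewall log entry per line, with the rule text that the
# thread shows wrapped onto a second line joined back onto the same line.
# Only the first line is from the thread; the others are constructed.
SAMPLE_LOG = """\
Nov 20 12:48:38 WAN 30.85.128.1:67 255.255.255.255:68 UDP allow dhcp client out WAN (1000001591)
Nov 20 12:48:38 WAN 71.94.12.1:67 255.255.255.255:68 UDP allow dhcp client out WAN (1000001591)
Nov 20 12:48:37 WAN 0.0.0.0:68 255.255.255.255:67 UDP allow dhcp client out WAN (1000001591)
Nov 20 12:49:02 WAN 203.0.113.9:443 198.51.100.7:51234 TCP block default deny rule
Nov 20 12:58:40 WAN 30.85.128.1:67 255.255.255.255:68 UDP allow dhcp client out WAN (1000001591)
""".splitlines()

# Networks the ISP's DHCP servers are known to answer from. 71.94.0.0/16 is an
# assumption widened from the "71.94.x.x" in the thread; 68.114.36.9 is the
# server seen in the dhclient log later in the thread.
EXPECTED_DHCP_NETS = ["71.94.0.0/16", "68.114.36.9/32"]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def dhcp_direction(entry):
    """Classify a UDP entry by the well-known DHCP ports (server 67, client 68)."""
    if entry["proto"].upper() != "UDP":
        return None
    if entry["sport"] == 67 and entry["dport"] == 68:
        return "server-to-client"   # OFFER/ACK/NAK broadcast to 255.255.255.255:68
    if entry["sport"] == 68 and entry["dport"] == 67:
        return "client-to-server"   # DISCOVER/REQUEST sent by the client
    return None


def unexpected_dhcp_servers(lines, expected_nets=EXPECTED_DHCP_NETS):
    """Map each server-side DHCP source IP outside the expected networks to the
    timestamps it was seen at, so a stray server shows up with its frequency."""
    nets = [ip_network(n) for n in expected_nets]
    found = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or dhcp_direction(entry) != "server-to-client":
            continue
        src = ip_address(entry["src"])
        if any(src in net for net in nets):
            continue
        found.setdefault(str(src), []).append(entry["ts"])
    return found


if __name__ == "__main__":
    for server, seen in unexpected_dhcp_servers(SAMPLE_LOG).items():
        print(f"{server}: {len(seen)} server-side DHCP packet(s), first at {seen[0]}")
```

    Run against the sample it reports 30.85.128.1 twice and stays quiet about the 71.94.x server and the client's own DISCOVER; pointing it at a real log export is a quick way to see how often a second server is answering on the segment.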



  • Thank you for the link.  It did have some info I was unaware of.

    I know that the log entry shows the standard dhcp server/client transaction.  It was the odd IP that concerned me.  It only shows in the firewall log, not in the dhcp log.

    Every time my WAN lease is renewed (4 hrs) I've been getting messages in dhcp log that there are 2 servers.  I blocked the offending 'DoD' IP and now I am not getting messages about 2 servers.  But now I'm also not getting other msgs that I'm used to seeing.  I usually see "bound to My_Wan_IP" and the time remaining on the lease.  Since blocking that odd IP I don't see that anymore but the WAN lease does renew.

    My ISP is Charter Communications so I don't know if they would be using a subnet registered to someone else.


  • Rebel Alliance Global Moderator

    Here is the thing, just because an IP range is owned by company xyz.. Doesn't mean it's really them.. There are lots and lots of people that use IP addresses they pull out of thin air with no concern for who actually owns it.

    If you have concerns contact your ISP..  But more than likely it's some idiot..  Here is the thing, traffic from that box cannot go anywhere other than the local layer 2 it's on..



  • It only shows in the firewall log, not in the dhcp log.

    That only shows the firewall is doing its job.  It shouldn't be allowing DHCP requests from the WAN.



  • I'd like to thank everyone for their responses here.  They were very helpful.

    Even tho I have maintained a connection on my WAN with the strange IP that I had blocked, once I unblocked it, pfSense immediately issued a DHCPREQUEST to a different Charter Communications server than it usually sends to (not the same subnet that was blocked).

    So I'll accept it as it is, I don't understand how it is all interconnected, the fact that that IP was owned by the DoD had me scratching my head.  It all seems to be working so I'll leave well enough alone.



  • Given that the Internet started as a Dept of Defense research project, a lot of addresses were "owned" by the DoD.  When it first started, the 'net was used only by military contractors and researchers, including some universities.

    https://en.wikipedia.org/wiki/History_of_the_Internet



  • I would think that ARIN WHOIS data is relatively up to date.  Maybe I expect too much ::)



  • Hmmm…

    Whatismyipaddress.com shows it's DoD, located in Utah.  Maybe it has something to do with Area 51.  ;-)

    https://en.wikipedia.org/wiki/Dugway_Proving_Ground#UFO_speculation


  • Rebel Alliance Global Moderator

    Area 51 is in Nevada ;)  Groom Lake!

    Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for a 30 address..  Are you saying you got your dhcp IP from this IP address??  I am confused on what this address has to do with anything to be honest?  Or what does it matter?  Maybe the DoD uses your same ISP??  And they are running multiple layer 3 networks on the same layer 2 ;)

    What that looks like is a dhcpack.. So you're saying that is what is giving you your IP??  Then either your ISP is the DOD ;)  Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs..  While it's BAD practice, it is common practice..  Again it's BAD practice.. but happens more than you think.. Companies too lazy to do proper IPAM or subnetting or natting when required..  Hey let's grab these /8's that are owned by DOD - nobody is going to be going there ;)



  • Area 51 is in Nevada ;)  Groom Lake!

    From the article "[Dugway is] the new Area 51. And probably the new military spaceport.".  ;)

    Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs..

    My cell carrier did that prior to switching over to IPv6.  I'd get an address in the 25 block, IIRC, which NATed to the 24 block.  Now my phone is IPv6 only and uses 464XLAT to provide IPv4 access.

    https://en.wikipedia.org/wiki/IPv6_transition_mechanism#464XLAT


  • Rebel Alliance Global Moderator

    Oh you meant R-6413 ;)  Yeah that is in Utah…



  • @johnpoz:

    Yeah ARIN is pretty up to date.. Not sure they would have a wrong listing for a 30 address..  Are you saying you got your dhcp IP from this IP address??  I am confused on what this address has to do with anything to be honest?  Or what does it matter?  Maybe the DoD uses your same ISP??  And they are running multiple layer 3 networks on the same layer 2 ;)

    I'm confused too, that is why I posted here looking for suggestions.  My logs have wrapped around since I started this so I don't have documentation now.

    This is a typical entry from dhcp log.  I do note the acknowledging server is from a different IP than yesterday but this IP is registered to my ISP, which is the cable company Charter Communications.  My connection is via cable modem.

    Nov 21 04:07:42 	dhclient 	27954 	DHCPREQUEST on igb0 to 68.114.36.9 port 67
    Nov 21 04:07:42 	dhclient 	27954 	DHCPACK from 68.114.36.9
    Nov 21 04:07:42 	dhclient 		RENEW
    Nov 21 04:07:42 	dhclient 		Creating resolv.conf
    Nov 21 04:07:42 	dhclient 	27954 	bound to x.x.x.x -- renewal in 12752 seconds.
    Nov 21 04:41:30 	dhcpd 		Wrote 0 deleted host decls to leases file.
    Nov 21 04:41:30 	dhcpd 		Wrote 0 new dynamic host decls to leases file.
    Nov 21 04:41:30 	dhcpd 		Wrote 16 leases to leases file. 
    

    What that looks like is a dhcpack.. So you're saying that is what is giving you your IP??  Then either your ISP is the DOD ;)  Or what is more likely is they are using IPs that are not theirs because they don't think anyone will be talking to those IPs..  While it's BAD practice, it is common practice..  Again it's BAD practice.. but happens more than you think.. Companies too lazy to do proper IPAM or subnetting or natting when required..  Hey let's grab these /8's that are owned by DOD - nobody is going to be going there ;)

    Or for the really paranoid, it's the NSC's backdoor into a large US customer base.

    I cannot say that 30.85.128.1 is giving me my IP.  For the last month or so I've noticed every time my lease was renewed there is a message in the log that there are 2 dhcp servers.  That is news to me.  But now that I have found this DoD server maybe that is the cause of that message.

    I can only say that this IP is in my firewall log.  My dhcp log shows my request being acked by Charter's IP.  I first discovered this when I did a halt on pfSense so I could relocate the SG2440.  I then looked at the logs after restarting, I had never done a cold startup since putting it into service.  I found that odd IP in the firewall log about the same point in time that my DHCP request was being ACKed.  I didn't recognize it and did a whois.  That started this thread.  I blocked that IP and it continued to hammer 2x every 10 minutes throughout the night.  I recently unblocked that rule.

    Now that I've been through this discussion and looked at the logs for awhile, I'd have to repeat that cold startup and capture the logs to review.  I think it's pretty crazy.



  • Hey let's grab these /8's that are owned by DOD - nobody is going to be going there

    Except aliens.  ;)


  • Rebel Alliance Global Moderator

    I don't see how it's crazy.. Since this is broadcast traffic and can only be on layer 2, which is your ISP.. Contact your ISP if you're curious/concerned.  But going to say this yet again.  Just because the IP is registered to the DOD doesn't mean it's not your ISP using it, or could just be some idiot down the street running a dhcp server on his wan and he is using dod address space..


  • Banned

    @johnpoz:

    could just be some idiot down the street running a dhcp server on his wan and he is using dod address space..

    One, two, three of them just here on the forum…

    ;D ;D ;D


  • Rebel Alliance Global Moderator

    ^ heheh exactly!!!  So see if they plugged that interface into their isp device the wrong way.. Big Bang Zoom there you go a dod address space dhcp server on some ISP layer 2 network.  Where all the users on that network could see the traffic..  Hopefully they don't get an IP from it ;)  You would HOPE!!!! That the isp is running stuff to prevent unauthorized dhcp servers on the layer 2 between them and their customers.  But you never know….

    So what I would do is email your isp support, showing them dhcp traffic and the IP and asking if that is them...  Or one of their other idiot users..

    What's the mac address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..



  • @johnpoz:

    What's the mac address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

    So I would need to have a packet trace running at the moment in time that the misconfigured device makes a request?  Or is there another way that I am not thinking about?



  • ARP table, it's there exactly for the purpose of seeing the MAC addresses of network peers on the same network segment.



  • ^^^^
    An arp cache has a limited lifetime, so he'd have to check it within a short period of time.  However, if he can ping that address and get a response, the arp cache would have the MAC.  Failing that, just let the packet capture run, filtering on that IP address.



  • The IP does not respond to a ping.  But my ISP's dhcp does respond to a ping.

    I think the only option is a packet capture.  Not sure I want to leave it running for an extended period of time.



  • @johnpoz:

    ^ heheh exactly!!!

    +1

    Had a large fire agency in my county trying to hand out DHCP to cable system customers for almost two weeks till the techs paid them a visit.  ;D ::)



  • At least my ISP is sneaky enough to isolate its clients from each other:

    
    $ ifconfig em1
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
            ether 00:1b:21:14:ca:5e
            inet6 fe80::21b:21ff:fe14:ca5e%em1 prefixlen 64 scopeid 0x3
            inet 88.xxx.yyy.181 netmask 0xffffe000 broadcast 88.xxx.zzz.255
            inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    
    $ ping 88.xxx.yyy.182
    PING 88.xxx.yyy.182 (88.xxx.yyy.182): 56 data bytes
    ^C
    --- 88.xxx.yyy.182 ping statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    
    $ arp -an
    ...
    ? (88.xxx.yyy.182) at 00:0b:45:b6:ef:c0 on em1 expires in 1058 seconds [ethernet]
    ? (88.xxx.yyy.181) at 00:1b:21:14:ca:5e on em1 permanent [ethernet]
    ? (88.xxx.yyy.1) at 00:0b:45:b6:ef:c0 on em1 expires in 90 seconds [ethernet]
    ...
    

    The .181 is my current IP address and the .1 address is the gateway on the WAN network and it (or more likely some equipment between me and the gateway device) seems to just proxy ARP every single IP address of the WAN network that is not assigned to you.
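    An added example, not from any poster in the thread, of turning the observation above into a repeatable check: parse `arp -an` output in the FreeBSD/pfSense format shown, group the dynamic entries on one interface by MAC, and list any MAC that answered for more than one IP. On a WAN segment that is exactly the proxy-ARP behaviour described; on a LAN the same pattern is what ARP spoofing looks like, so the check is worth running on both sides. The sample table is constructed: the masked 88.xxx.yyy addresses are replaced by the 203.0.113.0/24 documentation range, the LAN interface is named em0, and the WAN MACs are the ones in the listing above.

```python
import re
from collections import defaultdict

# Constructed `arp -an` output in FreeBSD/pfSense format, modeled on the listing
# above. 203.0.113.0/24 stands in for the masked WAN range, em0 for the LAN
# interface; the two WAN MACs are the ones that appear in the thread.
SAMPLE_ARP = """\
? (203.0.113.182) at 00:0b:45:b6:ef:c0 on em1 expires in 1058 seconds [ethernet]
? (203.0.113.181) at 00:1b:21:14:ca:5e on em1 permanent [ethernet]
? (203.0.113.1) at 00:0b:45:b6:ef:c0 on em1 expires in 90 seconds [ethernet]
? (192.168.1.41) at 10:bf:48:aa:bb:cc on em0 expires in 586 seconds [ethernet]
? (192.168.1.200) at 00:1b:21:14:ca:5e on em0 permanent [ethernet]
""".splitlines()

ARP_RE = re.compile(
    r"^\?\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>[0-9a-f:]{17})\s+on\s+(?P<iface>\S+)\s+"
    r"(?P<state>permanent|expires in \d+ seconds)"
)


def parse_arp(lines):
    """Parse `arp -an` lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def ips_by_mac(lines, iface):
    """Group the dynamic entries on one interface by MAC address.
    Permanent entries are this host's own addresses and are left out."""
    groups = defaultdict(list)
    for e in parse_arp(lines):
        if e["iface"] == iface and e["state"] != "permanent":
            groups[e["mac"]].append(e["ip"])
    return dict(groups)


def macs_answering_for_multiple_ips(lines, iface):
    """MACs that answered ARP for more than one IP on the interface: expected
    proxy ARP on an ISP segment, something to investigate on a LAN."""
    return {mac: ips for mac, ips in ips_by_mac(lines, iface).items() if len(ips) > 1}


def is_answered_by_gateway(lines, iface, gateway_ip, target_ip):
    """True when target_ip resolves to the same MAC as the gateway, i.e. the
    gateway (or something in front of it) is answering on that IP's behalf."""
    macs = {e["ip"]: e["mac"] for e in parse_arp(lines) if e["iface"] == iface}
    return gateway_ip in macs and target_ip in macs and macs[gateway_ip] == macs[target_ip]


if __name__ == "__main__":
    for mac, ips in macs_answering_for_multiple_ips(SAMPLE_ARP, "em1").items():
        print(f"{mac} answers for {', '.join(ips)}")
```

    On the sample it prints the gateway MAC answering for both .182 and .1 on em1 and nothing for em0, which is the proxy-ARP picture the post describes; the ping step the posters used is what populates the cache before the check is run.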



  • ^^^^
    Are you on a cable modem?  I am and can see the arp requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.



  • @JKnott:

    ^^^^
    Are you on a cable modem?  I am and can see the arp requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.

    I can see every one of the cable modems via their local maintenance IP address on my system.

    The reason you don't see their traffic is because the system acts like a switch and not a hub. They do block network shares however.



  • I'm on (A)DSL of a type that encapsulates ethernet frames into ATM, no PPPo(E|A). This type of connection would normally allow client-to-client traffic because it's just standard ethernet by all means, I've seen it working on a similar ADSL connection from my previous ISP many years ago but my current one (Sonera) seems to have other ideas.

    Oh and of course we are only talking about layer 2 isolation here to disable broadcast based services such as DHCP, IP level connections such as SSH will still get through.



  • @JKnott:

    ^^^^
    Are you on a cable modem?  I am and can see the arp requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.

    Yes, cable modem.  I do not see anything beyond my gateway.  Since I am using an SG2440 I cannot start a packet trace in time to catch it.  I'll keep watching for it, last week I had it blocked by a rule and it kept trying ever so often for hours.  Today, I had it unblocked, trying to catch its MAC and it only hit a few times.

    I'm now thinking that I'll shutdown & restart while that IP is blocked, start packet trace, then disable the rule and see if it hits me.

    
    Shell Output - arp -an
    
    ? (192.168.1.41) at 10:bf:48:x:x:x on igb1 expires in 586 seconds [ethernet]
    ? (192.168.1.8) at 90:b1:1c:x:x:x on igb1 expires in 1061 seconds [ethernet]
    ? (192.168.1.43) at 78:31:c1:x:x:x on igb1 expires in 584 seconds [ethernet]
    ? (192.168.1.107) at 70:48:0f:x:x:x on igb1 expires in 1196 seconds [ethernet]
    ? (192.168.1.10) at e0:3f:49:x:x:x on igb1 expires in 755 seconds [ethernet]
    ? (192.168.1.109) at 00:11:d9:x:x:x on igb1 expires in 1000 seconds [ethernet]
    ? (192.168.1.1) at 00:08:a2:x:x:x on igb1 permanent [ethernet]               <---- LAN IP
    ? (192.168.1.125) at 70:14:a6:x:x:x on igb1 expires in 1187 seconds [ethernet]
    ? (192.168.1.30) at 00:1c:2a:x:x:x on igb1 expires in 614 seconds [ethernet]
    ? (192.168.1.126) at 48:e9:f1:x:x:x on igb1 expires in 1169 seconds [ethernet]
    ? (192.168.1.20) at c0:56:e3:x:x:x on igb1 expires in 1178 seconds [ethernet]
    ? (192.168.1.151) at 00:11:d9:x:x:x on igb1 expires in 1187 seconds [ethernet]
    ? (96.38.x.x) at 00:01:5c:x:x:x on igb0 expires in 884 seconds [ethernet]    <---upstream gateway
    ? (96.38.x.x) at 00:08:a2:x:x:x on igb0 permanent [ethernet]                     <--- WAN IP
    
    

    I don't know how many users are on my subnet, I know that I'm the last drop on the line. 
    I'm locked out of the cable modem, I can only see the up/down SNR & power level.
    Also, it may be worth noting that the cable modem is at the standard 192.168.100.1 and will toss out a dhcpack when the upstream sync is lost.  I have that IP blocked.



  • I don't understand your problem with using packet capture.  Just configure it to capture only that IP address and let it run as long as it takes.  It won't hurt anything.  The hardware shouldn't make any difference for this.  I run pfSense on a refurb computer.

    I just fired up the packet capture for a few seconds and caught this:

    09:15:43.648284 ARP, Request who-has 45.2.75.30 tell 45.2.75.1, length 46
    09:15:43.675278 ARP, Request who-has 216.58.58.117 tell 216.58.58.97, length 46
    09:15:43.764767 ARP, Request who-has 45.2.73.243 tell 45.2.73.129, length 46
    09:15:43.810850 ARP, Request who-has 99.250.252.189 tell 99.250.240.1, length 46
    09:15:43.875635 ARP, Request who-has 216.181.152.74 tell 216.181.152.1, length 46

    Once you've captured the traffic, you can download it and open the file with Wireshark, to better examine it, including reading the MAC address.  Or you can just increase the detail level to display the full capture, including MAC addresses.

    Incidentally, my preferred way to capture network traffic is with Wireshark, but since pfSense won't run it, I bought a small managed switch, which I configured for port mirroring.  I then run Wireshark on my notebook computer, plugged into the monitoring port.

    BTW, notice all the different subnets in that capture.  My ISP has different subnets for customers and also carries traffic for a 3rd party ISP.  There is also their home phone service in there, but I don't know what subnet it's on.



  • I guess I should have looked harder at the pfSense packet capture.  I haven't gotten to that part of the pfSense book yet so I did not realize I could filter to capture only certain packets.

    In other situations I've captured all and then filtered with wireshark after downloading.  Great capability that capture can be fine tuned like that.

    I'm using an unmanaged switch so no way to port mirror AFAIK.

    I'll play around with this and see if I have any luck.
    Thanks!!



  • While the packet capture in pfSense is useful, I find Wireshark to be far more capable.  For example, it supports filtering on the MAC address, which I don't see in packet capture.  It also supports complex filters and has both capture and display filters.  In addition, you can watch the captures in real time.  For those reasons and more, I recently bought a cheap 5 port gigabit managed switch, so I could monitor in situations where Wireshark wouldn't be otherwise available.

    In your case, just set packet capture to filter on that IP address and let it run for a while.



  • Yep, thanks for switch info.  I just bought a 2nd unmanaged switch so am not very inclined to buy yet another.
    But putting info into packet capture did the trick, after unblocking the IP I got it within 15 minutes.



  • @johnpoz:

    What's the mac address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

    00-01-5C-66-C0-04 CADANT INC., USA



  • And a couple of seconds of hard googling turns up this:

    https://www.dslreports.com/forum/r25953464-TWC-Cadant-CMTS-wtf-Hudson-Valley-NY


  • Rebel Alliance Global Moderator

    Yeah Cadant is cable modem..  You can validate it's not coming from your gateway MAC and just something on the transit network that is your ISP connection to customers' devices.  If that is where the dhcp stuff is coming from - it's most likely an idiot end user..



  • ^^^^
    He shouldn't be seeing anything from other users.  Cable modem systems have separate upload and download channels and are not configured to allow direct access between users.


  • Rebel Alliance Global Moderator

    But clearly his is..  So again he should bring this up to his ISP..

    I see dhcp stuff on my wan for stuff that is clearly not me nor my modem..

    None of these MACs in the sniff are mine or my modem's.. I can view my modem MACs on its config page..  And they don't match up to any of the ones listed in this sniff.  My IP is a 24.13 address - not the 69.243 in this sniff.  But at least 69.243 is owned by Comcast.




  • You're showing DHCP offer and ACK, which come from the server, not a client.  As I showed in my capture, there are several subnets used (in fact, mine wasn't even listed in that capture).  My ISP has multiple subnets for its own customers and when I enabled IPv6, my IPv4 subnet changed.  As I mentioned, my ISP also has a VoIP service, which likely has its own subnet and they also carry a 3rd party ISP, which would have its own subnet(s).  So, don't assume that DHCP traffic from other than your subnet is a customer doing something wrong.  There are very likely multiple subnets on your cable that belong there.



  • Here is another capture, showing MAC addresses:
    11:13:45.500356 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.59 tell 216.181.149.1, length 46
    11:13:45.592614 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.234.121.179 tell 104.234.121.129, length 46
    11:13:45.641095 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 108.162.159.209 tell 108.162.159.193, length 46
    11:13:45.695279 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.55 tell 216.181.149.1, length 46
    11:13:45.747911 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.68.56 tell 72.53.68.33, length 46
    11:13:45.862704 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 174.112.15.15 tell 174.112.14.1, length 46
    11:13:45.910888 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.254.122 tell 99.250.240.1, length 46
    11:13:45.987876 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.204.120.177 tell 104.204.120.129, length 46
    11:13:46.031307 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.255.115 tell 99.250.240.1, length 46
    11:13:46.090016 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 23.248.49.10 tell 23.248.49.1, length 46
    11:13:46.143425 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 209.141.165.126 tell 209.141.165.97, length 46
    11:13:46.206859 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.67.101 tell 72.53.67.97, length 46
    11:13:46.274995 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 107.150.250.245 tell 107.150.250.129, length 46
    11:13:46.393292 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.68.53 tell 72.53.68.33, length 46
    11:13:46.397089 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 198.16.252.96 tell 198.16.252.97, length 46

    Notice that there are several subnets, but all the requests come from the same MAC address.  Also, the link I found earlier says that company makes CMTS equipment, of the type used by the ISP.  The cable modems tend to come from other companies.  For example, mine is from Hitron, but Wireshark shows the DHCP server's MAC address is from "Casa", whoever that is.



  • It was never my intention to get this deep into why I was getting a request from a strange dhcp server.  It's been interesting tho and I have learned a few things.

    Regarding my ISP provided cable modem and other customers on the same subnet, my ISP upgraded my modem about a month ago, it has more channels.  I have 8 bonded downstream channels and 4 upstream, 3 of which are bonded.  I have no access to the other features in the modem except to see the status page.

    In the past, I did see other customers, I cannot see them now.  One item shown on status page which may explain this is "DOCSIS Privacy = Enabled".  I have not attempted to find out what that means but assume it explains why I don't see others on the subnet.  I do not recall if the privacy option was on my prior modem or not.

    Since obtaining the MAC of the stray dhcp server, I can add this to the discussion.
    The stray MAC is:  00:01:5c:66:c0:04
    The MAC of my upstream gateway is:  00:01:5c:66:c0:46

    Since the equipment of the upstream gateway is only 66d difference in MAC address I assume that the device that is giving me the stray dhcp offer belongs to my ISP.
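    An added example (not code from anyone in this thread) that covers the two analyses the thread ends on: the `tcpdump -e` ARP capture a few posts up, where many subnets are asked about by one source MAC, and the closing comparison of the stray server's MAC with the upstream gateway's MAC. It parses capture lines in the quoted format, groups them by source MAC and the "tell" (gateway) address, normalises MACs written with dashes or colons, compares OUIs, and reports the last-octet distance the post quotes as 66d. The capture lines are constructed: three are copied from the capture above and one is made up to carry the stray MAC asking on behalf of an assumed 96.38.0.1 gateway (the thread masks that address). The OUI table holds only the single lookup result posted in the thread; a real check would load the IEEE OUI registry instead.

```python
import re
from collections import defaultdict

# Constructed capture in the `tcpdump -e` format quoted earlier in the thread.
# The first three lines are from that capture; the fourth is made up to carry
# the stray DHCP server's MAC asking on behalf of an assumed 96.38.0.1 gateway.
SAMPLE_CAPTURE = """\
11:13:45.500356 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.59 tell 216.181.149.1, length 46
11:13:45.592614 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.234.121.179 tell 104.234.121.129, length 46
11:13:45.695279 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.55 tell 216.181.149.1, length 46
11:13:46.001000 00:01:5c:66:c0:04 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 96.38.0.77 tell 96.38.0.1, length 46
""".splitlines()

# Minimal OUI table: the one entry is the lookup result reported in the thread.
# A real check would load the IEEE OUI registry instead.
OUI_TABLE = {"00:01:5c": "CADANT INC., USA"}

CAPTURE_RE = re.compile(
    r"^(?P<ts>[\d:.]+)\s+(?P<smac>[0-9a-f:]{17})\s+>\s+(?P<dmac>[0-9a-f:]{17}),"
    r".*?Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
)


def normalize_mac(mac):
    """Accept 00-01-5C-66-C0-04 or 00:01:5c:66:c0:04 and return the colon form."""
    octets = re.split(r"[:-]", mac.strip().lower())
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octets)


def oui(mac):
    """The first three octets, which identify the maker of the interface."""
    return normalize_mac(mac)[:8]


def vendor(mac):
    return OUI_TABLE.get(oui(mac), "unknown")


def same_oui(mac_a, mac_b):
    return oui(mac_a) == oui(mac_b)


def last_octet_distance(mac_a, mac_b):
    """Difference of the final octets, the figure the thread quotes as '66d'."""
    a = int(normalize_mac(mac_a).split(":")[-1], 16)
    b = int(normalize_mac(mac_b).split(":")[-1], 16)
    return abs(a - b)


def parse_arp_requests(lines):
    matches = (CAPTURE_RE.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]


def requesters(lines):
    """Map each source MAC to the sorted set of 'tell' addresses it asked on
    behalf of: one MAC speaking for many gateways is a CMTS or router, not a
    crowd of customers."""
    groups = defaultdict(set)
    for e in parse_arp_requests(lines):
        groups[e["smac"]].add(e["sender"])
    return {mac: sorted(senders) for mac, senders in groups.items()}


if __name__ == "__main__":
    for mac, senders in requesters(SAMPLE_CAPTURE).items():
        print(f"{mac} ({vendor(mac)}) asks on behalf of {', '.join(senders)}")
    stray, gateway = "00:01:5c:66:c0:04", "00:01:5c:66:c0:46"
    print("same OUI:", same_oui(stray, gateway), "distance:", last_octet_distance(stray, gateway))
```

    A shared OUI and a small last-octet distance are consistent with two ports of the same ISP chassis, as the post concludes, but only consistent with it: the OUI says who made the hardware, not who operates it, so the ISP ticket the moderator suggests is still the way to confirm.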