Requests from 172.18.240.1 on WAN - private IP



  • Hi,

    I am using pfSense 2.0.1 on a business cable line with a static, public IP (my own /30 net).
For some days now, there have been thousands of blocked requests (~1.8 GB) from IP 172.18.240.1:67 to 255.255.255.255:68.

    Is there somebody flooding the network with DHCP offers?
    Does the provider distribute IPs now?
    Why would somebody send dozens of DHCP offers per second?

    Chris
    ![Bildschirmfoto 2012-02-19 um 23.20.38.png](/public/imported_attachments/1/Bildschirmfoto 2012-02-19 um 23.20.38.png)



  • On cable you're on a gigantic broadcast domain so you see thousands of hosts' DHCP traffic. Just add a rule on WAN to block it without logging enabled so your firewall rules aren't filled with junk.


  • LAYER 8 Global Moderator

    The built-in "block private networks" option should be blocking that traffic and not logging it.  You shouldn't have to create a special rule - just turn that on.



  • The built-in rule is turned on but it seems to be logging it anyway.

    I am just wondering why there's two gig of blocked traffic in one week compared to 100mb over the last 5 months.
    Somebody accidentally flooding the network?


  • LAYER 8 Global Moderator

    how exactly are you calculating 1.8GB?

    I would capture a few of them and look to see if it is all for the same host?  Then contact your ISP about it.

    But as stated, you're going to see those if you don't have a rule not to log them.  It's broadcast traffic so kind of hard not to see it, but if after looking at the packets you see it repeated to the same client, etc.  Then yeah, report it to your ISP.

    If you think dhcp packets are bad – take a look at the amount of arp traffic ;)



    The 1.8 GB are shown in the RRD graphs - screenshot attached.

    All of the packets are like the ones on the screenshot at the first posts.
    Or do you think I should use packet capturing?

    ![Bildschirmfoto 2012-02-20 um 15.38.44.png](/public/imported_attachments/1/Bildschirmfoto 2012-02-20 um 15.38.44.png)


  • LAYER 8 Global Moderator

    I would grab some packets - so you can see the details of what are in them.

    For example - see below, I captured a couple that my pfSense is seeing, but not logging.  You shouldn't really be logging noise like broadcast DHCP traffic.

    But if you see it's all really to one or 2 clients - you can bring this to your ISP's attention that there is something wrong.  But if it's all different clients, what are the leases being handed out.. Are they for like 1 minute or something..

    The more info you can give your ISP the better.  Maybe they just have a LARGE broadcast domain, if they would lower that you would see less traffic.  Or maybe it's a problem with a client that is requesting and never accepting, etc..

    What graph are you looking at, day, month – so for last month I see the attached.  Then see the oldest that shows a total of 36GB..  But that is not just broadcast traffic, etc..  So how do you know that 1.8GB is just from this storm.. How long has the dhcp storm been running.  And what period graph are you looking at?








  • @johnpoz:

    I would grab some packets - so you can see the details of what are in them.

    done, you can see the results attached.

    @johnpoz:

    But if you see it's all really to one or 2 clients - you can bring this to your ISP's attention that there is something wrong.  But if it's all different clients, what are the leases being handed out.. Are they for like 1 minute or something..
    The more info you can give your ISP the better.  Maybe they just have a LARGE broadcast domain, if they would lower that you would see less traffic.  Or maybe it's a problem with a client that is requesting and never accepting, etc..

    yeah, I wanted to gather some information before talking to my ISP

    @johnpoz:

    What graph are you looking at, day, month – so for last month I see the attached.  Then see the oldest that shows a total of 36GB..  But that is not just broadcast traffic, etc..   So how do you know that 1.8GB is just from this storm.. How long has the dhcp storm been running.  And what period graph are you looking at?

    this was a weekly graph.
    the storm started one week ago. before the storm, there was max 1 MB blocked traffic/day, now it's 400 MB/day!
    looking at the log files and the packet capture I can't think of any other source causing the enormous traffic amount.

    attached, there is a part of the packet capture.
    the other packets all look the same.
    (same offered IP, same lease time, …)

    ![Bildschirmfoto 2012-02-20 um 19.54.44.png](/public/imported_attachments/1/Bildschirmfoto 2012-02-20 um 19.54.44.png)
    ![Bildschirmfoto 2012-02-20 um 19.55.07.png](/public/imported_attachments/1/Bildschirmfoto 2012-02-20 um 19.55.07.png)



  • Cable companies generally assign private space IPs to the cable modem itself for administration from their people. If you were to do a ping of say /24 you would probably see a multitude of addresses live in that subnet. Some of them will have the same web GUI available at their address that you can access at 192.168.100.1 …  That server also gives out your public IP to the client side of the modem. Either the router in the modem (if it's a gateway) or the client device behind the modem.

    I get the same from 10.28.0.1 here.


  • LAYER 8 Global Moderator

    so that is an offer and not an ack.

    Same client MAC address in every packet?  I tried looking up 08-10-75, cannot find what company owns that?

    So for example in the packets I saw the client was an SMC device
    http://www.coffer.com/mac_find/?string=0013f7

    Are you seeing the discover packets as well?  If it's all the same client getting the offer - you could have a problem with a client that is just not accepting the IP being offered and keeps sending the discover, so the server just keeps sending more offers.



  • Oh, yeah the default block private networks rule logs, you have to create your own block private networks rule and block the DHCP above that without logging and disable the default block private networks to not log that traffic.



  • A few dozen MB a day is all that's normal and typical for the DHCP noise, maybe up to 100-200 MB on ISPs with short lease lengths and large broadcast domains. Multiple GB not likely to be all DHCP noise, something else getting blocked too.
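The checks johnpoz asks for (offer vs. ack, whether every packet goes to the same client MAC, whether any discover/request is ever seen) and cmb's sanity check on volume (how many bytes per day the blocked DHCP actually accounts for) can be done mechanically once the packets are captured. The following is an added example, not code from the thread or from pfSense: a minimal BOOTP/DHCP payload parser plus a per-client summary. The capture it runs on is constructed inline (one locally administered client MAC, the 172.18.240.1 server address from the thread, a documentation-range offered IP and a 3600 s lease, all invented for the example); the 42-byte Ethernet/IPv4/UDP framing overhead used for the byte estimate is an assumption.

```python
"""Added example (not from the thread): classify DHCP server traffic seen on a
WAN capture and summarise it per client MAC.  Only the UDP payload (BOOTP/DHCP,
RFC 2131) is parsed; the packets below are constructed test data."""
import ipaddress
import struct
from collections import Counter, defaultdict

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Assumed per-packet framing overhead: Ethernet (14) + IPv4 (20) + UDP (8), no VLAN tag.
L2_L3_OVERHEAD = 42


def build_dhcp(op, msg_type, chaddr, yiaddr, server_ip, lease, xid=0x1234):
    """Build a minimal BOOTP/DHCP payload (used here only to make test data)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,                 # htype=Ethernet, hlen=6, broadcast flag
        b"\0" * 4, yiaddr.packed, server_ip.packed, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (DHCP_MAGIC
               + bytes([53, 1, msg_type])                     # option 53: message type
               + bytes([51, 4]) + struct.pack("!I", lease)    # option 51: lease time
               + bytes([54, 4]) + server_ip.packed            # option 54: server identifier
               + b"\xff")                                     # end option
    return header + options


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP payload into the fields the thread cares about."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))          # offered/assigned address
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])    # client hardware address
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:                # 255 = end option
        if payload[i] == 0:                                      # 0 = pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN")
    lease = struct.unpack("!I", options[51])[0] if 51 in options else None
    server = str(ipaddress.IPv4Address(options[54])) if 54 in options else None
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr,
            "type": msg_type, "lease": lease, "server": server}


def summarise(capture):
    """capture: list of (timestamp_seconds, dhcp_payload_bytes) in time order."""
    by_type, per_client = Counter(), defaultdict(Counter)
    offers_seen = defaultdict(set)          # mac -> {(offered ip, lease)}
    servers, total_bytes = set(), 0
    for _ts, raw in capture:
        p = parse_dhcp(raw)
        by_type[p["type"]] += 1
        per_client[p["mac"]][p["type"]] += 1
        if p["type"] in ("OFFER", "ACK"):
            offers_seen[p["mac"]].add((p["yiaddr"], p["lease"]))
        if p["server"]:
            servers.add(p["server"])
        total_bytes += len(raw) + L2_L3_OVERHEAD
    span = capture[-1][0] - capture[0][0] if len(capture) > 1 else 0.0
    # Clients that are only ever sent to (OFFER/ACK) but never heard from
    # (DISCOVER/REQUEST) on this segment: the pattern described in the thread.
    silent_clients = sorted(mac for mac, c in per_client.items()
                            if (c["OFFER"] + c["ACK"]) and not (c["DISCOVER"] + c["REQUEST"]))
    return {
        "by_type": dict(by_type),
        "per_client": {m: dict(c) for m, c in per_client.items()},
        "identical_offers": {m: len(s) == 1 for m, s in offers_seen.items()},
        "private_servers": sorted(s for s in servers if ipaddress.ip_address(s).is_private),
        "silent_clients": silent_clients,
        "total_bytes": total_bytes,
        "projected_bytes_per_day": int(total_bytes * 86400 / span) if span else None,
    }


def sample_capture():
    """Constructed capture: 20 server messages in 9.5 s to one client MAC,
    every fourth an ACK, identical offered IP and lease, no client messages."""
    client = bytes.fromhex("020000000001")              # locally administered, constructed
    server = ipaddress.IPv4Address("172.18.240.1")      # the private source from the thread
    offered = ipaddress.IPv4Address("203.0.113.77")     # constructed (documentation range)
    pkts = []
    for i in range(20):
        msg_type = 5 if i % 4 == 3 else 2               # 5 = ACK, 2 = OFFER
        pkts.append((i * 0.5, build_dhcp(2, msg_type, client, offered, server, 3600)))
    return pkts


if __name__ == "__main__":
    for key, value in summarise(sample_capture()).items():
        print(f"{key}: {value}")
```

On a real capture you would feed `summarise` the UDP payloads and timestamps of the port 67 to 68 packets taken off the WAN interface. A non-empty `silent_clients` list with `identical_offers` true for that MAC is exactly the "server keeps offering, client never answers" situation discussed above, and `projected_bytes_per_day` is the number to compare against cmb's expectation of a few dozen MB per day for ordinary DHCP noise.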



  • @johnpoz:

    so that is an offer and not an ack.

    found some acks now too.

    @johnpoz:

    Same client MAC address in every packet?  I tried looking up 08-10-75, cannot find what company owns that?

    yes, same client MAC in all offers and acks.
    I already tried looking up the MAC … no success.
    The cable company uses Arris modems - they're on the list.

    @johnpoz:

    Are you seeing the discover packets as well?  If it's all the same client getting the offer - you could have a problem with a client that is just not accepting the IP being offered and keeps sending the discover, so the server just keeps sending more offers.

    no discover and no request packets.

    @chpalmer:

    Cable companies generally assign private space IPs to the cable modem itself for administration from their people. If you were to do a ping of say /24 you would probably see a multitude of addresses live in that subnet. Some of them will have the same web GUI available at their address that you can access at 192.168.100.1 …  That server also gives out your public IP to the client side of the modem. Either the router in the modem (if it's a gateway) or the client device behind the modem.

    As I have my own /30 subnet my modem got a public IP too. I can reach the admin interface there.
    I don't know how this is handled at domestic lines.

    @cmb:

    A few dozen MB a day is all that's normal and typical for the DHCP noise, maybe up to 100-200 MB on ISPs with short lease lengths and large broadcast domains. Multiple GB not likely to be all DHCP noise, something else getting blocked too.

    I already double-checked the values. The blocked traffic is DHCP only!

    Overall I think that's irregular behaviour as the MAC addresses are always the same ones.
    I'll send the data to the ISP - looking forward to the result  :)



  • As I have my own /30 subnet my modem got a public IP too. I can reach the admin interface there.
    I don't know how this is handled at domestic lines.

    You probably have a "gateway" style modem then (one that has its own router)?  Your modem will still have a hidden private address for use by the cable company. It's how they would restart your modem remotely, among other things…

    If you look at that subnet (the 172.x.x.x) you will probably find multiple clients that you can reach and see all your neighbors' web GUIs on their modems as well as yours.

    It's the network that the modem goes out on to get its config file, etc.  Since it's a shared network, you will see all kinds of multicast traffic.

    I'm betting here I see 2 or more GB of traffic monthly just from Asia that gets blocked...

