Unusual DHCPD startup function.

  • Hi All,

    My company experienced an unusual occurrence last night.

    Upon failure of a routing component provided by our data centre, our network administrator logged on to our rack firewall (which also functions as a gateway), suspecting this to be the issue.

    Upon logging on he noticed an unusually high cpu load, as well as some 'unusual' logged activity which can be seen in the attached image.

    Our primary concern is if this DHCPD initialisation is a legitimate firewall action, and if so why would it happen?

    Relevant Notes

    • Firewall WAN and LAN both using static IP
    • The WAN and LAN interfaces are bridged
    • DHCP is disabled in the firewall GUI (we do not assign LAN addresses from this device)
    • The Cisco router that the pfSense box is connected to had a brief outage
    • The firewall did not restart
    • We spotted a /tmp/dhcpd.sh and tcpdump running at the same time as all this.

    If anyone has 5 minutes to rack their brains over this it would be much appreciated :)

    Thanks folks.

    ![Screen Shot 2012-08-23 at 10.50.45.png](/public/imported_attachments/1/Screen Shot 2012-08-23 at 10.50.45.png)

  • Checked a clean VM install:
    /tmp/dhcpd.sh on my system looks exactly like "the unusual activity" and tcpdump is also running (on the pflog0 interface).

    Don't know what you're looking for, but did you actually see dhcpd started? Where did you see this unusual activity?

  • Thanks for the feedback guys, it's much appreciated.

    The confusion over this comes from the fact that all DHCP services were disabled within the GUI, which raises the question why is dhcpd being initialised?

    Evidence of this happening was found within a dhcpd log sitting within the firewall's tmp directory. The timestamp attached to the dhcpd startup in the logs coincided with the high CPU load discovered on the firewall.
