Thursday 3 May 2018

security - dhcp.lease showing strange entries



lease 172.16.0.174 {
  starts 2 2011/11/22 10:23:11;
  ends 3 2011/11/23 10:23:11;
  binding state active;
  next binding state free;
  hardware ethernet 6c:50:4d:0e:c8:c0;
  uid "\000cisco-6c50.4d0e.c8c0-Vl1";
  client-hostname "Switch";
}

cat /var/lib/dhcpd/dhcpd.leases | grep cisco -A 3 -B 6 | grep lease | wc
   1190    3570   24990


Found some very strange entries in our dhcpd.leases file. All from the same MAC address. It queries for all available IPs. It will get a new lease every second. It has now done the same thing 4 times on the network. As you can see from the cat entry, that is 1190 entries all linked to the same MAC address, all since 9:30am this morning.


I expect our network is being scanned for available IPs.



  • What can I do to find out where this device is and what it is doing?

  • Does anybody know of some vulnerability scanners that would do this?

  • Does anybody know of a way to track this device?

  • To see traffic coming to or from that device.

  • A way to block that MAC address on our network.


I cleaned out the lease file and restarted the dhcpd server; within 20 minutes we had another 120 entries.
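As an added example (not part of the question or the answer), a small Python script that parses the ISC dhcpd.leases format shown above and reports, per hardware address, how many distinct IPs it holds and how fast it took them, turning the one-off grep | wc count into a repeatable check. The lease data is constructed from the entry in the question, and the threshold of five addresses per client is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in ISC dhcpd.leases format, modelled on the entry in the question:
# one MAC taking consecutive addresses a second apart, plus one normal client.
SAMPLE_LEASES = """\
lease 172.16.0.174 {
  starts 2 2011/11/22 10:23:11;
  ends 3 2011/11/23 10:23:11;
  binding state active;
  hardware ethernet 6c:50:4d:0e:c8:c0;
  uid "\\000cisco-6c50.4d0e.c8c0-Vl1";
  client-hostname "Switch";
}
lease 172.16.0.175 {
  starts 2 2011/11/22 10:23:12;
  binding state active;
  hardware ethernet 6c:50:4d:0e:c8:c0;
}
lease 172.16.0.50 {
  starts 2 2011/11/22 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
"""

# One "lease <ip> { ... }" block per match; re.S lets the body span lines.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Yield (ip, mac, starts) for every lease block; blocks without a MAC are skipped."""
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        starts = re.search(r"starts\s+\d\s+(\S+ \S+);", body)  # "starts <weekday> YYYY/MM/DD HH:MM:SS"
        if mac and starts:
            yield ip, mac.group(1).lower(), datetime.strptime(starts.group(1), "%Y/%m/%d %H:%M:%S")

def per_mac_stats(text):
    """Map MAC -> (distinct IPs held, leases per second between its first and last lease)."""
    ips, times = defaultdict(set), defaultdict(list)
    for ip, mac, t in parse_leases(text):
        ips[mac].add(ip)
        times[mac].append(t)
    stats = {}
    for mac in ips:
        span = (max(times[mac]) - min(times[mac])).total_seconds()
        stats[mac] = (len(ips[mac]), (len(times[mac]) - 1) / span if span else 0.0)
    return stats

def flag_greedy_clients(text, max_ips=5):
    """MACs holding more addresses than a normal client would (assumed threshold): the ones to locate on the switch."""
    return sorted(mac for mac, (n, _) in per_mac_stats(text).items() if n > max_ips)
```

Point it at /var/lib/dhcpd/dhcpd.leases and the flagged MACs are the ones to chase through the switch mac-address-table.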



Answer



To track this down, check your switches. Start with the switch the dhcp server is attached to. If you are using Cisco switches, then do


show mac-address-table | inc 6c50.4d0e.c8c0

This will display the ports that the mac address has been seen on. If it is a straight switch port, then find out what is plugged into it.


If it is a trunk port, or otherwise connected to another switch, then go to that switch and repeat the process. Eventually you will find the device issuing the dhcp requests.


The rogue switch idea is a possibility. If you are using ip helper (dhcp relay) on a vlan, and the switch is incorrectly substituting its own mac address in the dhcp payload (not the ethernet header) then it would look exactly like this. However, given that you have blocked the mac in iptables, if this was the case, you would have a whole segment of your network unable to get ip addresses. You'd probably know about it by now.

