
Something weird happened today. We have a TP-LINK wifi router in our office distributing a pool of IPs 192.168.80-200. There are some windows and some linux boxes.

One of the linux boxes (CentOS) today booted up with IP 192.168.25.X.

I tried renewing the lease on my PC (Ubuntu) expecting to get 192.168.1.X, but here is what happened:

$ sudo dhclient -r
$ sudo dhclient eth0
(long wait)
$ ifconfig eth0
inet addr:192.168.25.251

After a few minutes I renewed it again and it came with the correct 192.168.1.81 (and from that point on it is staying correct in every renewal).
Where did that other network come from?
Later I remembered I could add -v to dhclient to see some more verbose info, especially which DHCP server responded to my request.

Could it be another DHCP server in our network I'm not aware of? I tried looking in /var/lib/dhcp leases but couldn't find traces of the 25th network.

It seems the windows PCs are not affected, only the linux boxes.

  • Addition: It seems the DHCP server started serving only correct IPs after its "SPI firewall" setting was turned off. Could it be a TP-LINK related issue? – Ivan Petrushev Feb 26 '13 at 08:26
  • release your lease, run a `tcpdump port 67 or port 68`, start dhclient again and see if an unexpected server is answering your DHCP DISCOVER requests with DHCP OFFER responses and an address from the 192.168.25.0/24 network. The reason why it *normally* works could be because your TP-LINK router usually responds faster but failed to do so at one time or the other. – the-wabbit Feb 26 '13 at 08:34
  • This is a very good idea. Currently I can't see anything other than the TP-LINK answering with DHCP OFFER. Maybe the hypothetical rogue server is turned off right now. If the situation arises once more I will try your suggestion. Add it as an answer and I will accept it. – Ivan Petrushev Feb 26 '13 at 12:52

2 Answers

For Windows hosts, you could try the DHCPloc utility which is also available as part of the Support Tools package from the Windows installation CD/DVD:

This utility also serves as a great security application as it can detect the presence of unauthorized DHCP servers on your network. This is a great way of eliminating rogue routers and access points that may be sourcing DHCP packets.

Syntax:

dhcploc /p /a:"AlertNameList" /i:AlertInterval ComputerIPAddress [ValidDHCPServerList] 

then you'll know.

the-wabbit
Grizly
  • Although I see you run Linux, this is an underrated tool. Do the tcpdump method in the comments above. – Grizly Feb 26 '13 at 09:59

The reason why your hosts normally get addresses from the correct scope and only occasionally from the rogue scope could be because your TP-LINK router usually responds faster but failed to do so at one time or the other.

To locate rogue servers you could:

  1. release the client lease
  2. run a tcpdump port 67 or port 68 at the client side
  3. start dhclient again and see if an unexpected server is answering your DHCP DISCOVER requests with DHCP OFFER responses and an address from the 192.168.25.0/24 network
  4. note this server's MAC address and locate the switch port connecting it using the FDB / MAC address table lookup from your switches' management interface
the-wabbit
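Step 3 of the answer above (and the same suggestion in the comments) is a manual inspection of the OFFERs that come back after a DISCOVER. The following script is an added example, not code from the answer author or from any TP-LINK tooling: it parses the UDP payload of a DHCP message (RFC 2131 fixed header plus options 53 and 54) and flags an OFFER whose server identifier is not in an allowlist, whose offered address is outside the expected scope, or whose transaction ID does not match the DISCOVER you sent. The two sample OFFERs are constructed inline; the trusted server address 192.168.1.1 and the client MAC are assumptions, since the question does not state the router's address. In practice the payloads would come from the capture made with tcpdump (for example `tcpdump -w offers.pcap port 67 or port 68`, then reading the UDP payloads from that file).

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def build_offer(xid: int, offered_ip: str, server_ip: str, chaddr: bytes) -> bytes:
    """Build a minimal DHCPOFFER UDP payload. Constructed sample data, not captured traffic."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                  # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                              # xid, secs, flags (broadcast bit set)
        b"\0" * 4,                                   # ciaddr
        ipaddress.IPv4Address(offered_ip).packed,    # yiaddr: the address being offered
        ipaddress.IPv4Address(server_ip).packed,     # siaddr
        b"\0" * 4,                                   # giaddr
        chaddr.ljust(16, b"\0"),                     # client hardware address, padded
        b"\0" * 64, b"\0" * 128,                     # sname, file
    )
    options = (
        b"\x35\x01\x02"                                          # 53: message type = OFFER
        + b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed  # 54: server identifier
        + b"\x01\x04" + b"\xff\xff\xff\x00"                      # 1: subnet mask
        + b"\x33\x04" + struct.pack("!I", 86400)                 # 51: lease time
        + b"\xff"                                                # end option
    )
    return header + MAGIC_COOKIE + options

def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields needed to judge an OFFER: op, xid, yiaddr, chaddr, type, server id."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = payload[0]
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + payload[2]]             # hlen tells how many chaddr bytes are used
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0xff:                             # end of options
            break
        if code == 0:                                # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    sid = options.get(54)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": yiaddr,
        "chaddr": chaddr.hex(":"),
        "msg_type": options.get(53, b"\0")[0],
        "server_id": str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None,
    }

def check_offer(msg: dict, trusted_servers: set, expected_network: str, discover_xid=None) -> list:
    """Return the reasons an OFFER looks rogue; an empty list means it is consistent with the expected server and scope."""
    if msg["op"] != 2 or msg["msg_type"] != 2:
        return ["not a DHCPOFFER"]
    reasons = []
    if msg["server_id"] not in trusted_servers:
        reasons.append(f"unexpected server identifier {msg['server_id']}")
    if ipaddress.IPv4Address(msg["yiaddr"]) not in ipaddress.IPv4Network(expected_network):
        reasons.append(f"offered address {msg['yiaddr']} outside {expected_network}")
    if discover_xid is not None and msg["xid"] != discover_xid:
        reasons.append("xid does not match our DISCOVER")
    return reasons

# Assumptions for this example: the TP-LINK router is 192.168.1.1 and the scope is 192.168.1.0/24.
TRUSTED_SERVERS = {"192.168.1.1"}
EXPECTED_NETWORK = "192.168.1.0/24"
CLIENT_MAC = bytes.fromhex("001122334455")           # constructed client MAC
DISCOVER_XID = 0x1234ABCD                            # constructed xid of the DISCOVER we sent

# Two constructed OFFERs: one from the router, one from an unknown server on 192.168.25.0/24.
SAMPLES = {
    "tplink": build_offer(DISCOVER_XID, "192.168.1.81", "192.168.1.1", CLIENT_MAC),
    "rogue": build_offer(DISCOVER_XID, "192.168.25.251", "192.168.25.1", CLIENT_MAC),
}

def audit(samples=SAMPLES) -> dict:
    """Map each captured OFFER to its list of findings."""
    return {name: check_offer(parse_dhcp(p), TRUSTED_SERVERS, EXPECTED_NETWORK, DISCOVER_XID)
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The server identifier (option 54) is the value to act on: it is the address the rogue server wants clients to talk to, and the source MAC of the frame carrying that OFFER is what you look up in the switch FDB in step 4. Checking the xid as well rules out OFFERs that belong to some other client's exchange and happened to land in the same capture.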