[c-nsp] DHCP Binding Expiration

Lamar Owen lowen at pari.edu
Mon Feb 9 20:22:14 EST 2009


On Monday 09 February 2009 12:50:54 Justin Shore wrote:
> Manaf Al Oqlah wrote:
> > The problem is that I still can see  some
> > clients IP addresses lease expiration are Infinite in the DHCP binding!
> > what could be the reason for this behavior and could be this some sort of
> > attack!!
>
> I get them too.  I never have figured out what causes them.  So far it
> hasn't been a big deal for me.

BOOTP.

BOOTP clients can bring any DHCP server to its knees, especially if the BOOTP 
client is badly coded.  For instance, I run a Smoothwall Advanced Firewall 
here in a testing mode (I'm tech support for the local reseller), and I 
started noticing all of the sudden that ALL of the leases were taken, and most 
were clients with an UNKNOWN expiry.  I looked closely, and the MAC addresses 
were sequential, and there were right at 100 of them.

Tracked it down to, believe it or not, a Catalyst 8540MSR switch, which was 
requesting via BOOTP for every single one of its MACs.


More information about the cisco-nsp mailing list