I asked this here; it was requested that I move it to this forum instead.
I have a question that I need some counsel on concerning DHCP and what may happen in a certain situation.
I have a case where a DHCP server started handing out IP addresses to devices that otherwise had reservations, ignoring the fact that the reservations were there.
Server is an x64 2008R2 Standard install, serving as a domain controller.
When it would hand out an IP, I would see that the "Unique ID" was the same MAC address for which I had a reservation configured, and the end device would get the IP it showed coming from my dynamic pool, not the one reserved.
Rebooting the server cleared this condition, and all reservations worked properly afterward.
Having never seen this type of behavior, in this network or any other, I started trying to figure out what may have caused it to begin with: software error, incorrect configuration, etc.?
Then it occurred to me I had been working on some IP phones not long before it happened, two of which have incurred some sort of internal failure that resulted in their MAC address being set to FF:FF:FF:FF:FF:FF.
These devices would have requested an IP with both a source and destination address of the same thing, and that address is the network broadcast.
They did not successfully pull an IP address and reported DHCP failure, so I set a static IP on one and scanned it with NMAP to see if it was up, and that is when I noticed it report its MAC as FF:FF:FF:FF:FF:FF (Unknown). I repeated the process with the second dead device and received the same results, and had not considered what the effects could potentially have been on the network when it was attached.
So to make a short story long, what would the effect be in that environment of requesting an IP for a broadcast address? Would it have sent out DHCP offers to anything listening? Could it have freaked out the database that managed the pool?
Did I shoot myself in the foot, or was this looking for a problem to fit the symptom?
It would seem that if this would cause the mayhem I saw, that it would be a glaring DOS attack vector, and I cannot be the first one to have crossed it or have asked how to protect against it.
I had also considered what happens if the server was responding to the request trying to tell FF:FF:FF:FF:FF:FF that its IP was x.x.x.x, and the next one requesting may have intercepted the incorrect message, in some sort of race condition, believing it was receiving a solicited response? (Is that even possible?)
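Whatever the server did with it, the first thing a defender wants is a way to spot a client presenting an impossible hardware address before it reaches the lease database. The script below is an added example, not code from the original post: it parses the BOOTP/DHCP fixed header and the options a Windows DHCP server keys reservations on (chaddr, and option 61 if present), and flags a chaddr that is the broadcast address, all zeros, or has the Ethernet group bit set. The DISCOVER packets it audits are constructed inline; the function names (`parse_dhcp`, `chaddr_problems`, `build_discover`, `audit`) are my own, and it assumes you already have the UDP payload (for instance from a packet capture on the DHCP server or a span port).

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROADCAST_MAC = bytes.fromhex("ffffffffffff")
MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options in a BOOTP frame
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpMessage:
    op: int
    htype: int
    hlen: int
    xid: int
    flags: int
    chaddr: bytes                 # client hardware address, trimmed to hlen
    message_type: Optional[int]   # option 53
    client_id: Optional[bytes]    # option 61, raw (type byte + identifier)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the UDP payload of a DHCP message (BOOTP header + options)."""
    if len(payload) < 240:
        raise ValueError("too short for a BOOTP/DHCP message")
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr/yiaddr/siaddr/giaddr occupy bytes 12..28; chaddr is the 16 bytes after them
    chaddr = payload[28:28 + min(hlen, 16)]
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    message_type = None
    client_id = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            message_type = value[0]
        elif code == 61:
            client_id = value
        i += 2 + length
    return DhcpMessage(op, htype, hlen, xid, flags, chaddr, message_type, client_id)


def chaddr_problems(msg: DhcpMessage) -> List[str]:
    """Return reasons this client's hardware address could never belong to a real NIC."""
    problems = []
    if msg.htype == 1 and msg.hlen != 6:
        problems.append("hlen is not 6 for an Ethernet client")
    mac = msg.chaddr
    if mac == BROADCAST_MAC:
        problems.append("chaddr is the broadcast address")
    elif mac == bytes(len(mac)):
        problems.append("chaddr is all zeros")
    elif mac and mac[0] & 0x01:
        problems.append("chaddr has the group (multicast) bit set")
    # Option 61 type 1 means "Ethernet MAC follows"; it should agree with chaddr
    if msg.client_id is not None and msg.client_id[:1] == b"\x01" and msg.client_id[1:] != mac:
        problems.append("option 61 client identifier does not match chaddr")
    return problems


def build_discover(mac: bytes, xid: int = 0x12345678) -> bytes:
    """Construct a minimal DHCPDISCOVER with the broadcast flag set (test input only)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    addrs = bytes(16)                                  # ciaddr, yiaddr, siaddr, giaddr
    chaddr = mac.ljust(16, b"\x00")
    options = bytes([53, 1, 1]) + bytes([61, 7, 1]) + mac + bytes([255])
    return header + addrs + chaddr + bytes(64) + bytes(128) + MAGIC_COOKIE + options


def audit(payloads: List[bytes]) -> List[Tuple[int, str, List[str]]]:
    """Audit a list of DHCP payloads; return (xid, message type, problems) per message."""
    results = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        results.append((msg.xid, MESSAGE_TYPES.get(msg.message_type, "?"), chaddr_problems(msg)))
    return results


if __name__ == "__main__":
    # Constructed sample: one healthy phone and one whose MAC has become all-FF
    samples = [build_discover(bytes.fromhex("001122334455"), xid=1),
               build_discover(BROADCAST_MAC, xid=2)]
    for xid, kind, problems in audit(samples):
        print(f"xid={xid} {kind}: {problems or 'ok'}")
```

Run against a capture taken on the server's listening interface, this lets you correlate a burst of reservation misses with the exact transaction IDs whose chaddr could not have come from a working NIC, which is the evidence you would want before blaming the lease database.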