At wit's end....(can't find dhcp leases)

Glenn Satchell Glenn.Satchell at uniq.com.au
Fri Sep 14 14:48:02 UTC 2007


You could try using shorter lease times, then you'd have more frequent
ack messages in the logs.

Unfortunately, dhcp is not a security tool. For example, if someone
manually configures an IP address on their client, there's nothing to
be found in the leases or log files, as dhcp didn't allocate that
address.

regards,
-glenn

>Date: Fri, 14 Sep 2007 10:38:13 -0400
>From: "Brian Johnson" <voyager.106 at gmail.com>
>To: dhcp-users at isc.org
>Subject: Re: At wit's end....(can't find dhcp leases)
>
>Thank you to the two people who've responded. I appreciate your taking the
>time.
>
>I'd actually started writing the email a few days ago and didn't get
>to finish it till this morning, as I waited for my English Muffin to
>toast. In doing so, I actually left out an important detail I'd
>initially meant to include.
>
>As was mentioned in the below email, we use our logs quite a bit for
>finding information on ip addresses. We keep approximately 2 weeks
>worth of logs. The problem we're having is, we have neither lease NOR
>log information on some ip addresses at a given time they're
>supposedly on the network. For example, we might be told that an ip
>address 10.1.1.100 was doing something bad on 09/13/2007 17:00:00 EDT.
>Then we go looking in the leases file and find out that the closest
>lease for that ip address on that day ended at 19:45:00 GMT (15:45:00
>EDT) and the next lease for it didn't start until 22:30:00 GMT
>(18:30:00 EDT). So, given the lack of valid lease information for that
>ip address at that time, we will then go to the log files to see what
>we can find. Oftentimes we can find dhcpacks for the user prior to
>the timestamp of the infraction, and dhcpacks for the user after the
>infraction, which gives reason to believe the person had the ip
>address at the time of the infraction, but leaves reasonable doubt.
>Obviously, if we accuse someone of wrongdoing, we need to make sure
>that all of our ducks are in a row and we should be able to show exactly
>why we believe what we do....
>
>Brian
>
>Looking in the log files, we're seeing information consistent with
>what we're seeing in the leases file --
>
>On 9/14/07, Bruce Hudson <Bruce.Hudson at dal.ca> wrote:
>>
>> > My problem is this, and it's driving me crazy. Occasionally, we have
>> > reason to go back and identify the mac address of a particular ip
>> > address at a specific time. The obvious place to find this information
>> > is in the leases file. However, it seems more and more often, we're
>> > unable to find a lease for a particular ip address at the given time.
>> > So, my question is twofold -- is anyone else seeing this particular
>> > issue? And if so, are there any ideas why we might be seeing it? I
>> > have some theories, but can't find anything on the internet to support
>> > them.
>>
>>     The lease file only holds the information the server needs to do its
>> job consistently across program restarts. It records active leases and it
>> remembers the last IP address given to each identifier so that the server
>> can give clients a consistent address if possible but this information is
>> lost as soon as somebody else is given that address.
>>
>>     In addition, because the lease file is a text file with an "append
>> and periodic rewrite", it does contain short-term historical information
>> until it's rewritten.
>>
>>     We, as I suspect most people do, scrape historical information out
>> of the log files and store it.
>> --
>> Bruce A. Hudson                         | Bruce.Hudson at Dal.CA
>> UCIS, Networks and Systems              |
>> Dalhousie University                    |
>> Halifax, Nova Scotia, Canada            | (902) 494-3405
>>
>>
>
>
>-- 
>Brian Johnson
>"And I will be even more undignified than this, and will be humble in
>my own sight." (2 Samuel 6:22)
>
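
The correlation the thread describes, as an added example that is not code from this list or from ISC: parse a dhcpd.leases excerpt (lease times are UTC by default) and syslog DHCPACK lines (local time, no year), then ask which MAC held an IP at a given instant. When no lease covers the instant, it falls back to the "bracketing ACKs" argument Brian uses and labels that verdict as circumstantial; a statically configured host, Glenn's point, simply comes back "unknown". The leases and log lines below are constructed, the EDT fixed offset and the 2007 year are assumptions supplied by the caller, and the record layouts are taken from standard dhcpd output.

```python
"""Which MAC held an IP at time T, from dhcpd.leases plus syslog DHCPACKs.

Added example (not from the thread or ISC). Assumptions:
  - dhcpd.leases uses the default UTC db-time-format
  - syslog lines carry local time and no year, so the caller passes both
  - sample data below is constructed to mirror the times in the thread
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EDT = timezone(timedelta(hours=-4))  # assumed local zone of the syslog host

# Constructed dhcpd.leases excerpt: lease gap between 19:45 and 22:30 UTC.
SAMPLE_LEASES = """\
lease 10.1.1.100 {
  starts 4 2007/09/13 15:45:00;
  ends 4 2007/09/13 19:45:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.1.100 {
  starts 4 2007/09/13 22:30:00;
  ends 5 2007/09/14 02:30:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.1.1.101 {
  starts 4 2007/09/13 20:00:00;
  ends 5 2007/09/14 00:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
"""

# Constructed syslog excerpt in local (EDT) time, as BSD syslog writes it.
SAMPLE_SYSLOG = """\
Sep 13 11:45:01 dhcp1 dhcpd: DHCPACK on 10.1.1.100 to 00:11:22:33:44:55 (pc-brian) via eth0
Sep 13 16:00:00 dhcp1 dhcpd: DHCPACK on 10.1.1.101 to aa:bb:cc:dd:ee:ff via eth0
Sep 13 18:30:07 dhcp1 dhcpd: DHCPACK on 10.1.1.100 to 00:11:22:33:44:55 (pc-brian) via eth0
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STARTS_RE = re.compile(r"\bstarts\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
ENDS_RE = re.compile(r"\bends\s+\d\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});")
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F:]{17});")
ACK_RE = re.compile(
    r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})"
)


def _lease_time(s):
    """Lease timestamps are UTC unless 'db-time-format local' is set."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=UTC)


def parse_leases(text):
    """Return lease records; entries without a MAC (free/abandoned) are skipped."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac, starts, ends = MAC_RE.search(body), STARTS_RE.search(body), ENDS_RE.search(body)
        if not (mac and starts):
            continue
        end = _lease_time(ends.group(1)) if ends else datetime.max.replace(tzinfo=UTC)  # "ends never;"
        leases.append({"ip": ip, "mac": mac.group(1).lower(),
                       "starts": _lease_time(starts.group(1)), "ends": end})
    return leases


def parse_acks(text, year, local_tz):
    """Return DHCPACK events with timestamps normalised to UTC."""
    acks = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mon, day, clock, ip, mac = m.groups()
        local = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        acks.append({"ts": local.replace(tzinfo=local_tz).astimezone(UTC), "ip": ip, "mac": mac.lower()})
    return acks


def who_had(ip, when, leases, acks):
    """Evidence for the MAC holding `ip` at aware datetime `when`.

    verdict: 'lease' (a lease covered the instant), 'bracketed' (same MAC
    ACKed before and after; circumstantial, a squatter could sit in the
    gap), 'last-ack-only' (weaker still) or 'unknown' (e.g. static config).
    """
    covering = [l for l in leases if l["ip"] == ip and l["starts"] <= when < l["ends"]]
    before = [a for a in acks if a["ip"] == ip and a["ts"] <= when]
    after = [a for a in acks if a["ip"] == ip and a["ts"] > when]
    last_before = max(before, key=lambda a: a["ts"], default=None)
    first_after = min(after, key=lambda a: a["ts"], default=None)
    if covering:
        verdict, mac = "lease", covering[0]["mac"]
    elif last_before and first_after and last_before["mac"] == first_after["mac"]:
        verdict, mac = "bracketed", last_before["mac"]
    elif last_before:
        verdict, mac = "last-ack-only", last_before["mac"]
    else:
        verdict, mac = "unknown", None
    return {"ip": ip, "when_utc": when.astimezone(UTC), "verdict": verdict, "mac": mac,
            "lease": covering[0] if covering else None,
            "last_ack_before": last_before, "first_ack_after": first_after}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    acks = parse_acks(SAMPLE_SYSLOG, 2007, EDT)
    # The thread's query: 17:00 EDT on 2007-09-13, which is 21:00 UTC.
    print(who_had("10.1.1.100", datetime(2007, 9, 13, 17, 0, tzinfo=EDT), leases, acks))
```

The query time is passed as an aware datetime so the GMT-versus-EDT slip in the thread cannot happen silently; the lease and ACK timestamps are all converted to UTC before comparison. Only a 'lease' verdict is direct server evidence; the other verdicts are what the logs can support and nothing more.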

