Wildly excessive DHCPREQUESTs

Wed Feb 20 22:11:40 UTC 2008

> How did you notice this problem?
> Is there any monitoring tool that can help with this kind of observance?

I'm just post-processing the syslog file each night.
Something like this:

#!/bin/sh
THRESHOLD=1000
INPUT=/var/log/messages.0.gz
NRROOT=/var/netreg
NRLIB=${NRROOT}/lib
DHCPIGS=${NRLIB}/dhcpigs

zcat ${INPUT} | \
 grep -E "dhcpd: DHCP(DISCOVER|REQUEST|RELEASE)" | \
 sed 's/^.*dhcpd: DHCP//;s/ (.*)//;s/ via .*$//;s/ [of][fo].* [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*//' | \
 awk '$0 ~ ":" {print $3,$1}' | \
 sort | \
 uniq -c | \
 sort -nr | \
 (
        echo "# `date`"
        awk "\$1 >= ${THRESHOLD} {print}"
 ) >> ${DHCPIGS}

> 
> Thanks,
> Damjan Stulic
> IS Security
> Edward Jones=20
> 
> 
> =20
>  If you are not the intended recipient of this message (including =
> attachments), or if you have received this message in error, immediately =
> notify us and delete it and any attachments.  If you no longer wish to =
> receive e-mail from Edward Jones, please send this request to =
> messages at edwardjones.com.  You must include the e-mail address that you =
> wish not to receive e-mail communications.  For important additional =
> information related to this e-mail, visit =
> www.edwardjones.com/US_email_disclosure
> =20
> -----Original Message-----
> =20
> 
> From: dhcp-users-bounce at isc.org [mailto:dhcp-users-bounce at isc.org] On
> Behalf Of John Hascall
> Sent: Tuesday, February 19, 2008 4:13 PM
> To: dhcp-users at isc.org
> Subject: Wildly excessive DHCPREQUESTs
> 
> 
> We have a number of machines here which are making a stupidly high
> number of DHCPREQUESTS (and DISCOVERS in some cases).
> 
> For example, we have a few dozen machines making in excess of
> 1000 REQUESTs per day.   The worst seems to be an XP box making
> about 11,000/day.  Does anyone have any idea what might make a box do a
> DHCPREQUEST/ACK cycle about every five seconds all day, day after day
> (despite getting a 4 day lease)?
> 
> John
> 