Strange Issue with Linksys routers

Ben Wiechman benw at
Sat May 16 22:21:05 UTC 2009

This doesn't appear to be an issue that is specific to ISC, but since this
is most readily visible in the dhcp logs maybe someone else here has seen or
is seeing this issue as well.

We have a number of subscribers on our network (75-100 - possibly more) that
are running WRT54G/GS routers with older firmware (1.00.6/7, etc.) with
ethernet controllers that appear to lock up. When the router is power cycled
they tend to work properly for several hours and then the ethernet
controller appears to lock up again. This keeps repeating. 

When the condition exists any computers attached to the wired interfaces
will eventually report limited or no connectivity. Any traffic sent to the
router on the LAN ports receives no response. However it is possible to
connect to the routers using the wireless interface and access the web
management interface. With remote management enabled and pings allowed they
will not respond on the WAN interface when this condition exists. We have
done packet captures to verify that the icmp/ip packets are being delivered
to the WAN interface, however the router generates no response.

This is where it gets weird. The router will continue to send
DHCPREQUEST/DHCPOFFER packets but does not appear to receive the response.
This is how we initially noticed the issue. Large numbers of routers were
hammering our dhcp server hundreds of times every hour with DHCPDISCOVER

When the router is power cycled it will broadcast a DHCPDISCOVER packet to
the dhcp server, receive the offer, broadcast the request and receive the
ack. Our default lease time is 12 hours. Normally the router would send a
unicast DHCPREQUEST to the server half way through the lease time and
receives a unicast DHCPACK. Under normal conditions this would simply
repeat. Here the ethernet controller appears to lock up at some point. So
the router will send the DHCPREQUEST packet at the midway point, then with
increasing frequency as the end of the lease period nears. Doing a packet
capture will show the DHCPACK is received at the WAN interface of the
router. In the last couple of minutes before the lease expires the router
will broadcast a series of DHCPREQUEST packets and receive broadcast
responses from the server. Once the dhcp lease expires the router will
continue to broadcast a series of DHCPDISCOVER messages every minute or so
and receives the DHCPOFFERs in return. This will repeat until the router is
power cycled. Even if the ethernet ports are disconnected the lost link is
not detected.

The dicover/offer cycle can be tripped by logging into the router via the
wireless interface and changing the hostname. This causes the router to send
a DHCPRELEASE request, followed by a DHCPDISCOVER. It receives a DHCPOFFER,
however does not appear to process the offer and once again enters a loop
where it continues to broadcast a series of DHCPDISCOVER packets every
minute or so. 

We have not seen this on WRT54GL routers to this point. It appears to have
begun at a very defined point on Monday 5/11. Is this some new exploit? We
have yet to track down anything that appears to trigger this condition. 

Has anyone seen anything like this in the past?

Ben Wiechman
Network Administrator
Wisper High Speed Internet

More information about the dhcp-users mailing list