DHCPDISCOVER from ff:ff:ff:ff:ff:ff MAC Address

Merton Campbell Crockett m.c.crockett at roadrunner.com
Wed Nov 25 04:06:44 UTC 2009

I was investigating some errors being reported by our IPAM system involving discrepancies between it's database and the /etc/dhcpd.conf files that were actually being used on the systems running ISC DHCP.  Most of these involved host declarations that fail inside a range declaration.

Given the way ISC DHCP behaves, the host declarations are not needed if the system is actively renewing its lease.  While scanning /var/log/dhcpd.log to verify that the systems identified in host declarations were actively renewing their leases, I noticed that there were DHCPDISCOVER requests purportedly sent from ff:ff:ff:ff:ff:ff MAC address.

At the first site where I found this occurring, the log would indicate that the request was refused.  At the first site, I would see these events occurring up to three times a day.  It piqued my curiosity I began looking at other sites for similar incidents.

I discovered that this wasn't, necessarily, unique to the site were I first noticed this.  What was unique to the first site was the DHCPDISCOVER request being refused.  At other sites where I checked, I saw a DHCPOFFER response being returned containing an address from the last range declaration in the /etc/dhcpd.conf file.

At one site that I looked at, I found over 2400 log entries of these DHCPDISCOVER requests and DHCPOFFER responses being generated in the first 4 minutes of a day.  This type of incident will occur more than once a day but not with the same severity.

So, the question to this forum is:  "Has anyone seen this type of behavior recorded in their /etc/log/dhcpd.log file and do you know what may be triggering these events?"

Merton Campbell Crockett
m.c.crockett at roadrunner.com

More information about the dhcp-users mailing list