DHCPDISCOVER from ff:ff:ff:ff:ff:ff MAC Address
Merton Campbell Crockett
m.c.crockett at roadrunner.com
Wed Nov 25 04:06:44 UTC 2009
I was investigating some errors being reported by our IPAM system involving discrepancies between it's database and the /etc/dhcpd.conf files that were actually being used on the systems running ISC DHCP. Most of these involved host declarations that fail inside a range declaration.
Given the way ISC DHCP behaves, the host declarations are not needed if the system is actively renewing its lease. While scanning /var/log/dhcpd.log to verify that the systems identified in host declarations were actively renewing their leases, I noticed that there were DHCPDISCOVER requests purportedly sent from ff:ff:ff:ff:ff:ff MAC address.
At the first site where I found this occurring, the log would indicate that the request was refused. At the first site, I would see these events occurring up to three times a day. It piqued my curiosity I began looking at other sites for similar incidents.
I discovered that this wasn't, necessarily, unique to the site were I first noticed this. What was unique to the first site was the DHCPDISCOVER request being refused. At other sites where I checked, I saw a DHCPOFFER response being returned containing an address from the last range declaration in the /etc/dhcpd.conf file.
At one site that I looked at, I found over 2400 log entries of these DHCPDISCOVER requests and DHCPOFFER responses being generated in the first 4 minutes of a day. This type of incident will occur more than once a day but not with the same severity.
So, the question to this forum is: "Has anyone seen this type of behavior recorded in their /etc/log/dhcpd.log file and do you know what may be triggering these events?"
Merton Campbell Crockett
m.c.crockett at roadrunner.com
More information about the dhcp-users
mailing list