
Bug#743335: debian-installer: udhcpc coping with rogue DHCP servers



On Mon, Sep 14, 2015 at 04:04:56PM +0200, Oliver Kopp wrote:
> 
> dhclient gives the following output
> --cut--
> Internet Systems Consortium DHCP Client 4.2.4
> DHCPREQUEST of 10.0.1.27 on eth0 to 255.255.255.255 port 67 (xid=0x58dd7a8a)
> DHCPNAK from 10.0.1.1 (xid=0xf89915c)
> DHCPNAK from 10.0.1.1 (xid=0xf89915c)
> --end--
> 
> > My advice to Oliver: Check your LAN and search for 10.0.1.1. That 10.0.1.1. is from
> >> Sep 14 12:25:53 iaas2 dhcpd: DHCPREQUEST for 10.0.1.28 (10.0.1.1) from 00:50:56:85:c2:a2 via eth0
> 
> Yeah, I'm trying to find that host. As I don't have access to the
> routers for myself, I have to rely on other guys.

What my approach would be:
(summary: go with a MAC-address to network admins)

 * bring the system (again) to a state where I can use dhclient
 * install my favorite network sniffer ( e.g. tcpdump, tshark, wireshark )
 * set network traffic capture on eth0 for ports 67 and 68 (BOOTP (DHCP))
 * activate dhclient, wait for DHCP packet in the 10.0.1.x network
 * stopping the network capture
 * analyze the network capture, filter out the MAC-address of 10.0.1.1
 * contact network administrators and ask them which switch-port has
   the MAC-address that was found in previous step
 * asking the network administrators which host is at the switch-port
   that was found in the previous step
 * finding the owner of the host that was found in the previous step
 * not being surprised when the host does virtualization ...


Groeten
Geert Stappers
-- 
Leven en laten leven
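
Added example, not part of the original message: one way to do the "analyze the network capture" step from the list above, by pulling the source MAC of every DHCP server reply (OFFER/ACK/NAK) out of raw Ethernet frames. It assumes the frames were already read from the port 67/68 capture; the function names, the sample frames and the 02:00:00:... MAC addresses are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send

def parse_dhcp_reply(frame):
    """Return (src_mac, src_ip, msg_type) for a DHCP server reply, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # untagged IPv4 only
        return None
    udp_off = 14 + (frame[14] & 0x0F) * 4                    # Ethernet + IP header
    if udp_off < 34 or frame[23] != 17 or len(frame) < udp_off + 248:
        return None                                          # protocol 17 = UDP
    sport = struct.unpack("!H", frame[udp_off:udp_off + 2])[0]
    bootp = frame[udp_off + 8:]
    if sport != 67 or bootp[0] != 2 or bootp[236:240] != MAGIC:
        return None                                          # op 2 = BOOTREPLY
    opts, i, msg_type = bootp[240:], 0, None
    while i + 2 < len(opts) and opts[i] != 255:              # 255 = end option
        if opts[i] == 0:                                     # pad option, one byte
            i += 1
            continue
        if opts[i] == 53 and opts[i + 1] == 1:               # DHCP message type
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    if msg_type not in SERVER_TYPES:
        return None
    return frame[6:12].hex(":"), socket.inet_ntoa(frame[26:30]), SERVER_TYPES[msg_type]

def servers_seen(frames):
    """Map each replying server IP to the set of source MACs it was seen with."""
    seen = {}
    for frame in frames:
        hit = parse_dhcp_reply(frame)
        if hit:
            seen.setdefault(hit[1], set()).add(hit[0])
    return seen

def build_frame(src_mac, src_ip, sport, op, msg_type):
    """Constructed broadcast sample frame for the demo, not a real capture."""
    bootp = bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, 135 - sport, 8 + len(bootp), 0)  # 67 <-> 68
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("255.255.255.255"))
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp + bootp

SAMPLE = [build_frame("02:00:00:00:00:aa", "0.0.0.0", 68, 1, 3),   # client DHCPREQUEST
          build_frame("02:00:00:00:00:01", "10.0.1.1", 67, 2, 6)]  # DHCPNAK from 10.0.1.1
```

The source MAC identifies the replying host only when it sits on the same layer-2 segment as the capturing machine; for a routed or relayed reply it is the MAC of the last hop. One server IP showing up with more than one MAC is itself worth reporting to the network administrators.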

