From: Bill Moran
Organization: Potential Technologies
Date: Thu, 25 Apr 2002 16:56:38 -0400
To: gabriel_ambuehl@buz.ch
Cc: questions@freebsd.org
Subject: Re: dhclient going crazy...
Message-ID: <3CC86D86.7060100@potentialtech.com>
References: <1965488492.20020424150235@buz.ch>

Gabriel Ambuehl wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hello,
> I'd very much like to hear explanations for the following incident
> which left me with a blocked cable modem (and thus complete lack of
> broadband and high telephone bills because of all the support calls
> this required, nice, uuh) as the ISP feels I've been running DoS
> attacks against its DHCP servers:

Sure sounds like bullsh*t to me. From the looks of the arp messages
below, it doesn't look like you're the one changing MAC addresses.

> Apr 22 19:02:45 delta dhclient: New Network Number: 217.162.128.0
> Apr 22 19:02:45 delta dhclient: New Broadcast Address: 255.255.255.255
> Apr 22 19:02:45 delta dhclient: New IP Address (rl0): 217.162.129.1
> Apr 22 19:02:45 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
> Apr 22 19:02:45 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
> Apr 22 19:02:45 delta dhclient: New Routers: 217.162.128.1
> Apr 22 19:05:22 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
> Apr 22 19:08:11 delta dhclient: New Network Number: 217.162.128.0
> Apr 22 19:08:11 delta dhclient: New Broadcast Address: 255.255.255.255
> Apr 22 19:08:11 delta dhclient: New IP Address (rl0): 217.162.130.62
> Apr 22 19:08:11 delta dhclient: New Subnet Mask (rl0): 255.255.248.0
> Apr 22 19:08:11 delta dhclient: New Broadcast Address (rl0): 255.255.255.255
> Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1

> This went on for some more minutes, then stopped and restarted about
> one hour later, went on for about ten minutes and stopped, the whole
> cycle was repeated for several hours from 17:00 to 23:XX. What is
> happening here? And how can I prevent it from happening again?

It really looks to me like your ISP's DHCP server is whacked. Maybe
it's giving out incredibly short lease times, requiring you to renew
your lease often. Check /var/db/dhclient.leases to see what the DHCP
server has been up to.

> The ISP suggests I was running some MAC address faking script that
> would continuously regenerate MAC addresses which I sure as hell
> didn't and I'm 99.9% sure that the box didn't get cracked, but the
> other interface in it (its primary job is running ipnat for the LAN
> behind it) (dc0) was experiencing weird problems (watchdog
> timeouts...).

Could be other problems on your end perhaps? Have you monitored your
MAC address while this was happening (via ifconfig) to see if it was
changing?

I'm making some guesses here, Gabe, because I've never seen anything
like this before. Sure looks weird, you'll have to let us know when
you figure it out.

--
Bill Moran
Potential Technology
http://www.potentialtech.com
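
The log reading discussed in this message can be automated. The following is an added example, not part of the original message or thread: it scans syslog text for dhclient address changes and for kernel "arp: ... moved" events that affect the announced router. The function name `analyze` and the default year (taken from the mail's Date header, since syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime

# Log lines taken from the quoted message, with mail-wrapped lines rejoined.
SAMPLE = """\
Apr 22 19:02:45 delta dhclient: New IP Address (rl0): 217.162.129.1
Apr 22 19:02:45 delta dhclient: New Routers: 217.162.128.1
Apr 22 19:05:22 delta /kernel: arp: 217.162.128.1 moved from 00:30:94:06:12:a8 to 00:30:94:06:12:54 on rl0
Apr 22 19:08:11 delta dhclient: New IP Address (rl0): 217.162.130.62
Apr 22 19:08:12 delta dhclient: New Routers: 217.162.128.1
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
NEW_IP = re.compile(r"New IP Address \((\w+)\): (\S+)")
ROUTERS = re.compile(r"New Routers: (\S+)")
ARP_MOVE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\w+)")


def analyze(text, year=2002):
    """Return (address_changes, router_mac_moves) found in syslog text."""
    last = {}        # interface -> (time, ip) of the previous assignment
    routers = set()  # gateway addresses announced by dhclient so far
    changes, moves = [], []
    for raw in text.splitlines():
        m = STAMP.match(raw)
        if not m:
            continue
        # Syslog timestamps have no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (ip := NEW_IP.search(msg)):
            iface, addr = ip.groups()
            if iface in last and last[iface][1] != addr:
                held = int((when - last[iface][0]).total_seconds())
                changes.append((iface, last[iface][1], addr, held))
            last[iface] = (when, addr)
        elif (r := ROUTERS.search(msg)):
            routers.add(r.group(1))
        elif (a := ARP_MOVE.search(msg)):
            host, old, new, iface = a.groups()
            if host in routers:  # only the default gateway is of interest
                moves.append((host, old, new, iface))
    return changes, moves


if __name__ == "__main__":
    changes, moves = analyze(SAMPLE)
    for iface, old, new, held in changes:
        print(f"{iface}: {old} -> {new} after {held}s")
    for host, old, new, iface in moves:
        print(f"router {host} on {iface}: MAC {old} -> {new}")
```

A short hold time between different addresses on the same interface points at the lease behaviour, while a MAC move for the router address is a change on the upstream side of the link, not on the client's interface.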