From: "Mark Johnston"
Delivered-To: freebsd-stable@freebsd.org
Subject: RE: Freebsd 4.7.2 DHCP Spamming
Date: Thu, 16 Jan 2003 09:11:15 -0600
Message-ID: <004e01c2bd71$84213c80$690fa8c0@MJOHNSTON>
In-Reply-To: <2W5ZNJANISMB91VMJPMIG4XD83XPN71.3e25f76b@Jeff>

lewwid@telusplanet.net wrote:
> Has anyone heard of an issue where a freebsd box can rack up
> multiple ips over the course of ~2 days? There should only be 1 ip
> address allocated to my box.
>
> For some reason on Dec 2nd, Dec 30th, and Jan 14th my box decided to
> keep requesting IPs, thus racking up ~100 before they shut me off
> each time. Why would they keep permitting ip requests above the 2
> allowed ips?

DOCSIS modems (at least the older ones that I'm familiar with) can be
configured to limit the total number of MAC addresses or of IPs.
Perhaps they're limiting MACs and you're getting a bunch of leases
assigned to the same MAC ID.
Another possibility is that their IP cap may only limit the number of
IPs you can use, not the number you can request. If you are using
xDSL, I'm not familiar with the modems involved, but the filters are
probably similar.

> I'm running a GENERIC kernel, all source updated and installed from
> cvsup3.freebsd.org. Only ssh listening.
>
> They say that, either I'm doing it on purpose, I'm exploited, or
> there's a problem with the dhclient.

You could also be having a packet filtering problem. When dhclient
tries to get an IP and has none, it uses a broadcast request from
0.0.0.0 (aka DHCPDISCOVER.) The server will respond with a broadcast
(a DHCPOFFER) to offer you the IP, then you will request it (with a
DHCPREQUEST) and the server will acknowledge you (by sending a
DHCPACK.) All of this is carried out in broadcast packets. When it
comes time to renew, you will send a unicast request to the server and
it will respond in kind. If this unicast can't make it through (due to
packet filtering), you will only be able to get an IP when your lease
has expired, not renew an existing one. Strange of their server to
give you a different one each time though.

Here's a remote possibility: Are you using any kind of automatic ipfw
or ipf tie-in IDS? Sometimes ISPs will do foolish things, like
performing diagnostic work from an important server. If that sets off
an alarm and you block it, so much for DHCP renewals. If someone who
thinks they're funny decides to spoof you a packet purporting to be
from the DHCP server, and it upsets your IDS, you'll be in the same
boat.

> I was monitoring the box using tcpdump + dhcpdump to watch the
> requests. Unfortunately I rebooted after about 5 days (Jan 7th ish).
> I thought the problem was resolved. I asked them for logs but they
> can't provide any.

Having tcpdump output to a file with something like "udp port 67 or
udp port 68" would provide the most detailed logs from your end,
although checking what dhclient has logged to syslog would help too.

> Could they have changed something near the end of November, or the
> start of December as this problem has not happened *ever* in 6 years
> before this.
>
> *** Somehow I'm supposed to solve this problem without logs.
> Hopefully someone has run into this problem in the past and knows a
> solution. It's to never happen again or they will cancel my account.

At this point, you are better safe than sorry. Buy a cheap Linksys
broadband router, put it in between the modem and your PC, and
troubleshoot your original issue at your leisure. It will protect you
from your ISP's wrath until you have found the cause of the problem.

Mark

note - I am stuck with Outlook at work. Apologies if it destroys the
formatting of this message.
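
An added example, not part of the original message: one way to audit DHCP traffic captured on UDP ports 67/68 for the failure mode described above, where unicast renewals go unanswered and the client falls back to DHCPDISCOVER and collects a new address each time. It assumes the UDP payloads and destination IPs have already been extracted from the capture; the function names, MAC and 192.0.2.x addresses are constructed for illustration.

```python
from socket import inet_aton, inet_ntoa

MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BCAST = "255.255.255.255"

def build(mtype, mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Construct a minimal DHCP payload (sample data, not a real capture)."""
    p = bytearray(236)                            # fixed BOOTP header, zero-filled
    p[0:3] = bytes([2 if mtype in (2, 5) else 1, 1, 6])   # op, htype, hlen
    p[12:16], p[16:20], p[28:34] = inet_aton(ciaddr), inet_aton(yiaddr), bytes.fromhex(mac)
    return bytes(p) + MAGIC + bytes([53, 1, mtype, 255])  # option 53 = message type

def parse(payload):
    """Return (message type, client MAC, ciaddr, yiaddr) for a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    ciaddr, yiaddr = (inet_ntoa(payload[o:o + 4]) for o in (12, 16))
    opts, i, mtype = payload[240:], 0, None
    while i + 1 < len(opts) and opts[i] != 255:   # walk code/length/value options
        if opts[i] == 53 and opts[i + 1] == 1 and i + 2 < len(opts):
            mtype = opts[i + 2]
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]   # pad (0) has no length byte
    return TYPES.get(mtype, "OTHER"), payload[28:34].hex(), ciaddr, yiaddr

def audit(packets):
    """Per client MAC: ACKed addresses and unicast renewals that went unanswered."""
    report, pending = {}, set()
    for dst, payload in packets:                  # (destination IP, DHCP payload)
        kind, mac, ciaddr, yiaddr = parse(payload)
        entry = report.setdefault(mac, {"leases": set(), "failed_renewals": 0})
        if kind == "REQUEST" and ciaddr != "0.0.0.0" and dst != BCAST:
            pending.add(mac)                      # unicast renewal in flight
        elif kind == "ACK":
            entry["leases"].add(yiaddr)
            pending.discard(mac)
        elif kind == "DISCOVER" and mac in pending:
            pending.discard(mac)                  # renewal died, client starts over
            entry["failed_renewals"] += 1
    return report

def sample_capture(mac="00a0c9112233"):
    """Constructed trace: each unicast renewal is dropped, each new lease differs."""
    pkts, ips = [], ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for n, ip in enumerate(ips):
        if n:   # unicast renewal of the previous lease, never answered
            pkts.append(("192.0.2.1", build(3, mac, ciaddr=ips[n - 1])))
        pkts += [(BCAST, build(1, mac)), (BCAST, build(2, mac, yiaddr=ip)),
                 (BCAST, build(3, mac)), (BCAST, build(5, mac, yiaddr=ip))]
    return pkts
```

Calling audit(sample_capture()) reports three leases and two failed renewals for the one MAC; several addresses ACKed to a single MAC together with a non-zero failed_renewals count points at filtered unicast traffic rather than the client deliberately requesting extra addresses.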