Getting DHCP BAD_ADDRESS on Windows DHCP

scottalanmiller

Have a DHCP server that is getting something trying to register to it with a BAD_ADDRESS. Obviously, we can't just look up the MAC address and track it down, because the MAC we get is bad.

We've got one new switch that went in about the time that the issue started, but we think that that is off of the network now, and the issue continues. There are loads of new web cams on the network, but they seem to all be working fine.

Any guesses on tracking down the issue?

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Have a DHCP server that is getting something trying to register to it with a BAD_ADDRESS. Obviously, we can't just look up the MAC address and track it down, because the MAC we get is bad.

We've got one new switch that went in about the time that the issue started, but we think that that is off of the network now, and the issue continues. There are loads of new web cams on the network, but they seem to all be working fine.

Any guesses on tracking down the issue?

Any time I've ran into this issue, it was because either someone statically assigned an address which resides in the DHCP scope (rather than doing a reservation, or using a different range). The other thing I've noticed is two devices, unaware of eachother, serving DHCP requests; such as a Windows Server with a DHCP role, and a Cisco router, both doing DHCP in the same range (human error obviously).

bbigford

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Have a DHCP server that is getting something trying to register to it with a BAD_ADDRESS. Obviously, we can't just look up the MAC address and track it down, because the MAC we get is bad.

We've got one new switch that went in about the time that the issue started, but we think that that is off of the network now, and the issue continues. There are loads of new web cams on the network, but they seem to all be working fine.

Any guesses on tracking down the issue?

Any time I've ran into this issue, it was because either someone statically assigned an address which resides in the DHCP scope (rather than doing a reservation, or using a different range). The other thing I've noticed is two devices, unaware of eachother, serving DHCP requests; such as a Windows Server with a DHCP role, and a Cisco router, both doing DHCP in the same range (human error obviously).

I also went through a few forums and the two conflicting devices is what I've found to be the most common. One case I found was nefarious, so they had to configure dhcp-snooping on their networking device(s).

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Have a DHCP server that is getting something trying to register to it with a BAD_ADDRESS. Obviously, we can't just look up the MAC address and track it down, because the MAC we get is bad.

We've got one new switch that went in about the time that the issue started, but we think that that is off of the network now, and the issue continues. There are loads of new web cams on the network, but they seem to all be working fine.

Any guesses on tracking down the issue?

Any time I've ran into this issue, it was because either someone statically assigned an address which resides in the DHCP scope (rather than doing a reservation, or using a different range). The other thing I've noticed is two devices, unaware of eachother, serving DHCP requests; such as a Windows Server with a DHCP role, and a Cisco router, both doing DHCP in the same range (human error obviously).

In this case, we are getting a gibberish MAC address with it.

scottalanmiller

We are looking for rogue DHCP servers now, but dont' know of where one might be hiding. We've ensure all of the network gear does not have one.

bbigford

I wonder what your DHCP leases are set to. I just remembered a case where the lease times were set to a ridiculously high 30 days. They ran out of IPs and got a flood of BAD_ADDRESS notifications; normally the clients would just get 169.254.x.x but lower the lease timer to 8 hours resolved it.

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

I wonder what your DHCP leases are set to. I just remembered a case where the lease times were set to a ridiculously high 30 days. They ran out of IPs and got a flood of BAD_ADDRESS notifications; normally the clients would just get 169.254.x.x but lower the lease timer to 8 hours resolved it.

Pool has plenty available. Just checked.

bbigford

Break out Wireshark yet?

Donahue

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

We are looking for rogue DHCP servers now, but dont' know of where one might be hiding. We've ensure all of the network gear does not have one.

turn off the DHCP you know of and see if you still have DHCP being served. That will easily tell you if you have a rouge DHCP server somewhere.

bbigford

I bet someone plugged in a wireless router thinking "well we needed an unmanaged switch for these few devices... what's the big deal?"

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Break out Wireshark yet?

yeah, but that doesn't help since the MACs are bad.

scottalanmiller

We just found a rogue lightbulb. Not the issue, but an interesting find.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Break out Wireshark yet?

yeah, but that doesn't help since the MACs are bad.

I believe in Hyper-V that you can mess with MACs to where they aren't standard. Any chance this is a VM and was mistakenly set?

scottalanmiller

Appeared to be something in wireless. Unplugged the AP and it stopped.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Appeared to be something in wireless. Unplugged the AP and it stopped.

Hah, called it!

scottalanmiller

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

bbigford

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

What is the make and model?

scottalanmiller

@bbigford said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

What is the make and model?

Don't know.

jt1001001

I saw this once, this is far fetched but any wireless devices like clocks, iot or ip phones? We had a sapling wifi clock reacking havoc on our Network once. I also have seen this when a firewall was plugged in that had proxy arp turned on on the inside interface.

1337

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds exactly like a DHCP starvation attack! Intruder alert!