[RndTbl] Shaw DHCP weirdness or attack?
trevor at tecnopolis.ca
Wed Dec 5 11:59:00 CST 2012
On 2012-12-05 Sean Walberg wrote:
> I've seen it a couple of times:
> /var/log/messages-20121111:Nov 10 21:35:17 bob dhclient:
> parse_option_buffer: malformed option dhcp.<unknown> (code 105):
> option length exceeds option buffer length.
> I'm on 220.127.116.11/22
I did a packet cap and wireshark to view. Something very weird is
going on here. Wireshark says the DHCP packets at the time of error
It's from 18.104.22.168, which appears to be a Shaw router? I'm on a
50.72 network. It doesn't appear to be the normal Shaw DHCP server.
The packet is 22.214.171.124:67 to 255.255.255.255:68, 308 bytes
It's telling me my client IP is <insert not my ip here>
"Relay agent" 126.96.36.199 (same as above)
client mac: AsustekC brand (hmmmm...)
It gets cut off in the middle of the fqdn option, hence probably the
malformation and /v/l/messages error.
So my guess now is probably some nitwit has a DHCP server working the
Shaw network side rather than their internal side? Or maybe a
deliberate hack attempt to hand out bogus IPs?
Sucks that it has to fill my logs with 648 errors so far today...
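
Added example, not part of the original post and not dhclient's own code: a Python sketch of the length check that yields a message like the quoted "option length exceeds option buffer length", combined with a check of the server identifier (option 54) against the DHCP servers you expect. The function names, the allowlist and the sample bytes are constructed assumptions; the input is the options field that follows the DHCP magic cookie.

```python
import ipaddress

PAD, END, SERVER_ID = 0, 255, 54

def parse_options(buf: bytes):
    """Walk DHCP options (the bytes after the magic cookie).

    Returns (options, error): options maps code -> value bytes; error is None
    or a string describing where the code/length/value walk broke.
    """
    options, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == END:
            return options, None
        if code == PAD:          # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(buf):
            return options, f"option {code}: length byte missing"
        length = buf[i + 1]
        if i + 2 + length > len(buf):
            return options, (f"option {code}: length {length} exceeds "
                             f"{len(buf) - i - 2} bytes left in buffer")
        options[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return options, "no END option"

def triage(buf: bytes, known_servers):
    """Return a list of findings for one DHCP reply's option field."""
    options, error = parse_options(buf)
    findings = []
    if error:
        findings.append("malformed: " + error)
    sid = options.get(SERVER_ID)
    if sid is None or len(sid) != 4:
        findings.append("no usable server identifier (option 54)")
    elif str(ipaddress.IPv4Address(sid)) not in known_servers:
        findings.append(f"unexpected DHCP server {ipaddress.IPv4Address(sid)}")
    return findings

# Constructed sample data (documentation addresses, not taken from the post).
KNOWN = {"192.0.2.1"}
GOOD = bytes([53, 1, 2, 54, 4, 192, 0, 2, 1, 255])
# Option 81 (client FQDN) claims 20 bytes but the buffer ends after 6.
BAD = bytes([53, 1, 2, 54, 4, 198, 51, 100, 7, 81, 20]) + b"\x00\x00\x00abc"

if __name__ == "__main__":
    for name, buf in (("good", GOOD), ("bad", BAD)):
        print(name, triage(buf, KNOWN))
```

Options parsed before the truncation point are still returned, so the server identifier of a malformed reply can be logged alongside the parse error.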