[RndTbl] Shaw DHCP weirdness or attack?

Trevor Cordes trevor at tecnopolis.ca
Wed Dec 5 12:31:07 CST 2012

On 2012-12-05 Sean Walberg wrote:
> On Wed, Dec 5, 2012 at 11:59 AM, Trevor Cordes <trevor at tecnopolis.ca>
> wrote:
> The packet is to, 308 bytes
> But is it to your MAC address or not?

The ethernet layer is of course bc'ing to ff:ff:ff:ff:ff:ff

The DHCP packet is showing a client MAC address that's the AsustekC,
and it's not my MAC.

> The router is probably not the DHCP server, it's just the forwarder
> for a backend management system.

Ya, looks like it.

> My guess is that our AsustekC friend
> is making a request with a strange option 81 that's being blindly
> copied in the response and since DHCP is a broadcast at this point,
> you're seeing it.

Hmm, I'm not sure I follow... been up too long!  Not sure why Shaw's
routers would relay bc's across subnets sourced from random nitwit's
broken client/router?  This is type "Boot Reply (2)" which should be
coming from the DHCP server back to the client?

More information about the Roundtable mailing list