[RndTbl] Shaw DHCP weirdness or attack?

Trevor Cordes trevor at tecnopolis.ca
Wed Dec 5 12:31:07 CST 2012


On 2012-12-05 Sean Walberg wrote:
> On Wed, Dec 5, 2012 at 11:59 AM, Trevor Cordes <trevor at tecnopolis.ca>
> wrote:
> 
> > The packet is 50.72.224.1:67 to 255.255.255.255:68, 308 bytes
> 
> But is it to your MAC address or not?

The ethernet layer is of course bc'ing to ff:ff:ff:ff:ff:ff

The DHCP packet is showing a client MAC address that's the AsustekC,
and it's not my MAC.

> The router is probably not the DHCP server, it's just the forwarder
> for a backend management system.

Ya, looks like it.

> My guess is that our AsustekC friend
> is making a request with a strange option 81 that's being blindly
> copied in the response and since DHCP is a broadcast at this point,
> you're seeing it.

Hmm, I'm not sure I follow... been up too long!  Not sure why Shaw's
routers would relay bc's across subnets sourced from random nitwit's
broken client/router?  This is type "Boot Reply (2)" which should be
coming from the DHCP server back to the client?
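
The check discussed in this message, as an added example that is not part of the original post: parse a captured DHCP payload, read the op code, client hardware address (chaddr), relay address (giaddr) and option 81, and decide whether a broadcast Boot Reply was meant for your own MAC. The sample packet, MAC addresses, IP addresses and function names are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload into the fields discussed in the thread."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds chaddr field")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = End
        if payload[i] == 0:                            # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "giaddr": ".".join(map(str, payload[24:28])),   # relay agent address
            "chaddr": payload[28:28 + hlen].hex(":"), "options": opts}

def classify(payload: bytes, my_mac: str) -> str:
    """Say whether a captured DHCP message is a reply meant for my_mac."""
    msg = parse_dhcp(payload)
    if msg["op"] != 2:                                 # 2 = Boot Reply
        return "not-a-reply"
    if msg["chaddr"] == my_mac.lower():
        return "reply-for-me"
    tag = "+opt81" if 81 in msg["options"] else ""     # 81 = Client FQDN
    return "reply-for-other-client" + tag

def build_sample() -> bytes:
    """Constructed Boot Reply for client 02:00:00:00:00:01 (not a real capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0, 0x12345678, 0, 0x8000,       # op=reply, broadcast flag set
                        bytes(4), bytes([192, 0, 2, 10]), bytes(4), bytes([192, 0, 2, 1]),
                        bytes.fromhex("020000000001"), b"", b"")  # chaddr, sname, file
    options = bytes([53, 1, 2]) + bytes([81, 15, 0, 0, 0]) + b"host.example" + b"\xff"
    return fixed + MAGIC + options
```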

