I have a Windows Server 2016 that runs DHCP. While reviewing the leases I noticed some odd entries.
There are 2 different sets of leases that I am concerned about and I am not sure how to narrow it down.
1) There were about 30-40 leases that had a MAC address that was 32 characters long. These MAC addresses were almost identical with the exception of the last few characters. The IPs did not respond to PING. I removed similar entries a few weeks ago and I found them again.
2) I have a set of leases that have no Name, the MAC address lookup says invalid manufacturer, and they do not respond to ping. I deleted them and about 75% of them are back within a few hours.
I ran Wireshark to see if I could determine where they were coming from but all the traffic I saw was legitimate traffic that did not relate to these leases.
How can I determine what is requesting the lease? Is this malicious?
If it is not a legitimate device, how can I prevent it from getting an IP on my network?
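As an added example (not part of the original post), the following PowerShell, run on the DHCP server itself, pulls every active lease whose client identifier is longer than a 6-byte MAC or that has no hostname, then looks the matching client IDs up in the DHCP server audit log so the time and frequency of the lease and renewal events can be seen. It assumes the `DhcpServer` module is available and that the audit log lives in the default `%SystemRoot%\System32\dhcp` directory; the audit-log field order and the event codes 10 (new lease) and 11 (renewal) are the documented Windows DHCP audit-log format, and the assumption that the log's MAC column holds the same hex string as the lease's `ClientId` (without dashes) is marked in the code.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumptions: run on the DHCP server with the DhcpServer module loaded;
# audit logs are in the default %SystemRoot%\System32\dhcp directory.

Import-Module DhcpServer

# Collect leases from every IPv4 scope on this server.
$leases = Get-DhcpServerv4Scope | ForEach-Object {
    Get-DhcpServerv4Lease -ScopeId $_.ScopeId
}

# A normal 48-bit MAC is 12 hex digits once the dashes are stripped.
# Anything longer is a non-MAC client identifier; a lease with no
# hostname never registered a name with the server.
$suspicious = $leases | Where-Object {
    $hex = $_.ClientId -replace '-', ''
    $hex.Length -gt 12 -or [string]::IsNullOrEmpty($_.HostName)
}

$suspicious |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime |
    Format-Table -AutoSize

# Correlate with the DHCP server audit log.
# Audit-log CSV field order: ID,Date,Time,Description,IP Address,Host Name,MAC Address,...
# Event ID 10 = new lease issued, 11 = lease renewed.
# Assumption: the MAC Address column holds the client ID as dash-free hex,
# so it can be compared directly with ClientId after removing the dashes.
$ids    = $suspicious | ForEach-Object { $_.ClientId -replace '-', '' }
$logDir = Join-Path $env:SystemRoot 'System32\dhcp'

$events = Get-ChildItem -Path $logDir -Filter 'DhcpSrvLog-*.log' | ForEach-Object {
    $file = $_
    Get-Content $file.FullName |
        Where-Object { $_ -match '^(10|11),' } |
        ForEach-Object {
            $f = $_ -split ','
            if ($ids -contains $f[6]) {
                [pscustomobject]@{
                    Event = $f[0]
                    Date  = $f[1]
                    Time  = $f[2]
                    IP    = $f[4]
                    Host  = $f[5]
                    MAC   = $f[6]
                    File  = $file.Name
                }
            }
        }
}

# Sorting by client ID and time shows how often each one comes back,
# which is the pattern to match against switch port or relay-agent logs.
$events | Sort-Object MAC, Date, Time | Format-Table -AutoSize
```

The timestamps tell you when to capture: start Wireshark (display filter `dhcp`, or `bootp` on older Wireshark releases) on the server shortly before the next expected renewal, and check the relay agent address (giaddr) in the matching Discover/Request packets; a non-zero giaddr identifies which router or VLAN forwarded the request, while a zero giaddr means the client is on the server's own segment and its source MAC in the Ethernet frame is the real sender.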