I have a Windows Server 2016 that runs DHCP. While reviewing the leases I noticed some odd entries.
There are 2 different sets of leases that I am concerned about and I am not sure how to narrow it down.
1) There were about 30-40 leases that had a MAC address that was 32 characters long. These MAC addresses were almost identical with the exception of the last few characters. The IPs did not respond to PING. I removed similar entries a few weeks ago and I found them again.
2) I have a set of leases that have no Name, the MAC address lookup says invalid manufacturer, and they do not respond to ping. I deleted them and about 75% of them are back within a few hours.
I ran Wireshark to see if I could determine where they were coming from but all the traffic I saw was legitimate traffic that did not relate to these leases.
How can I determine what is requesting the lease? Is this malicious?
If it is not a legitimate device, how can I prevent it from getting an IP on my network?
Just a guess... Welcome to IPv6?
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-83-A9-76-7C-8A-E1-85-EA-B7
This is in the IPv4 Scope not IPv6. The IPv6 entries would be under the IPv6 DHCP scope.
1. They don't have long MAC addresses, they have long client IDs. Whilst you think that column is the MAC address, it is actually the client ID, which does not have to be a MAC address. It typically is just the MAC address, but in recent years more systems are defaulting to an extended client ID. Linux often does this, so my first guess would be Linux clients. Do you use PXE boot? Windows often uses the GUID for the client ID in DHCP when PXE booting.
2. The quickest way to determine what these are will be to track one down. If you have managed switches, then use them to determine the port one of these MAC addresses is connected to. Then you know what it is.
What is the environment that this DHCP scope provides for? Just internal workstations (i.e. under your control, for example all Windows), or do you have guest/random devices, Wi-Fi etc.? This makes a great deal of difference to what will be accessing the DHCP. If you are seeing a large amount of unique leases that do not return, these could be VMs in a test environment or PXE boot etc. - one-off tasks.
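As an added example (not code from the thread), here is one way to triage the client ID column of an exported lease list before tracing switch ports: it separates plain MACs, software-assigned MACs, RFC 4361 style extended IDs that embed a DUID, and 16-byte GUID-sized IDs. The function names, the dash-separated hex input format and the sample leases are assumptions made for illustration.

```python
import struct
from collections import defaultdict

DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

def fmt_mac(b):
    return "-".join(f"{x:02X}" for x in b)

def classify_client_id(text):
    """Return (kind, embedded MAC or None) for a hex client ID such as AA-BB-..."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) == 6:
        # Locally administered bit (0x02) set: software-assigned address,
        # so a vendor (OUI) lookup will not find a manufacturer.
        return ("mac-locally-administered" if raw[0] & 0x02 else "mac"), fmt_mac(raw)
    if len(raw) == 7 and raw[0] == 0x01:
        return "htype1+mac", fmt_mac(raw[1:])          # hardware type 1 + MAC
    if len(raw) >= 7 and raw[0] == 0xFF:
        duid = raw[5:]                                  # RFC 4361: 0xFF, 4-byte IAID, DUID
        (dtype,) = struct.unpack(">H", duid[:2])
        mac = None
        if dtype == 1 and len(duid) == 14 and duid[2:4] == b"\x00\x01":
            mac = fmt_mac(duid[8:])                     # type, hw type, 4-byte time, MAC
        elif dtype == 3 and len(duid) == 10 and duid[2:4] == b"\x00\x01":
            mac = fmt_mac(duid[4:])                     # type, hw type, MAC
        return "rfc4361:" + DUID_TYPES.get(dtype, f"duid-type-{dtype}"), mac
    if len(raw) == 16:
        return "guid-sized", None                       # same length as a GUID/UUID
    return f"other-{len(raw)}-bytes", None

def summarize(leases):
    """Group (ip, client_id) pairs by client ID kind."""
    groups = defaultdict(list)
    for ip, cid in leases:
        kind, mac = classify_client_id(cid)
        groups[kind].append((ip, mac))
    return dict(groups)

# Constructed sample leases; the DUID inside the third entry is the one quoted in the thread.
SAMPLE = [
    ("10.0.0.21", "00-11-22-33-44-55"),
    ("10.0.0.22", "DA-A1-19-00-00-01"),
    ("10.0.0.23", "FF-00-00-00-01-00-01-00-01-28-83-A9-76-7C-8A-E1-85-EA-B7"),
    ("10.0.0.24", "4C-4C-45-44-00-30-31-10-80-42-B2-C0-4F-33-32-31"),
]

if __name__ == "__main__":
    for kind, entries in summarize(SAMPLE).items():
        print(kind, entries)
```

Where an embedded MAC is recovered from an extended ID, that address is the one to look up in the switch MAC tables.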