DHCP Bad Addresses

We just switched to a different ISP provider a few days ago. Since then, there have been several Bad Address entries in the DHCP server (Windows server 2012). After deleting them, they'll appear again in an hour. Their Mac addresses are not shown in the address lease.

I used the DHCPFind to check if there's any other DHCP server on the network. The result is attached.

How do I find out what device(s) is causing the issue? Or How to fix this issue?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

if no rogue server on network, check your AV software if its causing bad addresses on DHCP server, you may try to disable network access protection component from AV
stillsyraAuthor Commented:
The anti-virus network protection has been disabled on the server since it was installed.
Brian BEE Topic Advisor, Independant Technology ProfessionalCommented:
The two items aren't related. Or at least they shouldn't be. DHCP for your internal network should be totally separate from your external network. You can tell this because your inside IP addresses should be different than your external.

Also check firewall logs to see if any traffic is hitting it which matches those IPs.
Get a highly available system for cyber protection

The Acronis SDI Appliance is a new plug-n-play solution with pre-configured Acronis Software-Defined Infrastructure software that gives service providers and enterprises ready access to a fault-tolerant system, which combines universal storage and high-performance virtualization.

Kyle AbrahamsSenior .Net DeveloperCommented:
arp -a might give you a mac for the bad IP.

Also run wireshark and filter for those IPs?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dr. KlahnPrincipal Software EngineerCommented:
Kyle's approach should work.  Either arp or sniff the network for the offending MAC addresses.

Then, once you know the MAC addresses, you can do an owner lookup (below) and find out who made the product.  This may give you some insight into whether it's an item you own, or something that an "enterprising" employee has hung on the network.

stillsyraAuthor Commented:
Brian: the firewall log didn't show any related information.

Kyle: arp -a didn't show any bad IP info. I'm not familiar with wireshark. Should I run it on the DHCP server, and on any computer in the network?
Dr. KlahnPrincipal Software EngineerCommented:
Or, you can Do It The Hard Way if the network is small enough:  Go to each authorized device, get its MAC address, and enter it into the DHCP server's authorized device list.  Problem solved; any unauthorized devices will be ignored.

Of course, any time anything new is installed, removed or replaced, you must update the DHCP server's authorized device list.  This gets to be a hassle for anything over 30 devices.
stillsyraAuthor Commented:
Thank you for the suggestion Dr. Klahn. Unfortunately, the hard way won't work for us since we have more than hundred devices. And there're laptops and mobile devices.
Kyle AbrahamsSenior .Net DeveloperCommented:
Wireshark can be run on any computer in the network that has the same subnet you're interested in.

I have no issues running it on my servers but I've run into some security teams who are against running any sort of software on a server.

It's essentially just a packet sniffer that'll grab all communications on the network.
Dr. KlahnPrincipal Software EngineerCommented:
Kyle Abrahams comments:

I've run into some security teams who are against running any sort of software on a server.

I would have to agree with that.  The server should serve, and do nothing else.

Anyway, if Wireshark is installed on a laptop then the laptop can be carted around at will and also used to sniff temporarily disconnected sub-networks to locate an offending device.
Kyle AbrahamsSenior .Net DeveloperCommented:
@Dr. Klahn:

If it were a permanent thing, then yes, I agree running wireshark on the server is a bad way to go.

Since this is a troubleshooting ,temporary thing then I see no issues with it.  The server is already seeing the bad address and why introduce one more variable to the mix:

EG:  Laptop on wifi drops signal for some reason and misses the incoming packet.  

Since the server is seeing the issue and we know it's definitely happening there in this case I *would* run wireshark on it (assuming no major production impacts) and try to keep the variables to a minimum.
If possible create a rule on your firewall to prevent the IP from connecting to the internet or to a specific service and wait to see if any user complaint about not having access or any similar question.
stillsyraAuthor Commented:
Using Wireshark, I found out the cause: several ShoreTel phones were requesting the data network IP addresses.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.