DHCP Bad Addresses

stillsyra
We just switched to a different ISP provider a few days ago. Since then, there have been several Bad Address entries in the DHCP server (Windows Server 2012). After deleting them, they'll appear again in an hour. Their MAC addresses are not shown in the address lease.

I used the DHCPFind to check if there's any other DHCP server on the network. The result is attached.

How do I find out what device(s) is causing the issue, or how to fix this issue?

[Attachment: DHCPFindResult.JPG]
Mahesh, Architect (Distinguished Expert 2018)

Commented:
If there is no rogue server on the network, check your AV software to see if it's causing bad addresses on the DHCP server; you may try to disable the network access protection component of the AV.

Author

Commented:
The anti-virus network protection has been disabled on the server since it was installed.
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
The two items aren't related. Or at least they shouldn't be. DHCP for your internal network should be totally separate from your external network. You can tell this because your inside IP addresses should be different than your external.

Also check firewall logs to see if any traffic is hitting it which matches those IPs.

Kyle Abrahams, Senior .Net Developer
Commented:
arp -a might give you a mac for the bad IP.

Also run wireshark and filter for those IPs?
Dr. Klahn, Principal Software Engineer

Commented:
Kyle's approach should work.  Either arp or sniff the network for the offending MAC addresses.

Then, once you know the MAC addresses, you can do an owner lookup (below) and find out who made the product.  This may give you some insight into whether it's an item you own, or something that an "enterprising" employee has hung on the network.

https://macvendors.com/
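Kyle's ARP step and Dr. Klahn's vendor lookup, tied together as an added example that is not from the thread: the script below reads the BAD_ADDRESS entries straight out of the Windows DHCP server, pings each one so the ARP cache gets a chance to learn a MAC, parses `arp -a`, and prints the OUI (first three octets) you would paste into macvendors.com. For addresses ARP cannot resolve it emits a Wireshark display filter. It assumes the DhcpServer PowerShell module (Windows Server 2012 and later), that it runs on the DHCP server or another host in the same subnet, and English-locale `arp -a` output; the field names in the Wireshark filter are assumed to match the version you run.

```powershell
# Added example: map DHCP BAD_ADDRESS leases to MAC addresses via ARP.
# Assumes the DhcpServer module and a host on the same subnet as the scope.
Import-Module DhcpServer

function Get-ArpTable {
    # Parse 'arp -a' into a hashtable of IP -> MAC (xx-xx-xx-xx-xx-xx).
    $table = @{}
    foreach ($line in (arp -a)) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})') {
            $table[$Matches[1]] = $Matches[2]
        }
    }
    return $table
}

function Find-BadAddressOwners {
    # Collect BAD_ADDRESS leases from every IPv4 scope on the local server.
    $bad = Get-DhcpServerv4Scope | ForEach-Object {
        Get-DhcpServerv4Lease -ScopeId $_.ScopeId -BadLeases
    }
    if (-not $bad) { return @() }

    # One probe per address so the ARP cache is populated before we read it.
    foreach ($lease in $bad) {
        Test-Connection -ComputerName "$($lease.IPAddress)" -Count 1 -Quiet | Out-Null
    }

    $arp = Get-ArpTable
    foreach ($lease in $bad) {
        $ip  = "$($lease.IPAddress)"
        $mac = $arp[$ip]
        [pscustomobject]@{
            IPAddress = $ip
            MAC       = $mac
            # The OUI is what the vendor lookup site wants.
            OUI       = if ($mac) { $mac.Substring(0, 8) } else { $null }
            Scope     = $lease.ScopeId
        }
    }
}

$results = Find-BadAddressOwners
$results | Format-Table -AutoSize

# Build a Wireshark display filter for whatever ARP could not resolve.
# Field names (ip.addr, arp.src.proto_ipv4) are assumed for the reader's version.
$unresolved = $results | Where-Object { -not $_.MAC } | ForEach-Object { $_.IPAddress }
if ($unresolved) {
    $filter = ($unresolved | ForEach-Object { "ip.addr == $_ || arp.src.proto_ipv4 == $_" }) -join ' || '
    Write-Host "Wireshark display filter for unresolved addresses:`n  $filter"
}
```

Run it from an elevated PowerShell session on the DHCP server. A device that answers the ping will usually show up in the ARP table; one that only talks DHCP (as the phones in this thread turned out to) may not, which is exactly the case the generated Wireshark filter is for.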

Author

Commented:
Brian: the firewall log didn't show any related information.

Kyle: arp -a didn't show any bad IP info. I'm not familiar with wireshark. Should I run it on the DHCP server, and on any computer in the network?
Dr. Klahn, Principal Software Engineer

Commented:
Or, you can Do It The Hard Way if the network is small enough:  Go to each authorized device, get its MAC address, and enter it into the DHCP server's authorized device list.  Problem solved; any unauthorized devices will be ignored.

Of course, any time anything new is installed, removed or replaced, you must update the DHCP server's authorized device list.  This gets to be a hassle for anything over 30 devices.
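The "hard way" Dr. Klahn describes is the DHCP server's MAC allow-list filter. As an added example, not from the thread, the script below seeds that list from the devices the server already knows (active leases and reservations) instead of walking to each one, then switches the allow list on. It assumes the DhcpServer module on Windows Server 2012 or later and that the lease ClientId is the MAC in the usual dash-separated form.

```powershell
# Added example: populate the DHCP MAC allow list from known leases and
# reservations, then enable it. Assumes the DhcpServer module.
Import-Module DhcpServer

function Get-KnownClientMacs {
    # Returns a hashtable of MAC -> friendly name for every active lease
    # and every reservation across all IPv4 scopes.
    $known = @{}
    foreach ($scope in (Get-DhcpServerv4Scope)) {
        foreach ($lease in (Get-DhcpServerv4Lease -ScopeId $scope.ScopeId -AllLeases)) {
            if ($lease.AddressState -like 'Active*' -and
                $lease.ClientId -match '^([0-9a-f]{2}-){5}[0-9a-f]{2}$') {
                $known[$lease.ClientId] = $lease.HostName
            }
        }
        foreach ($res in (Get-DhcpServerv4Reservation -ScopeId $scope.ScopeId)) {
            $known[$res.ClientId] = $res.Name
        }
    }
    return $known
}

function Sync-DhcpAllowList {
    param([switch]$Enable)

    $known    = Get-KnownClientMacs
    $existing = @((Get-DhcpServerv4Filter -List Allow).MacAddress)
    $added    = 0

    foreach ($mac in $known.Keys) {
        if ($existing -notcontains $mac) {
            Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description "Allowed: $($known[$mac])"
            $added++
        }
    }
    Write-Host "Allow list now covers $($known.Count) MACs ($added added)."

    # Once the allow list is on, any MAC not in it is ignored by the server.
    if ($Enable) { Set-DhcpServerv4FilterList -Allow $true }
    Get-DhcpServerv4FilterList
}

# First run without -Enable, review the list, then run again with -Enable.
Sync-DhcpAllowList
```

The maintenance cost Dr. Klahn mentions does not go away: every new laptop, phone or replaced NIC needs an `Add-DhcpServerv4Filter -List Allow` entry before it can get a lease, so review the generated list before the `-Enable` run.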

Author

Commented:
Thank you for the suggestion Dr. Klahn. Unfortunately, the hard way won't work for us since we have more than a hundred devices. And there are laptops and mobile devices.
Kyle Abrahams, Senior .Net Developer

Commented:
Wireshark can be run on any computer in the network that has the same subnet you're interested in.

I have no issues running it on my servers but I've run into some security teams who are against running any sort of software on a server.

It's essentially just a packet sniffer that'll grab all communications on the network.
Dr. Klahn, Principal Software Engineer

Commented:
Kyle Abrahams comments:

I've run into some security teams who are against running any sort of software on a server.

I would have to agree with that.  The server should serve, and do nothing else.

Anyway, if Wireshark is installed on a laptop then the laptop can be carted around at will and also used to sniff temporarily disconnected sub-networks to locate an offending device.
Kyle Abrahams, Senior .Net Developer

Commented:
@Dr. Klahn:

If it were a permanent thing, then yes, I agree running wireshark on the server is a bad way to go.

Since this is a temporary, troubleshooting thing, then I see no issues with it.  The server is already seeing the bad address, and why introduce one more variable to the mix:

E.g.: Laptop on wifi drops signal for some reason and misses the incoming packet.

Since the server is seeing the issue and we know it's definitely happening there in this case I *would* run wireshark on it (assuming no major production impacts) and try to keep the variables to a minimum.
hecgomrec, Network Administrator

Commented:
If possible, create a rule on your firewall to prevent the IP from connecting to the internet or to a specific service, and wait to see if any user complains about not having access or asks any similar question.

Author

Commented:
Using Wireshark, I found out the cause: several ShoreTel phones were requesting the data network IP addresses.
