Find out who paralyzed the DHCP server.

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Some time ago, a colleague at headquarters told me that the wireless network could not be used and that no IP address could be obtained. I logged in to the DHCP server to check and found that the DHCP server had failed. The failure is shown in the figure below: a large number of bad_address entries quickly filled the DHCP address pool.

Then he captured some packets and asked me to help analyze them.

I filtered on DHCP and focused on the DHCP packets. A large number of DHCP Decline packets were found.

Some readers may seldom have heard of DHCP Decline. Put simply, if the client finds that the IP address assigned by the DHCP server is already used by someone else, the client sends a DHCP DECLINE message telling the DHCP server to disable that IP address to avoid an IP address conflict, and the address pool then shows the address as bad_address.

It seems that the DHCP server outage was caused by the large number of Decline packets, so the next step is to find out why there are so many Declines.

Here I picked one Decline, analyzed the packets before and after it in detail, and found the entire DHCP process shown in the following figure.

The first four packets in the figure above are the standard four DHCP steps.

Packets 917, 963, 964 and 997 show that the MAC of the client is 8B07 (not visible in the screenshot). 8B07 obtained the IP 172.18.56.189 through DHCP.

Packet 1092: having obtained the IP, 8B07 sends an ARP request to confirm that the address is not in use.

Unfortunately, packet 1173 shows that the terminal with MAC address A053 says, "Sorry, I've already used this IP."

At this point, packet 1178 shows that 8B07 concludes that the IP 172.16.56.189 given to it by DHCP is already used by someone else, so it sends a Decline to the server.

Continuing with the cause of the next Decline, I found that the same 8B07 obtained a new IP, 172.18.46.190, and the same A053 terminal said that it was already using 172.18.46.190. It seems that there is a big problem with this A053, so I filtered on A053, as shown in the following figure.

The figure above seems to show that no matter which address 8B07 gets, A053 replies that the address is in use, causing 8B07 to send a large number of Declines, so the DHCP server address pool is quickly exhausted.

Solution: decisively log in to the AC controller and block the A053 MAC. All the problems were solved at once.
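The per-Decline analysis above can be automated. The following is an added example, not code from the original post: it pairs each DHCP Decline with the ARP reply that preceded it and reports MACs that caused Declines for several different addresses. The event rows, full MAC addresses and function names are constructed for illustration; only the 8b07/a053 suffixes and the 172.18.x.x addresses echo the article.

```python
from collections import defaultdict

# Constructed sample, shaped like rows exported from a capture:
# (frame number, event kind, MAC, IP). MAC prefixes and most frame
# numbers are made up for this example.
CLIENT = "02:00:00:00:8b:07"
A053 = "02:00:00:00:a0:53"
OTHER = "02:00:00:00:11:22"
EVENTS = [
    (997, "ack", CLIENT, "172.18.56.189"),         # DHCP ACK: lease given to client
    (1092, "arp_probe", CLIENT, "172.18.56.189"),  # client checks the address
    (1173, "arp_reply", A053, "172.18.56.189"),    # another MAC claims the address
    (1178, "decline", CLIENT, "172.18.56.189"),    # client sends DHCP Decline
    (1301, "ack", CLIENT, "172.18.46.190"),
    (1310, "arp_probe", CLIENT, "172.18.46.190"),
    (1322, "arp_reply", A053, "172.18.46.190"),
    (1325, "decline", CLIENT, "172.18.46.190"),
    (1400, "ack", "02:00:00:00:33:44", "172.18.46.20"),
    (1410, "arp_reply", OTHER, "172.18.46.20"),    # a single genuine conflict
    (1412, "decline", "02:00:00:00:33:44", "172.18.46.20"),
]

def decline_triggers(events):
    """Map each MAC whose ARP reply preceded a Decline to the IPs it claimed."""
    last_claim = {}             # ip -> MAC of the most recent ARP reply for it
    claimed = defaultdict(set)  # responder MAC -> declined IPs it had claimed
    for _frame, kind, mac, ip in sorted(events):
        if kind == "arp_reply":
            last_claim[ip] = mac
        elif kind == "decline":
            responder = last_claim.pop(ip, None)
            if responder and responder != mac:
                claimed[responder].add(ip)
    return dict(claimed)

def suspects(events, min_ips=2):
    """MACs that caused Declines for at least min_ips different addresses."""
    return sorted(mac for mac, ips in decline_triggers(events).items()
                  if len(ips) >= min_ips)

if __name__ == "__main__":
    for mac in suspects(EVENTS):
        print(mac, sorted(decline_triggers(EVENTS)[mac]))
```

A host that answers for one address is an ordinary conflict; a host that answers for every address a client is offered, as A053 does here, is the one to investigate.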

Follow-up: my guess is that the A053 host is infected with an ARP virus; a small ARP virus unexpectedly has such a big impact. Skipping security steps can cause trouble later. If you want to secure as many APs, ACs, switches and servers as possible, you need a policy that is as strict as possible. We can talk about this in more detail in future blog posts.
