"Rogue" DHCP server

cenuij

Hi

I have a 'rogue' dhcp server running on my home network, and I was trying to locate and disable it. So I captured some network traffic during a DHCP request, like this

Code:
$ sudo tcpdump -i br0 -ne udp port 68  -vv
tcpdump: listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:43:38.342293 b2:d2:08:2e:13:91 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 352: (tos 0x0, ttl 64, id 6190, offset 0, flags [DF], proto UDP (17), length 338)
    192.168.2.166.68 > 255.255.255.255.67: [bad udp cksum 0xc49d -> 0x4efb!] BOOTP/DHCP, Request from de:ad:c0:de:ca:fe, length 310, xid 0x794bb7e, Flags [Broadcast] (0x8000)
      Client-Ethernet-Address de:ad:c0:de:ca:fe
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Discover
        Parameter-Request (55), length 64:
          Unknown (252), Subnet-Mask (1), Time-Zone (2), Default-Gateway (3)
          Time-Server (4), IEN-Name-Server (5), Domain-Name-Server (6), LOG (7)
          CS (8), LPR-Server (9), IM (10), RL (11)
          Hostname (12), BS (13), DP (14), Domain-Name (15)
          SS (16), RP (17), EP (18), IPF (19)
          SRT (20), PF (21), RSZ (22), TTL (23)
          MTU-Timeout (24), MTU-Table (25), MTU (26), LSN (27)
          BR (28), MD (29), MS (30), Router-Discovery (31)
          RSA (32), Static-Route (33), UT (34), AT (35)
          IE (36), TT (37), KI (38), KG (39)
          YD (40), YS (41), NTP (42), Vendor-Option (43)
          Netbios-Name-Server (44), WDD (45), Netbios-Node (46), Netbios-Scope (47)
          XFS (48), XDM (49), Requested-IP (50), Lease-Time (51)
          OO (52), DHCP-Message (53), Server-ID (54), Parameter-Request (55)
          MSG (56), MSZ (57), RN (58), RB (59)
          Vendor-Class (60), Client-ID (61), BF (67), TFTP (66)
10:43:38.400529 a0:f3:e4:a2:e1:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 304: (tos 0xc0, ttl 64, id 49562, offset 0, flags [none], proto UDP (17), length 290)
    100.72.70.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 262, xid 0x794bb7e, Flags [Broadcast] (0x8000)
      Your-IP 100.72.70.90
      Server-IP 155.239.255.250
      Gateway-IP 100.72.66.1
      Client-Ethernet-Address de:ad:c0:de:ca:fe
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Offer
        Server-ID (54), length 4: 155.239.255.250
        Lease-Time (51), length 4: 63936000
        Subnet-Mask (1), length 4: 255.255.255.0
10:43:38.868458 d4:ca:6d:9a:17:53 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 16, id 0, offset 0, flags [none], proto UDP (17), length 328)
    192.168.2.1.67 > 255.255.255.255.68: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x794bb7e, Flags [Broadcast] (0x8000)
      Your-IP 192.168.2.142
      Server-IP 192.168.2.1
      Client-Ethernet-Address de:ad:c0:de:ca:fe
      file "grubnetx64.efi.signed"
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message (53), length 1: Offer
        Server-ID (54), length 4: 192.168.2.1
        Lease-Time (51), length 4: 36000
        Subnet-Mask (1), length 4: 255.255.255.0
        Default-Gateway (3), length 4: 192.168.2.1
        Domain-Name-Server (6), length 4: 192.168.2.1
        Domain-Name (15), length 4: "reda"
        NTP (42), length 4: 192.168.2.1

One DHCP offer comes from my Mikrotik router, which is fine. The other seems to be from some Alcatel Lucent device (based on the MAC address, guessing it is related to some VoIP service or something) running on the Telkom network (server IP is 155.239.255.250). I am on OpenServe fibre, so it seems to me to be something related to some configuration on my Huawei EchoLife HG8240H ONT device ... or at least that is what I am guessing here? If it is, is it something that I can disable myself? How would I do it? Or should I contact Axxess support?

Thanks in advance ...
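The capture above shows two Offers answering a single Discover, and the field that tells them apart is the Server-ID (option 54). As an added example (not code from the post), here is a small Python parser that reads raw DHCP Offer packets, pulls out Your-IP, Server-IP, Gateway-IP and the Server-ID option, and flags any offer from a server that is not on an allowlist. The sample packets are constructed to mirror the two offers in the capture, with 192.168.2.1 (the MikroTik) assumed to be the only trusted server.

```python
# Added example (not from the post): parse DHCP Offers and flag any whose
# Server-ID (option 54) is not a known DHCP server.
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
KNOWN_SERVERS = {"192.168.2.1"}     # the MikroTik; anything else is suspect
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"   # BOOTP fixed fields up to chaddr (44 bytes)
ip4 = lambda s: ipaddress.ip_address(s).packed

def build_offer(your_ip, server_ip, gateway_ip, server_id, lease,
                xid=0x0794bb7e, mac=bytes.fromhex("deadc0decafe")):
    """Constructs a minimal Offer; used only to create sample input here."""
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4,
                      ip4(your_ip), ip4(server_ip), ip4(gateway_ip),
                      mac.ljust(16, b"\0")) + b"\0" * 192     # sname + file
    opts = (b"\x35\x01\x02" + b"\x36\x04" + ip4(server_id)    # 53 Offer, 54 Server-ID
            + b"\x33\x04" + struct.pack("!I", lease)          # 51 Lease-Time
            + b"\x01\x04\xff\xff\xff\x00" + b"\xff")          # 1 Subnet-Mask, end
    return hdr + MAGIC_COOKIE + opts

def parse_offer(pkt):
    """Returns the fields a rogue-DHCP check needs, or None if not an Offer."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC_COOKIE:
        return None
    f = struct.unpack(BOOTP_HDR, pkt[:44])
    info = {"xid": f[4], "client_mac": f[11][:f[2]].hex(":"),
            "your_ip": str(ipaddress.ip_address(f[8])),
            "server_ip": str(ipaddress.ip_address(f[9])),
            "gateway_ip": str(ipaddress.ip_address(f[10]))}
    i = 240
    while i < len(pkt) and pkt[i] != 0xff:      # 0xff ends the option list
        if pkt[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        val, i = pkt[i + 2:i + 2 + length], i + 2 + length
        if code == 53:
            info["msg_type"] = val[0]
        elif code == 54:
            info["server_id"] = str(ipaddress.ip_address(val))
    return info if info.get("msg_type") == 2 else None   # 2 = DHCPOFFER

def rogue_offers(packets, known=KNOWN_SERVERS):
    """Offers whose Server-ID is missing or not on the allowlist."""
    return [o for o in map(parse_offer, packets) if o and o.get("server_id") not in known]

# Constructed sample input mirroring the two offers in the capture above.
SAMPLES = [build_offer("100.72.70.90", "155.239.255.250", "100.72.66.1", "155.239.255.250", 63936000),
           build_offer("192.168.2.142", "192.168.2.1", "0.0.0.0", "192.168.2.1", 36000)]
```

Feeding it the UDP payloads from a capture on port 68 (for example via scapy or a raw socket) reproduces the finding in the post: only the 155.239.255.250 offer is flagged.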
 
Enable DHCP snooping if your switch allows it.
 
The Huawei would not identify as Alcatel Lucent.

Well he clearly doesn’t have an Alcatel Lucent and I’m sure he can read a box.

So either it’s something else, or it’s using an Alcatel chipset.

Or the MAC address database is wrong and it’s actually just a HUAWEI box.
 
Well there is just the Huawei box, so maybe the Alcatel MAC was just misleading.
 
Hmm, indeed, I just bridged everything on the MikroTik. Not sure why it worked without issues until now ... but I will try to change my setup. Thanks.
Remove the WAN port from the bridge.
 
The default tik config is good. It has separate WAN and LAN + it has MSS clamping. You will save yourself many headaches by just adopting and using that.
Also rather use 1.1.1.2 or 9.9.9.9 as the DNS.
 