Header Only - DO NOT REMOVE - Extreme Networks

DHCP Snooping False Positives


Userlevel 4
Create Date: Dec 20 2012 11:51AM

Hello All!

I’ve been using DHCP Snooping on my corporate network and its working as I would expect, apart from a few oddities. Which I would like to point out to you guys and hopefully find people seeing similar.

The main focus is an issue we've been experiencing with Windows 7 clients sending DHCP Offer packets instead of acknowledgement/request packets. This causes DHCP snooping to kick into life and to either disable the port or drop the packet, which is what we have it set too after the issues we are seeing. This then causes a log message informing us that an untrusted source has sent a DHCP offer of 0.0.0.0, which we then get alerted on via our syslog server.

When this happens it can also take the client PC longer to obtain an IP address. The symptoms/circumstances that can cause this to happen have been tested extensively and we’ve confirmed they are consistent. However, that’s not to say it will always trigger the offer packet from the client. It is seemingly random. Generally speaking, when a laptop is moved from a private network, or another subnet within our corporate network, there’s a chance it will send a DHCP offer packet. Please see example below. Entry one, two, four and five are from the DHCP Servers. The third entry is from the client machine, sending an offer packet itself instead of a request/acknowledgement.

58476 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526



58477 12:56:58 16/11/2012 XXX.XXX.XXX.XXX DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526



58494 12:56:58 16/11/2012 0.0.0.0 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526



58498 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526



58507 12:56:58 16/11/2012 XXX.XXX.XXX.XXX 255.255.255.255 DHCP:Reply, MsgType = OFFER, TransactionID = 0xE5F0E526

Previously we had set the port to block on detection of rogue DHCP Services, however, with the more wide spread rollout of Windows 7 we changed this to just drop the packet. However the frequency and volume of syslog alerts has increased as you would expect.

Basically, I’ve submitted my findings to Microsoft and they have confirmed it’s a bug in Windows 7 that was introduced with a hotfix pre-SP1. In order for them to be willing to fix it and to release a hotfix to fix the hotfix, they need to gauge the impact on businesses running Windows 7 with DHCP Snooping enabled on their network.

Please can people respond to this thread if they’ve seen some similar behaviour, even if they haven’t been able to explain it please? I’m hoping there are more people out there who have been using DHCP snooping with Windows 7 client s

I would like people to respond to this thread please, especially the people using Windows 7 and DHCP snooping and have seen this issue. Even if it hasn’t occurred to you that Windows 7 might have been the issue, any DHCP Snooping false positives would be handy to know about.

Googling around, there have been some instances reported with people running a competitors switch setup (not sure if I can mention their name here! 😉 ) and they’re seeing the same issue with DHCP Snooping enabled and Windows 7 being used. So I’m pretty certain it’s in no way an issue with Extreme’s implementation. Take this thread as an example:

http://www.pronetworks.org/forums/win...

Shows someone also noticing/experiencing the issue, so I’m hoping there are more people here.

Many thanks for takign the time to read all of it if you got this far! 🙂

(from Shaun_Kent)

13 replies

Userlevel 4
Create Date: Dec 20 2012 1:25PM

Great post Nerfie thanks for sharing it. I have also sent it on to my customers to inform them of potential issues that they may be seeing.

P (from Paul_Russo)
Userlevel 4
Create Date: Dec 21 2012 10:26AM

Hi Nerfie,
Thanks for the Post, infact we have DHCP snooping enabled on our network and I too had this for a long time infact.

ipSecur: A Rogue DHCP server with IP 0.0.0.0 was detected on port 9
ipSecur: A Rogue DHCP server on VLAN with IP 0.0.0.0 was detected on port 9

Regards
PJ (from PRASAD_JACOB)
Userlevel 4
Create Date: Jan 7 2013 9:14AM

@Prusso, Thanks! I hope it helps! Can you confirm how wide spread you've seen this, if at all yet, with your customers?

@Pj, Cheers! Glad to see we were not the only ones! Can you confirm if this was due to Windows 7 Clients?

(from Shaun_Kent)
Userlevel 4
Create Date: Jan 7 2013 11:16AM

HI, in fact all clients were Windows 7

Regards
PJ (from PRASAD_JACOB)
Userlevel 4
Create Date: Jan 7 2013 11:55AM

Thanks PJ, are you investigating every instance of this happening or pretty much ignoring anything which shows up with 0.0.0.0 ?

Also, have you noticed any delay in obtaining an IP address with DHCP snooping enabled? Either via Windows clients or say Avaya (or other VoIP based) phones?

Cheers! (from Shaun_Kent)
Userlevel 4
Create Date: Jan 9 2013 3:55PM

I have definitely seen this on my network, quite a bit actually. I haven't been able to trace it down to windows 7 specifically but that seems to be a common thread (I hadn't found enough machines in time to confirm that was the culprit.) (from Ansley_Barnes)
Userlevel 4
Create Date: Jan 15 2013 3:20PM

Hello,

I am using DHCP Snooping on my corporate network too.
Every few days I get false-positive DHCP-Alerts. From Extreme Switches as well as from HP Switches.
It seems like Windows 7 would sporadically reflect a DHCP-Offer, but replaces Source-MAC with its own and Source-IP with 0.0.0.0. The "DHCP Server Identifier" in the packet still contains the IP from the original DHCP-Server.
I asked the users what they have done when the DHCP-Alert occured, one docked his notebook into the docking station, another restored an image. But we were not able to reproduce the problem.

By the way: Since Windows 7 we also have problems with DHCP Broadcast Storms and IP-Address Conflicts. When someone dismounts his HDD from Computer A and installs it in Computer B, Windows still uses the old IP-Address, it doesn't request a new one. Requirements to reproduce it: Windows 7, DHCP-Reservation (no Pool-IP), enabled APIPA (not disabled in registry). Workaround: I set a registry key to instruct Windows to release the IP-Address on shutdown: HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\\ReleaseOnShutDown = 1 (REG_DWORD)

Best regards,
Michael (from MichaelM)
Userlevel 4
Create Date: Jan 23 2013 1:19PM

Hi All,

we observed the same issues. DHCP snooping is on and under normal circumstances it works perfect. Since we have Dell Notebooks with W7 Pro we got randomly messages that "DHCP violation occured. Blocking MAC ... temporarily. And "A Rogue DHCP server with IP 0.0.0.0 was detected on port .." This only occurs when the notebook starts up. The users didn't mentioned or didn't noticed that the logon process took longer.

Regards, Jack Mikel (from Hans-Michael_Dudek)
Userlevel 4
Create Date: Feb 19 2013 12:17PM

Thanks for all the feedback everyone.

Just an update to let you know that Microsoft should be working on a hotfix as we speak. I will be getting a private release to test, if all goes well, you can all expect the public release via Windows Update in April.

Cheers! (from Shaun_Kent)
Userlevel 4
Create Date: Feb 27 2013 10:58AM

Hello,

Same problem here. We have two Student Residences and discovered DHCP Offer packets from clients with information like:

75462 78.692064000 0.0.0.0 255.255.255.255 DHCP 354 DHCP Offer - Transaction ID 0x1416f5e5
Ethernet II, Src: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 192.168.1.27 (192.168.1.27) // range not from residence network
Client MAC address: AsustekC_XX:XX:XX (48:5b:39:XX:XX:XX) // client mac address

[Malformed Packet: BOOTP/DHCP]
Expert Info (Error/Malformed): Malformed Packet (Exception occurred)

Hope to ear from you soon with Microsoft latest info regarding the hotfix.

Best Regards,
Eduardo


edit: can you tell us what hotfix is causing this situation? Thanx

(from [eB] )
Userlevel 4
Create Date: Mar 11 2013 11:37AM

Hi Nerfie

We have the same issue in our network. Did you receive a hotfix from microsoft?

Regards
Markus (from mafumaso )
Userlevel 4
Create Date: May 15 2013 12:05PM

Hello all,

Apologies for the late response. However I come bearing good news! The hotfix has been released publically and you can find information about it here:

http://support.microsoft.com/kb/2824546

Private testing before public release was satisfactory and resolved our issue within the corporate network where it was applied. I hope it also fixes the issues you guys have been seeing similar to me!

Cheers!

(from Shaun_Kent)
EtherNation User wrote:

Create Date: May 15 2013 12:05PM

Hello all,

Apologies for the late response. However I come bearing good news! The hotfix has been released publically and you can find information about it here:

http://support.microsoft.com/kb/2824546

Private testing before public release was satisfactory and resolved our issue within the corporate network where it was applied. I hope it also fixes the issues you guys have been seeing similar to me!

Cheers!

(from Shaun_Kent)

Hi All

I have been experiencing similar issues on corporate LAN where client machines send DHCP requests very often...about 700-3000 requests in couple of hours....Can you please suggest possible cause and fix.Not all but some of the machines...These machines were updated with drivers but issue persists..

Thanks
Karan

Reply