[RndTbl] Shaw DHCP weirdness or attack?

Sean Walberg sean at ertw.com
Wed Dec 5 09:44:21 CST 2012


I've seen it a couple of times:

/var/log/messages-20121111:Nov 10 21:35:17 bob dhclient[1114]:
parse_option_buffer: malformed option dhcp.<unknown> (code 105): option
length exceeds option buffer length.
/var/log/messages-20121118:Nov 16 22:02:35 bob dhclient[1114]:
parse_option_buffer: malformed option dhcp.slp-service-scope (code 79):
option length exceeds option buffer length.
/var/log/messages-20121125:Nov 21 22:48:13 bob dhclient[1114]:
parse_option_buffer: malformed option dhcp.slp-service-scope (code 79):
option length exceeds option buffer length.

I'm on 24.77.240.0/22

Sean


On Wed, Dec 5, 2012 at 6:51 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> Starting Nov 29 04:16:10 I start seeing a new error in my /v/l/messages
> from dhclient (the DHCP client for my Shaw internet connection):
>
> Nov 29 04:16:10 pog dhclient[1271]: parse_option_buffer: malformed option
> dhcp.fqdn (code 81): option length exceeds option buffer length.
>
> And it repeats every 30-39s for hours, then sometimes stops for a while.
> Sometimes skips a day but then starts up again.
>
> Is someone trying a known DHCP buffer overflow attack on my Shaw segment
> or is this something legit that Shaw is passing out that linux doesn't
> understand?  I know what fqdn means, though why it should exceed buffer
> limits is beyond me.
>
> Can others check their logs and see if they're getting this too?
>
> There was 1 other weird dhclient error before this started:
> Nov 27 06:52:55 pog dhclient[1271]: parse_option_buffer: malformed option
> dhcp.uap-servers (code 98): option length exceeds option buffer length.
> _______________________________________________
> Roundtable mailing list
> Roundtable at muug.mb.ca
> http://www.muug.mb.ca/mailman/listinfo/roundtable
>



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.muug.mb.ca/pipermail/roundtable/attachments/20121205/bd715287/attachment.html>


More information about the Roundtable mailing list