[RndTbl] Shaw DHCP weirdness or attack?

Trevor Cordes trevor at tecnopolis.ca
Wed Dec 5 11:59:00 CST 2012


On 2012-12-05 Sean Walberg wrote:
> I've seen it a couple of times:
> 
> /var/log/messages-20121111:Nov 10 21:35:17 bob dhclient[1114]:
> parse_option_buffer: malformed option dhcp.<unknown> (code 105):
> option length exceeds option buffer length.
> 
> I'm on 24.77.240.0/22

I did a packet cap and wireshark to view.  Something very weird is
going on here.  Wireshark says the DHCP packets at the time of error
are malformed.

It's from 50.72.224.1, which appears to be a Shaw router?  I'm on a
50.72 network.  It doesn't appear to be the normal Shaw DHCP server.

The packet is 50.72.224.1:67 to 255.255.255.255:68, 308 bytes

It's telling me my client IP is <insert not my ip here>
"Relay agent" 50.72.224.1 (same as above)
client mac: AsustekC brand (hmmmm...)

It gets cut off in the middle of the fqdn option, hence probably the
malformation and /v/l/messages error.

So my guess now is probably some nitwit has a DHCP server working the
Shaw network side rather than their internal side?  Or maybe a
deliberate hack attempt to hand out bogus IPs?

Sucks that it has to fill my logs with 648 errors so far today...
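
Added example, not part of the original post: a minimal Python walk of a DHCP reply's options that reports the same condition dhclient logs (an option whose length byte runs past the end of the packet) together with the offered IP, relay agent and client MAC. The function names and the sample packet (documentation addresses, made-up MAC, FQDN option 81 cut short) are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)
BOOTP_LEN = 236              # fixed BOOTP header that precedes the cookie

def walk_options(buf):
    """Walk code/length/value options; return (options, error_or_None)."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == 0:        # pad option, single byte
            i += 1
            continue
        if code == 255:      # end option
            return opts, None
        if i + 1 >= len(buf):
            return opts, f"option {code}: length byte missing"
        length = buf[i + 1]
        left = len(buf) - i - 2
        if length > left:    # the condition dhclient reports as malformed
            return opts, f"option {code}: length {length} exceeds remaining buffer ({left} bytes)"
        opts.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return opts, "no end option (255) before end of packet"

def inspect_reply(payload):
    """Summarise a BOOTP/DHCP UDP payload for triage of odd replies."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC:
        return {"error": "not a DHCP packet"}
    opts, err = walk_options(payload[BOOTP_LEN + 4:])
    return {
        "yiaddr": socket.inet_ntoa(payload[16:20]),   # offered client IP
        "giaddr": socket.inet_ntoa(payload[24:28]),   # relay agent
        "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),  # client MAC
        "options": opts,
        "error": err,
    }

def sample_packet():
    """Constructed sample: documentation addresses, made-up MAC, FQDN option cut short."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0x8000,
                      bytes(4), socket.inet_aton("192.0.2.10"), bytes(4), socket.inet_aton("192.0.2.1"),
                      bytes.fromhex("020000000001"), bytes(64), bytes(128))
    # Option 53 (message type = OFFER), then option 81 (FQDN) claiming 20 bytes with 7 present
    return hdr + MAGIC + bytes([53, 1, 2]) + bytes([81, 20]) + b"\x00\x00\x00host"

if __name__ == "__main__":
    print(inspect_reply(sample_packet()))
```
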

