Windows Server 2008 R2 Thread, bad_address filling up dhcp leases in Technical
  1. #1

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14

    bad_address filling up dhcp leases

    Greetings,

    Having a weird issue that's just started in the last week. For no reason at all the DHCP leases suddenly fill up with bad addresses until the scope is full and no one can log on. The network grinds to a halt at the same time. Nothing has been changed on the DHCP side of things, but a few months ago I had enabled DNS scavenging; however, this problem has only happened twice in the last week. It seems to happen at the time the clients renew their leases, which would explain why there is a sudden flood of bad addresses, but I can't think of anything that would be causing this to happen.

    Any ideas, advice are most welcomed!

    James

  2. #2

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    Additional info: The MAC addresses being reported for all of the bad_address clients are not correct either; they are only 8 digits long as opposed to the normal 12 digits.

  3. #3
    Mcshammer_dj's Avatar
    Join Date
    Feb 2007
    Location
    Portsmouth
    Posts
    991
    Thank Post
    39
    Thanked 180 Times in 145 Posts
    Rep Power
    98
    Sounds like a failed network card may be trying to get an address and then failing and retrying.

    Run Wireshark and see if that can help identify the culprit.

  4. Thanks to Mcshammer_dj from:

    jjohnsoncantell (31st May 2012)

  5. #4

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    You don't have 2 DHCP servers that are conflicting, do you?

    Also, I've seen it before where a device (printer) was requesting DHCP addresses but never actually taking them, therefore eating all the free addresses.

  6. Thanks to glennda from:

    jjohnsoncantell (31st May 2012)

  7. #5

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    Thanks for such quick replies. I've heard of Wireshark but never used it; what am I looking for? I have just cleared them and within seconds they are all back again. The MAC addresses are still unique and I find it hard to believe that many different machines have failed all at the same time (although I can't rule it out either).

  8. #6
    Mcshammer_dj's Avatar
    Join Date
    Feb 2007
    Location
    Portsmouth
    Posts
    991
    Thank Post
    39
    Thanked 180 Times in 145 Posts
    Rep Power
    98
    Check there isn't a router or a device that can dish out IP addresses attached to the network.

  9. Thanks to Mcshammer_dj from:

    jjohnsoncantell (31st May 2012)

  10. #7
    Mcshammer_dj's Avatar
    Join Date
    Feb 2007
    Location
    Portsmouth
    Posts
    991
    Thank Post
    39
    Thanked 180 Times in 145 Posts
    Rep Power
    98
    Client computers running Windows Server 2003, Windows XP, Windows 2000, Windows NT 4.0, Windows Millennium Edition, and Windows 98 automatically check to determine if an IP address is already in use before using it.

    After the DHCP client receives a lease from the DHCP server, the client sends an Address Resolution Protocol (ARP) request to the address that it has been assigned. If a reply to the ARP request is received, the client has detected a conflict and sends a DHCPDecline message to the DHCP server. The DHCP server attaches a BAD_ADDRESS value to the IP address in the scope for the length of the lease. The client then begins the lease process again, and is offered the next available address in the scope.

    Likely an overlapping scope on another DHCP server (maybe authorised or rogue) or a PC with static IP that conflicts.

  11. Thanks to Mcshammer_dj from:

    jjohnsoncantell (31st May 2012)
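
Added example (not posted by anyone in this thread): a sketch of what to look for in a capture, following the DHCPDecline explanation in post #7. It parses DHCP payloads, flags OFFER/ACK messages whose server identifier is not on an authorised list, and lists clients that repeatedly send DHCPDECLINE together with the addresses they declined. The server address 10.0.0.10, the MAC addresses and the SAMPLE packets are constructed; `decline_limit` and the function names are assumptions of this example.

```python
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"      # magic cookie that follows the 236-byte BOOTP header
OFFER, DECLINE, ACK = 2, 4, 5    # option 53 message types (RFC 2132)

def parse_dhcp(payload):
    """Return {type, server, requested, mac} for a DHCP UDP payload, else None."""
    if len(payload) < 241 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                                        # truncated option: stop here
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    addr = lambda c: ".".join(map(str, opts[c])) if len(opts.get(c, b"")) == 4 else None
    return {"type": (opts.get(53) or b"\0")[0], "server": addr(54), "requested": addr(50),
            "mac": payload[28:28 + min(payload[2], 16)].hex(":")}

def triage(payloads, authorised, decline_limit=3):
    """Flag unlisted servers handing out leases and clients that keep declining them."""
    rogue, declines = set(), defaultdict(list)
    for msg in filter(None, map(parse_dhcp, payloads)):
        if msg["type"] in (OFFER, ACK) and msg["server"] not in authorised:
            rogue.add(msg["server"] or "unknown")
        elif msg["type"] == DECLINE:                     # declined IP becomes BAD_ADDRESS
            declines[msg["mac"]].append(msg["requested"])
    noisy = {m: ips for m, ips in declines.items() if len(ips) >= decline_limit}
    return {"rogue_servers": sorted(rogue), "declining_clients": noisy}

def make(msg_type, mac, server=None, requested=None):
    """Build a constructed DHCP payload for SAMPLE below (not captured traffic)."""
    hdr = bytes([2 if msg_type in (OFFER, ACK) else 1, 1, 6, 0]) + bytes(24)
    hdr += bytes.fromhex(mac) + bytes(10 + 64 + 128)     # chaddr padding, sname, file
    opts = bytes([53, 1, msg_type])
    for code, ip in ((54, server), (50, requested)):
        if ip:
            opts += bytes([code, 4]) + bytes(map(int, ip.split(".")))
    return hdr + MAGIC + opts + b"\xff"

PC_A, PC_B, DHCP = "001122334455", "66778899aabb", "10.0.0.10"   # constructed values
SAMPLE = [make(OFFER, PC_A, server=DHCP)] + [
    make(DECLINE, PC_A, server=DHCP, requested=f"10.0.0.{n}") for n in (101, 102, 103)] + [
    make(OFFER, PC_B, server="192.168.1.1"), b"not dhcp"]

if __name__ == "__main__":
    print(triage(SAMPLE, authorised={DHCP}))
```

With a real capture, feed it the UDP port 67/68 payloads. In Wireshark the display filter `dhcp.option.dhcp == 4` (`bootp.option.dhcp == 4` in older versions) isolates the same DHCPDECLINE messages.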

  12. #8

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Or somebody has been really clever and brought in their own wireless router which happens to also be giving out addresses!

  13. Thanks to glennda from:

    jjohnsoncantell (31st May 2012)

  14. #9
    Mcshammer_dj's Avatar
    Join Date
    Feb 2007
    Location
    Portsmouth
    Posts
    991
    Thank Post
    39
    Thanked 180 Times in 145 Posts
    Rep Power
    98
    Originally posted by glennda:
    Or somebody has been really clever and brought in their own wireless router which happens to also be giving out addresses!
    Yeah, seen this before with someone having a spare router, so plugged it in to make his mobile phone work wirelessly at work.

  15. Thanks to Mcshammer_dj from:

    jjohnsoncantell (31st May 2012)

  16. #10

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Originally posted by Mcshammer_dj:
    Yeah, seen this before with someone having a spare router, so plugged it in to make his mobile phone work wirelessly at work.
    Same here!

  17. Thanks to glennda from:

    jjohnsoncantell (12th June 2012)

  18. #11

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    Could a network bridge a staff member set up on their laptop be causing this to happen?

    James

  19. #12

    glennda's Avatar
    Join Date
    Jun 2009
    Location
    Sussex
    Posts
    7,821
    Thank Post
    272
    Thanked 1,140 Times in 1,036 Posts
    Rep Power
    351
    Originally posted by jjohnsoncantell:
    Could a network bridge a staff member set up on their laptop be causing this to happen?

    James
    Possibly - it depends what is bridged and the options set up.

  20. Thanks to glennda from:

    jjohnsoncantell (31st May 2012)

  21. #13

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    It was the LAN + WAN NIC that had been bridged. The NIC was plugged in and active, and the wireless card was also live and connected to the network.

  22. #14

    Join Date
    Oct 2008
    Location
    Southampton, England
    Posts
    215
    Thank Post
    40
    Thanked 10 Times in 6 Posts
    Rep Power
    14
    Haven't had any bad addresses so far today, but I'm still a bit anxious it will happen again, bearing in mind it's not regular since it happened on Monday and Wednesday. Got fingers crossed, and thanks to all for your suggestions.

  23. #15

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,850
    Thank Post
    110
    Thanked 598 Times in 514 Posts
    Blog Entries
    1
    Rep Power
    227
    Bear in mind this can also be caused deliberately by someone doing nefarious things.

    Hak5 - Episode 702 – DHCP Exhaustion and DNS Man-in-the-Middle
    Metasploit DHCP Exhaustion and DNS MiTM - DigiNinja

    This can (along with the other issues like rogue DHCP servers) and should be mitigated by using the DHCP snooping features on your switches.

    DHCP snooping - Wikipedia, the free encyclopedia
    Last edited by Geoff; 31st May 2012 at 12:23 PM.

  24. Thanks to Geoff from:

    jjohnsoncantell (12th June 2012)


