[NTLUG:Discuss] DHCP Vulnerability?

Jack Snodgrass jack at jacksnodgrass.com
Fri Aug 13 15:28:17 CDT 2004


On Fri, 2004-08-13 at 14:54 -0500, Jim Goode wrote:
> I am running an e-Smith/Mitel SME server with DHCP enabled. The server 
> supports desktops that are running MS Windows 2000 Professional.
> 
> Earlier today (and several times over the past 2 months) I lost 
> connectivity to the server from my desktop. This time I discovered that 
> the IP assigned to my desktop was not in the DHCP range I had specified 
> on the server. I spot checked a couple of other desktops and they had 
> the same problem. The 1st and 2nd octet that had been assigned remained 
> constant (169.254.) but the 3rd and 4th were quite different (113.233, 
> 133.162, and 233.134). I use 192.168 for my internal LAN.
> 
> After researching some web sites, I see that US-CERT reported a DHCP 
> vulnerability on June 22, 2004 (VU# 317350 and 654390).
> 
> 1) Could my problem be related to one of these vulnerabilities?
> 2) Could my server have a virus?
> 3) If yes, how can I find and remove the virus?
> 4) Is there a patch for the DHCP problem? The SME server is based on Red 
> Hat 7.2 under the covers and RH no longer supports this release.
> 
> Thank you for your time and response,
> Jim

169.254/16 are what Windows PCs ( and maybe some Linux boxes ) assign 
themselves when they can't talk to a DHCP server. The 169.254/16 range
is documented someplace..... it may be a MS thing... 
See http://www.win2000mag.com/Articles/Index.cfm?ArticleID=7464

So... I think you're saying that 
1) You expected to have your DHCP addresses assigned in the 192.168.x.x 
range and that 
2) You are getting them assigned in the 169.254/16 range...

... the simple answer ( I think ) is your PCs aren't able to talk to
the DHCP server so when their leases expire... they auto-assign 
themselves one of these bogus 169.254.x.x addresses. 

   Maybe your DHCP server is busy, or has network connectivity issues. 
I'd start some sort of ping 10 times a minute log and see if it 
goes off the network for extended periods of time and check the logs
on the DHCP server. 


jack 
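
Added example, not part of the original message: one way to build the "ping 10 times a minute" log suggested above and pull extended outages out of it, plus a check for the 169.254/16 self-assigned addresses from the question. It assumes a Linux host with the iputils `ping` (`-c`, `-W`); the address 192.168.1.1 and the 60-second outage threshold are placeholders chosen for illustration.

```python
import ipaddress
import subprocess
import time

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # IPv4 link-local (RFC 3927)

def is_self_assigned(addr):
    """True if addr is a 169.254.x.x fallback address, i.e. no DHCP lease."""
    return ipaddress.ip_address(addr) in LINK_LOCAL

def ping_once(host, timeout_s=2):
    """Send one ICMP echo with the Linux iputils ping; True on a reply."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0

def find_outages(samples, min_seconds=60):
    """Return (start, end) for each run of failed probes >= min_seconds long.

    samples is a list of (unix_time, reachable) in time order. An outage runs
    from the first failed probe to the next successful one (or to the last
    failed probe if the log ends while the host is still down).
    """
    outages, start, last = [], None, None
    for ts, ok in samples:
        if ok and start is not None:
            if ts - start >= min_seconds:
                outages.append((start, ts))
            start = None
        elif not ok and start is None:
            start = ts
        last = ts
    if start is not None and last - start >= min_seconds:
        outages.append((start, last))
    return outages

def monitor(host, interval_s=6, rounds=None, probe=ping_once, emit=print):
    """Probe host every interval_s seconds (6 s = 10 per minute) and log it."""
    samples = []
    while rounds is None or len(samples) < rounds:
        ts, ok = time.time(), probe(host)
        samples.append((ts, ok))
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))
        emit(f"{stamp} {host} {'up' if ok else 'DOWN'}")
        time.sleep(interval_s)
    return samples

if __name__ == "__main__":
    # 192.168.1.1 is a placeholder for the DHCP server; 600 rounds = one hour.
    for start, end in find_outages(monitor("192.168.1.1", rounds=600)):
        print(f"outage: {end - start:.0f} s starting at {time.ctime(start)}")
```

Comparing the outage windows it reports with the DHCP server's own log shows whether the server was unreachable around the time clients fell back to 169.254.x.x.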