SANS Internet Storm Center (ISC) InfoSec Forums

DHCP requests to 1.1.1.1 and 3.3.3.3?

We had one reader write in today stating that they are seeing DHCP requests to 1.1.1.1 and 3.3.3.3.

DHCP packets should be sent to the broadcast address 255.255.255.255.

So if anyone has packets or an explanation for this traffic please write in to let us know your thoughts.


donald

206 Posts
ISC Handler
Hmm - routers in the enterprise can be configured with a "helper address" to forward BOOTP/DHCP packets to; if one of them is misconfigured that could explain it. Also, I've seen suggestions to use just those addresses (1.1.1.1 and 3.3.3.3) in lab environments to troubleshoot DHCP forwarding issues. Maybe someone set something up in a lab and then installed it on the network? Maybe someone misread a Cisco doc?

I'll bet it's someone doing something stupid. Packets, please - tracking these back by the MAC address is the obvious digging method.
Shane

7 Posts
I've seen this today as well, at only one location. To me it seemed that someone has his home system set up with a DHCP server at 1.1.1.1, and the laptop was attempting to contact it in order to renew his IP. I can't see how something malicious could instruct a workstation to contact 1.1.1.1, unless there's a process running that is acting as a fake DHCP server, which we didn't observe. 1.1.1.1 also did not ARP resolve.

However, seeing that someone else saw the same thing in a different network is certainly raising my eyebrows. I'll track and have the workstation investigated at the next occurrence.
Frank

24 Posts

I have seen this on a network where Cisco Wireless LAN Controllers are used. It seems like 1.1.1.1 is sometimes used as a virtual address by Cisco wireless controllers. The virtual address is used by wireless clients for wireless authentication (over HTTP) and as a DHCP relay.

I agree that the DHCP traffic is probably DHCP renewals. It could be that a client moved from a network where 1.1.1.1 was used as a DHCP server. It may also be that a (poorly configured) VPN client is connected to a local network where 1.1.1.1 is used as a DHCP server and that DHCP renewals are sent through the VPN tunnel, ending up on your network.

Wireless LAN Controller (WLC) FAQ
"Q. How does DHCP work with the WLC?
[...]
3. The WLC shows its Virtual IP address, which must be a non-routable address, usually configured as 1.1.1.1, as the DHCP server to the client."
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
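The renewal explanation in the comments above (a client that last got its lease from a server identified as 1.1.1.1 unicasts its DHCPREQUEST straight to that address rather than broadcasting) is easy to confirm from packet data, and donald's suggestion of tracking offenders by MAC address can be scripted. The following Python script is an added example, not part of the original diary or any commenter's post: it builds a few constructed BOOTP/DHCP client messages, parses the fields that matter (op, chaddr, ciaddr, option 53), and reports any client message sent unicast to an address that is neither the broadcast address nor one of the servers you know about. The sample packets, MAC addresses and the 10.0.0.0/24 network are made up for the example; the set of known servers is an assumption you would replace with your own.

```python
"""Flag DHCP client messages unicast to an unexpected server address, grouped by client MAC."""
import ipaddress
import struct
from collections import defaultdict

BROADCAST = "255.255.255.255"
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 7: "RELEASE", 8: "INFORM"}
OPT_MSG_TYPE, OPT_END = 53, 255


def build_dhcp(chaddr, ciaddr, msg_type):
    """Build a minimal BOOTP/DHCP client message (op=1). Constructed sample data, not a capture."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x3903F326, 0, 0,
                         ipaddress.IPv4Address(ciaddr).packed,   # ciaddr: filled in on renewals
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,        # yiaddr, siaddr, giaddr
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    # A RENEWING client sends no server-identifier option (RFC 2131 section 4.3.2);
    # the unicast destination IP is what tells you which server it remembers.
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])
    return header + MAGIC + options


def parse_dhcp(payload):
    """Return (op, client MAC, ciaddr, message type name) from a raw DHCP payload."""
    op, _htype, hlen, _hops, _xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr = str(ipaddress.IPv4Address(payload[12:16]))
    chaddr = payload[28:28 + hlen].hex(":")
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    return op, chaddr, ciaddr, msg_type


def find_unexpected_unicast(packets, known_servers):
    """packets: iterable of (src_ip, dst_ip, payload). Returns {client MAC: [(dst_ip, msg_type, ciaddr)]}."""
    hits = defaultdict(list)
    for _src, dst, payload in packets:
        op, mac, ciaddr, msg_type = parse_dhcp(payload)
        if op != 1 or dst == BROADCAST or dst in known_servers:
            continue                 # server replies, broadcasts and known servers are expected
        hits[mac].append((dst, msg_type, ciaddr))
    return dict(hits)


# Constructed sample traffic: one client renewing toward a WLC-style 1.1.1.1 lease, one
# normal broadcast DISCOVER, one renewal to the real server, one renewal toward 3.3.3.3.
SAMPLE_PACKETS = [
    ("10.0.0.50", "1.1.1.1", build_dhcp("aa:bb:cc:00:00:01", "10.0.0.50", 3)),
    ("0.0.0.0", BROADCAST, build_dhcp("aa:bb:cc:00:00:02", "0.0.0.0", 1)),
    ("10.0.0.51", "10.0.0.1", build_dhcp("aa:bb:cc:00:00:02", "10.0.0.51", 3)),
    ("10.0.0.52", "3.3.3.3", build_dhcp("aa:bb:cc:00:00:03", "10.0.0.52", 3)),
]
KNOWN_SERVERS = {"10.0.0.1"}         # assumption: your real DHCP servers go here

if __name__ == "__main__":
    for mac, events in find_unexpected_unicast(SAMPLE_PACKETS, KNOWN_SERVERS).items():
        for dst, msg_type, ciaddr in events:
            print(f"{mac} ({ciaddr}) sent DHCP{msg_type} unicast to {dst}; check that host's last lease")
```

Run against the constructed sample, the script reports the two clients renewing toward 1.1.1.1 and 3.3.3.3 and stays quiet about the broadcast DISCOVER and the renewal to the known server. On real traffic you would feed it the UDP/67 payloads from a capture instead of SAMPLE_PACKETS; the MAC in chaddr is the field to pivot on when walking the switch tables back to the port, and the ciaddr plus the odd destination tells you which earlier lease (a captive portal, a WLC virtual address, a home network) the client is still trying to renew.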
zeroed

3 Posts
Many misconfigured or broken public Wi-Fi networks do that, many times when a router maxes out its number of connections.
Etay

4 Posts
+1 for zeroed's comment... fwiw..
Anonymous
zeroed is probably correct; it's not just Cisco. A lot of solutions that require a T&C confirmation or login via HTTP before allowing you onto the network will use 1.1.1.1 for the initial 'DHCP server', so if this happened to be the last lease you got, you would try to contact that DHCP server first.
Anonymous
ha, thought 'alias' was subject for some reason ... time for more coffee
Anonymous
