DHCP requests to 1.1.1.1 and 3.3.3.3?

Published: 2011-01-06. Last Updated: 2011-01-07 18:30:51 UTC
by donald smith (Version: 2)
7 comment(s)

We had one reader write in today stating that they are seeing dhcp requests to 1.1.1.1 and 3.3.3.3.

DHCP packets should be sent to the broadcast address 255.255.255.255.

So if anyone has packets or an explanation for this traffic please write in to let us know your thoughts.

 

UPDATE

When I googled around for dhcp and 1.1.1.1 and 3.3.3.3 I found lots of links to cicso examples for dhcp and dhcp helper.

Several reader's wrote in pointing out those those two IP addresses appear in cisco DHCP examples.

So one current theory is someone was learning about DHCP and used the examples as is without changing the example ip addresses.

Keywords:
7 comment(s)

Comments

Hmm - routers in the enterprise can be configured with a "helper address" to forward BOOTP/DHCP packets to; if one of them is misconfigured that could explain it. Also, I've seen suggestions to use just those addresses (1.1.1.1 and 3.3.3.3) in lab environments to troubleshoot DHCP forwarding issues. Maybe someone set something up in a lab and then installed it on the network? Maybe someone misread a Cisco doc?

I'll bet it's someone doing something stupid. Packets, please - tracking these back by the MAC address is the obvious digging method.
I've this today as well, at only one location. To me it seemed that someone has his home system set up with a DHCP server at 1.1.1.1, and the laptop was attempting to contact it in order to renew his IP. I can't see how something malicious could instruct a workstation to contact 1.1.1.1, unless there's a process running that is acting as a fake DHCP server, which we didn't observe. 1.1.1.1 also did not ARP resolve.

However, seeing that someone else saw the same thing in a different network is certainly raising my eyebrows. I'll track and have the workstation investigated at the next occurrence.

I have seen this on a network where Cisco Wireless LAN Controllers are used. It seems like 1.1.1.1 is sometimes used as a virtual address by Cisco wireless controllers. The virtual address is used by wireless clients for wireless authentication (over HTTP) and as a DHCP relay.

I agree that the DHCP traffic is probably DHCP renewals. It could be that a client moved from a network where 1.1.1.1 was used a DHCP server. It may also be that a (poorly configured) VPN-client is connected to a local network where 1.1.1.1 is used as a DHCP server and that DHCP renewals are sent through the VPN-tunnel ending up on your network.

Wireless LAN Controller (WLC) FAQ
"Q. How does DHCP work with the WLC?
[...]
3. The WLC shows its Virtual IP address, which must be a non-routable address, usually configured as 1.1.1.1, as the DHCP server to the client."
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
Many public misconfigured or broken public Wifi do that, many times when a router maxes out its number of connections.
+1 for zeroed's comment... fwiw..
zeroed is probably correct, it's not just cisco alot of solutions that require a T&C confirm or login via http before allowing you onto the network will use 1.1.1.1 for the initial 'DHCP Server' so if this happened to be the last lease you got, you would try to contact the DHCP first.
ha, thought 'alias' was subject for some reason ... time for more coffee

Diary Archives