
Strange DHCP Requests from dead.c0de.cafe on Cisco Router

Ian Stephens
Level 1

We are noticing some strange DHCP leases on our Cisco router.

 

We noticed this issue as the pool was moving up faster than we knew clients were requesting new addresses.

 

We noticed strange bindings like below:

IP address        Client-ID/              Lease expiration        Type
                  Hardware address/
                  User name
192.168.3.189     dead.c0de.cafe          May 18 2018 04:07 PM    Automatic

The lease expiration was usually immediate even though we have set it to 1 day.

 

Does anyone know what could be causing this strange behavior?  Perhaps we have a rogue machine on our network?

 

Thank you for your suggestions, ideas and opinions in advance.

 

Here is some logging data of the issue:

*May 18 17:14:40.211: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:40.211:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.211:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.211:   DHCPD: circuit id 00000000
*May 18 17:14:40.211: DHCPD: Seeing if there is an internally specified pool class:
*May 18 17:14:40.211:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.211:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.211:   DHCPD: circuit id 00000000
*May 18 17:14:40.211: DHCPD: Allocated binding 23073E0C
*May 18 17:14:40.211: DHCPD: Adding binding to radix tree (192.168.1.18)
*May 18 17:14:40.211: DHCPD: Adding binding to hash tree
*May 18 17:14:40.211: DHCPD: assigned IP address 192.168.1.18 to client dead.c0de.cafe.
*May 18 17:14:40.219: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:40.219:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.219:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.219:   DHCPD: circuit id 00000000
*May 18 17:14:40.219: DHCPD: Seeing if there is an internally specified pool class:
*May 18 17:14:40.219:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.219:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.219:   DHCPD: circuit id 00000000
*May 18 17:14:40.219: DHCPD: Found previous server binding
*May 18 17:14:40.231: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:40.231:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.231:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.231:   DHCPD: circuit id 00000000
*May 18 17:14:40.231: DHCPD: Seeing if there is an internally specified pool class:
*May 18 17:14:40.231:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.231:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:40.231:   DHCPD: circuit id 00000000
*May 18 17:14:40.231: DHCPD: Found previous server binding
*May 18 17:14:42.211: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:42.211:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:42.211:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:42.211:   DHCPD: circuit id 00000000
*May 18 17:14:42.211: DHCPD: Seeing if there is an internally specified pool class:
*May 18 17:14:42.211:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:42.211:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:42.211:   DHCPD: circuit id 00000000
*May 18 17:14:42.271: DHCPD: Sending notification of ASSIGNMENT FAILURE:
*May 18 17:14:42.271:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:42.271:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:42.271:   DHCPD: circuit id 00000000
*May 18 17:14:42.271: DHCPD: Sending notification of ASSIGNMENT_FAILURE:
*May 18 17:14:42.271:  DHCPD: due to: Reason with no text explanation
*May 18 17:14:42.271:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:42.271:   DHCPD: remote id 020a0000c0a8000100000000
*May 18 17:14:42.271:   DHCPD: circuit id 00000000
2 Replies

Ian Stephens
Level 1

I have added some logging data to the original post above.

It looks to me like someone has enabled random MAC address on their machine.
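
One way to triage a debug capture like the one in this thread, as an added example that is not part of the original posts: the script parses `DHCPD:` lines in the format quoted above, counts DISCOVER and assignment-failure notifications per `chaddr`, and tests the locally administered bit of the hardware address, which is set in `dead.c0de.cafe` (first octet 0xde). The function names and the DISCOVER threshold are assumptions; the sample lines are excerpted from the post, plus one constructed client.

```python
import re
from collections import defaultdict

# Lines excerpted from the post, plus one constructed client (0011.2233.4455).
SAMPLE_LOG = """\
*May 18 17:14:40.211: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:40.211:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:40.211: DHCPD: assigned IP address 192.168.1.18 to client dead.c0de.cafe.
*May 18 17:14:40.219: DHCPD: Sending notification of DISCOVER:
*May 18 17:14:40.219:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:14:42.271: DHCPD: Sending notification of ASSIGNMENT FAILURE:
*May 18 17:14:42.271:   DHCPD: htype 1 chaddr dead.c0de.cafe
*May 18 17:15:01.100: DHCPD: Sending notification of DISCOVER:
*May 18 17:15:01.100:   DHCPD: htype 1 chaddr 0011.2233.4455
"""
MAC = r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
EVENT = re.compile(r"DHCPD: Sending notification of ([A-Z_ ]+):")
CHADDR = re.compile(r"DHCPD: htype 1 chaddr " + MAC)
ASSIGNED = re.compile(r"assigned IP address (\S+) to client " + MAC)

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. not a vendor-assigned address."""
    return bool(int(mac[:2], 16) & 0x02)

def summarize(log):
    """Count notifications and collect assigned IPs per client hardware address."""
    stats = defaultdict(lambda: {"DISCOVER": 0, "ASSIGNMENT_FAILURE": 0, "ips": set()})
    pending = None  # event named on the preceding "Sending notification" line
    for line in log.splitlines():
        if m := EVENT.search(line):
            pending = m.group(1).replace(" ", "_")
        elif pending and (m := CHADDR.search(line)):
            if pending in ("DISCOVER", "ASSIGNMENT_FAILURE"):
                stats[m.group(1)][pending] += 1
            pending = None  # the pool-class lookup repeats chaddr; count it once
        elif m := ASSIGNED.search(line):
            stats[m.group(2)]["ips"].add(m.group(1))
    return stats

def suspicious(log, discover_threshold=2):  # threshold is an assumed value
    """Return {chaddr: [reasons]} for clients worth tracing to a switch port."""
    flagged = {}
    for mac, s in summarize(log).items():
        reasons = ["locally administered MAC"] if is_locally_administered(mac) else []
        if s["DISCOVER"] >= discover_threshold:
            reasons.append(f"{s['DISCOVER']} DISCOVERs")
        if s["ASSIGNMENT_FAILURE"]:
            reasons.append("assignment failure")
        if reasons:
            flagged[mac] = reasons
    return flagged
```

On the full capture from the post, the assignment failure is counted twice because the router logs that notification twice at the same timestamp.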