
SANS ISC: DHCP requests to and SANS ISC InfoSec Forums

DHCP requests to and

We had one reader write in today stating that they are seeing DHCP requests to and

DHCP packets should be sent to the broadcast address

So if anyone has packets or an explanation for this traffic please write in to let us know your thoughts.




206 Posts
Jan 6th 2011
Hmm - routers in the enterprise can be configured with a "helper address" to forward BOOTP/DHCP packets to; if one of them is misconfigured that could explain it. Also, I've seen suggestions to use just those addresses ( and in lab environments to troubleshoot DHCP forwarding issues. Maybe someone set something up in a lab and then installed it on the network? Maybe someone misread a Cisco doc?

I'll bet it's someone doing something stupid. Packets, please - tracking these back by the MAC address is the obvious digging method.

7 Posts
I've seen this today as well, at only one location. To me it seemed that someone has his home system set up with a DHCP server at, and the laptop was attempting to contact it in order to renew his IP. I can't see how something malicious could instruct a workstation to contact, unless there's a process running that is acting as a fake DHCP server, which we didn't observe. also did not ARP resolve.

However, seeing that someone else saw the same thing in a different network is certainly raising my eyebrows. I'll track and have the workstation investigated at the next occurrence.

24 Posts

I have seen this on a network where Cisco Wireless LAN Controllers are used. It seems like is sometimes used as a virtual address by Cisco wireless controllers. The virtual address is used by wireless clients for wireless authentication (over HTTP) and as a DHCP relay.

I agree that the DHCP traffic is probably DHCP renewals. It could be that a client moved from a network where was used as a DHCP server. It may also be that a (poorly configured) VPN client is connected to a local network where is used as a DHCP server and that DHCP renewals are sent through the VPN tunnel, ending up on your network.

Wireless LAN Controller (WLC) FAQ
"Q. How does DHCP work with the WLC?
3. The WLC shows its Virtual IP address, which must be a non-routable address, usually configured as, as the DHCP server to the client."

3 Posts
Many misconfigured or broken public Wi-Fi networks do that, many times when a router maxes out its number of connections.

4 Posts
+1 for zeroed's comment... fwiw..
zeroed is probably correct. It's not just Cisco; a lot of solutions that require a T&C confirm or login via HTTP before allowing you onto the network will use for the initial 'DHCP Server', so if this happened to be the last lease you got, you would try to contact the DHCP first.
ha, thought 'alias' was subject for some reason ... time for more coffee
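
The check several replies describe (separate unicast DHCP renewals from normal broadcasts and trace them back by client MAC), as an added example that is not part of the original thread. The addresses in the thread did not survive on this page, so the sample uses constructed documentation-range addresses and made-up MACs, and `known_servers` is a hypothetical list of your own DHCP servers.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def parse_dhcp(payload):
    """Return MAC, ciaddr, message type, server id of a BOOTREQUEST, else None."""
    if len(payload) < 240 or payload[0] != 1 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:        # 255 = End option
        size = 0 if payload[i] == 0 else 2 + payload[i + 1]  # Pad (0) is one byte
        if size:
            opts[payload[i]] = payload[i + 2:i + size]
        i += size or 1
    return {"mac": payload[28:28 + min(payload[2], 16)].hex(":"),
            "ciaddr": socket.inet_ntoa(payload[12:16]),
            "type": (opts.get(53) or b"\x00")[0],   # option 53: message type
            "server_id": opts.get(54)}              # option 54: server identifier

def classify(dst_ip, payload):
    """Label one UDP/67 packet: broadcast, unicast-renewal or unicast-other."""
    pkt = parse_dhcp(payload)
    if pkt is None:
        return None
    if dst_ip == "255.255.255.255":
        return "broadcast"
    # RENEWING state (RFC 2131): DHCPREQUEST (3), ciaddr set, no server identifier
    renew = pkt["type"] == 3 and pkt["ciaddr"] != "0.0.0.0" and pkt["server_id"] is None
    return "unicast-renewal" if renew else "unicast-other"

def unexpected_servers(packets, known_servers):
    """Map client MAC -> unicast DHCP destinations that are not known servers."""
    hits = {}
    for dst_ip, payload in packets:
        label = classify(dst_ip, payload)
        if label not in (None, "broadcast") and dst_ip not in known_servers:
            hits.setdefault(parse_dhcp(payload)["mac"], set()).add((dst_ip, label))
    return hits

# Constructed sample traffic (documentation-range IPs, made-up MACs), not a capture.
def build_request(mac, ciaddr, options):
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192x", 1, 1, 6, 0, 0x1234, 0, 0,
                      socket.inet_aton(ciaddr), b"", b"", b"",
                      bytes.fromhex(mac.replace(":", "")))
    return hdr + MAGIC + options + b"\xff"

SAMPLE = [("255.255.255.255", build_request("00:11:22:33:44:55", "0.0.0.0", b"\x35\x01\x01")),
          ("192.0.2.1", build_request("00:11:22:33:44:55", "198.51.100.23", b"\x35\x01\x03")),
          ("10.0.0.5", build_request("66:77:88:99:aa:bb", "10.0.0.77", b"\x35\x01\x03"))]
```

Calling `unexpected_servers(SAMPLE, {"10.0.0.5"})` reports only the first MAC, with its unicast renewal to 192.0.2.1; the renewal sent to the known server and the broadcast DISCOVER are ignored.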
