On Mon, Dec 09, 2013 at 01:25:30PM -0500, Chris Smith wrote: > What might be the implications of the following messages in the log? > > ============================================ > Dec 6 15:09:39 firewall dhcpd[29710]: option option-79 (119) larger > than buffer. > Dec 6 15:09:39 firewall dhcpd[29710]: rejecting bogus offer. > > Dec 9 12:15:35 firewall dhcpd[29710]: option tftp-server-name (111) > larger than buffer. > Dec 9 12:15:35 firewall dhcpd[29710]: rejecting bogus offer. > ============================================ > > Besides the "bogus offer" entries I'm seeing other things like: > ============================================ > Dec 5 16:02:11 firewall dhcpd[29710]: IP address 172.28.65.139 > answers a ping after sending a release > Dec 5 16:02:11 firewall dhcpd[29710]: Possible release spoof - Not > releasing address 172.28.65.139 > Dec 5 23:03:36 firewall dhcpd[29710]: Abandoning IP address > 172.28.65.121 for 3600 seconds: pinged before offer > Dec 6 09:09:41 firewall dhcpd[29710]: Abandoning IP address > 172.28.65.123 for 3600 seconds: pinged before offer > ============================================ > > Possible network issues? Malicious client? Or?
Malicious or confused. Or truncated packets. The log message means that the option length as given in the packet would run the option data outside the received packet. The confusion might have started in an earlier option, unless you are actually providing Novell Service Location Protocol info? Not sure what the 'Possible release spoof' is. I'd have to go read the code. Ditto 'Abandoning IP address'. tcpdump might be your best friend here to see what packets are coming and going. .... Ken > > Thank you, > > Chris
