We are seeing this as well, although it is not causing performance issues as our DHCP servers are pretty beefy boxes. Taking a quick look at today's dhcpd log, specifically dhcp requests:
[krzywiecc2@<servername> ~]$ sudo cat /var/log/dhcpd.log | grep -i dhcprequest | cut -d ' ' -f 8 | sort | uniq -c | sort -rn | head -10
   1784 10.27.6.115
   1584 10.27.0.107
   1455 10.27.6.100
   1180 10.27.3.231
   1042 10.27.0.195
    870 10.26.131.220
    694 10.26.133.148
    663 10.27.4.149
    636 10.26.130.92
    618 10.27.0.75

Those IP addresses all belong to OOB Mac users. If TAC needs additional logs or information, please feel free to contact me. We are running version 4.1.3.1 for the Mac agent.

Thanks,

--
Cal A. Krzywiec
Network Engineer
The University of Scranton
Phone: (570) 941-6748
Email: [email protected]

Alok Agrawal (alagrawa) wrote:
> Hey Chris,
> We're taking a look at this. Please can you unicast me the TAC case number and we'll track it.
>
> Thanks
> -Alok
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Chris Healey
> Sent: Friday, February 13, 2009 11:51 AM
> To: [email protected]
> Subject: HELP! - MAC Agent causes Denial of Service-like attack on my DHCP server
>
> Hello all; I wish I can be brief but I need to be detailed . . . sorry!
>
> Summary bullets:
> - DHCP renew requests about 4 times a minute from MACs
> - New/Clean MacBook Pro w/ Mac CCA agent 4.1.3.1 moved from AP to AP
> - iPhone to the Wi-Fi makes the MacBook switch to another AP
> - Also would happen as the MacBook would sit on my desk
> - Conclusion: MAC CCA Agent performs a DHCP renew when changing APs
> - DHCP lease time changed from 8 Hrs to 3 Days - no effect
> - MAC CCA 4.5.0.0 and it has helped but will still perform renews just sitting on my desk.
>
> Detailed explanation / request:
> I need help: we noticed a couple of weeks ago that we are getting SLAMMED with DHCP renew requests. After a couple of days thinking it was a D.O.S. attack/virus we noticed that it was centered mostly on our Macintosh users. I took one of my server's logs and ran it through MS Access and did a count based on MAC addresses and the top ones had hostnames that said Macintosh something or another in them. My logs reach a 10Mb stop limit around about 1:00pm - so in that 13 hr time one student was performing a DHCP renew request about 4 times a minute.
>
> Using a new, clean MacBook Pro with the Mac CCA agent 4.1.3.1 we noticed that as we walked around the building and moved from AP to AP (Cisco LWAPs w/ WiSM controllers) the DHCP server would log a renew entry. We also noticed this when a co-worker connected their iPhone to the Wi-Fi that the MacBook would switch to another AP - we assume for load balancing etc. Turning on the MacBook's console we would see the refresh DHCP lease request logged locally too.
>
> Up to this point we were not sure if it was the APs or the NAC until we noticed the Sender PID listed in the MAC console said CCAAgent - I shut down the agent, had the co-worker turn on the WI-FI of their iPhone - No DHCP renew request on the server. We walked from AP to AP and can see the radios the MacBook is connected to change in the WiSM controller but no DHCP renew request is logged in the server.
>
> Therefore: our only conclusion is that the MAC CCA Agent performs a DHCP renew request when changing radios; even when on the same sub-net. BTW there is no logout / login with the Clean Access Manager event log listed nor is there any change in the Online users section of the CCA Manager details.
>
> My lease time was kind of short for this subnet (8 hours - student wireless in the library) I have since increased that time to 3 days. In fact all locations have been boosted to at least 3 days, - No effect. I still firmly believe it is the MAC agent.
>
> I have made available the MAC CCA 4.5.0.0 and it has helped but still not enough. The MacBook Pro will still perform DHCP renews just sitting on my desk. Times seem to range now from every few minutes to maybe a few times an hour.
>
> The problem is as students move from class to class they cause a ripple in the APs as they balance the clients and all the MAC based agents renew their IPs. Why would the MAC agent renew its IP Address when it is the same network???? Why does it not behave like the PC client????
>
> I do not see the PCs renewing at this rate - they renew much less often such as at renew time or power up. I can walk around the building with a PC and it will change APs but not generate a renew request based on the DHCP server's log or on its lease time info.
>
> I opened a case at TAC and also called my local Cisco folks and have gotten very little in response as if they are shying away from the problem. Reading the emails from the list I do not see anyone talking about this so either I am the only one . . . or no one else has seen it yet.
>
> If anyone knows what I can do then please respond as my server is not getting behind in supplying IPs but it is getting battered nonetheless. In addition I ask for everyone to please check to see if you are experiencing this and if so let's get Cisco TAC to take responsibility of this and give us a good MAC client.
>
> Thanks for your time and any thoughts you can offer.
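The per-address count in the reply above can be extended to a per-minute rate per MAC, which is the figure the original report describes (about 4 renews a minute). This is an added example, not part of the thread: it assumes ISC dhcpd syslog lines in the format shown, and the function names, the threshold argument and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): per-client DHCPREQUEST rate.
# Assumes ISC dhcpd syslog lines like the constructed sample below.

# Constructed sample log; MACs and IPs are documentation values.
sample_log() {
    cat <<'EOF'
Feb  9 08:00:01 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.20 from 00:00:5E:00:53:02 (pc-lab) via eth0
Feb 13 11:51:02 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 11:51:02 dhcp1 dhcpd: DHCPACK on 192.0.2.10 to 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 11:51:17 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 11:51:33 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 11:51:48 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 11:52:05 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.10 from 00:00:5e:00:53:01 (Macintosh-1) via eth0
Feb 13 12:10:00 dhcp1 dhcpd: DHCPREQUEST for 192.0.2.20 from 00:00:5e:00:53:02 (pc-lab) via eth0
EOF
}

# dhcp_renew_rate THRESHOLD < log
# Prints "mac ip peak_per_minute total" for each client whose busiest
# minute holds at least THRESHOLD requests, busiest client first.
dhcp_renew_rate() {
    awk -v limit="$1" '
    /DHCPREQUEST/ {
        ip = ""; mac = ""
        # Find the address and MAC by keyword rather than by column:
        # syslog pads single-digit days ("Feb  9"), which shifts the
        # space-delimited columns that cut -d " " relies on.
        for (i = 1; i < NF; i++) {
            if ($i == "for"  && ip  == "") ip  = $(i + 1)
            if ($i == "from" && mac == "") mac = tolower($(i + 1))
        }
        if (mac == "") next
        minute = $1 " " $2 " " substr($3, 1, 5)   # e.g. "Feb 13 11:51"
        n = ++bucket[mac SUBSEP minute]
        if (n > peak[mac]) peak[mac] = n
        total[mac]++
        last_ip[mac] = ip
    }
    END {
        for (m in peak)
            if (peak[m] >= limit) print m, last_ip[m], peak[m], total[m]
    }' | sort -k3,3nr -k4,4nr
}

# Clients at or above 4 requests in any one minute.
sample_log | dhcp_renew_rate 4
```

Against a live server the same function reads the log on standard input, for example `dhcp_renew_rate 4 < /var/log/dhcpd.log`.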
