• Microsoft

Unsolicited DHCP ACK from Microsoft DHCP Server

A few days ago while reviewing my data center firewall rules I noticed that my DHCP Server was trying to make outbound connections to a subset of clients.

The firewall showing a DHCP packet that should have not been there.

Upon further inspection I determined that it was sending a few packets of data only to Windows DHCP Clients, usually in the morning, presumably because the lease expired overnight and the client was powered on again the next morning.

Since a DHCP Server should not be sending out spontaneous ACK messages, I decided to enable a packet capture on the firewall and leave it running for a few days.

A DHCP acknowledge packet that should not be there.

Here we have it: a DHCP Acknowledge message for which there was no request; moreover, we have an option (43: Vendor-Specific Information) that’s not supposed to be here.
The content of the option’s message is also interesting because it contains the string “NAP“: a functionality that was removed in Windows Server 2016. This DHCP Server, however, is running on Windows Server 2022 (for the time being).

Since the server is sending these unsolicited ACK only to Windows DHCP Clients, it must have a way to know that it is serving a Windows DHCP Client. So I reversed the capture.

A DHCP Request coming from a Linux Host

Here we have a DHCP Request from a Linux DHCP Client; “nothing to see here”.

A DHCP Request coming from a Windows Host.

Here we have a DHCP Request from a Windows DHCP Client and we have something notable: an Option 60: Vendor class identifier with a value of “MSFT 5.0“.

There it is. The Microsoft DHCP Server knows it have a friend to talk to, which understands its bizarre way of ignoring standards that are followed by the rest of the world (as per section 1.3 of RFC 2131: https://www.rfc-editor.org/rfc/rfc2131#section-3.1).

The RFC also offers a nice view of every possible DHCP Client-Server interaction at section 4.4 (https://www.rfc-editor.org/rfc/rfc2131#section-4.4); I could not find any instance where a server should be sending a DHCP ACK message which was not previously solicited. Even if the client wants some more configuration data, it must send a DHCPINFORM message and, if that was the case, the connection would not have been denied by the firewall, because it would be part of an already established traffic flow.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Comments RSS Feed

Related Posts

Running Samba in a security hardened environment

Comparing apples and oranges … or Samba vs Windows, if you want. Here is a nice table of the most commonly implemented security policies that you can find in an AD DS environment where the suggestions from the Microsoft Compliance Toolkit were applied. The last column compares the security default […]

  • Linux
  • Samba
  • Security

Setting up a File Server using Samba

I wanted to migrate my existing Windows File Server to an open alternative, and being Samba the industry standard I decided to give it a go.In this article I will share what I learnt in the process, but first… Get your gears right The system I used is a Fedora […]

  • Linux
  • Samba

Setting up a Printer Server with CUPS

Printing in Linux Reading is very much like other activities, it comes better when you are doing it off a screen. But in order to do that, first you need to print. Enters the Common Unix Printing System; CUPS for friends.CUPS takes care to send whatever your client applications wants […]

  • CUPS
  • Linux

Using FreeRADIUS to perform EAP-TLS and PAP

In my journey to make CavanaSystems more open I wanted to replace my existing Microsoft NPS farm with a piece of Free Software… and found an amazing one! Make your requirements As with any IT project, you have to start with your requirements.Mine were:1. High Availability2. PAP will be used […]

  • FreeRADIUS
  • Linux
See all posts