Wednesday, September 23, 2020

DHCP flooding

I work in a K12 environment and recently was promoted from helpdesk to sysadmin. I have been trying to get an idea as to what our baseline network activity is, and one thing that is causing me some confusion is the behavior of some random hosts. Usually they are wireless, but occasionally they are IP phones.

In the span of 1-2 minutes, the host will flood the DHCP server with requests, which in turn generates about 2k-6k renewal logs. Our DHCP lease is 8 hours, so if I understand correctly, they should only be renewing once every 4 hours or whenever they reconnect to the network. I have yet to be able to catch a device in the act, as it seems pretty random.

I'm curious if anyone has seen this type of behavior before and has any investigative tips. Some other notes:

The majority of the devices are on our guest network, which requires accepting a EULA. I thought maybe it might have something to do with this?

Most of the devices seem to be Apple products (iPads/iPhones). The occasional IP phones are Cisco.

There are a few chronic repeat offenders. However, sometimes it will happen with a random device and then it will not do it again.

There have been a couple of IP phones, as stated previously. After the flooding occurred, I was able to call one and it gave a busy signal. I remotely rebooted the phone and it solved the problem. This leads me to believe that the wired culprits might be due to aging infrastructure/physical issues.

Bonus photo: a graph in Graylog showing spikes in DHCP renewals (image not included here).
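As an added illustration (not code from the original post or from Graylog), here is a small Python script that scans DHCP server log lines for the pattern described above: it keeps a sliding 120-second window of renewals per client MAC and flags any host whose count in that window reaches a threshold, while a host renewing once every 4 hours (T1 of an 8-hour lease) passes. The log line format, the MAC addresses and the threshold of 50 are assumptions, and the sample input is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line format, not Graylog's or any real DHCP server's:
#   2020-09-23T10:00:00 mac=aa:bb:cc:00:00:01 ip=10.1.5.20 event=RENEW
LINE_RE = re.compile(r"^(\S+) mac=(\S+) ip=\S+ event=(\w+)$")

def find_renewal_floods(lines, window_s=120, threshold=50):
    """Return {mac: (window_start_iso, count)} for every client whose RENEW
    events inside some sliding window of window_s seconds reach threshold."""
    recent = defaultdict(deque)   # mac -> timestamps still inside the window
    floods = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # ignore lines not in the assumed format
        ts, mac, event = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        if event != "RENEW":
            continue
        q = recent[mac]
        q.append(ts)
        while q and (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()           # drop renewals that fell out of the window
        if len(q) >= threshold and mac not in floods:
            floods[mac] = (q[0].isoformat(), len(q))   # first time the host trips
    return floods

def build_sample():
    """Constructed sample: one healthy client renewing every 4 hours (T1 of an
    8-hour lease) and one client sending 300 renewals within 90 seconds."""
    base = datetime(2020, 9, 23, 8, 0, 0)
    lines = []
    for i in range(3):            # healthy host: three renewals, 4 hours apart
        t = base + timedelta(hours=4 * i)
        lines.append(f"{t.isoformat()} mac=aa:bb:cc:00:00:01 ip=10.1.5.20 event=RENEW")
    for i in range(300):          # flooding host: one renewal every 300 ms
        t = base + timedelta(hours=1, milliseconds=300 * i)
        lines.append(f"{t.isoformat()} mac=aa:bb:cc:00:00:02 ip=10.1.5.21 event=RENEW")
    return sorted(lines)          # timestamp-first lines sort chronologically

if __name__ == "__main__":
    for mac, (start, n) in find_renewal_floods(build_sample()).items():
        print(f"{mac}: {n} renewals within 120s starting {start}")
```

Pointing the same window logic at the real renewal events exported from Graylog gives a per-MAC list of the repeat offenders and the exact minute each flood started, which is what is needed to catch a device in the act.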
