Date: | Fri, 13 Feb 2009 18:42:11 -0800 |
Hey Chris,
We're taking a look at this. Please can you unicast me the TAC case
number and we'll track it.
Thanks
-Alok
-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Chris Healey
Sent: Friday, February 13, 2009 11:51 AM
To: [log in to unmask]
Subject: HELP! - MAC Agent causes Denial of Service-like attack on my
DHCP server
Hello all; I wish I could be brief but I need to be detailed . . . sorry!
Summary bullets:
- DHCP renew requests about 4 times a minute from MACs
- New/Clean MacBook Pro w/ Mac CCA agent 4.1.3.1 moved from AP to AP
- iPhone to the Wi-Fi makes the MacBook switch to another AP
- Also would happen as the MacBook would sit on my desk
- Conclusion: MAC CCA Agent performs a DHCP renew when changing APs
- DHCP lease time changed from 8 Hrs to 3 Days - no effect
- MAC CCA 4.5.0.0 and it has helped but will still perform renews just sitting on my desk.
Detailed explanation / request:
I need help: we noticed a couple of weeks ago that we are getting SLAMMED
with DHCP renew requests. After a couple of days thinking it was a D.O.S.
attack/virus we noticed that it was centered mostly on our Macintosh
users. I took one of my server's logs and ran it through MS Access and did
a count based on MAC addresses and the top ones had hostnames that said
Macintosh something or another in them. My logs reach a 10Mb stop limit
around about 1:00pm - so in that 13 hr time one student was performing a
DHCP renew request about 4 times a minute.
Using a new, clean MacBook Pro with the Mac CCA agent 4.1.3.1 we noticed
that as we walked around the building and moved from AP to AP (Cisco LWAPs
w/ WiSM controllers) the DHCP server would log a renew entry. We also
noticed this when a co-worker connected their iPhone to the Wi-Fi that the
MacBook would switch to another AP - we assume for load balancing etc.
Turning on the MacBook's console we would see the refresh DHCP lease
request logged locally too.
Up to this point we were not sure if it was the APs or the NAC until we
noticed the Sender PID listed in the MAC console said CCAAgent - I shut
down the agent, had the co-worker turn on the WI-FI of their iPhone - No
DHCP renew request on the server. We walked from AP to AP and can see the
radios the MacBook is connected to change in the WiSM controller but no
DHCP renew request is logged in the server.
Therefore: our only conclusion is that the MAC CCA Agent performs a DHCP
renew request when changing radios; even when on the same sub-net. BTW
there is no logout / login with the Clean Access Manager event log listed
nor is there any change in the Online users section of the CCA Manager
details.
My lease time was kind of short for this subnet (8 hours - student
wireless in the library) I have since increased that time to 3 days. In
fact all locations have been boosted to at least 3 days - No effect. I
still firmly believe it is the MAC agent.
I have made available the MAC CCA 4.5.0.0 and it has helped but still not
enough. The MacBook Pro will still perform DHCP renews just sitting on my
desk. Times seem to range now from every few minutes to maybe a few times
an hour.
The problem is as students move from class to class they cause a ripple in
the APs as they balance the clients and all the MAC based agents renew
their IPs. Why would the MAC agent renew its IP Address when it is the
same network???? Why does it not behave like the PC client????
I do not see the PCs renewing at this rate - they renew much less often
such as at renew time or power up. I can walk around the building with a
PC and it will change APs but not generate a renew request based on the
DHCP server's log or on its lease time info.
I opened a case at TAC and also called my local Cisco folks and have
gotten very little in response as if they are shying away from the
problem. Reading the emails from the list I do not see anyone talking
about this so either I am the only one . . . or no one else has seen it
yet.
If anyone knows what I can do then please respond as my server is not
getting behind in supplying IPs but it is getting battered nonetheless. In
addition I ask for everyone to please check to see if you are experiencing
this and if so let's get Cisco TAC to take responsibility of this and give
us a good MAC client.
Thanks for your time and any thoughts you can offer.
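Added example, not part of the original message: the per-MAC count the poster did in MS Access, scripted so other sites can run the same check against their own DHCP logs. It assumes the Windows DHCP audit log CSV layout (event ID 11 = Renew); the post does not say which DHCP server is in use, and the log lines, hostnames and the 1-per-minute threshold are constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

RENEW_EVENT_ID = "11"  # "Renew" in the assumed Windows DHCP audit log layout

# Constructed sample lines (not data from the post). Assumed columns:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = ["ID,Date,Time,Description,IP Address,Host Name,MAC Address"]
SAMPLE_LOG += [  # one client renewing every 15 seconds for about 5 minutes
    f"11,02/13/09,09:{i * 15 // 60:02d}:{i * 15 % 60:02d},Renew,"
    "10.0.0.50,Macintosh-7,001122334455"
    for i in range(20)
]
SAMPLE_LOG += [  # a second client: one new lease, then two widely spaced renews
    "10,02/13/09,09:00:10,Assign,10.0.0.60,PC-LIB-3,00-AA-BB-CC-DD-EE",
    "11,02/13/09,09:00:30,Renew,10.0.0.60,PC-LIB-3,00-AA-BB-CC-DD-EE",
    "11,02/13/09,09:04:30,Renew,10.0.0.60,PC-LIB-3,00-AA-BB-CC-DD-EE",
]

def renew_rates(lines):
    """Return {mac: (hostname, renew_count, renews_per_minute)}."""
    stamps, hosts = defaultdict(list), {}
    for row in csv.reader(lines):
        if len(row) < 7 or row[0].strip() != RENEW_EVENT_ID:
            continue  # header, malformed row, or an event other than Renew
        try:
            ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp
        mac = row[6].strip().replace("-", "").replace(":", "").upper()
        stamps[mac].append(ts)
        hosts[mac] = row[5].strip()
    rates = {}
    for mac, seen in stamps.items():
        minutes = (max(seen) - min(seen)).total_seconds() / 60
        # Intervals between renews over elapsed time; one renew has no rate.
        rate = (len(seen) - 1) / minutes if minutes > 0 else 0.0
        rates[mac] = (hosts[mac], len(seen), rate)
    return rates

def noisy_clients(lines, threshold_per_min=1.0):
    """MACs renewing at or above the threshold, busiest first."""
    rates = renew_rates(lines)
    hits = [m for m, (_, _, r) in rates.items() if r >= threshold_per_min]
    return sorted(hits, key=lambda m: -rates[m][2])

if __name__ == "__main__":
    for mac in noisy_clients(SAMPLE_LOG):
        host, count, rate = renew_rates(SAMPLE_LOG)[mac]
        print(f"{mac} {host}: {count} renews, {rate:.2f}/min")
```

Sorting the flagged MACs by hostname or OUI afterwards shows whether the load is concentrated on one client type, which is the comparison the message draws between Mac and PC clients.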