Strange router activity

Discussion in 'other firewalls' started by barium, Feb 6, 2013.

Thread Status:
Not open for further replies.
  1. barium

    barium Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    3
    Hi guys. I've had some strange activity on my router's security log that I don't understand and I was wondering if someone could explain what's going on. This is an excerpt of what I see in my log:

    Code:
    Feb/5/2013 04:00:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 04:30:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 05:00:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 05:30:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 06:00:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 06:30:10 	WAN DHCP client receive DHCP Ack
    The activity continues regularly every half an hour all day long and I was wondering what it was. Is someone trying to brute my router or is it just a technical issue? Thanks.

    P.S. Sorry if this isn't the right forum section to post this in.
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Those appear to be instances where the router (a DHCP client) received DHCPACKs on its WAN interface (ISP side). DHCPACKs are part of the DHCP Discover/Offer/Request/Acknowledgement sequence that is carried out when your router attempts to acquire/verify an IP address and other information. For reference: https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol.

    It is unclear from just that log information whether those DHCPACKs came from an expected DHCP Server or some other computer. If it came from an expected DHCP Server then the question is why is it occurring so (too) frequently. One possible explanation would be that your ISP has set lease times very short, inadvertently or because they are making changes to their network. Another possible explanation would be that your router has a problem and it is initiating DHCP requests more frequently than it should.

    Log into your router and look for information about its DHCP lease. You should find its (WAN side) IP address, default gateway, DNS servers, ..., and DHCP lease time. There should be a manual way to cause it to release its lease and then renew it. Do that and see what the fresh lease time is. If there is other information in the log that could shed light on how DHCP is going, review that for clues. It might also be a good time to look over other settings and make sure your firmware is up to date.
     
    Last edited: Feb 7, 2013
  3. What model of router do you have?
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Don't you have something after saying:
    WAN DHCP client get IP XXX.XXX.XXX.XXX

    This should help identifying the PC causing problems. The normal sequence of these types of events should be:

    - WAN DHCP client send DHCP Discover
    - WAN DHCP client receive DHCP Offer
    - WAN DHCP client send DHCP Request
    - WAN DHCP client receive DHCP Ack
    - WAN DHCP client get IP XXX.XXX.XXX.XXX
     
  5. barium

    barium Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    3
    The router is a Belkin N150 model f9k1001v1

    There is never an IP after the message and the send/receive sequence that fax mentioned is also not there. Including the other messages on the router, it looks like this:

    Code:
    Feb/5/2013 20:30:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 20:31:33 	leave multicast group 224.0.0.253
    Feb/5/2013 21:00:10 	WAN DHCP client receive DHCP Ack
    Feb/5/2013 21:02:33 	##:##:##:71:4b:b5(###) get IP 192.168.2.3
    Feb/5/2013 21:02:34 	join multicast group 224.0.0.253
    Feb/5/2013 21:02:36 	##:##:##:71:4b:b5(###) renew IP 192.168.2.3
    Feb/5/2013 21:08:31 	leave multicast group 224.0.0.253
    Feb/5/2013 21:08:31 	leave multicast group 224.0.0.252
    Feb/5/2013 21:30:10 	WAN DHCP client receive DHCP Ack
    The get/renew messages are just my computer joining. I don't know what the multicast messages are.

    There's also a firewall section that has messages like this:

    Code:
    Ip Spoofing from IP XXX to IP YYY dropped[3 times]
    I will look more into the details TheWindBringeth talked about after work.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Are you sure you cannot see anything in the logs like:

    - WAN DHCP client send DHCP Release followed by
    - WAN DHCP client send DHCP Request

    What device/PC is attached to the IP 192.168.2.3? Have you checked in the system logs of the PC? (assuming it's a PC). Is this IP connected via wireless? If yes, does it have a strong signal?

    A first impression would be: looks like a bug in Belkin firmware. Are you on the latest firmware version released in November last year? Version: 1.00.13

    Otherwise I would try alternative firmware, but I'm not sure there is one, unfortunately. Also, do you have any game console attached to the router? (This could explain the multicast.)
     
    Last edited: Feb 7, 2013
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    @barium: 224.0.0.253 is used for Teredo (an IPv6 over IPv4 protocol). 224.0.0.252 is used for Link-local Multicast Name Resolution (LLMNR). After you figure out the DHCPAck situation you could read up on them and decide whether you can and want to disable such mechanisms.

    @fax: Feel free to challenge this, but I don't think a DHCPRequest would immediately follow a DHCPRelease. If the router is attempting to renew a lease I think you'd see a DHCPRequest, DHCPAck. If the router wants to release the lease and subsequently acquire another one I think you'd see DHCPRelease, DHCPDiscover, DHCPOffer, DHCPRequest, DHCPAck. Either way, though, I think you would expect to see a DHCPRequest come right before a DHCPAck. So it does seem odd that barium's log doesn't show that.

    I'm going to offer a twist on what I suggested earlier, in case it might come in handy...

    Log into the router, command it to release its lease, then download all of the logs so you have them. Look for a trailing entry that shows the router sending a DHCPRelease. Then clear the logs. Then command the router to renew its lease. Wait for a bit and check the logs. You should see the DHCP activity from the beginning so to speak which should include discover/offer/request/ack. That would help determine whether the router is logging everything you would expect it to and possibly confirm that things are coming up properly. You could also twist it to involve a power cycle, just to see if that makes a difference in behavior.
     
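The Request-then-Ack expectation in the reply above, and the full Discover/Offer/Request/Ack sequence fax listed earlier, can be checked mechanically against a log in the format barium quoted. The following Python is an added example and is not code from this thread or from Belkin: the log lines are constructed in the quoted format (the 203.0.113.45 address is a documentation address, not a real lease), and the lease inference assumes the RFC 2131 default renewal timer T1 = 0.5 × lease, so a steady renew cadence of N seconds suggests a lease of about 2N seconds.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the Belkin security-log format quoted in the thread.
# The first four ACKs reproduce the symptom (no Request before the Ack);
# the tail shows a healthy Discover/Offer/Request/Ack/"get IP" sequence.
SAMPLE_LOG = """\
Feb/5/2013 20:30:10 	WAN DHCP client receive DHCP Ack
Feb/5/2013 20:31:33 	leave multicast group 224.0.0.253
Feb/5/2013 21:00:10 	WAN DHCP client receive DHCP Ack
Feb/5/2013 21:02:33 	##:##:##:71:4b:b5(###) get IP 192.168.2.3
Feb/5/2013 21:30:10 	WAN DHCP client receive DHCP Ack
Feb/5/2013 22:00:10 	WAN DHCP client receive DHCP Ack
Feb/5/2013 22:05:00 	WAN DHCP client send DHCP Discover
Feb/5/2013 22:05:01 	WAN DHCP client receive DHCP Offer
Feb/5/2013 22:05:01 	WAN DHCP client send DHCP Request
Feb/5/2013 22:05:02 	WAN DHCP client receive DHCP Ack
Feb/5/2013 22:05:02 	WAN DHCP client get IP 203.0.113.45
"""

LINE_RE = re.compile(r"^(\w+/\d+/\d+ \d+:\d+:\d+)\s+(.*)$")
DHCP_RE = re.compile(r"^WAN DHCP client (send|receive) DHCP (\w+)$")
TS_FMT = "%b/%d/%Y %H:%M:%S"


def parse(log_text):
    """Return a list of (datetime, message) tuples, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), TS_FMT), m.group(2)))
    return events


def wan_dhcp_events(events):
    """Keep only WAN-side DHCP client messages as (datetime, 'Discover'|'Offer'|'Request'|'Ack'|...)."""
    out = []
    for ts, msg in events:
        m = DHCP_RE.match(msg)
        if m:
            out.append((ts, m.group(2)))
    return out


def orphan_acks(events, window=timedelta(seconds=10)):
    """ACK timestamps with no Request logged within `window` before them.

    Per RFC 2131 a DHCPACK is the server's answer to a DHCPREQUEST, so an
    ACK without a Request shortly before it means the log is incomplete
    or the ACK was unsolicited; either way it deserves a look.
    """
    dhcp = wan_dhcp_events(events)
    orphans = []
    for i, (ts, kind) in enumerate(dhcp):
        if kind != "Ack":
            continue
        preceded = any(k == "Request" and ts - t <= window for t, k in dhcp[:i])
        if not preceded:
            orphans.append(ts)
    return orphans


def ack_cadence(events):
    """Most common gap between consecutive ACKs, in seconds (None if fewer than 2 ACKs)."""
    acks = [ts for ts, k in wan_dhcp_events(events) if k == "Ack"]
    if len(acks) < 2:
        return None
    gaps = Counter(int((b - a).total_seconds()) for a, b in zip(acks, acks[1:]))
    return gaps.most_common(1)[0][0]


def inferred_lease_seconds(cadence):
    """Assumption: client renews at T1 = 0.5 * lease (RFC 2131 default), so lease ~= 2 * cadence."""
    return None if cadence is None else 2 * cadence


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for ts in orphan_acks(ev):
        print("ACK without preceding Request at", ts.strftime(TS_FMT))
    cadence = ack_cadence(ev)
    print("ACK cadence:", cadence, "s; inferred lease:", inferred_lease_seconds(cadence), "s")
```

Run against the full exported log instead of the constructed sample: a cadence of 1800 s with every ACK orphaned points at either a one-hour ISP lease with the router not logging its own Requests, or a firmware logging bug; a cadence that changes after the release/renew test TheWindBringeth describes tells you which lease time the ISP actually handed out.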
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Indeed I agree about the release/request/ack explanation... :thumb:
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    What you are seeing is normal DHCP handshaking activity between the DHCP client on the router (I assume) and your ISP to renew its connection lease. Notice that the DHCP ACKs are occurring every half an hour.

    You can read about all the DHCP process details here: http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    The state transition diagram for DHCP clients from the RFC, scroll down a bit...
    http://tools.ietf.org/html/rfc2131#page-34

    A somewhat easier on the eyes version...
    http://www.tcpipguide.com/free/t_DHCPGeneralOperationandClientFiniteStateMachine.htm

    Supposed screenshot of Belkin F9K1001v1 security log with DHCP activity...
    http://screenshots.portforward.com/routers/Belkin/F9K1001v1/Security_Log.htm

    Showing a quick pace Discover, Release, Discover, Offer, Request, Ack, "got IP..." sequence. I don't know what's up with the leading Discover, Release.
     
  11. barium

    barium Registered Member

    Joined:
    Feb 6, 2013
    Posts:
    3
    Thanks for all the links. I unplugged the router, left it for a few minutes and plugged it back in. The Ack issue is gone now. It looks like every time a computer connects to the network, there's a get IP and a renew IP message. I guess that's normal, I just didn't think it would happen every single time a computer connected to the network.
     