Controllerless Networks

 View Only
  • 1.  LAPTOP SLEEP MODE DHCP REQUEST

    Posted Jun 20, 2023 04:22 PM
    Edited by Luis_A Jun 20, 2023 04:49 PM

    Greetings to all,

    How can I control that a laptop that already has an assigned IP is constantly generating DHCP requests when it remains in SLEEP mode?
    The situation is that after receiving your IP assignment through the normal IP assignment process there are no issues. If the laptop is in active use, there are no problems.

    The situation becomes complicated when the laptop remains in SLEEP mode and its behavior in the network is intermittent, which reflects loss of response to ping. With this, I can see on Wireshark captures, multiples ando múltiples DHCP requests  which causes the new IP assignments that are assigned to be reserved and the DHCP server begins to deny service when running out of IP availability.


    I saw an IDS option of "Power Save DOS Attack", however it would only alert and I think it is not useful for this.

    Help please.



    ------------------------------
    LS
    ------------------------------



  • 2.  RE: LAPTOP SLEEP MODE DHCP REQUEST

    Posted Jun 26, 2023 09:31 AM

    If a client is really in sleep mode, it's expected to be disconnected from the network; but that may depend on the exact mode of sleep (deep/hybernation/normal).

    Regardless of that, when a client with an assigned/active lease requests a DHCP address, the DHCP server should respond with the same IP, not with a new IP as it would deplete the DHCP pool as you see. What is the DHCP server that is in use? Do you see the client MAC remain the same between the different DHCP requests for the same client?

    As this does not work as expected, it may be best to work with your network admin, Aruba/network partner or Aruba Support to look through your Wiresharks to find out what is going on. The WIDS 'Power Save DOS Attack' is an wireless attack to break wireless clients, so it's unrelated to the DHCP pool depletion you see.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: LAPTOP SLEEP MODE DHCP REQUEST

    Posted Jun 26, 2023 10:40 AM
    Edited by Luis_A Jun 26, 2023 10:46 AM

    Thank you for your comments Herman, it is really appreciated.


    The DHCP server is a Windows server. In effect, the laptop receives its IP allocation for a period of 8 hours. When entering sleep mode, it starts making multiple requests and the server responds by indicating the same address that it had already given it and the response is repeated over and over again, with the same address. At a certain point, the computer sends a response indicating that the address is already in use, so the server sends it a new IP address. This only happens when the device is in sleep mode. If it is not in sleep mode, in the captures there are no DHCP requests until it is time to renew. Could you give me more detail on how it works or under what scenario the "Power Save DOS Attack" works.

    In the captures, the MAC ADDRESS is the same in the field of Ethernet and DHCP.


    Is there some kind of wireless protection that I can use to control the number of DHCP requests for a MAC ADDRESS on an SSID?



    ------------------------------
    LS
    ------------------------------



  • 4.  RE: LAPTOP SLEEP MODE DHCP REQUEST
    Best Answer

    Posted Jun 27, 2023 06:48 AM

    Here are descriptions of the WIDS signatures. The Power Save DoS Attack is where an attacker spoofs on behalf of a client that it is in sleep mode, resulting in that the AP will not send any traffic anymore to the client.

    DHCP is more a network thing, not so much wireless. What you see is really strange behavior, and the resolution should probably in the client or in the DHCP server in my view. What you could do is further packet capturing near the DHCP server, and near the client (or on the AP) to see if traffic possibly is lost. As well you can check the client status/client role on the controller or AP when the client is in this mode. If all traffic is delivered to the client, it's a client issue for sure. Patching the symptoms probably is not a solution as the client may end up without an IP address. You could also argue that a DHCP server should never allocate multiple IP addresses for one client, but if the client is reporting duplicate IP, not sure how it would be expected to behave. I've not noticed this before, and if DHCP pools are depleted, there should be many customers experiencing the same.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: LAPTOP SLEEP MODE DHCP REQUEST

    Posted Jun 27, 2023 08:54 AM

    Thanks Herman for all your comments and recommendations. 

    I will put into practice the suggestions and excellent shared link. Thanks for everything.



    ------------------------------
    LS
    ------------------------------



  • 6.  RE: LAPTOP SLEEP MODE DHCP REQUEST

    Posted 28 days ago

    Hi Luis,

    could you solve your issues?

    I have exactly the same problem. 

    Thanks and regards.

    Jürgen