
Hi Serverfault community members.

I've been trying to identify the source of abnormal broadcast traffic generated by some Samsung Android devices with no success, so I ask for your help.

I have this pfSense virtual machine running on top of a VMware ESXi 5.1 host. This VM works as the gateway for our WiFi network. This is the overall interface config:

  • WAN: Public IP connected directly to Internet (VLAN3).
  • LAN: Internal IP used to route to corporate services (VLAN 8).
  • OPT1: 172.20.0.0/23 for students wifi (VLAN 200)
  • OPT2: 172.21.0.0/23 for internal users wifi (VLAN 201)
  • OPT3: 172.22.0.0/24 for guest wifi (VLAN 202)
  • OPT4: 172.23.0.0/24 for multi purpose wifi network (VLAN 203)
  • OPT5: Public IP connected directly to Internet (secondary WAN access) (VLAN3)

OPT1-3 are set up with captive portal authentication.

Recently we have noticed that on the WAN interface an abnormal amount of traffic is periodically present, which uses about 10 Mb/s of bandwidth on our internet link. Making a packet capture directly with pfSense, we noticed an Android device generating broadcast traffic for DHCP with message type "Boot Request". You can download the CAP file from here.

Analyzing the packets, I can say:

  • Broadcast traffic has the pfSense WAN interface MAC address as source (00:0c:29:44:07:c6).
  • Broadcast is for the 192.168.0.0/24 IP segment, which is not defined anywhere on our LAN.
  • Traffic is generated by an Android device with hostname android-5049184d224de050 and MAC address f4:09:d8:2a:19:6e.
  • Traffic corresponds to a DHCP Boot Request message.

When this traffic is present it floods VLAN 3 with broadcast packets, affecting other devices that connect directly to the Internet link.

I have tried to trace the "phantom" device's MAC on our LAN in order to identify it, but sometimes the MAC just doesn't even appear in any ARP table. Some other times I have been able to find it connected to some access point on VLAN 201 (internal users wifi), but although it has a 172.21.0.0/23 IP, it is not authenticated, so I can assume that it is not a valid internal user.

What I find really strange and really don't understand is why this traffic runs on the WAN interface, apparently generated by the interface itself, when it really comes from a device connected on the OPT2 interface with an IP different from the one in the generated traffic.

What I really want right now is to understand why this is happening in order to come up with a solution.

Any advice will be very appreciated. Thanks in advance.

Bye.
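Added example (not from the question, the CAP file, or the pfSense project): a standard-library Python parser for a raw DHCP/BOOTP broadcast frame that pulls out the fields the question compares (Ethernet source MAC, BOOTP chaddr, option 12 hostname, option 53 message type, option 50 requested address) and flags the same inconsistencies the capture showed: a frame whose Ethernet source is a gateway MAC while chaddr names a different device, no relay-agent marking (giaddr/hops zero), and a requested address outside every configured WiFi subnet. The sample frame is constructed inline from the MACs and hostname given in the question; the requested address 192.168.0.12 is an assumed value inside the reported 192.168.0.0/24 range, and checksums are left zero because the parser does not validate them.

```python
"""Parse a DHCP/BOOTP broadcast frame and flag the inconsistencies the
question describes (added example; the sample frame is constructed)."""
import ipaddress
import struct

BOOTREQUEST = 1
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
# WiFi subnets listed in the question; a requested address should fall in one of them
CONFIGURED_NETS = [ipaddress.ip_network(n) for n in
                   ("172.20.0.0/23", "172.21.0.0/23", "172.22.0.0/24", "172.23.0.0/24")]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_options(data):
    """Decode RFC 2132 TLV options into {code: value_bytes}; stops at END (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:                      # PAD
            i += 1
            continue
        if code == 255:                    # END
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp_frame(frame):
    """Return the relevant fields, or None if this is not an IPv4/UDP 68->67
    BOOTP message carrying the DHCP magic cookie."""
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                        # not UDP
        return None
    udp = ip[ihl:]
    if struct.unpack("!HH", udp[:4]) != (68, 67):
        return None
    bootp = udp[8:]                        # fixed BOOTP header is 236 bytes, cookie follows
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, hops = struct.unpack("!BBBB", bootp[:4])
    opts = parse_options(bootp[240:])
    return {
        "eth_src": mac_str(eth_src),
        "op": "BOOTREQUEST" if op == BOOTREQUEST else "BOOTREPLY",
        "hops": hops,
        "giaddr": str(ipaddress.IPv4Address(bootp[24:28])),
        "chaddr": mac_str(bootp[28:28 + hlen]),
        "message_type": MSG_TYPES.get(opts[53][0], "unknown") if 53 in opts else None,
        "requested_ip": str(ipaddress.IPv4Address(opts[50])) if 50 in opts else None,
        "hostname": opts[12].decode(errors="replace") if 12 in opts else None,
    }


def analyze(frame, gateway_macs):
    """Parse the frame and attach a list of findings a defender would act on."""
    info = parse_dhcp_frame(frame)
    if info is None:
        return None
    findings = []
    if info["eth_src"] != info["chaddr"]:
        findings.append("Ethernet source MAC differs from chaddr: frame was re-emitted, not sent by the client NIC")
        if info["giaddr"] == "0.0.0.0" and info["hops"] == 0:
            findings.append("giaddr and hops are zero: no DHCP relay agent marked the forwarding")
    if info["eth_src"] in gateway_macs:
        findings.append("Ethernet source MAC belongs to a gateway interface")
    rip = info["requested_ip"]
    if rip and not any(ipaddress.ip_address(rip) in n for n in CONFIGURED_NETS):
        findings.append(f"requested address {rip} lies outside every configured WiFi subnet")
    info["findings"] = findings
    return info


def build_request_frame(eth_src, chaddr, hostname, requested_ip, xid=0x3903F326):
    """Construct a DHCPREQUEST broadcast (Ethernet/IPv4/UDP/BOOTP); checksums left zero."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    host = hostname.encode()
    options = (DHCP_MAGIC + bytes([53, 1, 3])                    # message type REQUEST
               + bytes([50, 4]) + ipaddress.IPv4Address(requested_ip).packed
               + bytes([12, len(host)]) + host + bytes([255]))
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp
    return b"\xff" * 6 + eth_src + b"\x08\x00" + ip


# Constructed sample: MACs and hostname from the question, 192.168.0.12 is an assumed value
PFSENSE_WAN_MAC = bytes.fromhex("000c294407c6")
ANDROID_MAC = bytes.fromhex("f409d82a196e")
SAMPLE_FRAME = build_request_frame(PFSENSE_WAN_MAC, ANDROID_MAC,
                                   "android-5049184d224de050", "192.168.0.12")

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FRAME, {mac_str(PFSENSE_WAN_MAC)}).items():
        print(f"{key}: {value}")
```

To run it against the real capture, feed each raw frame (for example from a pcap reader, which the standard library does not provide) to `analyze()` with the set of pfSense interface MACs; a frame that is re-emitted by the firewall shows up with the first two findings, while a request sent directly by a client on OPT2 produces none.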
