Random bogons show up on 0.0.0.0 for every MAC?

deanfourie

Occasional Visitor
So, I'm curious, around the same time every night, I get these so-called "bogons" showing up on the network with an IP address of 0.0.0.0.

This also causes great network disruption; the client loses internet for periods of time on certain devices. Could be from 2 - 5 minutes at a time.

DHCP lease is still valid, cannot ping gateway and cannot ping other LAN clients, and of course no internet access.

Then BOOM, everything just goes back to normal. Some examples are below, and this happens on nearly every client on the network and moves between MACs.

Any ideas?

Thanks

Code:
Oct 12 00:50:17    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 00:50:18    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 00:50:18    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 00:50:33    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 00:50:34    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 00:50:35    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 12 01:25:11    arpwatch    45709    bogon 0.0.0.0 c0:33:5e:31:9e:87
Oct 12 01:25:12    arpwatch    45709    bogon 0.0.0.0 c0:33:5e:31:9e:87
Oct 12 01:25:13    arpwatch    45709    bogon 0.0.0.0 c0:33:5e:31:9e:87
Oct 12 09:36:45    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 09:36:46    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 09:36:47    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 09:36:48    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 09:36:49    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 12:38:24    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 12:38:25    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 12:38:26    arpwatch    45709    bogon 0.0.0.0 b8:ee:65:72:92:45
Oct 12 15:37:15    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 12 15:37:16    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 12 15:37:17    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 12 17:43:37    arpwatch    45709    bogon 0.0.0.0 78:24:af:36:1a:08
Oct 12 17:43:38    arpwatch    45709    bogon 0.0.0.0 78:24:af:36:1a:08
Oct 12 17:43:39    arpwatch    45709    bogon 0.0.0.0 78:24:af:36:1a:08
 
Some more,


Code:
Oct 13 21:19:06    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:07    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:08    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:09    arpwatch    45709    bogon 169.254.192.108 c4:9d:ed:89:ed:05
Oct 13 21:19:09    arpwatch    45709    bogon 169.254.192.108 c4:9d:ed:89:ed:05
Oct 13 21:19:12    arpwatch    45709    bogon 169.254.192.108 c4:9d:ed:89:ed:05
Oct 13 21:19:12    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:13    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:14    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:25:19    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 13 21:25:20    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 13 21:25:21    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
 
Check and see if you have IGMP snooping enabled on the wireless interfaces…
 
DDOS Attack.
 
Did some more digging on this...

It is related to DHCP, in that a device that doesn't have a local IP assigned yet inserts a null address for itself on the DHCP request.

arpwatch flags this as a bogon - it's just a warning in syslog, not much to worry about.

If you look on the wire with tcpdump (filter on arp and dhcp), you should see that once the device has an IP address assigned by DHCP, the bogon warning should stop...

BTW - your devices that are kicking the warning - the IEEE OUI lookups for the MAC addresses are as follows:

  1. C49DED: Microsoft Corporation
    One Microsoft Way REDMOND WA US 98052
  2. B8EE65: Liteon Technology Corporation
    4F,90,Chien 1 Road,ChungHo,Taipei Hsien,Taiwan, TaiPei TaiWan TW 23585
  3. 7824AF: ASUSTek COMPUTER INC.
    15,Li-Te Rd., Peitou, Taipei 112, Taiwan Taipei Taiwan TW 112
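
An added example (not part of the thread or any poster's code): it groups arpwatch bogon lines into per-MAC bursts and labels the sender address, so short 0.0.0.0 / 169.254.x.x bursts that fit the address-acquisition explanation above can be told apart from bogons using any other address. The sample lines are copied from the second log excerpt in the thread; the function names, the 60-second gap and the placeholder year are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines copied from the thread's second arpwatch excerpt.
SAMPLE = """\
Oct 13 21:19:06    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:08    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:19:09    arpwatch    45709    bogon 169.254.192.108 c4:9d:ed:89:ed:05
Oct 13 21:19:12    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:89:ed:05
Oct 13 21:25:19    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
Oct 13 21:25:21    arpwatch    45709    bogon 0.0.0.0 c4:9d:ed:b2:2e:ea
"""
LINE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+arpwatch\s+\d+\s+bogon\s+([\d.]+)\s+([0-9a-f:]{17})$")

def classify(ip):
    """Label the sender address that arpwatch reported as a bogon."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "unspecified"  # 0.0.0.0: sender has no address yet
    if addr.is_link_local:
        return "link-local"   # 169.254.0.0/16, self-assigned
    return "other"            # not explained by address acquisition

def bursts(log, gap_seconds=60, year=2000):
    """Group bogon events per MAC; a pause longer than gap_seconds starts a new burst."""
    per_mac = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # syslog lines carry no year, so a placeholder year is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            per_mac[m.group(3)].append((ts, classify(m.group(2))))
    out = []
    for mac, events in per_mac.items():
        cur = None
        for ts, kind in sorted(events):
            if cur is None or ts - cur["end"] > timedelta(seconds=gap_seconds):
                cur = {"mac": mac, "start": ts, "end": ts, "count": 0, "kinds": set()}
                out.append(cur)
            cur["end"] = ts
            cur["count"] += 1
            cur["kinds"].add(kind)
    return sorted(out, key=lambda b: b["start"])

if __name__ == "__main__":
    for b in bursts(SAMPLE):
        secs = int((b["end"] - b["start"]).total_seconds())
        print(b["mac"], b["start"].strftime("%b %d %H:%M:%S"), f"{secs}s", b["count"], sorted(b["kinds"]))
```

Bursts whose kinds include "other" are the ones worth following up with a packet capture.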
 
