dhcp-server alert

On a guest WiFi network with hundreds of active users, today I got a few alerts from the dhcp-server alert.
They provide the MAC and IP address of the user; it is a Samsung phone (Android). I don’t know who it
is or whether this user is malicious, the phone is infected with a trojan, or otherwise.

Unfortunately the log has very little detail. To know what this guy is up to, it would be really helpful to know
the OFFER that the dhcp-server alert received. Unfortunately it is not being logged. Is it somehow available
in the context of the script that can be called when a rogue server is detected?

For now I just started a packet sniff to catch the reply when it is next seen.

OK, the sniff taught me that it is apparently an Android device that somehow operates in tethering mode
while it is a client on the WiFi. I am not sure how this can happen and how to avoid it. I don’t know
which device it is, I only have the MAC address and IP address, and the hostname is the usual garbage
name for Android devices (Apple iOS devices often have the owner's name as part of the hostname).

Frustrating… of course this kind of problem could be avoided by doing client-to-client isolation, but
there are also devices like Google Chromecast on the network for which this is causing trouble…
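
An added example, not part of the original post: a small Python decoder for the DHCP OFFER that a packet sniff captures, showing the fields that describe what the unexpected server is handing out (offered address, server identifier, router, DNS, lease time). It assumes the UDP payload has already been extracted from the capture; `sample_offer()` builds a constructed packet, and every address and MAC in it is made up.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
IP_OPTS = {1: "subnet_mask", 3: "router", 6: "dns", 54: "server_id"}

def ips(raw):
    """Split an option value into dotted-quad IPv4 addresses."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]

def parse_dhcp(payload):
    """Decode a BOOTP/DHCP UDP payload (the bytes after the UDP header)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    info = {"yiaddr": socket.inet_ntoa(payload[16:20]),              # offered address
            "chaddr": ":".join(f"{b:02x}" for b in payload[28:34])}  # target client
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == 53 and length == 1:
            info["type"] = MSG_TYPES.get(value[0], str(value[0]))
        elif code == 51 and length == 4:
            info["lease_seconds"] = struct.unpack("!I", value)[0]
        elif code in IP_OPTS:
            info[IP_OPTS[code]] = ips(value)
        i += 2 + length
    return info

def sample_offer():
    """Constructed OFFER; every address and the MAC here are made up."""
    a = socket.inet_aton
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234ABCD, 0, 0,
                      a("0.0.0.0"), a("192.168.43.57"), a("192.168.43.1"),
                      a("0.0.0.0"), bytes.fromhex("020000aabbcc"), b"", b"")
    opts = (bytes([53, 1, 2]) + bytes([54, 4]) + a("192.168.43.1")
            + bytes([1, 4]) + a("255.255.255.0") + bytes([3, 4]) + a("192.168.43.1")
            + bytes([6, 4]) + a("192.168.43.1") + bytes([51, 4])
            + struct.pack("!I", 3600) + b"\xff")
    return hdr + MAGIC + opts

if __name__ == "__main__":
    for key, val in parse_dhcp(sample_offer()).items():
        print(f"{key}: {val}")
```

Comparing `server_id`, `router` and `dns` against the network's legitimate DHCP server shows at a glance what a client accepting the offer would have been configured with.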