Device is spamming my routers log

For some reason a for me unknown device is trying to connect to my router and fills up its log.
Apparently it must have connected at least once with my router because it gets offered an IP address. To find out the device I tried to look up the mac address (02:44:86:eb:07:ae) with no luck.
Is there a way to find out what device this is?

TIA

Tue Sep 24 14:35:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:36:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:36:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:37:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:37:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:39:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:39:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:40:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:40:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:41:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:41:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:41:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:41:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:42:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:42:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:44:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:44:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:45:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:45:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:46:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:46:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:46:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:46:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:48:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:48:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:49:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:49:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:49:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:49:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:50:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:50:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:52:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:52:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:52:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:52:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:54:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:54:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:55:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:55:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:55:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:55:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:56:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:56:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:57:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae
Tue Sep 24 14:57:59 2024 daemon.info dnsmasq-dhcp[1]: DHCPOFFER(br-lan) 192.168.1.144 02:44:86:eb:07:ae
Tue Sep 24 14:59:00 2024 daemon.info dnsmasq-dhcp[1]: DHCPDISCOVER(br-lan) 02:44:86:eb:07:ae


Take your devices off one by one :wink:

This address with 02 is a locally administered MAC address:

1 Like

@egc
OK, so its a private address most probably from an Android or Apple wireless device. We didn't get a new device but maybe our neighbors.

But why is it constantly negotiating an IP address with my router? If it has connected at least once than that means the device should be known?

Your neighbours' devices won't get as far as requesting a DHCP, unless you've given them your wireless access credentials (or wired access).

2 Likes

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'd a similar situation where a Redmi 12 phone kept spamming the syslog with DHCPREQUEST and DHCPACK messages (something like twice every minute).

If suppressing those logs is enough for you, you can do so by:

uci set dhcp.@dnsmasq[0].quietdhcp='1'
uci commit
service dnsmasq restart

Fixing these "errors" on a per device basis is a pain in the ass.

2 Likes

No, I'm sure my neighbors do not have my credentials nor did they ever have them nor do they have access via copper.
That's what puzzles me; I can rule out my surroundings so that leaves only a "known" device. And nothing has changed in my own situation. It just starting to happen.

Bring down portd/wifis onr at a time to locate device.

Yeah, that's only masking the issue. I would like to go to the bottoms of this.

That is something i could pursue when users are logged out. It should give me at least a lead if it tries to connect via copper of wifi (almost certain wifi).

I used to deliver fairly low level courses in cyber security. For homework at the end of day one I would get them to try to access their router logs to analyse what sort of info they could get from them. One of the attendees was a copper, and looked pretty angry the next morning. I thought he was disappointed about the standard of training delivery (which would have been fair enough) but when it came to feedback on the router exercise it turned out he's discovered a "rouge" device on his router. Somehow he'd traced it back to a neighbouring flat, and worked out they must have taken a photo of the back of his router shortly after they'd moved in and had popped around on the pretence of being neighbourly. Apparently they "had words!" :joy:
Probably not your issue, but still made me chuckle

1 Like

You can blacklist individual MAC and wait fir neighbours sneeking around barcodes.

My approach is similar to @brada4's, and I don't view it as "masking the issue." The idea is to first try to identify the method by which the device is attaching to the network. If you're confident it is wifi, you can skip the physical ethernet ports, of course, but if not, physically go through and unplug each device while there is a ping test running to the unknown device... watch for it to go offline and you should be able to narrow it down

If the device is wifi and you are able to successfully force-disconnect it, you can hopefully go around and find out what breaks.

Don't forget that these randomized MAC addresses can come from lots of devices. Most Apple products do it - Macs/iPhones/iPads, and even other devices like the Apple Watch and possibly even the Apple TV. If you've recently upgraded the OS on one of them and/or reset it to defaults, that could certainly cause it to come up with the randomized addresses. Android does this, too -- and it's in a lot of places... you may have a smart TV with Android and all sorts of other devices. My cycling computer/head unit even runs Android, so again, it could be really any piece of equipment.

I wouldn't call this an issue. The excessive logging can be an issue, but I am pretty sure the 'quietdhcp' option exists for cases like this.
Other than that, the requests are far enough apart that it wouldn't cause any saturation on your router and DHCP is operating normally.

Like in my case, I believe it's due to wake ups on power-saving devices. They probably request DHCP info in order to validate their interface(s) after waking up.

As for new devices, just because you haven't brought any new devices to your network doesn't mean your smartphones (which are constantly updating themselves in the background) didn't change their behaviors.

See this for another reference: https://stackoverflow.com/questions/39991467/dhcp-request-ack-flooding-on-openwrt

EDIT: Interesting to note that yours appear to always be on 1 minute intervals. The ones spammed in my router are arbitrary (between 20 seconds to 3 minutes) and are more consistent with my theory of wake ups.

1 Like

The only Apple device that is currently in the house is my sons work phone. We checked it but it isn't the device. It's turned off.
All the other usual suspect (Android) are known to the router and are logged on or "sleeping".

Without testing it (but will test tomorrow to be absolutely sure) i'm confident it can not be a wired connection (checked all ethernet port).

This bugs me. Apparently nothing changed but still.....

Also, did you try a reverse dns lookup to see if dnsmasq assigned a hostname to the ip address?

And exactly that bugs me. It's one specific device which I can not identify.

Whats the problem blocking single MAC from wifi?

Provide config, maybe some other glitch.

Since it's always on the same interval (unlike mine) and is not a DHCPREQUEST, but rather a DHCPDISCOVER, this might be a timeout followed by a re-attempt to acquire an address.

Your DHCP server seems to be sending the offer just fine, but it seems the device at the other end is somehow failing to see it.

Did you try a reverse dns lookup on the ip address? Is it assigned to /tmp/dhcp.leases?

EDIT: DHCP Discover/Offer Loop - #8 by dsduarte https://www.reddit.com/r/openwrt/comments/l4r50m/continuous_dhcpdiscoveroffer_from_single_device/

The device is not known/shown in dhcp.leases.

Looks a lot on my issue. Only difference is that the TS knew which device had the issue.