How To Find A Rogue DHCP Server?
A rogue DHCP server does not work under the control of the network staff. It is a network device like a router connected to your network, mostly by a man in the middle for network attacks. However, a rogue DHCP server works like a usual legal DHCP server on a network. The question is, then, how to find a rogue DHCP server?
To find a rogue DHCP server, you can temporarily disable your DHCP in the command prompt and see if there are other servers responding. There are also third-party tools available to detect a rogue DHCP server. Finally, DHCP snooping software can be used to improve the security of a DHCP infrastructure.
A rogue DHCP server is very often set up by computer viruses or malicious software. So let’s take a look at when to check for a rogue DHCP server and how to do it. And most importantly, I will talk about how you can avoid connecting to a rogue DHCP server.
How Does A Rogue DHCP Server Attack?
A Rogue DHCP server works by impersonating a legitimate server. The client is offered IP addresses and other network information within a specific network. Clients will connect to the network using the IP address assigned by a rogue DHCP unsuspectingly, and become victims of security attacks.
The clients’ network information can be accessed by rogue servers. Man in the middle (MITM) attacks can compromise all private information. There can also be malware transferred through the rogue DHCP server.
Symptoms Of A Rogue DHCP Server
When there is a rogue DHCP server, it will offer the internet user with an IP address, default gateway, DNS servers, etc., along with the user’s legal DHCP server. This information provided by the legal and the rogue DHCP server is likely to differ.
When connected to a rogue DHCP, the client will face network access problems. It may include speed issues and incorrect IP network or gateway causing the inability to reach other hosts. So you should look for a rogue DHCP server when network issues come up.
The DHCP can be set by malware or a man in the middle. In case the rogue DHCP server is set by a computer virus, the client’s network security policies like user privacy are violated. So it is important to know how to detect a rogue DHCP server in your connection.
How To Detect A Rogue DHCP Server?
The Dynamic Host Configuration Protocol (DHCP) is used to automatically assign IP addresses. It is a network management protocol that is used on Internet Protocol (IP) networks. So a rogue DHCP server can be connected to your network either unknowing to the connecting part.
However, there will be network issues, and so you should always look for a rogue DHCP server in that case.
Temporarily Disable The DHCP Server
Allowing a device to receive an IP address from the rogue DHCP server can be an easy way to figure out where the rogue DHCP is coming from.
By temporarily disabling the DHCP server, you are allowing your network you get another IP address available, which is from the rogue DHCP. Now you can run commands to detect the IP and MAC address.
In a Windows device, run the command ipconfig /all to get the IP address. Using arp -a, you can get the MAC address of the device by looking for that IP address.
If you are using a Mac device, run the command ipconfig getpacket en0 (or en1). The DHCP server information can be found in /var/log/messages using sudo grep -i dhcp /var/log/messages*
You may be able to detect the rogue server by this process.
Use Tools Made For Detecting Rogue DHCP Server
Software tools are available for everyone to quickly detect any rogue DHCP server on the network. Some of these tools are:
Microsoft Rogue Check Tool
Microsoft archived the previous Microsoft Network Monitor 3.4 for windows devices and launched a simpler tool for detecting the rogue DHCP server. You can simply run dhcploc.exe. This command-line tool will display all the DHCP servers active and also detect if there are any unauthorized DHCP servers. The tool will alert you in case there is a rogue DHCP present.
Dhcp_probe
It is software designed to discover DHCP and BootP servers. It works on a directly attached Ethernet network. However, it is only good for a one-time or periodic check, and you will need to run this tool every once in a while.
WireShark
A widely popular network protocol analyzer, Wireshark is compatible with all sorts of devices, whether you have windows or mac. With its efficiency, Wireshark will very quickly detect a rogue DHCP, and even offer packets to block the rogue DHCP.
Block The Rogue DHCP Server
Once the rogue DHCP server is detected, you can block it by configuring the LAN switches. Because DHCP servers allocate IP addresses on a LAN, configuring LAN switches can remove the rogue DHCP server and any malicious DHCP traffic.
You can configure switches by using software widely provided for this. Cisco and Juniper switches are fast and easy to use.
How To Avoid A Rogue DHCP Server?
DHCP servers can be kept safe with a series of techniques called DHCP snooping. Provided by third-party software, DHCP snooping detects rogue servers and alerts the client. It further blocks rogue DHCP servers as well as strengthens the security of the legal DHCP.
DHCP snooping features thus provide constant protection. The client is firmly secured from rogue DHCP servers on the network. This feature is supported by many hardware vendors.
The main features of DHCP snooping include:
- Separates the DHCP messages received from trusted and untrusted servers. It further filters out invalid messages from untrusted sources.
- DHCP traffic is rate-limited based on whether the source is trusted or untrusted.
- The DHCP snooping binding database contains IP address information about untrusted hosts. This database is regularly built and maintained.
- Utilizing the DHCP snooping binding database, the requests from untrusted hosts are validated.
A rogue DHCP server possesses the risk of corrupting your network. Even connecting to a harmless rogue server can cause network issues. So it’s better to use configured switches to block the rogue DHCP servers from providing you IP addresses and gateways.
