What is a Rogue DHCP? | GigMocha Defines
A DHCP Server is a network server that automatically offers and assigns network parameters, such as IP addresses and default gateways to client devices. The server can respond to clients’ queries because of a standard protocol, called the Dynamic Host Configuration Protocol (DHCP). As important as DHCP servers are, one of its drawbacks is that it has no secure mechanism for clients’ authentication.
Furthermore, if a rogue DHCP server is introduced to a network, the DHCP automation can turn out to become dangerous. That said, here’s a burning question; what exactly is a rogue DHCP?
A rogue Dynamic Host Configuration Protocol (DHCP) server is a DHCP server that is not under the administrative control of any network staff. Since that’s the case, it simply means the server is unauthorized. Unfortunately, this server is capable of wreaking all sorts of havoc on your network.
Rogue Dynamic Host Configuration Protocol servers are security issues that everyone needs to address. In the rest of this post, you’ll find out everything about the rogue DHCP server and how to check whether or not it is on your network.
What Is a DHCP and How Does It Work?
Before going ahead to discuss everything you need to know about rogue DHCP servers, let me start by talking about DHCP servers. So, what exactly are DHCP servers?
The Dynamic Host Configuration Protocol, first defined in RFC 1531 in October 1993, is designed based on the Bootstrap Protocol (BOOTP), a network protocol that network clients utilize to obtain IP addresses from a configuration server.
Furthermore, a DHCP is an automated configuration protocol. That’s so because it is designed to configure and assign a computer automatically with an IP address. Of course, the aim of that is to eliminate the need for humans to intervene in IP generation.
How does DHCP work?
As earlier stated, DHCP works by rolling out IP addresses and IP information to network clients temporarily. However, for this to happen, there needs to be a boot process. During this period, a DHCP-enabled client will send out a broadcast message, called DHCPDISCOVER – this will help to search for the DHCP server.
The DHCP server can respond to the broadcast message because the packet contains the client’s computer name and Media Access Control (MAC) address. Fortunately, if there is any server available to lease out an IP address, it’ll respond to the client’s broadcast with a DHCPOFFER.
In some cases, it’s possible to see more than one server respond to this broadcast message. If that happens, the client will receive the first offer that comes in. For the client to accept the offer, it’ll respond with a broadcast message called a DHCPREQUEST. In the case of multiple offers, the rest of the servers will also get a decline message.
Finally, the first server whose offer was accepted will acknowledge the client’s action by responding with a DHCPACK message. Interestingly, the packet will include the client’s IP address and other information needed to start participating in the network.
How Does Rogue DHCP Come Into Play?
Now, let’s go back to the main topic of this post; what is rogue DHCP?
Ever since the dynamic host configuration protocol was invented, it has always been known to be prone to security issues. For instance, in 1993, when the automated configuration protocol was introduced, one of its sections talked about Security Considerations. According to it, it says “DHCP in its current form is quite insecure”. Fast forward to the early 2000s, there were cases where many automated tools were utilized to perform the DHCP MITM attacks.
Although the DHCP server is quite important to us, one of its setbacks as earlier pointed out is that – it doesn’t have any secure mechanism for clients’ authentication. What that means is that there’s no way a client can identify if a DHCP server is legit or not.
When a DHCP-enabled client sends out a broadcast message, the computer will trust all responses from the servers since there’s no way to identify the legitimate ones. Here’s where the need to be careful of rogue DHCP servers comes into the scene.
That brings us to the burning question of what is a rogue DHCP server?
What is a rogue DHCP server?
Rogue DHCP servers are servers that aren’t under the control of network administrators. They tend to impersonate a legitimate server, offering IP addresses and other network information alongside the legal DHCP server as the DHCP-enabled client sends a broadcast message.
If the rogue DHCP offers a packet that is different from that of the real DHCP server, accepting the offering, especially if it comes first, will cause all sorts of havoc for the client.
Most times, attackers are the ones behind the rogue DHCP servers. If the client receives an IP address and other information from a rogue DHCP server, it means the IP address will receive all the traffic from the client – this, the attacker can acquire and send to the appropriate default gateway.
How to Detect if a Rogue DHCP Server Is on Your Network?
There are many ways to find out whether or not a rogue DHCP server is on your network.
The first technique involves using a sniffer, such as the Tcpdump/Wireshark. All you need is to run this sniffer on your computer before sending the usual DHCP request. This way, you should get offers from the legitimate DHCP server. However, if you notice any other offer that’s not from the real DHCP server, it means you have a rogue DHCP server on your network.
Another way to find out about a rogue DHCP server is by scanning your network using any of the many tools available out there. The common ones are DHCP Sentry and dhcp_probe. Interestingly, most of these tools are designed with built-in IM alerting capabilities, which will signal your system administrators as soon as there’s any rogue DHCP server.