What is a rogue DHCP server?

A rogue DHCP server is a DHCP server on your network that is not authorized to hand out IP addresses to your devices, and it can cause some serious problems. It’s important to find and remove these servers before they do real damage to your network. In this blog post, we’ll teach you how to find these servers so you can shut them down before any more damage occurs.

How do I find a Rogue DHCP server on my network?

One of the easiest ways to find DHCP servers on your network is to monitor network traffic with a network sniffer, such as Wireshark.

Once installed, you can use Wireshark to search for DHCP packets coming from unauthorized servers. Keep in mind that if a rogue server is handing out IPs on your network, its DHCP replies will carry a source IP address and a MAC address that do not belong to any machine known to the authorized DHCP server (in this case, our sniffer).

If you find one of these packets with an unknown source IP and the MAC address that goes with it, there’s likely a rogue DHCP server on your network. If possible, try accessing or pinging devices that received addresses from this new IP range. You may get more information about the problems the rogue DHCP server is causing. Additionally, having access to another device within this range can help determine whether we’re dealing with a rogue DHCP server or something else that’s causing the IP confusion.
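The check described above, as an added example that is not code from the original post: a small Python script that builds a few DHCP packets in memory, parses the BOOTP header and DHCP options, and flags any OFFER, ACK or NAK whose source IP, source MAC or server identifier (option 54) is not on an allowlist of authorized servers. The authorized server 10.0.0.1 / 00:11:22:33:44:55, the rogue at 10.0.0.254 and the client MAC are constructed sample values, and the (src_mac, src_ip, payload) tuples stand in for what a sniffer would show you for each frame.

```python
"""Flag DHCP server replies that do not come from an authorized server.

Added example: builds a few DHCP packets in memory (no capture needed), parses
the BOOTP header and DHCP options, and reports OFFER/ACK/NAK messages whose
source IP, source MAC or server identifier is not on the allowlist.
All addresses below are constructed sample values.
"""
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {2, 5, 6}                 # message types only a DHCP server sends


def build_dhcp(op, chaddr, yiaddr, msg_type, server_id=None):
    """Build a minimal BOOTP/DHCP payload (UDP payload only, no IP/Ethernet headers)."""
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += socket.inet_aton("0.0.0.0")              # ciaddr
    hdr += socket.inet_aton(yiaddr)                 # yiaddr: the address being handed out
    hdr += socket.inet_aton("0.0.0.0") * 2          # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00")                # chaddr, padded to 16 bytes
    hdr += b"\x00" * 64 + b"\x00" * 128             # sname, file (unused here)
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])    # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)  # option 54: server identifier
    return hdr + opts + b"\xff"                     # option 255: end of options


def parse_options(data):
    """Parse the TLV option list (after the magic cookie) into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:             # pad
            i += 1
            continue
        if code == 255:           # end
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(payload):
    """Extract the fields needed to judge a DHCP message."""
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (magic cookie missing)")
    hlen = payload[2]
    opts = parse_options(payload[240:])
    return {
        "op": payload[0],                                   # 1 = request, 2 = reply
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "chaddr": ":".join("%02x" % b for b in payload[28:28 + hlen]),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None,
    }


def find_rogues(packets, authorized):
    """packets: (src_mac, src_ip, dhcp_payload) per frame, as a sniffer would present it.
    authorized: {server_ip: server_mac}. Returns one finding per suspicious server reply."""
    findings = []
    for src_mac, src_ip, payload in packets:
        info = parse_dhcp(payload)
        if info["op"] != 2 or info["msg_type"] not in SERVER_REPLIES:
            continue  # DISCOVER/REQUEST come from clients; not what we are hunting
        reasons = []
        if src_ip not in authorized:
            reasons.append("source IP %s is not an authorized DHCP server" % src_ip)
        elif authorized[src_ip].lower() != src_mac.lower():
            reasons.append("source MAC %s does not match the authorized MAC for %s"
                           % (src_mac, src_ip))
        if info["server_id"] is not None and info["server_id"] not in authorized:
            reasons.append("server identifier %s is not authorized" % info["server_id"])
        if reasons:
            findings.append({
                "src_mac": src_mac, "src_ip": src_ip,
                "msg_type": MSG_TYPES.get(info["msg_type"], "?"),
                "offered_ip": info["yiaddr"], "client_mac": info["chaddr"],
                "reasons": reasons,
            })
    return findings


# Constructed sample data: one authorized server, one client, one rogue server.
AUTHORIZED = {"10.0.0.1": "00:11:22:33:44:55"}
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_PACKETS = [
    ("aa:bb:cc:dd:ee:ff", "0.0.0.0", build_dhcp(1, CLIENT_MAC, "0.0.0.0", 1)),
    ("00:11:22:33:44:55", "10.0.0.1", build_dhcp(2, CLIENT_MAC, "10.0.0.50", 2, "10.0.0.1")),
    ("de:ad:be:ef:00:01", "10.0.0.254", build_dhcp(2, CLIENT_MAC, "10.0.0.77", 2, "10.0.0.254")),
]

if __name__ == "__main__":
    for f in find_rogues(SAMPLE_PACKETS, AUTHORIZED):
        print("ROGUE %s from %s (%s) offered %s to %s" % (
            f["msg_type"], f["src_ip"], f["src_mac"], f["offered_ip"], f["client_mac"]))
        for r in f["reasons"]:
            print("  -", r)
```

With a real capture you would feed the script the Ethernet source MAC, the IP source address and the UDP payload of every frame sent from port 67; the DISCOVER in the sample shows why the script ignores client traffic and only judges replies.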

How do I remove a Rogue DHCP Server?

Once you’ve found your wayward DHCP servers, it’s time to get rid of them before they cause any more damage. We recommend blocking their traffic from entering and leaving your network with an access control list (ACL). If these unauthorized packets are crossing your routers, create ACLs on each router connected to your internal LAN or VLAN networks to block these bad boys.

If you are a network administrator and use Cisco routers, the ACL would look like this (x.x.x.y.z and x.x.a.b are placeholders for the rogue server’s address range; the final permit is needed because a named ACL ends with an implicit deny that would otherwise drop all other traffic):

    ip access-list extended RogueServer
     deny udp x.x.x.y.z any eq bootpc
     deny udp x.x.x.y.z any eq bootps
     deny ip x.x.x.y.z x.x.a.b any
     permit tcp any host xxx
     remark keep everything else flowing; without this line the implicit deny blocks all other traffic
     permit ip any any

xxx is the IP of your sniffer (the authorized DHCP server). Now, all traffic from the rogue address trying to enter or leave with a destination port of 67 (bootps), or 68 (bootpc) as listed in the ACL, will be blocked by our ACL RogueServer. This effectively stops unauthorized DHCP servers from gaining access to and/or handing out IPs on our network! If you cannot reach the devices connected to these rogue networks, this step alone may not do much for you, but it’s a useful added layer of protection in case someone else does happen upon your uninvited guest(s).

Blocking traffic coming from unauthorized DHCP servers is a great way to maintain network security and prevent future issues. You can find rogue DHCP servers on your internal networks as well, so be sure to monitor that traffic too.

What causes a rogue DHCP server?

A rogue DHCP server can be caused by a number of issues. Some common causes include:

A misconfigured home router. Many people use their home routers as WiFi repeaters, creating one large wireless network that spans multiple access points. When this is done using the default settings on some older models, the device will usually act as an unauthorized DHCP server handing out IPs within your own subnet range(s). This would explain why you are seeing traffic coming from unknown machines with local IP addresses belonging to known MACs.

Another cause may involve someone plugging in a new device (or connecting wirelessly) which was configured for static addressing but gets assigned an address via DHCP instead due to how the packets were routed.

There are multiple ways an unauthorized DHCP server could end up on your network. We’ve seen this happen in many different scenarios, including firewalls, proxies and even IoT devices like printers that act as a DHCP server when plugged into the network. If you’re having trouble tracking down where one of these rogues is coming from, running Wireshark to monitor for packets with unknown IPs can help narrow things down quickly.

How do I check DHCP status?

To check DHCP status on a Cisco router, use the command show ip dhcp binding; it shows which IPs are assigned and which are available. If you’re looking for a free tool that makes this process much easier, try SolarWinds Engineer’s Toolset, which has an option to find unauthorized DHCP servers.

Conclusion

A rogue DHCP server can be caused by many different things, such as misconfigured home routers, firewalls, proxies, and even IoT devices like printers acting as a de facto DHCP server when plugged into the network. Blocking traffic coming from unauthorized DHCP servers is a great way to maintain network security and prevent future issues, and since rogue DHCP servers show up on internal networks as well, keep monitoring that traffic too.
