Rogue DHCP
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or a router connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such as man in the middle.

As clients connect to the network, both the rogue and the legitimate DHCP server will offer them IP addresses as well as a default gateway, DNS servers, WINS servers, among others. If the information provided by the rogue DHCP server differs from the real one, clients accepting IP addresses from it may experience network access problems, including speed issues as well as an inability to reach other hosts because of an incorrect IP network or gateway. In addition, if a rogue DHCP server is set to provide as default gateway the IP address of a machine controlled by a misbehaving user, that user can sniff all the traffic sent by the clients to other networks, violating network security policies as well as user privacy (see man in the middle).

Rogue DHCP servers can be stopped by means of intrusion detection systems with appropriate signatures as well as by some multilayer switches, which can be configured to drop the packets.
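The detection idea above (a signature that recognises a DHCP OFFER whose server identifier or offered gateway is not the one the network staff operate) can be shown in plain Python without any capture library. This is an added example, not part of the original article: it builds two constructed OFFER messages, parses the DHCP option field, and flags the one whose server identifier (option 54) and router (option 3) are not on the allow-list. The allow-list addresses and the 192.0.2.0/24 sample addresses are assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP option field
DHCP_OFFER = 2                      # option 53 value for a server's OFFER

def build_offer(xid, yiaddr, server_id, router, dns):
    """Construct a minimal DHCP OFFER (BOOTP reply header + options). Sample data only."""
    ip = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, xid, 0, 0,              # op=BOOTREPLY, Ethernet, hlen=6
                      b"\0" * 4, ip(yiaddr), b"\0" * 4, b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, DHCP_OFFER])
    opts += bytes([54, 4]) + ip(server_id)   # server identifier
    opts += bytes([3, 4]) + ip(router)       # default gateway handed to the client
    opts += bytes([6, 4]) + ip(dns)          # DNS server handed to the client
    return hdr + MAGIC_COOKIE + opts + b"\xff"

def parse_options(payload):
    """Return {option_code: raw value} from the option field, skipping pad (0) and stopping at end (255)."""
    idx = payload.index(MAGIC_COOKIE) + 4
    opts = {}
    while idx < len(payload):
        code = payload[idx]
        if code == 255:
            break
        if code == 0:
            idx += 1
            continue
        length = payload[idx + 1]
        opts[code] = payload[idx + 2:idx + 2 + length]
        idx += 2 + length
    return opts

def check_offer(payload, allowed_servers, allowed_routers):
    """Flag an OFFER whose server identifier or router is not one the network staff operate."""
    opts = parse_options(payload)
    if opts.get(53) != bytes([DHCP_OFFER]):
        return None  # not an OFFER: nothing to judge
    server = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None
    router = str(ipaddress.IPv4Address(opts[3])) if 3 in opts else None
    reasons = []
    if server not in allowed_servers:
        reasons.append(f"unknown DHCP server identifier {server}")
    if router is not None and router not in allowed_routers:
        reasons.append(f"unexpected default gateway {router}")
    return {"server": server, "router": router, "rogue": bool(reasons), "reasons": reasons}

# Constructed sample data (assumption): the legitimate server and gateway is 192.0.2.1.
ALLOWED_SERVERS = {"192.0.2.1"}
ALLOWED_ROUTERS = {"192.0.2.1"}
LEGIT = build_offer(0x1234, "192.0.2.50", "192.0.2.1", "192.0.2.1", "192.0.2.1")
ROGUE = build_offer(0x1234, "192.0.2.200", "192.0.2.99", "192.0.2.99", "192.0.2.99")
```

On a live network the same check is applied to the UDP payload of each packet arriving from port 67 to port 68, so that an OFFER from any address outside the allow-list raises an alert.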
External links

Rogue DHCP servers can be detected using the following software:
- Microsoft Network Monitor 3.1 (XP, Vista, Server 2003)
- dhcp_probe (UNIX)
- SoftPerfect Network Scanner (Win32 Freeware, supports Windows 2000, XP, 2003, Vista, 2008, Seven)
- dhcploc.exe (Win32) in ResourceKit
- DHCP Sentry (Win32) – DHCP Sentry tool
- Rogue detect (Perl)
- Open DHCP Locate (UNIX, Win32, C)
- MyLanViewer network scanner / IP scanner (Win32)

Manual examination using the Scapy package in Python:
- Scapy (Python)