NetFort Advertising

How to Alert on Rogue DHCP Servers

Detecting rogue DHCP servers using network traffic

Alert on Rogue DHCP Servers Using Network Traffic as a Data Source

Recently a customer came to us with the following query:

We were wondering whether there is a way to setup an alert on LANGuardian if we see any other DHCP servers on the network other than our own – particularly on the 192.168.0.0/24 range. We have DHCP snooping on all our newer switches, but not on some the older ones. We have used LANGuardian to do this manually with a report – but an email alert would be great.

The ability to detect DHCP servers is a feature that has been in LANGuardian for some time, but more and more customers want alerts if a rogue DHCP server appears on the network.

DHCP is a standard Internet protocol that enables the dynamic configuration of hosts on an Internet Protocol (IP) internetwork. Dynamic Host Configuration Protocol (DHCP) is an extension of the bootstrap protocol (BOOTP). The image on the right depicts the breakdown of a typical DHCP client request.

A DHCP server is a machine that runs a service that can lease out IP addresses and other TCP/IP information to any client that requests it. They are usually managed and controlled by the network administrators.

Rogue DHCP server showing DHCP request

Rogue DHCP Servers & Their Risks

A rogue DHCP server can be defined as one which is not managed by IT. It could be a wireless router added to the network by a user or someone enabling DHCP services on a server.

As clients connect to the network, both the rogue and legal DHCP server will offer them IP addresses as well as a default gateway; DNS servers, WINS servers, and others. If the information provided by the rogue DHCP differs from the real one, clients accepting IP addresses from it may experience network access problems, as well as an inability to reach other hosts because of an incorrect IP network or gateway. IP conflicts can cause problems for existing clients and they may also experience network access problems.

In addition, if a rogue DHCP is set to provide as a default gateway, such as an IP address of a machine controlled by a misbehaving user, it can sniff all the traffic sent by the clients to other networks. This is typically referred to as a man in the middle attack.

Detecting DHCP Servers

One of the easiest ways to detect DHCP servers on your network is to monitor network traffic via a SPAN, mirror port or TAP. Once you have your packet data source, watch out for DHCP offer packets. These are sent by DHCP servers when a client sends out a broadcast packet looking to discover a DHCP server.

The image below shows the output of a DHCP request sequence which was captured using Wireshark. You can use the bootp filter to exclude other packets from the display. This approach is particularly useful for smaller networks where the traffic volumes are low. For larger networks, you may want to consider a dedicated traffic analysis system such as our own LANGuardian.

DHCP offer packet

LANGuardian comes with a set of DHCP reports. To access these, type DHCP into the search bar at the top of the web GUI and select Services :: DHCP Servers. You can filter based on a specific subnet by using the Server report variable on the left hand side. The image below shows an example of the report output. It lists all active DHCP servers for a selected time period. Click on it to access this report on our online demo.

DHCP servers detected using network traffic analysis

Generating Alerts if Rogue DHCP Servers Are Detected.

While running DHCP server reports are useful, most of us do not have the time to do this on a regular basis. Another useful feature of LANGuardian which can help here is the in built alerting engine. For example, I want to generate an alert if a DHCP server is detected within my 192.168.0.0/24 network range. The steps involved to get this alert setup are:

  1. Log onto your LANGuardian web interface and click on the gear symbol top left. Select Settings
  2. Within settings select Alert rules
  3. Click on Add New Rule.
  4. Assign a name to the rule, like Rogue DHCP Servers
  5. Select the DHCP module from the dropdown
  6. Enter the text server_ip=192.168.0.0/24 && message_type=2 as the rule and then save

You may need to change the IP range to match your own network IP ranges. The image below shows the rule definition on my LANGuardian.

A LANGuardian rule to alert on rogue DHCP servers

If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can be used to detect rogue DHCP servers, do not hesitate to contact us and speak with our technical support team.