How to Detect and Mitigate Rogue DHCP Servers in Enterprise Networks: Best Tools and Scripting Approaches

Rogue DHCP servers remain one of the most insidious threats to network stability, often introduced accidentally through misconfigured consumer routers or maliciously via compromised devices. Because a client accepts the first DHCPOFFER it hears, an unauthorized server that answers faster than the real one gets to hand out the address, default gateway and DNS servers: the results range from IP conflicts and clients stranded on the wrong subnet to full man-in-the-middle positioning through an attacker-controlled gateway or resolver.

Packet-Level Analysis: Capture DHCP traffic using tcpdump/Wireshark and look for DHCPOFFER or DHCPACK packets carrying more than one server identifier (option 54); a single server that is multihomed will show one identifier, a rogue shows a second:

tcpdump -i eth0 -nn -v 'port 67 or port 68' -w dhcp.pcap

Active Probing Tools: dhcp_probe (or nmap's broadcast-dhcp-discover script, below) sends its own DHCPDISCOVER and DHCPREQUEST packets, so it finds a rogue even when no client happens to be renewing during a passive capture. The interface name is a positional argument; the list of legitimate servers (legal_server) and the probe interval are set in its config file:

# Using dhcp_probe in the foreground with debugging output
dhcp_probe -f -d 1 -c /etc/dhcp_probe.cf eth0

Switch Port Security: Configure DHCP snooping on managed switches. Once snooping is enabled for a VLAN, every port in it is untrusted by default and server-originated messages (OFFER, ACK, NAK) arriving on an untrusted port are dropped, so mark only the uplink and the port facing the real DHCP server as trusted, never an access port:

# Cisco IOS example
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 10,20
switch(config)# interface gig1/0/1
switch(config-if)# ip dhcp snooping trust

Verify with show ip dhcp snooping. If legitimate clients stop getting leases after this, the usual cause is that snooping inserts option 82 by default and the server or relay rejects it; no ip dhcp snooping information option turns the insertion off.

Python Detection Script: Here's a lightweight passive scanner using scapy. It only sees servers that answered a client during the capture window, so run it for at least a lease-renewal interval or pair it with an active probe:

from scapy.all import sniff, DHCP, IP

def dhcp_servers(pkts):
    """Return the set of server identifiers seen in DHCPOFFER/DHCPACK packets."""
    servers = set()
    for p in pkts:
        if DHCP not in p:
            continue
        # scapy parses options as ("name", value) tuples plus "pad"/"end" strings
        opts = dict(o for o in p[DHCP].options if isinstance(o, tuple))
        if opts.get("message-type") in (2, 5):   # 2 = OFFER, 5 = ACK: only servers send these
            servers.add(opts.get("server_id", p[IP].src))
    return servers

def detect_rogue_dhcp(iface="eth0", timeout=60):
    pkts = sniff(iface=iface, filter="udp and (port 67 or port 68)", timeout=timeout)
    servers = dhcp_servers(pkts)
    if len(servers) > 1:
        print(f"Alert! Multiple DHCP servers detected: {servers}")
    return servers

if __name__ == "__main__":
    detect_rogue_dhcp()
Preventive controls that reduce the exposure in the first place:

  • Implement 802.1X authentication on all switch ports
  • Deploy DHCP guard features in hypervisors
  • Monitor DHCP server logs for anomalies in lease patterns (clients requesting a lease from an unknown server identifier, DHCPNAKs for addresses outside your scopes, bursts of DHCPDECLINE from address conflicts)
  • Segment networks using VLANs to contain rogue devices
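The log-monitoring item above is the one most often skipped because nobody says what to look for. The following detection, an added example and not code from the original page, runs over ISC dhcpd syslog lines and flags the three patterns a rogue leaves on the legitimate server: a DHCPREQUEST that names a server identifier other than ours (the client accepted someone else's offer; in dhcpd's log format the identifier appears in parentheses after the requested address, which this code assumes), a requested address outside our scopes, and DHCPDECLINEs. The log lines, the server address 10.0.0.1 and the scope 10.0.0.0/24 are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Patterns for ISC dhcpd syslog lines (assumed format: the server identifier a
# client is answering appears in parentheses after the requested address).
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REQUEST_RE = re.compile(
    rf"DHCPREQUEST for (?P<ip>{IPV4})(?: \((?P<server>{IPV4})\))? from (?P<mac>{MAC})"
)
DECLINE_RE = re.compile(rf"DHCPDECLINE of (?P<ip>{IPV4}) from (?P<mac>{MAC})")


def analyze_dhcpd_log(lines, our_server, our_scopes):
    """Flag lease-pattern anomalies that a rogue server produces on the legitimate one.

    Returns a dict with:
      foreign_servers  - Counter of server identifiers other than ours that clients
                         named in DHCPREQUEST (they accepted someone else's offer)
      affected_clients - MACs that requested a lease from a foreign server
      out_of_scope     - requested addresses outside our configured scopes
      declines         - number of DHCPDECLINEs (clients detecting address conflicts)
    """
    scopes = [ip_network(s) for s in our_scopes]
    result = {"foreign_servers": Counter(), "affected_clients": set(),
              "out_of_scope": [], "declines": 0}
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            server = m.group("server")          # None on a renewal (no server id)
            if server and server != our_server:
                result["foreign_servers"][server] += 1
                result["affected_clients"].add(m.group("mac"))
            if not any(ip_address(m.group("ip")) in net for net in scopes):
                result["out_of_scope"].append(m.group("ip"))
            continue
        if DECLINE_RE.search(line):
            result["declines"] += 1
    return result


# Constructed sample lines for this example (not real log data).
SAMPLE_LOG = """\
Mar  3 10:01:12 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Mar  3 10:01:12 dhcp1 dhcpd[812]: DHCPOFFER on 10.0.0.50 to 00:11:22:33:44:55 via eth0
Mar  3 10:01:13 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.0.50 (10.0.0.1) from 00:11:22:33:44:55 via eth0
Mar  3 10:01:13 dhcp1 dhcpd[812]: DHCPACK on 10.0.0.50 to 00:11:22:33:44:55 via eth0
Mar  3 10:02:40 dhcp1 dhcpd[812]: DHCPREQUEST for 192.168.1.100 (192.168.1.1) from 66:77:88:99:aa:bb via eth0: wrong network.
Mar  3 10:02:40 dhcp1 dhcpd[812]: DHCPNAK on 192.168.1.100 to 66:77:88:99:aa:bb via eth0
Mar  3 10:03:05 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.0.77 (192.168.1.1) from cc:dd:ee:ff:00:11 via eth0
Mar  3 10:04:00 dhcp1 dhcpd[812]: DHCPDECLINE of 10.0.0.50 from 00:11:22:33:44:55 via eth0
Mar  3 10:05:30 dhcp1 dhcpd[812]: DHCPREQUEST for 10.0.0.51 from 00:11:22:33:44:55 via eth0
""".splitlines()

if __name__ == "__main__":
    report = analyze_dhcpd_log(SAMPLE_LOG, our_server="10.0.0.1", our_scopes=["10.0.0.0/24"])
    if report["foreign_servers"]:
        print("Alert! Clients accepted leases from:", dict(report["foreign_servers"]))
        print("Affected clients:", sorted(report["affected_clients"]))
    print("Out-of-scope requests:", report["out_of_scope"], "declines:", report["declines"])
```

The foreign server identifier is the most reliable of the three signals: a renewal carries no server identifier at all, so the code only counts requests that explicitly name a server, and a client that names one you do not run has, by definition, taken a lease from something else. Feed it the tail of the dhcpd log from syslog or journald and alert on any non-empty foreign_servers.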

For virtualized and cloud environments, consider these additional protections:

Hypervisors can drop DHCP server traffic at the virtual switch before it ever reaches a physical wire: Hyper-V has a per-adapter DhcpGuard setting (enabled through Set-VMNetworkAdapter), and VMware NSX segment security profiles include a DHCP server block. In AWS, a VPC does not deliver broadcast frames between instances and answers DHCP from its own service, so an EC2 instance cannot hand out leases to its neighbours; the matching control there is to restrict, through IAM, who may change the VPC's DHCP option sets, because those dictate the DNS servers every instance receives.

Rogue DHCP servers can wreak havoc on network operations by assigning incorrect IP configurations, hijacking traffic, or causing IP conflicts. These unauthorized servers might be:

  • Misconfigured devices (routers, switches)
  • Malicious actors running attacker-controlled DHCP
  • Employee-installed consumer networking gear

Packet Analysis Approach:

# tcpdump filter for DHCP traffic
tcpdump -i eth0 -vvv -s 1500 'port 67 or port 68' -w dhcp_capture.pcap

Analyze the capture for DHCPOFFER packets that carry more than one server identifier. Wireshark 3.0 and later renamed the dissector from bootp to dhcp, so the filters are (use the bootp. prefix on older releases):

dhcp.option.dhcp == 2  # Shows DHCPOFFER messages
dhcp.ip.your != 0.0.0.0  # Filters out offers that assign no address

Adding dhcp.option.dhcp_server_id as a column makes the distinct servers stand out at a glance.
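The same check can be run offline over the payloads of a capture, without Wireshark or scapy. The block below is an added example, not code from the original page: a bounds-checked parser for the BOOTP/DHCP message format (RFC 2131 fixed header, RFC 2132 options), plus the detection from the packet-analysis sections of this page, counting OFFER/ACK messages per server identifier and listing any server not on an allow list. It assumes you already have the UDP payloads (for example from a pcap reader); the sample exchange, the authorized server 10.0.0.1 and the rogue 192.168.1.1 are constructed inside the block.

```python
import struct
from ipaddress import IPv4Address

# RFC 2131 fixed header is 236 bytes, followed by the RFC 2132 magic cookie.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into its security-relevant fields."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])          # address being offered/acknowledged
    chaddr = payload[28:28 + hlen].hex(":")       # client hardware address
    options, i = {}, 240
    while i < len(payload):                       # TLV option walk with bounds checks
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    msg_type = options.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": op, "xid": xid, "chaddr": chaddr, "yiaddr": str(yiaddr),
        "type": MSG_TYPES.get(msg_type, str(msg_type)),
        "server_id": str(IPv4Address(server_id)) if server_id else None,
    }


def find_dhcp_servers(payloads, authorized):
    """Count OFFER/ACK messages per server identifier and list servers not in `authorized`."""
    seen = {}
    for raw in payloads:
        try:
            msg = parse_dhcp(raw)
        except ValueError:
            continue                              # non-DHCP or malformed payload
        if msg["type"] in ("OFFER", "ACK") and msg["server_id"]:
            seen[msg["server_id"]] = seen.get(msg["server_id"], 0) + 1
    rogue = sorted(ip for ip in seen if ip not in authorized)
    return seen, rogue


def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None) -> bytes:
    """Build a minimal DHCP message. Used here only to construct sample traffic."""
    op = 1 if msg_type in (1, 3) else 2           # BOOTREQUEST from clients, BOOTREPLY from servers
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)    # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)  # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample exchange: DISCOVER, an OFFER from the real server, a competing
# OFFER from a rogue, an ACK from the real server, and one non-DHCP payload.
CLIENT = bytes.fromhex("0001020304aa")
SAMPLE = [
    build_dhcp(1, 0x1234, CLIENT),
    build_dhcp(2, 0x1234, CLIENT, "10.0.0.50", "10.0.0.1"),
    build_dhcp(2, 0x1234, CLIENT, "192.168.1.100", "192.168.1.1"),
    build_dhcp(5, 0x1234, CLIENT, "10.0.0.50", "10.0.0.1"),
    b"not dhcp",
]

if __name__ == "__main__":
    seen, rogue = find_dhcp_servers(SAMPLE, authorized={"10.0.0.1"})
    print("DHCP servers seen:", seen)
    if rogue:
        print("Alert! Unauthorized DHCP servers:", rogue)
```

Keying on the server identifier option rather than the IP source address matters: a relayed OFFER arrives from the relay agent's address, and a rogue can spoof its source, but the identifier is what the client will echo back in its REQUEST, so it is the value that determines which server wins.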

DHCP Probe: Lightweight Unix daemon that broadcasts BOOTP and DHCP requests on an interface and logs any response from a server not listed as legal_server in its config file (it can also run an alert program when that happens)

./dhcp_probe -c /etc/dhcp_probe.cf -l /var/log/dhcp_probe.log eth0

Alternative Tools:

  • Nmap script: nmap --script broadcast-dhcp-discover
  • Windows: DHCPLoc (Microsoft tool)
  • Enterprise: SolarWinds IP Address Manager

Python script using scapy for continuous monitoring. It broadcasts a DHCPDISCOVER at a fixed interval, collects every reply (multi=True, because the point is to see more than one answer) and alerts when a server other than the authorized one responds:

from scapy.all import (Ether, IP, UDP, BOOTP, DHCP, RandInt, conf,
                       get_if_hwaddr, mac2str, srp)
import time

def probe_dhcp(interface, timeout=5):
    """Broadcast a DHCPDISCOVER and return the set of server identifiers that answer."""
    conf.checkIPaddr = False  # replies come from the server, not to our 0.0.0.0 source
    mac = get_if_hwaddr(interface)
    discover = (Ether(src=mac, dst="ff:ff:ff:ff:ff:ff") /
                IP(src="0.0.0.0", dst="255.255.255.255") /
                UDP(sport=68, dport=67) /
                BOOTP(chaddr=mac2str(mac), xid=RandInt()) /
                DHCP(options=[("message-type", "discover"), "end"]))
    answered, _ = srp(discover, iface=interface, multi=True,
                      timeout=timeout, verbose=False)
    servers = set()
    for _, reply in answered:
        if DHCP in reply:
            for opt in reply[DHCP].options:
                if isinstance(opt, tuple) and opt[0] == "server_id":
                    servers.add(opt[1])
    return servers

def dhcp_monitor(interface, known_servers, interval=300):
    while True:
        unexpected = probe_dhcp(interface) - known_servers
        if unexpected:
            print(f"Alert! Unauthorized DHCP servers answered: {unexpected}")
        time.sleep(interval)  # Check every 5 minutes

dhcp_monitor("eth0", {"10.0.0.1"})  # replace with your authorized server address

Switch Configuration: port security plus a DHCP packet rate limit on an access port (the rate limit only takes effect with DHCP snooping enabled globally and on the port's VLAN; a port that exceeds it is err-disabled):

# Cisco IOS example
interface GigabitEthernet0/1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 10

When detected:

  1. Trace the rogue's MAC address through the switch MAC tables (show mac address-table address <mac> on Cisco IOS) until you reach the access port it is plugged into
  2. Physically locate and disconnect the rogue device, or shut the port if you cannot reach it quickly
  3. Implement DHCP snooping on the network infrastructure so the next one is dropped at the port
  4. Document the incident for security audits, including which clients took leases from the rogue, since they may need their DNS and gateway settings checked