Rogue DHCP

A rogue DHCP server interfere with the operation of a managed via DHCP local network. He acts as an independent server that exists next to the server provided in the network. A rogue DHCP server can also be used for attacks on a network or be the result of misconfiguration.

Operation

To access the network, a client makes the request to assign an IP address to the DHCP server by sent a broadcast on the local network, to receive all network participants. This message will only respond to the DHCP server and transmits the information necessary for the further network access data. Now the rogue DHCP server tries with his answer faster than the regular server to be transmitted and either manipulated or simply useless parameter.

In harmless case, one can easily " cripple " with this technique, a corporate network. It is enough, for example, to convey not have a gateway, or each client is assigned an own subnet and thus the connection restricted largely. For network security far more drastic effects the targeted diversion of traffic by transmitted DHCP options such as DNS server or gateway and, for example, a router infiltrates, which prepares the data traffic of the client from then on mitschneidet or a Janus attack.

Countermeasure

In order to detect such a server on the network, the Resource Kit from Microsoft provides with a tool called " dhcploc ". So you can identify servers, but do not turn off. A method to use such switches, the function of "DHCP snooping ", which prevents the passing of counterfeit DHCP packets. This feature, however, should only be used when clients are connected directly, since the entire port is disabled when an attack occurs.