
how to block rogue DHCP Server

Discussion in 'Networks' started by Andrzej, Apr 28, 2010.

  1. Andrzej

    Andrzej New Member


    I guess many people have had this once or twice... you come to work and your users jump on you: "my internet is gone!!" :twisted:

    We recently had a switch which was accidentally connected into our network and literally shut down our Windows DHCP Server, and started giving IP addresses in a different range to clients...

    Till that day I blindly believed that only a DHCP server authorized in AD can start assigning IP addresses :D

    Anyhow, just wondering if anyone came up with any solution as to how to prevent these things from happening in the future?

    Cheers everyone
    Certifications: MCSE
  2. soundian

    soundian Gigabyte Poster

    Test things in a controlled environment before you make them live.

    Simple but stunningly effective
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  3. SimonD

    SimonD Terabyte Poster Moderator

    There are ways around this. If your rogue DHCP server is not MS based then it gets harder, but if it's a Cisco / HP based switch/router then you may be able to do what they have done here
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  4. craigie

    craigie Terabyte Poster

    Cisco devices have switch port MAC address security, where the switch can learn devices' MAC addresses and only allow them access.

    It can also detect if any port has more than one MAC address coming from it and shut it down.
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. BosonMichael

    BosonMichael Yottabyte Poster

    Find it, confiscate it permanently, warn the staff, and unemploy the next offender. :twisted:
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. danielno8

    danielno8 Gigabyte Poster

    Shut down unused ports and make all ports access ports so they cannot trunk (other than ports you want connected to switches, of course).
    Certifications: CCENT, CCNA
  7. Andrzej

    Andrzej New Member

    Hi all, and thanks for your response,

    I should probably mention that our IT is divided between a network team and a systems team, and I work for systems.

    The switch we use is Extreme make and I believe it is capable of DHCP snooping, so I think this is going to be the way to go...

    As I understand it, though, there is no Windows Server based solution? I checked the internet here and there but could not see anything worth attention (obviously I could have missed something)...


    have a great day!!:p
    Certifications: MCSE
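The controls suggested in posts 4, 6 and 7 (port security with a MAC limit, access ports only, and DHCP snooping with trusted uplink ports) can be modelled in a few dozen lines. The block below is an added example, not code from the thread or from any switch vendor: a toy switch that applies those rules to constructed frames. The port names, MAC addresses and frame dicts are assumptions for illustration; a real switch does this on actual Ethernet frames and the exact CLI differs between Cisco, HP and Extreme.

```python
# Added example, not from the thread: a small model of the two switch-side
# controls discussed above, DHCP snooping (only trusted ports may carry
# server replies) and port security (a MAC limit per access port that
# err-disables the port when exceeded). Port names, MACs and the frame
# dicts are constructed for illustration; real switches work on frames.
from dataclasses import dataclass, field

# DHCP message types from RFC 2132 option 53. OFFER/ACK/NAK are sent only by
# servers, so a snooping switch drops them when they arrive on an untrusted port.
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK = 1, 2, 3, 4, 5, 6
SERVER_ONLY = {OFFER, ACK, NAK}


@dataclass
class SnoopingSwitch:
    trusted: set                                   # uplink / DHCP-server ports
    mac_limit: int = 1                             # port-security maximum per access port
    learned: dict = field(default_factory=dict)    # port -> set of source MACs seen
    errdisabled: set = field(default_factory=set)

    def handle(self, frame):
        """Decide one frame: returns ('forward' | 'drop', reason)."""
        port, mac = frame["port"], frame["src_mac"]
        if port in self.errdisabled:
            return "drop", "port err-disabled"
        if port in self.trusted:
            return "forward", "trusted port"

        # Port security: a second MAC behind a 1-MAC access port means a
        # hub, switch or rogue device was plugged in; shut the port.
        macs = self.learned.setdefault(port, set())
        macs.add(mac)
        if len(macs) > self.mac_limit:
            self.errdisabled.add(port)
            return "drop", "port-security violation (%d MACs)" % len(macs)

        # DHCP snooping checks for frames arriving on untrusted ports.
        mtype = frame.get("dhcp_type")
        if mtype is None:
            return "forward", "non-DHCP"
        if mtype in SERVER_ONLY:
            return "drop", "DHCP server message on untrusted port"
        if frame.get("chaddr") != mac:
            # MAC-verify: the client hardware address inside the DHCP
            # message must match the Ethernet source of the frame.
            return "drop", "DHCP chaddr/source MAC mismatch"
        return "forward", "client DHCP"


# Constructed frames: a real client on Gi1/0/3, the real DHCP server behind
# the trusted uplink Gi1/0/24, and an accidentally connected switch on
# Gi1/0/5 that both answers DHCP and puts several MACs behind one port.
FRAMES = [
    {"port": "Gi1/0/3",  "src_mac": "00:11:22:33:44:01", "dhcp_type": DISCOVER, "chaddr": "00:11:22:33:44:01"},
    {"port": "Gi1/0/24", "src_mac": "00:aa:bb:cc:dd:01", "dhcp_type": OFFER},
    {"port": "Gi1/0/5",  "src_mac": "00:de:ad:be:ef:01", "dhcp_type": OFFER},
    {"port": "Gi1/0/3",  "src_mac": "00:11:22:33:44:01", "dhcp_type": REQUEST, "chaddr": "00:11:22:33:44:99"},
    {"port": "Gi1/0/5",  "src_mac": "00:de:ad:be:ef:02"},
    {"port": "Gi1/0/5",  "src_mac": "00:de:ad:be:ef:01"},
]


def run_scenario(frames=FRAMES):
    """Feed the frames through a switch where only Gi1/0/24 is trusted."""
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})
    return [(f["port"], *sw.handle(f)) for f in frames]


if __name__ == "__main__":
    for port, action, why in run_scenario():
        print("%-9s %-7s %s" % (port, action, why))
```

Running it shows the rogue OFFER on Gi1/0/5 dropped by snooping before port security even triggers, and the port going err-disabled once a second MAC appears behind it. The order matters on real hardware too: mark only the uplink and the port facing the real DHCP server as trusted, or snooping will also block the legitimate server.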
  8. Andrzej

    Andrzej New Member

    This guy has been with us just 3 weeks now and was helping build the testing area... everyone makes mistakes.
    We're gonna keep him, unless he does it again, then this would be the only way to go :knife

    Just a joke :D
    Certifications: MCSE
  9. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster


    Ha ha, nice one :)
    Certifications: MCDST | BSc Network Computing
    WIP: 70-291 | 70-293 | 70-294 | 70-297
  10. zebulebu

    zebulebu Terabyte Poster


    I think we did this a few weeks back - there should be a post on it somewhere if you search. You can use a tool called dhcploc to look for rogue DHCP servers on your network (basically it just pumps out DHCP request packets and records the IP address of any DHCP ACKs received).

    As for securing, the only real way to do it is via MAC tables on your switches - keep a list of every MAC address used by any legit devices and ensure that only those devices can get an IP address. Doesn't prevent someone spoofing or hardcoding a MAC, but it will deter the casual pillock who just wants to plug their little wireless router in...

    EDIT - Previous post link
    Last edited: Apr 29, 2010
    Certifications: A few
    WIP: None - f*** 'em
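The dhcploc approach in post 10 boils down to: send DHCP requests, then look at who answers and whether that server is one you recognise. The block below is an added example, not from the thread and not dhcploc's own code: it implements the parsing and decision half of that check. The replies are constructed BOOTREPLY packets (built by the hypothetical build_reply helper, not captured traffic) so it runs offline; the server addresses and the authorized set are assumptions. A live version would broadcast a DISCOVER from UDP port 68 and feed whatever comes back into find_rogues.

```python
# Added example, not from the thread: the decision half of a dhcploc-style
# rogue-DHCP check. Real dhcploc broadcasts DHCP requests and records who
# answers; here the replies are constructed BOOTREPLY packets (built by
# build_reply below, not captured traffic) so the parser and the allow-list
# check can run offline. Addresses and the authorized set are assumptions.
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie after the 236-byte BOOTP header
BOOTREPLY = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
OFFER, ACK = 2, 5
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"     # op htype hlen hops xid secs flags ci yi si gi chaddr sname file


def build_reply(msg_type, server_ip, yiaddr, xid=0x3903F326, chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal OFFER/ACK payload for testing (not a real capture)."""
    hdr = struct.pack(HEADER, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip), b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
            + socket.inet_aton(server_ip) + bytes([OPT_END]))
    return hdr + MAGIC + opts


def parse_options(payload):
    """Walk the TLV option area; reject payloads without the cookie or truncated options."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_reply(payload):
    """Extract the fields that matter for rogue detection from one packet."""
    op, _htype, hlen, _hops, xid, _secs, _flags, _ci, yi, _si, _gi, chaddr = \
        struct.unpack("!BBBBIHH4s4s4s4s16s", payload[:44])
    opts = parse_options(payload)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": socket.inet_ntoa(yi),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": opts[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in opts else None,
        "server_id": socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None,
    }


def find_rogues(replies, authorized):
    """Return (server_id, offered_ip, msg_type) for every OFFER/ACK whose
    server identifier (option 54) is not in the authorized set."""
    rogues = []
    for raw in replies:
        r = parse_reply(raw)
        if r["op"] != BOOTREPLY or r["msg_type"] not in (OFFER, ACK):
            continue
        if r["server_id"] not in authorized:
            rogues.append((r["server_id"], r["yiaddr"], r["msg_type"]))
    return rogues


# Constructed replies: the legitimate AD-authorized server on 10.0.0.1 and a
# consumer router that answers from 192.168.1.1 in its own range.
AUTHORIZED = {"10.0.0.1"}
REPLIES = [
    build_reply(OFFER, "10.0.0.1", "10.0.0.50"),
    build_reply(OFFER, "192.168.1.1", "192.168.1.100"),
    build_reply(ACK, "192.168.1.1", "192.168.1.100"),
]

if __name__ == "__main__":
    for server, ip, mtype in find_rogues(REPLIES, AUTHORIZED):
        print("rogue DHCP server %s handed out %s (type %d)" % (server, ip, mtype))
```

One caveat when using this for real: option 54 is whatever the answering server chooses to put there, so a deliberately hostile server can copy the legitimate server's address into it. Record the Ethernet source MAC (and, if the capture is on a managed switch, the ingress port) of each reply alongside the server identifier; a second MAC claiming the same server ID is the tell. For the accidental-switch case in this thread the simple allow-list check is enough.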
  11. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    Would DHCP class IDs be an option, or is it too hard to manage?
    Certifications: MCDST | BSc Network Computing
    WIP: 70-291 | 70-293 | 70-294 | 70-297
