how to block rogue DHCP Server

Discussion in 'Networks' started by Andrzej, Apr 28, 2010.

  1. Andrzej

    Andrzej New Member

    hi,

    I guess many people have had this once or twice... you come to work and your users jump on you: "my internet is gone!!" :twisted:

    We recently had a switch which was accidentally connected into our network and literally shut down our Windows DHCP Server, and started giving IP addresses in a different range to clients...

    Till that day I blindly believed that only a DHCP server authorized in AD can start assigning IP addresses :D

    Anyhow, just wondering if anyone came up with any solution as to how to prevent these things from happening in the future?


    Cheers everyone
     
    Certifications: MCSE
  2. soundian

    soundian Gigabyte Poster

    Test things in a controlled environment before you make them live.

    Simple but stunningly effective
     
    Certifications: A+, N+,MCDST,MCTS(680), MCP(270, 271, 272), ITILv3F, CCENT
    WIP: Knuckling down at my new job
  3. SimonD

    SimonD Terabyte Poster

    There are ways around this; if your rogue DHCP server is not MS based then it gets harder, but if it's a Cisco / HP based switch/router then you may be able to do what they have done here.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  4. craigie

    craigie Terabyte Poster

    Cisco devices have switch port MAC address security, where the switch can learn devices' MAC addresses and only allow them access.

    It can also detect if any port has more than one mac address coming from it and shut it down.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. BosonMichael

    BosonMichael Yottabyte Poster

    Find it, confiscate it permanently, warn the staff, and unemploy the next offender. :twisted:
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  6. danielno8

    danielno8 Gigabyte Poster

    Shut down unused ports and make all ports access ports so they cannot trunk (other than ports you want connected to switches of course)
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  7. Andrzej

    Andrzej New Member

    Hi all, and thanks for your response.

    I should probably mention that our IT is divided between network and systems teams, and I work for systems.

    The switch we use is Extreme make and I believe it is capable of DHCP snooping, so I think this is going to be the way to go...

    As I understand it though, there is no Windows Server based solution? I checked the internet here and there but could not see anything worth attention (obviously I could have missed something)...

    Cheers

    Have a great day!! :p
     
    Certifications: MCSE
  8. Andrzej

    Andrzej New Member

    This guy has been with us just 3 weeks now and was helping build the testing area... everyone makes mistakes.
    We're gonna keep him, unless he does it again; then this would be the only way to go :knife

    Just a joke :D
     
    Certifications: MCSE
  9. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    Ha ha, nice one :)
     
    Certifications: MCDST | BSc Network Computing | 365 Fundamentals
  10. zebulebu

    zebulebu Terabyte Poster

    Andrzej

    I think we did this a few weeks back - there should be a post on it somewhere if you search. You can use a tool called dhcploc to look for rogue DHCP servers on your network (basically it just pumps out DHCP request packets and records the IP address of any DHCP acks received).

    As for securing, the only real way to do it is via MAC tables on your switches - keep a list of every MAC address used by any legit devices and ensure that only those devices can get an IP address. Doesn't prevent someone spoofing or hardcoding a MAC, but it will deter the casual pillock who just wants to plug their little wireless router in...

    EDIT - Previous post link
     
    Last edited: Apr 29, 2010
    Certifications: A few
    WIP: None - f*** 'em
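    A small offline version of the dhcploc check zebulebu describes, as an added example that is not part of the original thread: parse DHCP OFFER/ACK replies and flag any server identifier (option 54) that is not on an allowlist of authorised DHCP servers. The packets and the addresses 192.168.1.1 (authorised) and 10.0.0.1 (rogue) are constructed for the demo.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that precedes the options
OFFER, ACK = 2, 5                     # DHCP message types (option 53) sent by servers


def parse_options(payload: bytes) -> dict:
    """Parse the option TLVs that follow the 236-byte BOOTP header."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def rogue_servers(payloads, authorised):
    """Return server-identifier IPs (option 54) seen in OFFER/ACK replies
    that are not in the authorised list: the dhcploc check, done offline."""
    allowed = {ipaddress.ip_address(a) for a in authorised}
    found = set()
    for p in payloads:
        opts = parse_options(p)
        if opts.get(53, b"\x00")[0] in (OFFER, ACK) and 54 in opts:
            server = ipaddress.ip_address(opts[54])   # 4 packed bytes -> IPv4Address
            if server not in allowed:
                found.add(str(server))
    return found


def build_reply(msg_type: int, server_ip: str) -> bytes:
    """Constructed sample BOOTREPLY (op=2) carrying options 53 and 54, for the demo."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + b"\x00" * 232    # 236-byte BOOTP header
    options = bytes([53, 1, msg_type, 54, 4]) + ipaddress.ip_address(server_ip).packed + b"\xff"
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    captured = [build_reply(OFFER, "192.168.1.1"), build_reply(ACK, "192.168.1.1"),
                build_reply(OFFER, "10.0.0.1")]     # 10.0.0.1 plays the rogue box
    print(rogue_servers(captured, ["192.168.1.1"]))   # {'10.0.0.1'}
```

    On a live network the payloads would come from a socket bound to UDP port 68 after broadcasting a DISCOVER; the allowlist is the set of servers authorised in AD.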
  11. DC Pr0Mo

    DC Pr0Mo Kilobyte Poster

    Would DHCP class IDs be an option, or is it too hard to manage?
     
    Certifications: MCDST | BSc Network Computing | 365 Fundamentals
