How you can Alert on Rogue DHCP Servers

The power to detect Dynamic Host Configuration Protocol (DHCP) servers is a function that has been in community site visitors evaluation (NTA) instruments for a while, however extra individuals are in search of alerts if a rogue DHCP server seems on the community.

You are reading: How to find dhcp server on network | How you can Alert on Rogue DHCP Servers

DHCP is a typical web protocol that allows the dynamic configuration of hosts on an Web Protocol (IP) internetwork. DHCP is an extension of the bootstrap protocol (BOOTP). The picture on the fitting depicts the breakdown of a typical DHCP consumer request.

A DHCP server is a machine that runs a service that may lease out IP addresses and different TCP/IP info to any consumer that requests it. They’re normally managed and managed by the community directors.

Rogue DHCP servers and their dangers

A rogue DHCP server could be outlined as one that’s not managed by IT. It could possibly be a wi-fi router added to the community by a person, or somebody enabling DHCP companies on a server.

As shoppers connect with the community, each the rogue and authorized DHCP server will provide them IP addresses, in addition to a default gateway, DNS servers, WINS servers, and others. If the data offered by the rogue DHCP differs from the actual one, then shoppers accepting IP addresses from it could expertise community entry issues, in addition to an incapability to succeed in different hosts due to an incorrect IP community or gateway. IP conflicts may cause issues for current shoppers, and so they can also expertise community entry issues.

As well as, if a rogue DHCP is about to offer as a default gateway, reminiscent of an IP tackle of a machine managed by a misbehaving person, it may sniff all of the site visitors despatched by the shoppers to different networks. That is sometimes known as a man-in-the-middle (MitM) assault.

Discovering DHCP servers

One of many best methods to seek out DHCP servers in your community is to observe community site visitors by way of a SPAN, mirror port, or TAP. After getting your packet knowledge supply, be careful for DHCP provide packets. These are despatched by DHCP servers when a consumer sends out a broadcast packet seeking to uncover a DHCP server.


The picture under exhibits the output of a DHCP request sequence as captured by Wireshark. You need to use the bootp filter to exclude different packets from the show. This method is especially helpful for smaller networks the place the site visitors volumes are low. For bigger networks, you might need to contemplate a device that features community site visitors evaluation (NTA).

Producing alerts if rogue DHCP servers are discovered

Whereas operating DHCP server experiences are helpful, most of us wouldn’t have the time to do that regularly. A device with a built-in alerting engine might help. For instance, let’s say I need to generate an alert if a DHCP server is detected inside my community vary. The steps concerned to get this alert setup are:

  1. Log onto your device’s interface and discover Settings (or the system equal)
  2. Discover alert guidelines
  3. Click on so as to add a brand new rule.
  4. Assign a reputation to the rule, like ‘Rogue DHCP Servers’
  5. Choose the DHCP module from the dropdown
  6. Enter the textual content server_ip= && message_type=2 because the rule after which save.

Chances are you’ll want to alter the IP vary to match your individual community IP ranges.

To study extra about easy methods to monitor and analyze site visitors in your community, try this brief demo of the community site visitors evaluation options in InsightIDR.

Category: How to at

Article post on:

Recommended For You

About the Author: Phuoc Toan