[unisog] Rogue DHCP and nmap (finding rogue DHCP servers)

Irwin Tillman irwin at princeton.edu
Wed Apr 24 18:11:12 GMT 2002

We detect rogue DHCP and BootP servers three ways:

1) We use a locally-developed tool to send BootP and DHCP requests of various
flavors, and see who answers.  The tool is available at:

This approach is the most reliable, finding most rogues that do not
take additional measures to avoid answering us, and produces very
few false positives.  But it requires the probing host to have a direct
attachment to every LAN you wish to monitor.

2) Our DHCP servers look at the Server Identifier Option field
(present in DHCPREQUEST messages when a client is SELECTING),
DHCPRELEASE messages, and DHCPDECLINE messages.  If the
value is not one of a short list of known values, the server logs it.
A log watcher sends pages when this happens.

This approach is helpful, but produces false positives in some
circumstances.  (A client that was last attached to a foreign network and
last bound to a foreign DHCP server, when re-attached to your network,
can mention the foreign DHCP SID at first.)  It also will not locate
all rogue servers.

3) We configure all our routers to forward to a single collection point a
copy of every UDP packet they see which was broadcast to the bootp client port.
(Note this is not the same as performing BootP Relay.)
In theory, these packets are only replies from DHCP/BootP servers to clients.
The collection point is a simple daemon that checks to see if the packets
it receives are from known IP source addresses.  If not, it generates a notification.

This approach is helpful, but produces false positives in common circumstances.
(E.g. a multihomed client attached to your public network and a private network.  The client
acts as a DHCP server for the private network.  When this box must send
a DHCP reply to the private network with the IP broadcast address as its IPdst,
it may send (a copy of) the reply to its interface attached to your public network.
The reply is harmless, but it will produce a false positive.
One common device that does this is the Apple AirPort Software Base Station.)

Irwin Tillman
OIT Network Systems
Princeton University
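
The Server Identifier check described in method 2, as an added example that is not part of the original post and is not Princeton's tool. The allowlist addresses, function names and the sample messages are constructed for illustration; the input is the UDP payload of a BootP/DHCP message.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker preceding the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
# Client messages that can carry a Server Identifier option.
CLIENT_MSGS = {3: "DHCPREQUEST", 4: "DHCPDECLINE", 7: "DHCPRELEASE"}
# Assumption: constructed allowlist using RFC 5737 documentation addresses.
KNOWN_SERVERS = {ipaddress.IPv4Address("192.0.2.10"),
                 ipaddress.IPv4Address("192.0.2.11")}

def parse_options(payload):
    """Return {code: value} for the options of a BootP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:              # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option %d" % code)
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts                          # option overload (52) is not followed

def unknown_server_id(payload, known=KNOWN_SERVERS):
    """Return (message name, server id) if a client names an unlisted server."""
    opts = parse_options(payload)
    mtype = opts.get(OPT_MSG_TYPE, b"")
    sid = opts.get(OPT_SERVER_ID, b"")
    # A DHCPREQUEST outside SELECTING carries no Server Identifier: skip it.
    if len(mtype) != 1 or mtype[0] not in CLIENT_MSGS or len(sid) != 4:
        return None
    server = ipaddress.IPv4Address(sid)
    return None if server in known else (CLIENT_MSGS[mtype[0]], str(server))

def build_sample(msg_type, server_ip):
    """Constructed message: minimal 236-byte header plus options 53 and 54."""
    header = struct.pack("!BBBB", 1, 1, 6, 0) + bytes(232)  # op=BOOTREQUEST
    sid = ipaddress.IPv4Address(server_ip).packed
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4]) + sid + bytes([255])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77"):
        print(ip, unknown_server_id(build_sample(3, ip)))
```

A hit from this check is a lead rather than proof, for the reason given above: a client that was last bound elsewhere can name a foreign server at first.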
