Objective
Detect and mitigate unauthorized (rogue) DHCP servers on a network to prevent malicious or accidental IP assignment that can disrupt network operations or enable attacks.
Scenario
An unauthorized DHCP server can distribute incorrect network configurations, leading to traffic interception, denial of service, or network outages. In this exercise, you’ll simulate a rogue DHCP server using dnsmasq, detect rogue DHCP activity using tools like Wireshark and dhcpdump, and implement mitigation techniques like DHCP snooping.
⚠️ Important: This exercise must be performed in a legal and controlled lab environment. Unauthorized deployment of DHCP servers on production networks is illegal and unethical.
Lab Instructions
Step 1: Set Up a Legitimate DHCP Server
a. Install and Configure the DHCP Server
sudo apt update
sudo apt install isc-dhcp-server -y
b. Configure the DHCP Server
sudo nano /etc/dhcp/dhcpd.conf
- Add the following configuration:
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.100 192.168.1.200;
option routers 192.168.1.1;
option domain-name-servers 8.8.8.8, 8.8.4.4;
}
c. Start the DHCP Server
sudo systemctl restart isc-dhcp-server
sudo systemctl enable isc-dhcp-server
Step 2: Deploy a Rogue DHCP Server
a. Install dnsmasq on the Attacker Machine
sudo apt install dnsmasq -y
b. Configure dnsmasq as a Rogue DHCP Server
sudo nano /etc/dnsmasq.conf
- Add the following configuration:
dhcp-range=192.168.1.201,192.168.1.254,12h
dhcp-option=3,192.168.1.2 # Rogue gateway
c. Start the Rogue DHCP Server
sudo systemctl restart dnsmasq
sudo systemctl enable dnsmasq
Step 3: Detect Rogue DHCP Servers
a. Using Wireshark to Monitor DHCP Traffic
- Start Wireshark and apply the filter:
dhcp || bootp
- Expected Result: Detect multiple DHCP offers from different IPs.
b. Using dhcpdump to Analyze DHCP Offers
sudo apt install dhcpdump -y
sudo dhcpdump -i eth0
- Expected Result: Identify unauthorized DHCP offers from unexpected sources.
Step 4: Mitigate the Rogue DHCP Server
a. Enable DHCP Snooping (on Managed Switches)
- Access the switch configuration interface.
- Enable DHCP snooping globally:
ip dhcp snooping
- Enable DHCP snooping on specific VLANs:
ip dhcp snooping vlan 1
- Define trusted interfaces (uplinks to legitimate DHCP servers):
interface GigabitEthernet0/1
ip dhcp snooping trust
- Set all other ports as untrusted by default.
b. Block Rogue DHCP Traffic with iptables (Linux Firewall)
sudo iptables -A INPUT -p udp --sport 67 --dport 68 ! -s <LEGITIMATE_DHCP_SERVER_IP> -j DROP
- Note: server-to-client DHCP traffic is UDP source port 67 to destination port 68. Dropping all of 67:68 in both directions would also block this host's exchange with the legitimate server, so the rule above drops only offers whose source is not the legitimate server (replace the placeholder with its address). This protects only the host the rule runs on; network-wide protection requires DHCP snooping at the switch.
c. Identify and Shut Down Rogue Devices
- Physically disconnect or disable the rogue DHCP server.
Step 5: Verify Mitigation
- Monitor DHCP Traffic:
- Confirm that only legitimate DHCP servers are responding to DHCP requests.
- Test Device Connectivity:
- Ensure devices receive correct network configurations.
Solution & Explanation
How Rogue DHCP Servers Operate
- A rogue DHCP server assigns incorrect network configurations, enabling attacks such as man-in-the-middle (MITM), traffic interception, or denial of service.
Detection Techniques
- Network Monitoring Tools: Use Wireshark or dhcpdump to detect multiple DHCP offers.
- DHCP Logs: Analyze DHCP server logs for unexpected activity.
Mitigation Techniques
- DHCP Snooping: Only allows DHCP responses from trusted interfaces.
- Port Security: Restricts the number of MAC addresses per port.
- Firewall Rules: Blocks unauthorized DHCP traffic.
Testing & Verification
- Before Mitigation: Multiple DHCP servers are offering IP addresses.
- After Mitigation: Only the legitimate DHCP server is active.
Verify DHCP Snooping
show ip dhcp snooping
Check Firewall Rules
sudo iptables -L -v -n
Security Best Practices
- Enable DHCP Snooping: Protect against rogue DHCP servers.
- Port Security: Limit devices connected to switch ports.
- Network Segmentation: Isolate critical services.
- Regular Auditing: Continuously monitor for unauthorized devices.
Additional Script (Optional)
Automate DHCP Rogue Detection:
#!/bin/bash
# Detect Rogue DHCP Servers: print the source of every DHCPOFFER seen on the interface
IFACE="${1:-eth0}"
echo "Monitoring for rogue DHCP servers on $IFACE..."
sudo dhcpdump -i "$IFACE" | grep --line-buffered -E "IP:|DHCPOFFER"
Run the script:
chmod +x detect_rogue_dhcp.sh
sudo ./detect_rogue_dhcp.sh
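The detection in Step 3 and the script above rely on reading dhcpdump output by eye. The following added example (not part of the original exercise) shows the same check done on the raw DHCP payload: it parses the BOOTP header and option list, and flags any DHCPOFFER whose server identifier (option 54) or advertised router (option 3) differs from the legitimate values from Step 1. The allowlist of 192.168.1.1 and the rogue server address 192.168.1.2 are assumptions for this lab; the test packets are synthetic, not captured traffic.

```python
import struct
from ipaddress import IPv4Address

# Allowlist for this lab (assumption): the legitimate server and gateway are 192.168.1.1
AUTHORIZED_SERVERS = {"192.168.1.1"}
EXPECTED_ROUTER = "192.168.1.1"
DHCP_MAGIC = b"\x63\x82\x53\x63"   # option cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option list from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": str(IPv4Address(payload[16:20])),
           "siaddr": str(IPv4Address(payload[20:24])), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def classify(payload: bytes) -> dict:
    """Flag a DHCPOFFER whose server identifier or advertised router is not the expected one."""
    msg = parse_dhcp(payload)
    if msg["options"].get(53, b"\x00")[0] != 2:      # option 53 value 2 = DHCPOFFER
        return {"offer": False}
    sid = msg["options"].get(54)                      # option 54 = server identifier
    server = str(IPv4Address(sid)) if sid else msg["siaddr"]
    rtr = msg["options"].get(3)                       # option 3 = router (default gateway)
    router = str(IPv4Address(rtr[:4])) if rtr else None
    return {"offer": True, "server": server, "router": router, "yiaddr": msg["yiaddr"],
            "rogue": server not in AUTHORIZED_SERVERS or router != EXPECTED_ROUTER}

def build_offer(server: str, router: str, yiaddr: str) -> bytes:
    """Construct a minimal DHCPOFFER for testing (synthetic bytes, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)      # op=2 BOOTREPLY
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed + IPv4Address(server).packed + b"\x00" * 4
    hdr += b"\x00" * (16 + 64 + 128)                                    # chaddr, sname, file
    opts = DHCP_MAGIC + bytes([53, 1, 2])
    opts += bytes([54, 4]) + IPv4Address(server).packed
    opts += bytes([3, 4]) + IPv4Address(router).packed + b"\xff"
    return hdr + opts

if __name__ == "__main__":
    for pkt in (build_offer("192.168.1.1", "192.168.1.1", "192.168.1.100"),
                build_offer("192.168.1.2", "192.168.1.2", "192.168.1.201")):  # dnsmasq lab values
        print(classify(pkt))
```

To run it against live traffic, feed classify() the UDP payload of each packet captured on port 68 (for example from a raw socket or a pcap reader); anything reported with "rogue": True is a server to track down.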
Conclusion
In this exercise, you simulated a rogue DHCP server using dnsmasq, detected unauthorized DHCP activity with Wireshark and dhcpdump, and implemented mitigation techniques such as DHCP snooping and firewall rules. Regular monitoring and proactive defense are essential for securing network infrastructure.