Solved

Blocking rogue DHCP servers with Cisco

Posted on 2004-10-30
Medium Priority
2,030 Views
Last Modified: 2010-05-18
I have a large wireless network with probably 600 wifi clients. I run all Cisco 3550/3560 edge switches and just recently got my new 4506 as my core. My access points are a combo of Cisco 1231s, Cisco 1120s, and some old Lucent ones I have not replaced yet. My clients are XP Pro with either SP1 or SP2. My problem is that I think someone has turned on Internet Connection Sharing (ICS) on one of their machines. Randomly throughout the day various people are getting a bad address. My default gateway is x.x.x.1 and my DNS suffix is mycompany.com. When someone gets an IP address from this other "server" they get some random default gateway address which is in the same subnet as my network, which I can ping sometimes; remember, in a wifi environment machines are on and off randomly throughout the day. Their DNS suffix is mshome.net, which I believe is the default workgroup that XP Pro changes to when you do ICS. The clients with a bad address can access our internal email and network file systems but cannot pass through to the internet. If I do a nbtstat /A ipofbaddefaultgateway I get a NetBIOS name and MAC address of the person, whom I call in and find out they are NOT doing ICS. One other thing I noticed is that if a client has connected to this bad "server" then in the network connections window in XP it tells me I am connected to some internet gateway.

Is there any way to find out exactly who this person is, or just block all DHCP servers except for my DHCP server with my Cisco switches?

Within the next few months I will be implementing a few VLANs into my network since I have all L3 switches now that my 4506 came in. And I'm pretty sure I can block it that way, because all of my clients will be in a separate VLAN from my servers, but at the moment everyone is L2 and in the same subnet.

Doing static IP of all my clients is not an option.

I would really appreciate any help or advice.

Thank you.

Question by:teecee33
11 Comments
 
LVL 5

Expert Comment

by:AutoSponge
ID: 12452356
If you only have one subnet and as many as 600 clients, I think you know what's going to happen when someone tries to get an address from the network and none of the leases have expired.  Not sure how you're running DHCP but you will often get duplicate addresses assigned when you're out of addresses on the server.  The result is the address doesn't match the MAC of the previous lease and the user gets an error.

Author Comment

by:teecee33
ID: 12453251
I am using a /22 subnet and have under 100 devices that require static IPs, so that leaves 900 addresses available. I think I have them on a 4 day lease. I did notice that I have been seeing several "Bad_address" entries in my DHCP server and also "this address is already in use". That still does not explain why the DNS suffix gets changed to mshome.net and the DHCP server IP that displays on a client that has a bad address is an IP that is not one of my servers. The address it displays is one that I use in my DHCP scope, which says to me that there is a user that has ICS on.

Maybe I am wrong, but if there are not enough IP addresses on a DHCP server then shouldn't the client get something like a 169.x.x.x address? And that would not change the DNS suffix.
LVL 5

Expert Comment

by:AutoSponge
ID: 12456537
I'll think about it some more, but when most DHCP servers run out of addresses, they just give out one they already leased. The result is that the lease for that address is extended and the new addressee has a bad address (since his MAC doesn't match). It's a flaw that Microsoft and others know about but haven't fixed yet.
LVL 5

Expert Comment

by:AutoSponge
ID: 12458159
Because you're wireless the only thing I can think of so far is VPN.  If the clients had to use a VPN tunnel to get in, the VPN client would be needed to access the APs, therefore, simple DHCP (even a rogue one) or a static IP wouldn't be sufficient to gain access to the network.

Still thinking though...
LVL 5

Expert Comment

by:AutoSponge
ID: 12458177
Check out this article:

http://www.windowsitlibrary.com/Content/1110/06/3.html

Not sure if you're using a Cisco switch that has the snooping feature, but that's a possibility.

Author Comment

by:teecee33
ID: 12462956
I will TRY to check this out today, 11/1/04.  I have 2 of the 4 techs out today so I will be picking up their slack plus I am leaving to go out of town until next Monday.  I will be checking the forums but will not be able to actually implement anything until then.
LVL 5

Accepted Solution

by:
AutoSponge earned 2000 total points
ID: 12463209
I had another thought that doesn't really involve the routing so much as it does the way the hosts access the network.  You could have all traffic from the Wi-Fi forced into a proxy server that is also your DHCP server.  This way, unless the MAC matches, the user is blocked from getting on the network, and all routers point to that server as the only means of reaching a real host.  This way, any MAC-IP mismatch created by a rogue server will not be responded to by the network.

Unfortunately, this isn't much different than the current setup where someone in range of a rogue server takes the first IP they get and has limited access. Therefore the best bet is to lock it down by turning off SSID broadcasts and requiring a VPN client to log in. However, if your network is a public one and very "loose" as to who can gain access, you'll need to still keep the rest of the network up and responding to those rogue IPs, but all their traffic is forwarded to a portal page with an option to download the VPN client software and an explanation of how this helps secure their data while using that network. Until they get the VPN client, there is no route to the Internet, but once they get it there is almost no way for a rogue server to sniff their traffic.

I know you have users complaining about not being able to connect, but ultimately it's a security problem.  A rogue server is an attack on the wi-fi network and, when sophisticated, can be used to sniff plain text passwords etc. making every client vulnerable.

Author Comment

by:teecee33
ID: 12463861
We use 128-bit WEP atm and do not broadcast our SSID. I will be moving to LEAP as soon as I can get all the older Lucent APs replaced. My clients are largely students from grades 5-12. Probably some dad trying to set up his own home network on his daughter's computer turned ICS on. Was just hoping there was a way to stop it before I implement my new network design.
LVL 5

Expert Comment

by:AutoSponge
ID: 12466113
Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working, but I'm not sure how since I've never used one.  
LVL 11

Expert Comment

by:PennGwyn
ID: 12468275
> Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working,
> but I'm not sure how since I've never used one.  

In a Win2K AD environment, Win2K boxes running as DHCP servers will not actually serve DHCP unless authorized to do so by AD.  This does nothing to protect the network against rogue DHCP servers that don't happen to be Win2K AD members....

I believe the switch models specified all support per-port access lists (ugh...).  You *could* set those so that only DHCP responses from the legit servers can get through -- that might at least help you pin the problem to a specific switch port.

Sniffing that traffic should then let you discover a specific MAC address that the bogus DHCP replies are coming from.  Lock out that MAC address (I'm partial to giving it a dynamic VLAN that doesn't connect to anywhere), and see who complains.



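As an added example (not from this thread or any of its posters), here is the sniffing half of what PennGwyn describes: a Python parser that picks DHCP server replies out of captured Ethernet frames and flags any OFFER or ACK whose server identifier (option 54) is not the authorized DHCP server, reporting the source MAC so the offending switch port can be traced. The authorized server address 10.1.0.5, the MAC addresses and the sample frames (one legitimate offer, one ICS-style offer handing out mshome.net, one ARP frame) are constructed for the example; nothing here is specific to the asker's network.

```python
import struct

# Assumed address of the network's only legitimate DHCP server (example value).
AUTHORIZED_SERVERS = {"10.1.0.5"}

BOOTREPLY = 2                     # BOOTP op code used by every server reply
DHCP_OFFER, DHCP_ACK = 2, 5       # option 53 message types a rogue server would send
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp_options(data):
    """Walk the TLV option field (RFC 2132) into {code: value}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_server_reply(frame):
    """Return details of a DHCP server reply carried in an Ethernet frame, or None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                   # not IPv4
    src_mac, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                   # not UDP
        return None
    udp = ip[ihl:]
    sport, dport, _ = struct.unpack("!HHH", udp[:6])
    if sport != 67 or dport != 68:                    # server -> client direction only
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[0] != BOOTREPLY or dhcp[236:240] != MAGIC_COOKIE:
        return None
    opts = parse_dhcp_options(dhcp[240:])
    return {
        "src_mac": mac_str(src_mac),
        "src_ip": ip_str(ip[12:16]),
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": ip_str(opts[54]) if 54 in opts else ip_str(ip[12:16]),
        "yiaddr": ip_str(dhcp[16:20]),                # address being handed out
        "router": ip_str(opts[3][:4]) if 3 in opts else None,
        "domain": opts[15].decode("ascii", "replace") if 15 in opts else None,
    }


def find_rogue_replies(frames, authorized=AUTHORIZED_SERVERS):
    """Return every OFFER/ACK whose server identifier is not an authorized server."""
    rogue = []
    for frame in frames:
        info = parse_server_reply(frame)
        if info and info["msg_type"] in (DHCP_OFFER, DHCP_ACK) \
                and info["server_id"] not in authorized:
            rogue.append(info)
    return rogue


def build_offer(src_mac, server_ip, yiaddr, router, domain):
    """Construct a minimal Ethernet/IPv4/UDP DHCPOFFER frame (sample data only)."""
    opts = (b"\x35\x01\x02"                                      # 53: DHCPOFFER
            + b"\x36\x04" + ip_bytes(server_ip)                 # 54: server identifier
            + b"\x03\x04" + ip_bytes(router)                    # 3: default gateway
            + b"\x0f" + bytes([len(domain)]) + domain.encode()  # 15: DNS suffix
            + b"\xff")
    client_mac = bytes.fromhex("0022334455aa")
    dhcp = (bytes([BOOTREPLY, 1, 6, 0]) + b"\x12\x34\x56\x78" + b"\x00" * 4
            + b"\x00" * 4 + ip_bytes(yiaddr) + ip_bytes(server_ip) + b"\x00" * 4
            + client_mac + b"\x00" * 10 + b"\x00" * 192 + MAGIC_COOKIE + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
          + ip_bytes(server_ip) + ip_bytes("255.255.255.255") + udp)
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


# Constructed capture: one legitimate offer, one rogue (ICS-style) offer, one ARP frame.
SAMPLE_FRAMES = [
    build_offer("00:11:22:33:44:55", "10.1.0.5", "10.1.2.50", "10.1.0.1", "mycompany.com"),
    build_offer("aa:bb:cc:dd:ee:ff", "10.1.1.77", "10.1.3.9", "10.1.1.77", "mshome.net"),
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for r in find_rogue_replies(SAMPLE_FRAMES):
        print(f"rogue DHCP server {r['server_id']} (MAC {r['src_mac']}) handed out "
              f"{r['yiaddr']}, gateway {r['router']}, suffix {r['domain']}")
```

In a real investigation the frames would come from a capture on a SPAN port or from a pcap file rather than being built inline; the source MAC reported is what you look up in the switch's MAC address table to find the port. On the 3550/3560 the switch-side complement to this is DHCP snooping, which drops server replies arriving on ports not marked trusted, so only the uplink toward the real server can answer clients.
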
Author Comment

by:teecee33
ID: 13207838
Well I used a packet sniffer and found out who the people were.  When I looked at their computers they had no sign of any type of dhcp server.  No virus but tons of spyware.  I reimaged the machines and no problems.