Solved

Blocking rogue DHCP servers with Cisco

Posted on 2004-10-30
1,946 Views
Last Modified: 2010-05-18
I have a large wireless network with probably 600 wifi clients.  I run all Cisco 3550/3560 edge switches and just recently got my new 4506 as my core.  My access points are a combo of Cisco 1231s, Cisco 1120s, and some old Lucent ones I have not replaced yet.  My clients are XP Pro with either SP1 or SP2.  My problem is that I think someone has turned on internet connection sharing (ICS) on one of their machines.  Randomly throughout the day various people are getting bad addresses.  My default gateway is x.x.x.1 and my DNS suffix is mycompany.com.  When someone gets an IP address from this other "server" they get some random default gateway address which is in the same subnet as my network is, which I can ping sometimes; remember this is a wifi environment, so machines are on and off randomly throughout the day.  Their DNS suffix is mshome.net, which I believe is the default workgroup that XP Pro changes to when you do ICS.  The clients with a bad address can access our internal email and network file systems but cannot pass through to the internet.  If I do a nbtstat /A ipofbaddefaultgateway I get a NetBIOS name and MAC address of the person, who I call in and find out they are NOT doing ICS. One other thing I noticed is that if a client has connected to this bad "server" then in the network connections window in XP it tells me I am connected to some internet gateway.

Is there any way to find out exactly who this person is, or just block all DHCP servers except for my DHCP server with my Cisco switches?

Within the next few months I would be implementing a few VLANs into my network since I now have all L3 switches now that my 4506 came in.  And I'm pretty sure I can block it that way, because all of my clients will be in a separate VLAN than my servers, but at the moment everyone is L2 and in the same subnet.

Doing static IP of all my clients is not an option.

I would really appreciate any help or advice.

Thank you.

0
Question by:teecee33
    11 Comments
     
    LVL 5

    Expert Comment

    by:AutoSponge
    If you only have one subnet and as many as 600 clients, I think you know what's going to happen when someone tries to get an address from the network and none of the leases have expired.  Not sure how you're running DHCP but you will often get duplicate addresses assigned when you're out of addresses on the server.  The result is the address doesn't match the MAC of the previous lease and the user gets an error.
    0
     

    Author Comment

    by:teecee33
    I am using a /22 subnet and have under 100 devices that require static IPs so that leaves 900 addresses available.  I think I have them on a 4 day lease.  I did notice that I have been seeing several "Bad_address" entries in my DHCP server and also "this address is already in use".  That still does not explain why the DNS suffix gets changed to mshome.net and the DHCP server IP that displays on a client that has a bad address results in an IP that is not one of my servers.  The address it displays is one that I use in my DHCP scope, which says to me that there is a user that has ICS on.

    Maybe I am wrong, but if there are not enough IP addresses on a DHCP server then shouldn't the client get something like a 169.x.x.x address?  And that would not change the DNS suffix.
    0
     
    LVL 5

    Expert Comment

    by:AutoSponge
    I'll think about it some more, but when most DHCP servers run out of addresses, they just give out one they already leased.  The result is that the lease for that address is extended and the new addressee has a bad address (since his MAC doesn't match).  It's a flaw that Microsoft and others know about but haven't fixed yet.
    0
     
    LVL 5

    Expert Comment

    by:AutoSponge
    Because you're wireless the only thing I can think of so far is VPN.  If the clients had to use a VPN tunnel to get in, the VPN client would be needed to access the APs, therefore, simple DHCP (even a rogue one) or a static IP wouldn't be sufficient to gain access to the network.

    Still thinking though...
    0
     
    LVL 5

    Expert Comment

    by:AutoSponge
    Check out this article:

    http://www.windowsitlibrary.com/Content/1110/06/3.html

    Not sure if you're using a Cisco switch that has the snooping feature, but that's a possibility.
    0
     

    Author Comment

    by:teecee33
    I will TRY to check this out today, 11/1/04.  I have 2 of the 4 techs out today so I will be picking up their slack plus I am leaving to go out of town until next Monday.  I will be checking the forums but will not be able to actually implement anything until then.
    0
     
    LVL 5

    Accepted Solution

    by:
    I had another thought that doesn't really involve the routing so much as it does the way the hosts access the network.  You could have all traffic from the Wi-Fi forced into a proxy server that is also your DHCP server.  This way, unless the MAC matches, the user is blocked from getting on the network, and all routers point to that server as the only means of reaching a real host.  This way, any MAC-IP mismatch created by a rogue server will not be responded to by the network.

    Unfortunately, this isn't much different than the current setup where someone in range of a rogue server takes the first IP they get and has limited access.  Therefore the best bet is to lock it down by turning off SSID broadcasts and requiring a VPN client to login.  However, if your network is a public one and very "loose" as to who can gain access, you'll need to still keep the rest of the network up and responding to those rogue IPs but all their traffic is forwarded to a portal page with an option to download the VPN client software and an explanation of how this helps secure their data while using that network.  Until they get the VPN client, there is no route to the Internet, but once they get it there is almost no way for a rogue server to sniff their traffic.

    I know you have users complaining about not being able to connect, but ultimately it's a security problem.  A rogue server is an attack on the wi-fi network and, when sophisticated, can be used to sniff plain text passwords etc. making every client vulnerable.
    0
     

    Author Comment

    by:teecee33
    We use 128-bit WEP atm and do not broadcast our SSID.  I will be moving to LEAP as soon as I can get all the older Lucent APs replaced.  My clients are largely students from grades 5-12.  Probably some dad trying to set up his own home network on his daughter's computer and turned ICS on.  Was just hoping there was a way to stop it before I implement my new network design.
    0
     
    LVL 5

    Expert Comment

    by:AutoSponge
    Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working, but I'm not sure how since I've never used one.  
    0
     
    LVL 11

    Expert Comment

    by:PennGwyn
    > Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working,
    > but I'm not sure how since I've never used one.  

    In a Win2K AD environment, Win2K boxes running as DHCP servers will not actually serve DHCP unless authorized to do so by AD.  This does nothing to protect the network against rogue DHCP servers that don't happen to be Win2K AD members....

    I believe the switch models specified all support per-port access lists (ugh...).  You *could* set those so that only DHCP responses from the legit servers can get through -- that might at least help you pin the problem to a specific switch port.

    Sniffing that traffic should then let you discover a specific MAC address that the bogus DHCP replies are coming from.  Lock out that MAC address (I'm partial to giving it a dynamic VLAN that doesn't connect to anywhere), and see who complains.


    0
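    The sniffing step PennGwyn describes, as an added example that is not from the thread: decode server-to-client DHCP replies, flag any whose server identifier is not on the allow-list or whose domain suffix is something other than the company's (an XP ICS host hands out mshome.net), and collect the source MAC to lock out. The allow-list address, the 10.0.x.x addresses and the MACs are assumed placeholders, and the packets are constructed in the script rather than captured.

```python
import socket
import struct

# Allow-list for the example (placeholders: the thread only gives x.x.x.1 and mycompany.com).
AUTHORIZED_SERVERS = {"10.0.0.2"}
EXPECTED_DOMAIN = "mycompany.com"
MAGIC_COOKIE, DHCPOFFER, DHCPACK = b"\x63\x82\x53\x63", 2, 5

def build_dhcp_reply(server_ip, domain, msg_type=DHCPOFFER):
    # Constructed BOOTREPLY for testing; a sniffer on UDP/68 would supply real payloads.
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, b"",
                        socket.inet_aton("10.0.1.50"), socket.inet_aton(server_ip), b"", b"", b"", b"")
    opts = (bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip)
            + bytes([15, len(domain)]) + domain.encode() + b"\xff")
    return fixed + MAGIC_COOKIE + opts

def parse_options(payload):
    """Walk the TLV option area after the magic cookie into {tag: value}."""
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                     # pad byte, no length field
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classify_reply(src_mac, payload):
    """Verdict for one server-to-client DHCP message; None unless it is an OFFER or ACK."""
    opts = parse_options(payload) if payload[:1] == b"\x02" and payload[236:240] == MAGIC_COOKIE else {}
    if opts.get(53, b"\0")[0] not in (DHCPOFFER, DHCPACK):
        return None
    server_id = socket.inet_ntoa(opts[54]) if 54 in opts else "unknown"
    domain = opts.get(15, b"").decode("ascii", "replace")
    reasons = []
    if server_id not in AUTHORIZED_SERVERS:
        reasons.append("server identifier %s is not an authorized server" % server_id)
    if domain and domain != EXPECTED_DOMAIN:
        reasons.append("domain %r is not %s (XP ICS hands out mshome.net)" % (domain, EXPECTED_DOMAIN))
    return {"rogue": bool(reasons), "src_mac": src_mac, "server_id": server_id, "reasons": reasons}

def find_rogue_servers(frames):
    """frames: iterable of (source MAC, DHCP payload). Returns {(mac, server_id)} to lock out."""
    verdicts = (classify_reply(mac, p) for mac, p in frames)
    return {(v["src_mac"], v["server_id"]) for v in verdicts if v and v["rogue"]}

# Constructed sample: an ACK from the real server and an OFFER from an ICS host inside the pool.
SAMPLE_FRAMES = [("00:0c:29:aa:bb:cc", build_dhcp_reply("10.0.0.2", "mycompany.com", DHCPACK)),
                 ("00:11:22:33:44:55", build_dhcp_reply("10.0.1.77", "mshome.net"))]
```

    The MAC returned for the rogue frame is the one to look up in the switch MAC tables or quarantine into a dead-end VLAN, as the comment above suggests.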
     

    Author Comment

    by:teecee33
    Well I used a packet sniffer and found out who the people were.  When I looked at their computers they had no sign of any type of dhcp server.  No virus but tons of spyware.  I reimaged the machines and no problems.
    0
