Blocking rogue DHCP servers with Cisco

I have a large wireless network with probably 600 wifi clients. I run all Cisco 3550/3560 edge switches and just recently got my new 4506 as my core. My access points are a combo of Cisco 1231s, Cisco 1120s, and some old Lucent ones I have not replaced yet. My clients are XP Pro with either SP1 or SP2.

My problem is that I think someone has turned on Internet Connection Sharing (ICS) on one of their machines. Randomly throughout the day various people are getting a bad address. My default gateway is x.x.x.1 and my DNS suffix is mycompany.com. When someone gets an IP address from this other "server" they get some random default gateway address which is in the same subnet as my network, which I can ping sometimes (remember, in a wifi environment machines are on and off randomly throughout the day). Their DNS suffix is mshome.net, which I believe is the default workgroup that XP Pro changes to when you do ICS. The clients with a bad address can access our internal email and network file systems but cannot get through to the internet. If I do an nbtstat /A ipofbaddefaultgateway I get a NetBIOS name and MAC address of the person, who I call and find out they are NOT doing ICS. One other thing I noticed is that if a client has connected to this bad "server", then in the Network Connections window in XP it tells me I am connected to some internet gateway.

Is there any way to find out exactly who this person is, or just block all DHCP servers except for my DHCP server with my Cisco switches?

Within the next few months I will be implementing a few VLANs into my network, since I have all L3 switches now that my 4506 came in. And I'm pretty sure I can block it that way, because all of my clients will be in a separate VLAN from my servers, but at the moment everyone is L2 and in the same subnet.

Doing static IP of all my clients is not an option.

I would really appreciate any help or advice.

Thank you.

Asked by teecee33

1 Solution

AutoSponge commented:
If you only have one subnet and as many as 600 clients, I think you know what's going to happen when someone tries to get an address from the network and none of the leases have expired.  Not sure how you're running DHCP but you will often get duplicate addresses assigned when you're out of addresses on the server.  The result is the address doesn't match the MAC of the previous lease and the user gets an error.

teecee33 (author) commented:
I am using a /22 subnet and have under 100 devices that require static IPs, so that leaves 900 addresses available. I think I have them on a 4-day lease. I did notice that I have been seeing several "Bad_address" entries in my DHCP server and also "this address is already in use". That still does not explain why the DNS suffix gets changed to mshome.net and why the DHCP server IP that displays on a client that has a bad address is an IP that is not one of my servers. The address it displays is one that I use in my DHCP scope, which says to me that there is a user that has ICS on.

Maybe I am wrong, but if there are not enough IP addresses on a DHCP server then shouldn't the client get something like a 169.x.x.x address? And that would not change the DNS suffix.

AutoSponge commented:
I'll think about it some more, but when most DHCP servers run out of addresses, they just give out one they already leased. The result is that the lease for that address is extended and the new addressee has a bad address (since his MAC doesn't match). It's a flaw that Microsoft and others know about but haven't fixed yet.
AutoSponge commented:
Because you're wireless the only thing I can think of so far is VPN.  If the clients had to use a VPN tunnel to get in, the VPN client would be needed to access the APs, therefore, simple DHCP (even a rogue one) or a static IP wouldn't be sufficient to gain access to the network.

Still thinking though...

AutoSponge commented:
Check out this article:

http://www.windowsitlibrary.com/Content/1110/06/3.html

Not sure if you're using a Cisco switch that has the snooping feature, but that's a possibility.

teecee33 (author) commented:
I will TRY to check this out today, 11/1/04.  I have 2 of the 4 techs out today so I will be picking up their slack plus I am leaving to go out of town until next Monday.  I will be checking the forums but will not be able to actually implement anything until then.

AutoSponge commented:
I had another thought that doesn't really involve the routing so much as it does the way the hosts access the network.  You could have all traffic from the Wi-Fi forced into a proxy server that is also your DHCP server.  This way, unless the MAC matches, the user is blocked from getting on the network, and all routers point to that server as the only means of reaching a real host.  This way, any MAC-IP mismatch created by a rogue server will not be responded to by the network.

Unfortunately, this isn't much different from the current setup, where someone in range of a rogue server takes the first IP they get and has limited access. Therefore the best bet is to lock it down by turning off SSID broadcasts and requiring a VPN client to log in. However, if your network is a public one and very "loose" as to who can gain access, you'll need to still keep the rest of the network up and responding to those rogue IPs, but with all their traffic forwarded to a portal page with an option to download the VPN client software and an explanation of how this helps secure their data while using that network. Until they get the VPN client, there is no route to the Internet, but once they get it there is almost no way for a rogue server to sniff their traffic.

I know you have users complaining about not being able to connect, but ultimately it's a security problem.  A rogue server is an attack on the wi-fi network and, when sophisticated, can be used to sniff plain text passwords etc. making every client vulnerable.

teecee33 (author) commented:
We use 128-bit WEP at the moment and do not broadcast our SSID. I will be moving to LEAP as soon as I can get all the older Lucent APs replaced. My clients are largely students from grades 5-12. Probably some dad trying to set up his own home network on his daughter's computer turned ICS on. Was just hoping there was a way to stop it before I implement my new network design.

AutoSponge commented:
Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working, but I'm not sure how since I've never used one.  

PennGwyn commented:
> Supposedly win2k DHCP server with an active directory environment would also prevent a rogue DHCP server from working,
> but I'm not sure how since I've never used one.  

In a Win2K AD environment, Win2K boxes running as DHCP servers will not actually serve DHCP unless authorized to do so by AD.  This does nothing to protect the network against rogue DHCP servers that don't happen to be Win2K AD members....

I believe the switch models specified all support per-port access lists (ugh...).  You *could* set those so that only DHCP responses from the legit servers can get through -- that might at least help you pin the problem to a specific switch port.

Sniffing that traffic should then let you discover a specific MAC address that the bogus DHCP replies are coming from.  Lock out that MAC address (I'm partial to giving it a dynamic VLAN that doesn't connect to anywhere), and see who complains.


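The two switch-side approaches raised in this thread, the DHCP "snooping feature" AutoSponge pointed to and PennGwyn's per-port access lists, written out as an added Cisco IOS configuration example for a 3550/3560 edge switch. This is not configuration from any poster; the VLAN number (1), the DHCP server 10.0.0.10 on Gi0/1, the core uplink on Gi0/2 and the AP-facing ports Fa0/1-24 are assumptions standing in for the poster's x.x.x.x network and must be adjusted to the real topology.

```cisco
! Added example, not from the thread. Assumed topology: clients and servers
! share VLAN 1 (one /22), the real DHCP server is 10.0.0.10 on Gi0/1,
! Gi0/2 is the trunk towards the 4506 core, access points hang off Fa0/1-24.
!
! --- 1. DHCP snooping: server-side DHCP (OFFER/ACK/NAK) is only accepted
!        on trusted ports; anything else sourcing it is dropped and logged.
ip dhcp snooping
ip dhcp snooping vlan 1
! Stop the switch inserting option 82 into relayed requests: with giaddr
! 0.0.0.0 some DHCP servers discard those requests, which would look like
! a second outage on top of the rogue-server one.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description DHCP server 10.0.0.10 (assumed)
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description trunk to 4506 core; legitimate offers may arrive from here
 switchport mode trunk
 ip dhcp snooping trust
!
! AP-facing ports stay untrusted (the default). A wireless client running
! ICS answers DHCPDISCOVERs with OFFERs; the switch drops them here.
interface range FastEthernet0/1 - 24
 description access points and wired clients
 switchport mode access
 switchport access vlan 1
 no ip dhcp snooping trust
!
! --- 2. Fallback (or belt-and-braces) for an IOS image without snooping:
!        a port ACL that drops DHCP server messages (UDP source port 67)
!        entering a client port unless they come from the real server.
ip access-list extended NO-ROGUE-DHCP
 remark only the real DHCP server may source server messages (bootps = 67)
 permit udp host 10.0.0.10 eq bootps any
 deny   udp any eq bootps any
 permit ip any any
!
interface range FastEthernet0/1 - 24
 ip access-group NO-ROGUE-DHCP in
!
! --- 3. Finding the culprit once drops start
! show ip dhcp snooping                       ! trusted ports and snooped VLANs
! show ip dhcp snooping binding               ! leases learned from legit offers
! show logging | include DHCP_SNOOPING        ! dropped OFFERs with source MAC
! show mac address-table address 0011.2233.4455   ! which port that MAC sits behind
```

Two caveats for this particular network. If the DHCP server sits behind the 4506 rather than on the edge switch, every edge uplink towards the core must be trusted, while on the core itself only the server port is trusted and the downlinks to the 3550/3560s stay untrusted. More importantly, two wireless clients on the same access point exchange frames through the AP without ever crossing the switch, so neither snooping nor the port ACL sees a rogue OFFER that is answered inside one cell; on the Cisco IOS autonomous APs, enabling PSPF (`bridge-group 1 port-protected` on the Dot11Radio interface) blocks that client-to-client bridging, and the older Lucent units would need an equivalent setting if they have one. A MAC that keeps showing up in the drop logs can then be traced to its AP port with `show mac address-table` and dealt with, for instance by PennGwyn's dead-end VLAN.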
 
teecee33 (author) commented:
Well I used a packet sniffer and found out who the people were.  When I looked at their computers they had no sign of any type of dhcp server.  No virus but tons of spyware.  I reimaged the machines and no problems.