How can I find a rogue DHCP server?

Posted on 2009-04-16
Last Modified: 2013-11-22
I have figured out that it is the trojanflush.m virus/malware that is causing this.  It gives the machines a 1 hour lease time and gives you bogus DNS addresses.  The site that is affected has around 400 computers, so it's like finding a needle in a haystack.  Any help would be greatly appreciated.
Question by:HCSB
    LVL 70

    Expert Comment

    by:Chris Dent

    Are your switches Managed? Can you tie a MAC address to a Port?

    Or if it's a Windows network, and you have the MAC, it is possible to check the MAC address on each client remotely (using WMI and a bit of scripting).

    LVL 31

    Expert Comment

    Where is your DNS normally pointed to?  If your Server is controlling DNS I would have thought you could setup the perimeter firewall to block all access to DNS requests from all pc's except for the server.  All pc's that have been zombied would try to connect to the rogue DNS address but would be barred by the perimeter firewall, so it is immediately obvious which pc's are affected.
    LVL 7

    Expert Comment

    You can always use Ethereal to capture data packets and analyze them afterwards.
    You can also be sure that rogue DHCP servers are not operating in your network if you enable DHCP snooping in your switches.
    Cisco supports the feature. It is possible that other vendors also have DHCP snooping support.


    Author Comment

    All switches except for one building are managed Cisco switches.  The only problem is they're all out of date, so in order to use DHCP snooping we would need to update all the switches; we checked, and our current version doesn't support it.

    The DNS addresses it uses were already blocked by our firewall, so we know which ones are getting the bogus address; the problem is finding the machine that is handing them out.
    LVL 5

    Expert Comment


    Try using dhcploc.exe.

    This will give you the IP address of the server; then run NBTSTAT -A [IPADDRESS]

    If you don't recognize the name, do the following

    On your switches

    check which port that MAC is on
    show ip arp [ip-address]
    show ip arp

    Happy hunting

    LVL 15

    Accepted Solution


    Here's my checklist for detecting rogue DHCP servers in your network:

    1) If you are a Cisco shop, you are lucky, because they have implemented a built-in security mechanism called "DHCP Snooping". It is a DHCP security feature that provides security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. Read more about it.

    This is an example of enabling DHCP Snooping on a Cisco Switch:

    switch(config)# ip dhcp snooping
    ! Enables DHCP snooping globally
    switch(config)# ip dhcp snooping vlan <vlan-id>[,<vlan-id>]
    ! Enables DHCP snooping for specific VLANs (replace the placeholders with your VLAN IDs or a range such as 10-20)
    switch(config)# interface <port-facing-your-dhcp-server>
    switch(config-if)# ip dhcp snooping trust
    ! Sets the interface to trusted state; only trusted ports may pass DHCP replies
    switch(config-if)# ip dhcp snooping limit rate <packets-per-second>
    ! Sets the rate limit for DHCP packets on the interface

    2) Use " DHCPLOC Utility" to detect rogue DHCP servers on your network, Get it from here


    With this tool, you can determine which DHCP servers are available to a DHCP client and to detect unauthorized DHCP servers on a subnet.

    3) Use "DhcpExplorer"; it's a tool that allows you to discover DHCP servers on your local subnet or LAN. This is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as checking the expected output of known servers. The tool is designed with a user-friendly interface and is easy to use. Download it from here:

    4) Use " DHCPing", it is a simple utility, like ping, except it tests for running DHCP servers. The results of a dhcping scan can be matched against a list of known DHCP servers on your network. Anything showing up in the scan, and not on your server inventory, should be suspect. Get it from


    5) If you are a Microsoft shop, make sure that you have configured authorized DHCP server correctly, read here for more details:

    6) If you use Nmap (and you should, by the way), you can scan your network for hosts that listen on port 67. See this example:

    nmap -sU -P0 -p 67-68 -oN dhcp-scan-results '192.168.0-3.*'

    Replace 192.168.0-3.* with your network's IP range.

    7) Snort is your watchdog while you are busy. Modify your snort.conf file to add a new server list, like this:

    var AUTHORIZED_DHCP [<server1-ip>,<server2-ip>]

    replace the placeholders with your production servers

    And use this rule to detect rogue dhcp servers:

    alert udp !$AUTHORIZED_DHCP 67 -> any 68 (msg:"Rogue DHCP Server On Network"; sid:1000001; rev:1;)

    8) If you have tcpdump around, you can run it with this BPF filter to detect rogue DHCP servers (server replies always come from source port 67, so filtering on the source port keeps normal client requests out of the output):

    tcpdump -i eth0 -nn 'udp src port 67 and not (src host x.x.x.x or src host y.y.y.y)'

    9) And last, double check with your host-based firewall vendor that their product does support NDIS-level firewalling. This means the FW will protect against unauthorized NDIS protocol registration by hooking NdisRegisterProtocol()/NdisOpenAdapter(). So the FW will be notified when an NDIS protocol is trying to register or when it is binding to some adapter.

    A Symantec Certified Specialist @ your service
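The allowlist idea behind steps 7 and 8 above (only known servers may answer on port 67) can also be applied offline to captured traffic. The following is an added example, not code from the thread or from any of the tools it names: it parses DHCP OFFER/ACK payloads, compares the server identifier (option 54) against an authorized list, and additionally flags the two symptoms the question describes, a very short lease (option 51) and DNS servers (option 6) that are not yours. The packets, the allowlists and the 4-hour lease threshold are constructed for the demonstration; in practice you would feed it the UDP payloads from a tcpdump capture and then trace the rogue's source MAC to a switch port as the earlier comments describe.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Hypothetical allowlists: replace with your own production servers.
AUTHORIZED_DHCP = {"10.10.0.1"}
AUTHORIZED_DNS = {"10.10.0.1", "10.10.0.2"}
# Constructed threshold: the normal lease here is 8 hours, so anything far
# shorter (like the 1-hour lease from the question) is worth a look.
MIN_SANE_LEASE = 4 * 3600


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus the TLV option area of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op,                                               # 1 = client request, 2 = server reply
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),  # address being offered
        "siaddr": str(ipaddress.IPv4Address(payload[20:24])),  # next-server address
        "chaddr": payload[28:28 + hlen].hex(":"),               # client MAC
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte
            i += 1
            continue
        if code == 255:        # end of options
            break
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ip_list(raw: bytes) -> list:
    """Split an option value holding N concatenated IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4]))
            for j in range(0, len(raw) - len(raw) % 4, 4)]


def assess_offer(msg: dict) -> list:
    """Return the reasons an OFFER/ACK looks rogue; an empty list means it passed."""
    opts = msg["options"]
    msg_type = opts.get(53, b"\x00")[0]
    if msg["op"] != 2 or msg_type not in (2, 5):   # only DHCPOFFER (2) and DHCPACK (5)
        return []
    findings = []
    server_id = ip_list(opts[54])[0] if 54 in opts else msg["siaddr"]
    if server_id not in AUTHORIZED_DHCP:
        findings.append(f"unauthorized server identifier {server_id}")
    if 51 in opts:
        lease = struct.unpack("!I", opts[51])[0]
        if lease < MIN_SANE_LEASE:
            findings.append(f"short lease {lease}s")
    for dns in ip_list(opts.get(6, b"")):
        if dns not in AUTHORIZED_DNS:
            findings.append(f"unexpected DNS server {dns}")
    return findings


def build_offer(server_ip, offered_ip, lease, dns_servers, xid,
                mac=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a minimal DHCPOFFER so the example runs without a live network."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4                                     # ciaddr
    hdr += ipaddress.IPv4Address(offered_ip).packed        # yiaddr
    hdr += ipaddress.IPv4Address(server_ip).packed         # siaddr
    hdr += b"\x00" * 4                                     # giaddr
    hdr += mac + b"\x00" * 10                              # chaddr is 16 bytes
    hdr += b"\x00" * 192                                   # sname (64) + file (128)
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts = (MAGIC_COOKIE
            + b"\x35\x01\x02"                                        # 53: DHCPOFFER
            + b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed  # 54: server identifier
            + b"\x33\x04" + struct.pack("!I", lease)                 # 51: lease time
            + bytes([6, len(dns_raw)]) + dns_raw                     # 6: DNS servers
            + b"\xff")
    return hdr + opts


# Constructed sample traffic: one offer from the real server, one from a rogue
# that hands out a 1-hour lease and outside DNS, as in the question.
LEGIT_OFFER = build_offer("10.10.0.1", "10.10.5.20", 8 * 3600,
                          ["10.10.0.1", "10.10.0.2"], xid=0x1001)
ROGUE_OFFER = build_offer("10.10.5.77", "10.10.5.21", 3600,
                          ["203.0.113.5", "203.0.113.6"], xid=0x1002)

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        msg = parse_dhcp(pkt)
        print(name, msg["siaddr"], "->", msg["chaddr"], assess_offer(msg) or "clean")
```

Judging only OFFER and ACK messages matters: client DISCOVER/REQUEST broadcasts also carry port 67, and an unfiltered rule would fire on every one of your 400 clients. The server identifier is preferred over siaddr because a rogue may leave siaddr empty while option 54 must be present in a valid offer.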
