DHCP Rogue Impact

In the DHCP world, a rogue DHCP server can be plugged into the network.
* However, what is the worst case scenario that can happen, other than a Denial of Service attack, seeing that the rogue DHCP server can hand out wrong TCP/IP settings (IP address/default gateway/DNS)?

* To prevent that, DHCP snooping can be configured on switches. It needs to be configured at the global configuration, then on the VLAN(s).
I am not sure if it needs to be configured on all VLANs on all switches?

Any clarifications?

Thanks

jskfan asked:

Jody Lemoine (Network Architect) commented:
It needs to be configured on all VLANs that you want to protect. If you have a VLAN that uses only static addressing, you can leave that out. By default, DHCP snooping is disabled on all VLANs, so it won't work at all until you configure it on at least one VLAN.
Kanti Prasad commented:
Hi

DHCP provides clients connecting to your network with IP addresses and configuration parameters such as subnet mask, default gateway, and DNS server information. If these parameters become corrupted, the smooth flow of network traffic can abruptly halt. Worse, if a setting such as the default gateway is maliciously defined, network security is immediately jeopardized, but you may not immediately notice.

DHCP snooping must be implemented correctly on all switches; otherwise clients will not get their information, as it allows DHCP information to be provided by certain servers on certain ports only.

DHCP packets need to be authenticated so that only authorised packets are accepted by the client. So use Network Access Protection (NAP) or Network Access Control (NAC), which will help all devices authenticate to the network.

Devices that do not meet the criteria or can't authenticate correctly are segmented onto a specific subnet or VLAN.

Meraki's switches operate at the same TCP/IP layer as the DHCP protocol, which will help to detect rogue DHCP servers.

https://meraki.cisco.com/products/switches

Here is some more info on rogue DHCP:

https://en.wikipedia.org/wiki/Rogue_DHCP
jskfan (Author) commented:
How is the rogue DHCP server going to get the real default gateway from the network, since it is the one that is going to hand out the DG to clients in addition to the IP address and DNS?

I know that it can cause a Denial of Service attack by handing out wrong TCP/IP settings to clients, but I do not see how it is going to "steal" the DG IP address or any other settings from the network.
Jody Lemoine (Network Architect) commented:
Rogue DHCP servers typically don't bother to get the real default gateway of the network. They just provide a different one, usually themselves. This causes clients that get their addresses from the rogue to send off-network traffic to a gateway that either has no connectivity or has connectivity that bypasses your network's internal controls. By providing IP information that is completely different from that provided by the legitimate DHCP servers, they essentially remove the client from your network.

Jody Lemoine (Network Architect) commented:
In short, rogues don't steal IP information from your network. They steal the clients from your network.
jskfan (Author) commented:
So if they steal clients from the network... at least they do not steal data from the network...
I agree DoS is a problem, but the data in the network stays safe, if I am not wrong.
Jody Lemoine (Network Architect) commented:
At the surface, yes. However, a rogue's client with outside connectivity is a potential jump-off point to your actual network. You definitely want to stop it from happening.
jskfan (Author) commented:
I agree..

By default a switch has all ports untrusted.
Let's say we do not want to configure DHCP snooping in the network at all. In this case, if we connect a DHCP server to a switch then the clients will not get an IP address.
JustInCase commented:
"but the Data in the network stays safe, if I am not wrong"
You are wrong.
A DHCP server can set some host (attacker) as the default gateway, and all traffic that should be directed to other networks will be sent to that host (the fake default gateway; the attacker would forward information to the destination addresses through your actual default gateway, so your hosts think that everything is OK since all traffic seems uninterrupted), so all data can be stolen on the default gateway (man-in-the-middle attack).
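The point made above, that a rogue simply names a host of its own as the default gateway, is visible in the DHCP reply itself. As an added example (not code from this thread), the following parses a DHCPOFFER/DHCPACK and flags replies whose server identifier (option 54) is not on an allowlist or whose router option (option 3) differs from the expected gateway; it assumes the bytes are the bare DHCP payload with UDP/IP headers already stripped, and the server and gateway addresses are constructed sample values.

```python
import ipaddress
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP options magic cookie at offset 236

def _ip(raw):
    return str(ipaddress.IPv4Address(raw))

def parse_reply(pkt):
    """Parse a BOOTREPLY, pulling the options a rogue forges: router (3), server id (54)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:  # option 255 = end of options
        if pkt[i] == 0:  # option 0 = pad, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "yiaddr": _ip(pkt[16:20]),
            "msg_type": opts.get(53, b"\x00")[0],
            "router": _ip(opts[3]) if 3 in opts else None,
            "server_id": _ip(opts[54]) if 54 in opts else None}

def audit_reply(pkt, authorized_servers, expected_router):
    """Return findings for a DHCPOFFER/DHCPACK; an empty list means it looks legitimate."""
    d = parse_reply(pkt)
    if d["op"] != 2 or d["msg_type"] not in (2, 5):  # only BOOTREPLY carrying OFFER (2) / ACK (5)
        return []
    findings = []
    if d["server_id"] not in authorized_servers:
        findings.append(f"reply from unauthorized DHCP server {d['server_id']}")
    if d["router"] != expected_router:
        findings.append(f"gateway {d['router']} differs from expected {expected_router}")
    return findings

def build_reply(msg_type, yiaddr, router, server_id):
    """Constructed sample reply (not a capture) used to exercise the audit."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", p(yiaddr), b"", b"", b"", b"", b"")  # short fields are null-padded
    opts = bytes([53, 1, msg_type, 54, 4]) + p(server_id) + bytes([3, 4]) + p(router)
    return hdr + MAGIC + opts + b"\xff"

AUTHORIZED, GATEWAY = {"10.0.0.2"}, "10.0.0.1"  # constructed: the real server and gateway
LEGIT = build_reply(2, "10.0.0.50", GATEWAY, "10.0.0.2")
ROGUE = build_reply(2, "10.0.0.51", "10.0.0.99", "10.0.0.99")  # rogue names itself as gateway
if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("rogue", ROGUE)):
        print(name, audit_reply(pkt, AUTHORIZED, GATEWAY) or ["ok"])
```

Feeding the same check captured replies from an untrusted port gives a simple detection of the gateway substitution described above, independent of whether the switch supports DHCP snooping.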
Kanti Prasad commented:
Hi

Rogue DHCP servers on the network create multiple problems.

You will get too many help desk calls, as legitimate users cannot access corporate network resources if their IP addressing is not identical to the corporate IP addressing, and this would prevent users from accessing file servers, the internet, etc.

Attackers can route and replicate the packets of legitimate traffic to their PCs for packet analysis.
Jody Lemoine (Network Architect) commented:
Ideally, you want to use DHCP snooping combined with dynamic ARP inspection to ensure that there are not only no rogue DHCP servers, but also no unauthorized static clients on the network.
jskfan (Author) commented:
On a DHCP server, usually you authorize it to authenticate with Active Directory, which means if a client is not joined to the domain it does not get an IP address from that authorized DHCP server.

So the rogue DHCP can take advantage of PCs that are not joined to the domain.
I also do not see how the rogue DHCP can steal the DG of other PCs, since those PCs will be using only the DG that the rogue DHCP itself has handed out to them.

The risk of placing an unauthorized computer in the network does not have to be a rogue DHCP; it can be any computer with a sniffer application able to steal data from that VLAN. Probably there are sniffer applications that can sniff data from other VLANs too.
JustInCase commented:
"On DHCP server ,usually you authorize it to authenticate with Active Directory, which means if a client is not joined to the domain it does not get IP address from that authorized DHCP server."
DHCP usually just assigns addresses, and does not have much to do with joining the domain, except that hosts must have an IP address to be able to contact the server. A client gets an IP address even if it is not joined to the domain. There are attacks designed around this fact, like DHCP starvation.
You can read more in this Microsoft article.
I am currently working on my Microsoft certification, and all hosts in my home get an IP address from Server 2012 R2 whether they are joined to the domain or not.
jskfan (Author) commented:
Predrag Jovic
A DHCP server authorized in the domain will hand out IP addresses only to clients joined to the domain.
Then if you put another DHCP server not authorized in the domain, it will hand out IP addresses to clients not joined to the domain.

In your case you have only one DHCP server and it is not authorized, so you cannot see the difference..
JustInCase commented:
Not true. The server is authorized, otherwise it would not lease addresses at all. :)
Microsoft: If the DHCP server is not authorized, it will not lease IP addresses to DHCP clients. It does not matter if clients are part of the domain or not.
Let's simplify this by reducing it to basic networking:
Clients cannot join the domain if they don't have an IP address assigned first. The DHCP server is just responding to DHCP requests; there is no way to know at that moment (when the client requests an IP address) whether that client is part of the domain or not; that comes later.
It is a network like any other. If the client doesn't have an IP address, there is no way for the client to communicate with the server (remember the OSI model?).
There are some other mechanisms to prevent hosts from getting an IP address from the DHCP server (like using 802.1X on the network infrastructure, or allowing only a specific list of MAC addresses to get an IP address from the DHCP server), but authorization of the DHCP server has nothing to do with preventing clients from getting an IP address.
jskfan (Author) commented:
So what is the purpose of DHCP authorization, while someone can plug in a router somewhere in the network and make it a DHCP server...

Though, per Microsoft: https://technet.microsoft.com/en-us/library/Dd296633(v=WS.10).aspx
it is talking about Windows DHCP servers that are not authorized and cannot hand out IP addresses... I am not sure how it can control that? Since if you bring a Windows DHCP server into the network, I believe it still can respond to DHCP client broadcasts and hand out IP addresses.
JustInCase commented:
"I am not sure how can it control that ?"
You (the enterprise admin) manually authorize or unauthorize the DHCP server.
If it is not authorized (not authorized to lease IP addresses), it is disabled. It is like a computer: it does not work if you don't power it on first.
:)
You can download a trial server from Microsoft and try it for yourself.
Kanti Prasad commented:
Hi

If you are not on an Active Directory setup, then a SOHO-style WAP / 4-port router plugged into a wall port will respond to DHCP requests.
So if you have the required infrastructure set up, DHCP snooping is an option, as it blocks DHCP messages from reaching clients if they are not from a trusted port.

A stand-alone server which acts as a DHCP server that is not on a subnet with any authorized DHCP servers leases IP addresses to DHCP clients, but can be used only for computer browsing purposes and not to provide secure logon access to shared domain resources.
jskfan (Author) commented:
I will come back to this later.
Thanks