[c-nsp] Tracking down rogue DHCP server

Kristofer Sigurdsson kristo at ipf.is
Mon Aug 15 10:16:19 EDT 2005


Hi,

Often you can find out the IP address and even the MAC address of
your DHCP server.  So, if you can put a PC on the segment and let
it obtain an IP address from the rogue server, you may be in luck
in finding this information.  There's also an easier way: most
residential DHCP servers specify themselves as default gateway, so
an ordinary printout of the DHCP info obtained should be enough.

Once you have the IP info, you can put a secondary interface on your
2600 router towards this segment, using an address from the private
range from the DHCP server.  Then, ping the rogue server.  That should
put its MAC address in your ARP table.  Using this information, you
could snmpwalk all your switches, grepping for this MAC address (in the
XX XX XX XX XX XX format), find the switch, then find the MAC address in
the switch's MAC address table.  I find the interface command "shutdown"
extremely helpful in these scenarios. :-)

You might want to implement something like DHCP snooping in order to 
prevent this from happening.


On Mon, 2005-08-15 at 08:56 -0500, Eric Whitehill wrote:
> Hello:
> 
> Over the last couple of days, someone on one of our customer's sites has
> been putting up a rogue DHCP server and bringing down the customer's
> network.  
> 
> We currently have all Cisco switches within the network, and we are using a
> Cisco 2600 to hand out DHCP addresses to the customers.
> 
> While the customer's DHCP server is trying to hand out addresses from our
> assigned DHCP pool, the customer's rogue DHCP server is trying to hand out
> private addresses.  Thus, the problem.  
> 
> I've thought about doing a check on the mac-address-table on the cisco, but
> there has to be an easier way (over 50 switches, which makes it prohibitive
> to do this) 
> 
> I am trying to find an easy way to track down this rogue DHCP server and
> smack the user really really really hard.  
> 
> Thanks, with LART in hand,  
> 
> -Eric 
> 


More information about the cisco-nsp mailing list