[c-nsp] Tracking down rogue DHCP server

Matt Addison maddison at iquest.net
Mon Aug 15 10:54:20 EDT 2005


NetDisco http://netdisco.org/ looks like it may be a good tool for
tracking down issues like this in the future...

~Matt 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kristofer
Sigurdsson
Sent: Monday, August 15, 2005 9:16 AM
To: ewhitehill at 702com.net
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Tracking down rogue DHCP server

Hi,

Often you can find out the IP address and even the MAC address of your
DHCP server.  So, if you can put a PC on the segment and let it obtain
an IP address from the rogue server, you may be in luck in finding this
information.  There's also an easier way: most residential DHCP servers
specify themselves as default gateway, so an ordinary printout of the DHCP
info obtained should be enough.

Once you have the IP info, you can put a secondary interface on your
2600 router towards this segment, using an address from the private
range from the DHCP server.  Then, ping the rogue server.  That should
put its MAC address in your ARP table.  Using this information, you
could snmpwalk all your switches, grepping for this MAC address (in the
XX XX XX XX XX XX format), find the switch, then find the MAC address in
the switch's MAC address table.  I find the interface command "shutdown"
extremely helpful in these scenarios. :-)

You might want to implement something like DHCP snooping in order to
prevent this from happening.


On Mon, 2005-08-15 at 08:56 -0500, Eric Whitehill wrote:
> Hello:
> 
> Over the last couple of days, someone on one of our customer's sites has
> been putting up a rogue DHCP server and bringing down the customer's
> network.  
> 
> We currently have all cisco switches within the network, and we are using a
> Cisco 2600 to hand out DHCP addresses to the customers.  
> 
> While the customer's DHCP server is trying to hand out addresses from our
> assigned DHCP pool, the customer's rogue DHCP server is trying to hand out
> private addresses.  Thus, the problem.  
> 
> I've thought about doing a check on the mac-address-table on the cisco, but
> there has to be an easier way (over 50 switches, which makes it prohibitive
> to do this) 
> 
> I am trying to find an easy way to track down this rogue DHCP server and
> smack the user really really really hard.  
> 
> Thanks, with LART in hand,  
> 
> -Eric 
> 
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
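Editor's added example (not part of the thread, and not code from any poster): the "snmpwalk every switch and grep for the MAC" step from Kristofer's reply, done over saved snmpwalk output instead of by hand. It decodes the two forms the MAC takes in a BRIDGE-MIB walk (the `XX XX XX XX XX XX` Hex-STRING value and the decimal dotted OID index of dot1dTpFdbPort), maps bridge port to ifIndex to ifName, and reports every switch that has learned the address. Because every switch on the path learns the MAC on its uplink, the hits are ordered by how many MACs the port carries: the edge port with a single MAC is where the rogue box is plugged in. The switch names, interface names, MAC addresses and walk output are constructed for the example; on real Catalyst switches the BRIDGE-MIB is per VLAN, so walk with the community-string-indexed form `community@<vlan>` for each VLAN you care about and feed each file into the dictionary.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output (not real devices) of, per switch:
#   snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dTpFdbAddress
#   snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dTpFdbPort
#   snmpwalk -v2c -c <community> <switch> BRIDGE-MIB::dot1dBasePortIfIndex
#   snmpwalk -v2c -c <community> <switch> IF-MIB::ifName
# The rogue server (00:1d:70:ab:cd:ef) hangs off sw-edge-3 Fa0/7; the core
# switch learns it too, on its uplink towards sw-edge-3.
SAMPLE_WALKS: Dict[str, str] = {
    "sw-core-1": """
BRIDGE-MIB::dot1dTpFdbAddress.0.29.112.171.205.239 = Hex-STRING: 00 1D 70 AB CD EF 
BRIDGE-MIB::dot1dTpFdbAddress.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55 
BRIDGE-MIB::dot1dTpFdbAddress.0.17.34.51.68.102 = Hex-STRING: 00 11 22 33 44 66 
BRIDGE-MIB::dot1dTpFdbPort.0.29.112.171.205.239 = INTEGER: 1
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 1
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.102 = INTEGER: 2
BRIDGE-MIB::dot1dBasePortIfIndex.1 = INTEGER: 10101
BRIDGE-MIB::dot1dBasePortIfIndex.2 = INTEGER: 10102
IF-MIB::ifName.10101 = STRING: Gi0/1
IF-MIB::ifName.10102 = STRING: Gi0/2
""",
    "sw-edge-3": """
BRIDGE-MIB::dot1dTpFdbAddress.0.29.112.171.205.239 = Hex-STRING: 00 1D 70 AB CD EF 
BRIDGE-MIB::dot1dTpFdbAddress.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55 
BRIDGE-MIB::dot1dTpFdbAddress.0.17.34.51.68.102 = Hex-STRING: 00 11 22 33 44 66 
BRIDGE-MIB::dot1dTpFdbPort.0.29.112.171.205.239 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 8
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.102 = INTEGER: 24
BRIDGE-MIB::dot1dBasePortIfIndex.7 = INTEGER: 10007
BRIDGE-MIB::dot1dBasePortIfIndex.8 = INTEGER: 10008
BRIDGE-MIB::dot1dBasePortIfIndex.24 = INTEGER: 10024
IF-MIB::ifName.10007 = STRING: Fa0/7
IF-MIB::ifName.10008 = STRING: Fa0/8
IF-MIB::ifName.10024 = STRING: Gi0/1
""",
}

# One snmpwalk output line: MIB::object.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)\.(?P<idx>[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*?)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00:11:..., 00-11-..., or 'XX XX XX XX XX XX'; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def mac_from_oid_index(index: str) -> str:
    """dot1dTpFdb* rows are indexed by the MAC as six decimal octets, e.g. 0.29.112.171.205.239."""
    octets = index.split(".")
    if len(octets) != 6:
        raise ValueError(f"not a 6-octet MAC index: {index!r}")
    return "".join(f"{int(o):02x}" for o in octets)


def mac_to_hexstring(mac: str) -> str:
    """The form snmpwalk prints for Hex-STRING values, i.e. what you would grep for."""
    d = normalize_mac(mac)
    return " ".join(d[i:i + 2].upper() for i in range(0, 12, 2))


def parse_walk(text: str) -> Tuple[Dict[str, int], Dict[int, int], Dict[int, str]]:
    """Return (mac -> bridge port, bridge port -> ifIndex, ifIndex -> ifName) from one switch's walk."""
    fdb: Dict[str, int] = {}
    port_if: Dict[int, int] = {}
    ifnames: Dict[int, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something we do not model
        obj, idx, val = m.group("obj"), m.group("idx"), m.group("val")
        if obj == "dot1dTpFdbPort":
            fdb[mac_from_oid_index(idx)] = int(val)
        elif obj == "dot1dTpFdbAddress":
            # Cross-check: the Hex-STRING value must agree with the decoded OID index.
            if normalize_mac(val) != mac_from_oid_index(idx):
                raise ValueError(f"index/value mismatch: {raw.strip()}")
        elif obj == "dot1dBasePortIfIndex":
            port_if[int(idx)] = int(val)
        elif obj == "ifName":
            ifnames[int(idx)] = val
    return fdb, port_if, ifnames


def locate_mac(target: str, walks: Dict[str, str]) -> List[Tuple[str, str, int]]:
    """All (switch, interface, MACs learned on that interface) where target appears, edge ports first."""
    want = normalize_mac(target)
    hits: List[Tuple[str, str, int]] = []
    for switch, text in walks.items():
        fdb, port_if, ifnames = parse_walk(text)
        if want not in fdb:
            continue
        bport = fdb[want]
        ifname = ifnames.get(port_if.get(bport, -1), f"bridgeport {bport}")
        learned_here = sum(1 for p in fdb.values() if p == bport)
        hits.append((switch, ifname, learned_here))
    # A port carrying many MACs is an uplink; the single-MAC port is the real edge.
    hits.sort(key=lambda h: h[2])
    return hits


if __name__ == "__main__":
    rogue = "001d.70ab.cdef"  # as it shows up in 'show arp' on the 2600
    print("grep pattern:", mac_to_hexstring(rogue))
    for switch, ifname, n in locate_mac(rogue, SAMPLE_WALKS):
        print(f"{switch} {ifname}  ({n} MAC(s) learned on this port)")
```

The first line of output is the switch and port to "shutdown"; the remaining hits are transit ports and are left alone. The cross-check in `parse_walk` catches a walk that was mangled in transit (truncated Hex-STRING, line wrapped by a pager) before you act on it.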