Rogue DHCP
A rogue DHCP server (rogue: English for rogue ) disrupts the operation of a local network managed by DHCP . The malware runs i. d. Usually on an ordinary work computer, but appears in the network like an ordinary DHCP server and gives nonsensical to malicious answers to DHCP requests.
Working method
In order to gain network access, a computer (client) sends a request for the assignment of an IP address and information such as the IP address of the responsible router to a DHCP server by sending a broadcast (a type of broadcast) in the local network. A DHCP server replies to this message. A rogue DHCP server tries to respond faster than the regular server and transmits either manipulated or simply unusable information.
In a harmless case, this technology can be used to easily “paralyze” a company network. It is sufficient, for example, not to transmit a gateway , or each client is assigned its own subnet , thus limiting the connection as far as possible.
The targeted redirection of data traffic by sending addresses from defective DNS servers or routers (gateways) to the requesting computer has far more drastic effects on network security . For example, a router can be specified that records the client's data traffic or prepares a man-in-the-middle attack .
Countermeasures:
- RogueDetect is a Perl script with which DHCP requests can be sent into the network and the responses can be evaluated. The free script can be used as a daemon and expanded.
- Open DHCP Locate is free software for finding DHCP problems
- The switch manufacturer CISCO offers appropriate software for its hardware under the name DHCP-snooping