How to deal with Rogue DHCP or DHCP Spoofing?

[racer]

This might be kind of very simple topic which is not really highlighted but very important to understand and remember. The reason is due to vast expansion of web we are now in more engaged in new technologies. Latest platform challenges to give more recent security support on software and hardware level. But does that complete security package is enough to deal with the threats. My guide is more based on a very vast network. Anyhow we are now in touch with network either your are sole broadband using surfing no WAN or either you are an enterprise. DHCP spoofing or Rogue DHCP is a method by which your traffic is hijacked and redirected to unknown websites. I cannot explain the same in more simple way. For getting more aware about this you will need to go through the below articles where I had tried to explain in more detail how this all works.

I had figured out many times an unknown kind of DHCP server addresses. It was difficult for me to talk with ISP customer care and tell them this to fix the same from there end. By they don’t looks much bothered. A way to protect my system and data is by using a pack of internet security suite which is plenty of available. Each of it guarantees a kind of security features and tons of updates which not a simple user’s cup of tea. So we blindly buy that and think we are secure. But do we really think that even after configuring a high end Internet Security package we are safe. How much of you are satisfied. I will surely find a high percentage. Because on software level it is possible to block some kind of virus infection but what on the hardware level or on the core level where a regular user never checks.

These types of attack usually affect a large network. For example you are on a WAN. The connect is provided you by the ISP. A direct LAN cable goes to your system and your surf. You visit social networking websites, shop online, buy stuff, banking transaction and all and all. And lots other things are carried out, but what I think and found that it is rare to find a security package which gives you a full security unless and until you are entirely on a highly secure independent network. But still there are certain flaws which are still influenced by anti social elements. This flaws are well knows by this attackers who work for various motive to capture data and redirect traffic. I am not talking about IP spoofing here but a low level layer where are not aware how this all work. I recommend reading this once a while to figure out how DHCP Spoofing works. My guide is to provide you proper techniques and information to protect yourself from such threats.

What is DHCP?

DHCP is widely used protocol. It is a process by which the host clients receive auto-ip on automatic settings. It is not secure. DHCP Stands for Dynamic Host Configuration Protocol. It is kind of network protocol which helps the host machine to get access on IP network. Computers around the world are connected via IP network. Each IP network has tons of inter connected computers which in all together become the biggest network called as Internet. Let’s take a smaller example. You have 4 to 7 systems in your office which are connected with each and a user can access by providing the user login / password which is authenticated by a local in-house server. Here IP address is the most important part. This is your systems direct address. For a small network it is allowed automatically by the server itself. So no need to learn rocket science here. What DHCP does here is, it removes the manual work of providing IP address to each system. DHCP does the job when the systems are set on automatic configuration.

The network admin does not need to go in each system and configure the addresses manually. Other than this a DHCP is a central hub for these systems on network. It has a list of all computers temporary IP connected and removes the issue of duplicate ip addresses which can cause network conflict.

How does DHCP Spoofing works:

This attack works by collection of IP addresses of innocent users via spoofed DHCP. I had small explanation on this first how DHCP access works. This is important to understand to figure out the process of gaining access to DHCP server. If you are able to understand this process then it will become easier to manage this. First let’s being with DHCP Spoofing. DHCP Spoofing is a process by which a system acquires IP address from the server. To get on the network you need an IP address. DHCP is responsible to give you that.

The connection follows is in this way:

Look above. The first layer in the system the host. Then comes the network mode or pipeline and then the WAN which is wide area network. The last is the DHCP server. The server for example lies on a remote location. You need IP address via to get on internet. So for that the Pipeline or the network devices, etc will receive a DHCP discover packet. This is preconfigured by the server and can only be understood by the devices. You can install some tools which can sniff this packet. This Discover packet comes from your system on which the pipeline or the network devices respond with DHCP offer packet. This packet has information related to spoofed ip address which is allotted to the system for some time. In this once the DHCP server you contacted is already spoofed your data goes to hijacker. He can redirect the users also to other websites which can carry infections.

[racer]

Types of DHCP Attacks

There are some numbers of attacks which are related to DHCP spoofing and you must learn something about them also.

DHCP server spoofing— as it already discussed more on that above. The name says about the attack. It simply gives a spoof access to the user to the hijacked DHCP server. The attack simply aims to make attackers pc to become a DHCP server and access your network. This can be very risky. Your users can loose most valuable information under this attack even when you are highly secured. In simple world a Rogue server working in the place of actual. An attacker can do lot more with this. He can pull the data, sent virus, sniff the network, etc.

DHCP Exhaustion — Under this DoS attack is carried out by modifying the address service on DHCP servers. Under this the ip address are spoofed and a large number of attack are carried one with one process. Those who are aware how DoS works can easily figure out the working of same. Still I will give a small explanation on the same. When the DHCP Discover message is broadcast form a system he also sends the MAC address with the packet data. Now here the attacker what he does, is keeps changing the Mac address of his system. This Mac address is the hardware address of the system which is very important. By this the attacker used up all the pending ip causing a DHCP exhaust. When this is carried the user machines fails to collect the access to DHCP server and redirects to the attackers server.

Hijacking the IP – This is the later part when the DHCP Discover and DHCP offer process ends. Here the user machine send DHCPRelease message to the server to tell the server that IP address is provided and the user machine can access the network now. But the hijacker here has the knowledge to capture DHCP Release packet and exploit. He can then capture the provided IP and cause network disruption.

How DHCP Spoofing attack does occurs

This attack occurs when your time of temporary ip expires. Your system sends the DHCP Discover packet and the attacker responds on the packet. When the attacker responds on your query he can set himself as your default gateway or DNS without your knowledge. This is a type of intercepting your traffic to the actual gateway. Here the attacker has a chance to flood the DHCP server with DHCP offer packet causing a DoS type attack. Many users who never ever thing what going on the web are easy catch for them. The IPs is pre-assigned by the attackers and they are assigned to the host which make more prone to high risk.

How to Prevent or Protect yourself from DHCP Spoofing

There certain ways to deal with this. You can avoid DHCP Spoofing. It doesn’t matter what type of user you are but at least the steps can be a guide for you to deal with this situation. Currently due to such vastness of the network it is not easy to get a secure DHCP. Till yet I had not found such service. But you can resistance to the attack. You can protect yourself from that and avoid using your valuable information.

First get aware about the various DHCP attacks. Learn about them and take precautions.

Second step, if you want get completely secured then in my views do not use DHCP. Try to configure your each TCP/IP manually so that you can avoid someone to exploit your protocol. Many big enterprise use dedicated network admin to configure the same. If you do not have a largest network then this will not be an issue.

Third, for a DHCP attack the hijacker needs access to your network first. If he is not in he cannot do anything. So for that will send DHCP offer packets to hijack the client pc. The hijacker will convert this own system as a Rogue DHCP server which will capture your data and traffic. So if you have DHCP protocol enabled on your network then you must take precaution. The IP information is refreshed within few interval of time which can be captured by the hijacker.

Fourth, configuring DHCP with proper admin control. It is possible in DHCP to configure a separate group of Administrator. This group has rights to make changes and authorizes users to DHCP settings. This is really very essential for long network groups. The one thing which you need to take is managing tight account registration settings. The audit is really necessary to check the authorize and unauthorized access to the network. If you cannot control the security or manage the group it is no worth of applying the same as this can be a bit complicated.

Common cause of DHCP Attack

If your network is under DHCP spoofing the common issue that you will face is loose in bandwidth, cannot access some webpages, redirection, loss of user privacy, etc. Via simpl process the attacker hijacks the network and post its server on the default dns causing the entire network prone to attack. Youc an check the same via ipconfig /all what is your current DHCP server.

Rogue DHCP Detection Tool:

There is small tool which I found on internet. You can download the same by searching on Google. I am not sure how much valid this is, but surely help you to figure out your current status. It is not easy to figure the rogue DHCP as some of the spoofing attacks works under networking policies. That is goes to legal method of using unauthorized hacks.