Rogue DHCP Server

A rogue DHCP server is an unauthorized DHCP server that responds to client requests on a network, potentially disrupting legitimate network operations or creating security vulnerabilities. These can be accidentally deployed (misconfigured devices) or maliciously installed to intercept network traffic.

How Rogue DHCP Servers Cause Problems

  • IP Address Conflicts: Multiple DHCP servers assigning overlapping IP ranges create duplicate address assignments
  • Incorrect Network Configuration: Clients may receive wrong default gateway, DNS servers, or subnet masks
  • Man-in-the-Middle Attacks: Malicious rogue servers can redirect traffic through attacker-controlled gateways
  • Network Segmentation Bypass: Clients might receive addresses from wrong VLANs or subnets
  • Service Disruption: Legitimate clients unable to obtain proper network configuration

Detection Methods

  • DHCP Snooping Logs: Cisco switches log untrusted DHCP offers when snooping is enabled
  • Network Monitoring: Tools like Wireshark can capture multiple DHCP OFFER messages from different servers
  • IP Helper Statistics: Routers track DHCP relay statistics showing multiple server responses
  • Client Behavior: Users reporting intermittent connectivity or wrong network settings
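The Wireshark-style detection above (several DHCP OFFERs from different servers answering the same client) can be automated. The following Python script is an added example, not part of the original notes: it parses raw DHCP (BOOTP) payloads, extracts the message type (option 53) and the Server Identifier (option 54), flags any OFFER/ACK/NAK that did not come from an allow-listed server, and separately reports transaction IDs that received offers from more than one server. The packets, the authorised server 10.0.0.2, the rogue server 192.168.1.1 and the MAC addresses are all constructed for the example.

```python
"""Offline rogue-DHCP detector over raw DHCP payloads (constructed sample data)."""
import struct
from dataclasses import dataclass
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str
    chaddr: str
    msg_type: Optional[str]
    server_id: Optional[str]


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed 236-byte BOOTP header, the magic cookie and the TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = _ip(payload[16:20])                  # address being offered/assigned
    chaddr = payload[28:28 + hlen].hex(":")        # client hardware address
    msg_type = server_id = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], f"TYPE{value[0]}")
        elif code == 54 and length == 4:
            server_id = _ip(value)
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, chaddr, msg_type, server_id)


def build_dhcp(op, xid, yiaddr, chaddr, msg_type, server_id=None) -> bytes:
    """Construct a minimal DHCP payload; used only to fabricate sample traffic."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)      # op..flags (12 bytes)
    hdr += b"\x00" * 4                                           # ciaddr
    hdr += bytes(int(x) for x in yiaddr.split("."))              # yiaddr
    hdr += b"\x00" * 8                                           # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\x00")  # chaddr
    hdr += b"\x00" * 192                                         # sname + file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return hdr + opts + b"\xff"


def find_rogue_offers(packets, authorised_servers):
    """(xid, type, server_id) for every server message whose Server Identifier is not authorised."""
    alerts = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg.msg_type in SERVER_MSGS and msg.server_id not in authorised_servers:
            alerts.append((msg.xid, msg.msg_type, msg.server_id))
    return alerts


def competing_offers(packets):
    """xid -> set of server ids, for transactions that got OFFERs from more than one server."""
    seen = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg.msg_type == "OFFER":
            seen.setdefault(msg.xid, set()).add(msg.server_id)
    return {xid: servers for xid, servers in seen.items() if len(servers) > 1}


# Constructed sample capture: a DISCOVER, the legitimate OFFER, and a rogue OFFER for the same xid
AUTHORISED = {"10.0.0.2"}
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1234, "0.0.0.0", "aa:bb:cc:dd:ee:01", 1),
    build_dhcp(2, 0x1234, "10.0.0.50", "aa:bb:cc:dd:ee:01", 2, "10.0.0.2"),
    build_dhcp(2, 0x1234, "192.168.1.50", "aa:bb:cc:dd:ee:01", 2, "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in find_rogue_offers(SAMPLE_PACKETS, AUTHORISED):
        print("server message from unauthorised DHCP server:", alert)
    for xid, servers in competing_offers(SAMPLE_PACKETS).items():
        print(f"xid {xid:#x} received offers from {sorted(servers)}")
```

Fed with the UDP payloads of a real capture (for example exported from a SPAN port), the allow-list check is the high-confidence signal; the competing-offers check needs no allow-list and is useful when the legitimate server addresses are not known, at the cost of false positives on networks that deliberately run redundant DHCP servers.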

DHCP Snooping (Primary Defense)

DHCP Snooping is the most effective protection against rogue DHCP servers - it classifies the ports of a Layer 2 switch as trusted or untrusted and drops DHCP server messages that arrive on untrusted ports.

Configuration Concept

  • Trusted Ports: Allow DHCP server messages (OFFER, ACK, NAK) - typically uplinks to legitimate DHCP servers
  • Untrusted Ports: Block DHCP server messages, only allow client messages (DISCOVER, REQUEST) - typically access ports
  • Binding Database: Tracks legitimate IP-to-MAC-to-Port mappings for additional security features

Key Commands (Cisco)

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
Switch(config)# ip dhcp snooping database flash:dhcp-snooping.db

The first two commands enable snooping globally and on the listed VLANs (nothing is filtered until both are set). The trust command is an interface-level command, so the uplink towards the legitimate DHCP server (GigabitEthernet1/0/24 here is an example port) must be selected first; every other port stays untrusted by default. The database command writes the binding table to persistent storage so bindings survive a reload; ip dhcp snooping binding, by contrast, is a privileged-EXEC command for adding static entries, not a configuration command.

Additional Snooping Features

  • Rate Limiting: Prevents DHCP starvation attacks by limiting requests per second on untrusted ports
  • Option 82: Adds switch information to DHCP requests for tracking and security
  • Binding Table: Creates foundation for Dynamic ARP Inspection (DAI) and IP Source Guard
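To make the trust model, the rate limit and the binding table concrete, here is an added Python model of what a snooping-enabled switch port does with each DHCP message; it is illustrative code, not Cisco's implementation and not part of the original notes. It takes already-decoded message records (port, VLAN, message type, client MAC, offered IP, timestamp) rather than raw packets, drops server messages on untrusted ports, counts client messages per untrusted port against a per-second limit and err-disables the port when the limit is exceeded (the behaviour Cisco switches have for ip dhcp snooping limit rate), learns the client port from the REQUEST and the address from the trusted-side ACK to populate the binding table, and exposes the binding-table lookup that IP Source Guard and DAI rely on. The port names, MAC addresses and IP addresses in the scenario are constructed.

```python
"""Model of a DHCP-snooping switch port: trust filtering, rate limiting, binding table."""
from collections import defaultdict, deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit_pps):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps
        self.recent = defaultdict(deque)   # untrusted port -> timestamps of the last second
        self.errdisabled = set()           # ports shut down for exceeding the rate limit
        self.pending = {}                  # (mac, vlan) -> access port that sent DISCOVER/REQUEST
        self.bindings = {}                 # (mac, vlan) -> (ip, port): the snooping binding table
        self.log = []

    def process(self, msg):
        """Return 'forward' or 'drop' for one decoded DHCP message seen on a port."""
        port, kind, key = msg["port"], msg["type"], (msg["mac"], msg["vlan"])
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:
            # Trusted side: server messages are allowed; an ACK completes a binding
            if kind == "ACK" and key in self.pending:
                self.bindings[key] = (msg["ip"], self.pending.pop(key))
            return "forward"
        # Untrusted side: never accept server messages (this is what stops a rogue server)
        if kind in SERVER_MSGS:
            self.log.append(f"DROP {kind} from untrusted port {port} (possible rogue server)")
            return "drop"
        # Sliding one-second window of client messages per untrusted port
        window = self.recent[port]
        while window and msg["ts"] - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.rate_limit:
            self.errdisabled.add(port)
            self.log.append(f"ERR-DISABLE {port}: more than {self.rate_limit} DHCP pps")
            return "drop"
        window.append(msg["ts"])
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[key] = port
        return "forward"

    def is_valid_source(self, port, vlan, mac, ip):
        """IP Source Guard / DAI style check: does this (port, VLAN, MAC, IP) match a binding?"""
        return self.bindings.get((mac, vlan)) == (ip, port)


def run_scenario():
    """Constructed scenario: one legitimate lease, one rogue OFFER, one starvation burst."""
    sw = DhcpSnooping(trusted_ports={"Gi1/0/24"}, rate_limit_pps=3)
    client = "aa:bb:cc:dd:ee:01"
    events = [
        dict(port="Gi1/0/1", vlan=10, type="DISCOVER", mac=client, ip=None, ts=0.0),
        dict(port="Gi1/0/2", vlan=10, type="OFFER", mac=client, ip="192.168.1.50", ts=0.1),   # rogue
        dict(port="Gi1/0/24", vlan=10, type="OFFER", mac=client, ip="10.0.10.50", ts=0.1),    # legit
        dict(port="Gi1/0/1", vlan=10, type="REQUEST", mac=client, ip="10.0.10.50", ts=0.2),
        dict(port="Gi1/0/24", vlan=10, type="ACK", mac=client, ip="10.0.10.50", ts=0.3),
    ]
    # Burst of DISCOVERs with changing MACs from one access port, as in DHCP starvation
    events += [
        dict(port="Gi1/0/3", vlan=10, type="DISCOVER", mac=f"de:ad:be:ef:00:{i:02x}", ip=None, ts=1.0 + i * 0.01)
        for i in range(5)
    ]
    decisions = [sw.process(e) for e in events]
    return sw, decisions


if __name__ == "__main__":
    sw, decisions = run_scenario()
    print(decisions)
    print(sw.bindings)
    for line in sw.log:
        print(line)
```

The rogue OFFER on Gi1/0/2 is dropped without any allow-list because an access port is never allowed to source server messages; the burst on Gi1/0/3 is cut off after the third message in the same second and the port is err-disabled, which is why the notes treat rate limiting as protection against both accidents and starvation attacks. The binding learned for Gi1/0/1 is what later lets a switch reject an ARP reply or IP packet whose source does not match the lease.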

Alternative Protection Methods

Method                  Effectiveness   Use Case                        Limitations
DHCP Snooping           High            Layer 2 switched networks       Requires switch support
Port Security           Medium          Prevents unauthorized devices   Doesn’t prevent software-based rogues
802.1X Authentication   High            Enterprise environments         Complex deployment
VLAN Segmentation       Medium          Isolate DHCP servers            Doesn’t prevent same-VLAN rogues
Manual IP Assignment    High            Small, controlled networks      Not scalable

Vocabulary

  • DHCP Snooping: Layer 2 security feature that filters DHCP messages based on port trust state
  • Binding Database: Table mapping IP addresses to MAC addresses and switch ports
  • Trusted Interface: Port allowed to send DHCP server responses (OFFER, ACK, NAK)
  • Untrusted Interface: Port that can only send DHCP client messages (DISCOVER, REQUEST)
  • DHCP Starvation: Attack exhausting DHCP pool by requesting all available addresses

Notes

  • Always enable DHCP snooping on access switches in enterprise environments - it’s your primary defense
  • Trust uplink ports and ports connected to legitimate DHCP servers/relays only
  • Enable binding database to support DAI and IP Source Guard for comprehensive Layer 2 security
  • Consider DHCP reservations for critical devices (servers, printers, network equipment) to prevent conflicts
  • Monitor DHCP pool utilization - rogue servers or attacks can quickly exhaust available addresses
  • In military/government networks, unauthorized DHCP servers are considered hostile reconnaissance - immediate containment protocols apply
  • Remember: DHCP operates at Layer 2/3 boundary - protection requires both switch-level controls and network monitoring
  • Rate limiting on untrusted ports prevents both accidental misconfigurations and intentional attacks