{"id":55,"date":"2011-08-27T00:17:39","date_gmt":"2011-08-26T22:17:39","guid":{"rendered":"http:\/\/blog.copcea.ro\/?p=55"},"modified":"2011-09-21T07:02:44","modified_gmt":"2011-09-21T05:02:44","slug":"dhcp-rogue-detection-and-elimination","status":"publish","type":"post","link":"http:\/\/blog.copcea.ro\/?p=55","title":{"rendered":"DHCP Rogue Detection and Elimination (EN only)"},"content":{"rendered":"<p>After having spent several nights searching a 1500-user network for a rogue DHCP server, coming from a \u201csmart\u201d user who bought a junk router for Christmas, I decided it was time to use our knowledge instead of our nights to solve this issue.<\/p>\n<p>How it was done:<\/p>\n<p>Two different services work together on this issue:<\/p>\n<p>1. DHCPD ROGUE DETECTOR<\/p>\n<p>This is a smart component which is able to turn any network adapter into a DHCP client adapter for a limited amount of time. The really smart thing is that it DOES NOT interfere with the IP addresses already assigned to that specific interface, which usually works as a gateway &#8211; during the sniff, the same interface keeps working as the gateway with its previously assigned addresses.<\/p>\n<p>The component asks for an IP address and records the IP address and MAC address of the DHCP server only if that server is different from the one already present on the same interface. 
The component will NOT bind the IP address assigned by the DHCP server to the interface; instead it writes to a log and sends an email. All parameters are configurable (from, to, mail server etc.) and the component is easily distributable as a compiled ELF binary for both i386 and x86_64 architectures.<\/p>\n<p>2. DHCP Slapper<\/p>\n<p>The first component only tells us about a rogue DHCP server in the network, but it does not interfere with it. Without the second component, the rogue DHCP server is able to do its dirty work without any problem.<\/p>\n<p>This is where the DHCP slapper comes into action.<\/p>\n<p>A regular DHCP exchange is as follows:<\/p>\n<p><em>client looks for a DHCP server using broadcast<\/em><\/p>\n<p>DHCPDISCOVER from MACADDRESS via ethx<\/p>\n<p><em>DHCP server offers the client an IP address via broadcast<\/em><\/p>\n<p>DHCPOFFER on IPADDRESS to MACADDRESS via ethx<\/p>\n<p><em>client requests the IP address via broadcast<\/em><\/p>\n<p>DHCPREQUEST for IPADDRESS (DHCPIPADDRESS) from MACADDRESS via ethx<\/p>\n<p><em>DHCP server acknowledges and leases the IP address to the client via broadcast<\/em><br \/>\nDHCPACK on IPADDRESS to MACADDRESS via ethx<\/p>\n<p>The last message can also be the following:<\/p>\n<p><em>DHCP server does not acknowledge the IP address to the client (via broadcast) because it detects an IP conflict<\/em><br \/>\nDHCPNAK on IPADDRESS to MACADDRESS via ethx<\/p>\n<p>What did we do?<\/p>\n<p>In simple terms, a <em>broadcast<\/em> is a communication sent to all hosts on the segment, addressed at the MAC layer, as opposed to <em>unicast<\/em>, i.e. a communication sent to a single IP address.<\/p>\n<p>Broadcast communication can be received by any computer in the same subnet because a broadcast is essentially \u201cnoise on the wire\u201d. 
It reaches the whole subnet, and the data is sent out through every switch port to all network devices, including computers.<\/p>\n<p>What if we could define a DHCP server that is authoritative not for an IP subnet (or several) but on an <em>interface<\/em>, and tell this DHCP server to fight any other DHCP server it hears? Since a rogue DHCP server uses the same exchange to talk to a client, it would be enough if, after the rogue DHCP server transmits a DHCPACK, our DHCP server transmitted a DHCPNAK to the same client. DHCP theory (the RFC defining DHCP operation) states that, in this case, the client should restart the whole process with DHCPDISCOVER and so on.<\/p>\n<p>Practice showed that our clients will receive correct IP addresses from this DHCP server after a maximum of 3 DHCPDISCOVERs. Our DHCP server starts to answer quicker and quicker until the client hears the authoritative DHCP server instead of the rogue one.<\/p>\n<p>While this process comes with a broadcast overhead, it is not significant enough to disturb the network in such a manner as to make communications impossible. It does, though, kill all rogue DHCP servers, long enough to let us go out into the field and physically disconnect the cable going to the rogue DHCP server (the next day), and it also allows correct operation of the clients.<\/p>","protected":false},"excerpt":{"rendered":"<p>After having spent several nights searching in a 1500-user network for a rogue dhcp server, coming from a \u201csmart\u201d user who bought a junk router for Christmas, I have decided it\u2019s time to use our knowledge instead of using our nights to solve this issue. 
How it was done: Two different services work aggregated for <a href='http:\/\/blog.copcea.ro\/?p=55' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[62,63],"_links":{"self":[{"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/posts\/55"}],"collection":[{"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=55"}],"version-history":[{"count":5,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/posts\/55\/revisions"}],"predecessor-version":[{"id":301,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=\/wp\/v2\/posts\/55\/revisions\/301"}],"wp:attachment":[{"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=55"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=55"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.copcea.ro\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=55"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}