re: Technical Lab Analysis: ISC DHCP

fluke — Wed, 26 Jul 2006 21:52:10 GMT

This guide is a nice start. I look forward to seeing the next set of guides.

"Rogue detect" is no longer available. The Freshmeat page still exists but both of the links provided go to 404. But since it is under the GPL, you can put up your own mirror of the package.

A rogue dhcp server will usually cause ISC DHCPD to log entries as clients attempt to request a lease for the invalid IP. It will appear as:

dhcpd: DHCPREQUEST for 192.168.1.101 from 00:1a:2b:3c:4d:5f via 10.200.200.1: ignored (not authoritative).

Note that in the example the 192.168.1.101 is the IP address of the *client* and not the IP address of the rogue dhcp server.

You can also use snort to log rogue DHCP servers:

var DHCP_SERVERS [10.200.200.5,10.200.250.8]

alert udp !$DHCP_SERVERS 67 -> any 68 (msg: "Rogue DHCP server...");

The best method of addressing rogue DHCP servers is to block them at the switch such as using Cisco DHCP snooping feature.

I was expecting to see something in the guide about DHCP option 60 and option 43 such as:

option space MSFT;

option MSFT.DisableNetBIOS code 1 = unsigned integer 32;

option MSFT.ReleaseOnShutdown code 2 = unsigned integer 32;

option MSFT.DefaultRouteMetric code 3 = unsigned integer 32;

if substring (option vendor-class-identifier, 0, 4) = "MSFT" {

vendor-option-space MSFT;

option MSFT.DisableNetBIOS = 1;

}

Another interesting feature is being able to allow or deny "known clients" from different subnet pools. This is the basis by which Southwestern University's NetReg system works. It is available under the GPL from netreg.org