Warning Signs of a Rogue DHCP Server

by Chris Sanders [Published on 14 March 2007 / Last Updated on 14 March 2007]

Just because you are only supposed to have one DHCP server on your network doesn’t mean it really is the only one

A pretty common rule of thumb for any network using DHCP is to only use one DHCP server, and if you must use more than one to make sure the IP ranges being handed out do not overlap. However, just because you only have one legitimate DHCP server on the network doesn’t mean another one doesn’t exist. There are a couple of telltale signs you can look for when you suspect another DHCP server exists on your network.
  • Several of the computers on the network begin losing their IP addresses or picking up addresses that are not standard on your network.
  • Due to overlapping address ranges being handed out, several machines on your network report IP address conflicts.
  • You see an abnormally large amount of DHCP traffic (UDP ports 67 and 68) flowing through the network when doing a packet capture.
  • Since chances are that a rogue DHCP server is there with malicious intent, the amount of virus traffic caught by your network's virus monitoring system could increase dramatically. Along the same lines, you could also see an increase in bandwidth usage.
Any time you see one of these signs, you should consider the possibility that a DHCP server exists on your network without your knowledge.
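As an added example (not part of the original article), the following Python script applies the packet-capture sign above: it parses DHCP payloads from UDP ports 67/68, counts OFFER and ACK messages per Server Identifier (option 54), and reports any server that is not on an allow-list of authorized DHCP servers. The payloads and addresses in it are constructed for illustration and are assumptions, not data from the article.

```python
import struct
from collections import Counter

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
OFFER, ACK = 2, 5                  # option 53 message types a server sends to a client

def parse_dhcp(payload):
    """Parse a DHCP UDP payload: fixed header, then TLV options until END (255)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None                                # too short or not DHCP
    msg = {"op": payload[0], "xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": ".".join(map(str, payload[16:20])), "type": None, "server_id": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = END option
        if payload[i] == 0:                        # 0 = PAD option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]      # may be truncated; check len(value)
        if code == 53 and len(value) == 1:         # DHCP Message Type
            msg["type"] = value[0]
        elif code == 54 and len(value) == 4:       # Server Identifier
            msg["server_id"] = ".".join(map(str, value))
        i += 2 + length
    return msg

def find_rogue_servers(payloads, authorized):
    """Count OFFER/ACK messages per server identifier; return those not in 'authorized'."""
    seen = Counter()
    for p in payloads:
        m = parse_dhcp(p)
        if m and m["op"] == 2 and m["type"] in (OFFER, ACK) and m["server_id"]:
            seen[m["server_id"]] += 1             # op 2 = BOOTREPLY, i.e. sent by a server
    return {ip: n for ip, n in seen.items() if ip not in authorized}

def build_offer(xid, yiaddr, server_ip):
    """Constructed sample: a minimal DHCPOFFER payload (op=2, options 53 and 54)."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)          # op..flags (12 bytes)
    hdr += b"\0" * 4 + addr(yiaddr) + addr(server_ip) + b"\0" * 4  # ciaddr yiaddr siaddr giaddr
    hdr += b"\0" * (16 + 64 + 128)                                 # chaddr, sname, file
    return hdr + DHCP_MAGIC + b"\x35\x01\x02" + b"\x36\x04" + addr(server_ip) + b"\xff"

# Constructed capture: two offers from the real server, three from an unknown host, one junk packet.
SAMPLE_PAYLOADS = [build_offer(1, "10.0.0.50", "10.0.0.1"), build_offer(2, "10.0.0.51", "10.0.0.1"),
                   build_offer(3, "192.168.7.10", "10.0.0.250"), build_offer(4, "192.168.7.11", "10.0.0.250"),
                   build_offer(5, "192.168.7.12", "10.0.0.250"), b"not dhcp"]

if __name__ == "__main__":
    print(find_rogue_servers(SAMPLE_PAYLOADS, {"10.0.0.1"}))  # {'10.0.0.250': 3}
```

To use it against a real capture, feed the UDP payloads of port 67/68 packets into find_rogue_servers with your legitimate server's address in the allow-list; the offered addresses (yiaddr) from an unknown server also explain the "non-standard address" sign above.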

***

Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, Windows Server 2003, wireless networking, and security. You can view Chris' personal website at www.chrissanders.org.
