Possible Duplicate:
How do I find if there is a rogue DHCP server on my Network?
I know this is a serious long shot, but here we go.
In the past week or so, users connected to a particular switch in our network (there are four dumb switches all connected, and it only affects SOME, not all, users on the one switch) have been getting DHCP addresses from a rogue DHCP server.
I have physically checked every cable plugged into the switch in question to make sure that none of them have a router or wifi point attached to it. I know the IP of the DHCP server, but I cannot ping it, and it does not have a web interface.
Does anyone have any suggestions on what I can do to locate it or shut it down? Unfortunately all the switches are unmanaged, and as mentioned, there's no physical device (that I can find) plugged in to anything.
It's getting critical, because it's screwing up the PXE boot of a whole bunch of thin clients.
Try to nmap it using the -O option to detect the operating system; it may give you a better idea of what server it is. Also, running a standard port scan might help figure out what it is.
The fact that you can't ping it isn't a problem.
(This procedure is mostly for managed switches; in the case of your dumb switches, it isn't as helpful, since you can't inspect the CAM table... but anyway.)
So, in your case, you can't follow this up with locating the switchport and disabling it, but you could have at least looked up the MAC address vendor and would have found that the vendor was something like VMware or VirtualBox.
If you have a box lying around, you can install https://roguedetect.bountysource.com/ on it, which will notify you if a problem like this occurs in the future.
Well, you can always try to ping the crap out of it and check the blinky lights on the routers. =P
Does traceroute show you anything?
I know this has already been solved but another means, when you really can't find the machine (knowing it's a VM doesn't tell you what host it's on) is to keep sending it DHCP requests and unplug each cable in turn till it shuts up. Sometimes you just have to get back to crude basics.
Run Wireshark to get the MAC address of the server. It should at least tell you the manufacturer (MAC addresses are centrally allocated and each manufacturer is allocated a set of addresses).
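The check described in the answers above (take the source MAC of the DHCP reply and look up its vendor prefix), as an added example that is not part of the original thread: it parses a raw Ethernet frame carrying a DHCP server reply, extracts the source MAC and the server identifier (option 54), and flags replies from servers outside an allow-list. The allow-list address, the helper names and the sample frame are assumptions constructed for illustration; the three OUI prefixes are well-known VMware and VirtualBox assignments.

```python
AUTHORISED_SERVERS = {"192.168.1.1"}   # assumption: your real DHCP server(s)
VM_OUIS = {"00:50:56": "VMware", "00:0c:29": "VMware", "08:00:27": "VirtualBox"}
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)

def parse_dhcp_reply(frame):
    """Return (source MAC, server identifier, message type) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                     # not IPv4/UDP
    udp = 14 + (frame[14] & 0x0F) * 4   # skip Ethernet + variable IPv4 header
    bootp = udp + 8
    if len(frame) < bootp + 240 or frame[udp:udp + 2] != b"\x00\x43":
        return None                     # too short, or not sent from port 67
    if frame[bootp + 236:bootp + 240] != MAGIC:
        return None
    opts, found, i = frame[bootp + 240:], {}, 0
    while i < len(opts) and opts[i] != 255:      # 255 = end option
        if opts[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                                 # truncated option
        found[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    sid = found.get(54, b"")                      # option 54 = server identifier
    server = ".".join(map(str, sid)) if len(sid) == 4 else None
    mtype = found.get(53, b"\x00")[:1]            # option 53 = message type
    return mac, server, mtype[0] if mtype else 0

def check_frame(frame):
    """Return a finding dict for replies from unauthorised servers, else None."""
    parsed = parse_dhcp_reply(frame)
    if parsed is None or parsed[1] in AUTHORISED_SERVERS:
        return None
    mac, server, mtype = parsed
    return {"mac": mac, "server": server, "type": mtype,
            "vendor": VM_OUIS.get(mac[:8], "unknown")}

def sample_offer(src_mac, server_ip):
    """Constructed DHCPOFFER frame for testing (not a real capture)."""
    ip = bytes(map(int, server_ip.split(".")))
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ipv4 = b"\x45" + bytes(8) + b"\x11" + bytes(2) + ip + b"\xff" * 4
    udp = b"\x00\x43\x00\x44" + bytes(4)          # source port 67, dest 68
    bootp = b"\x02\x01\x06\x00" + bytes(232) + MAGIC
    options = b"\x35\x01\x02" + b"\x36\x04" + ip + b"\xff"
    return eth + ipv4 + udp + bootp + options
```

A reply with no option 54 is also flagged, with `server` set to `None`, since it cannot be matched against the allow-list.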