FortiGate
ManoelMartins
Article Id 280642
Description

This article describes a case where the messages from a DHCP server (OFFER and ACK) to the clients are unicast, and explains why the analysis must focus on the broadcast messages that reach the FortiGate.
Scope

FortiOS, DHCP Service.

 

Topology:

[Image: network topology]

 

Solution

This article presents three options to confirm the presence of a rogue DHCP server (a server that is not expected on the network).

 

1. Extract the 'Server Identifier' option from the DHCP Request message.

 

From the packet captured on the FortiGate, open the DHCP Request message (broadcast by the client) and look for the option 'Server Identifier' as shown below.

 

[Image: DHCP Request packet showing the Server Identifier option]

 

According to RFC 2131, this option should be present in the message, or at least the Vendor Class Identifier option.
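As an added example (not part of the original article), the following Python parses a raw DHCP payload, such as one exported from the FortiGate capture, and extracts the Server Identifier (option 54) and Vendor Class Identifier (option 60) so they can be compared with the FortiGate's own DHCP address. The client MAC, the rogue address 192.168.30.254 and the expected FortiGate address 192.168.30.1 are constructed values, not from the article.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie, always at offset 236
OPT_MSG_TYPE, OPT_REQ_IP, OPT_SERVER_ID, OPT_VENDOR_CLASS = 53, 50, 54, 60
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header and the DHCP option list of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    # chaddr starts at offset 28; byte 2 (hlen) gives its length (6 for Ethernet)
    msg = {"client_mac": payload[28:28 + payload[2]].hex(":"), "options": {}}
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 0:                       # pad option has no length byte
            i += 1
            continue
        if tag == 255:                     # end option
            break
        length = payload[i + 1]
        msg["options"][tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg

def check_server_identifier(payload: bytes, expected_server: str) -> dict:
    """Read options 54 and 60 from a REQUEST and flag a server we do not expect."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    result = {"client_mac": msg["client_mac"], "server_id": None, "vendor_class": None,
              "message_type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
              "rogue": False}
    if len(opts.get(OPT_SERVER_ID, b"")) == 4:
        result["server_id"] = str(IPv4Address(opts[OPT_SERVER_ID]))
        result["rogue"] = result["server_id"] != expected_server
    if OPT_VENDOR_CLASS in opts:
        result["vendor_class"] = opts[OPT_VENDOR_CLASS].decode("ascii", "replace")
    return result

def build_request(client_mac: bytes, requested_ip: str, server_id: str) -> bytes:
    """Constructed sample: the broadcast REQUEST a client sends after accepting an OFFER."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 3])                                   # REQUEST
               + bytes([OPT_REQ_IP, 4]) + IPv4Address(requested_ip).packed
               + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
               + bytes([OPT_VENDOR_CLASS, 8]) + b"MSFT 5.0" + b"\xff")      # end
    return header + MAGIC_COOKIE + options
```

Run `check_server_identifier(build_request(bytes.fromhex("001122334455"), "192.168.30.7", "192.168.30.254"), "192.168.30.1")` to see a REQUEST whose Server Identifier does not match the FortiGate flagged as rogue.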

 

2. Analyze the surrounding traffic in the packet capture from the FortiGate.

      

In cases where the option above does not provide any information about the server, another approach is needed.

In Wireshark, at least the following packets are expected to appear in the capture:

 

[Image: packet capture showing the ARP Request and ARP Announcement]

 

As shown in the image above, there are no DHCP server messages (Offer or Ack), but another device (50:00:00:02:00:01) sends an ARP Request for the IP 192.168.30.7, followed by an ARP Announcement.

 

This means that a DHCP server is checking whether the IP 192.168.30.7 is already in use on the network before deciding whether to offer it to the client; when no one answers, the address is confirmed free and the client sends the ARP Announcement.

 

In this example, if some device already has this specific IP assigned, the communication between the clients will not be visible because it is unicast, but a DHCP Decline message broadcast by the client will appear and the Discover, Offer, etc. process will restart.

 

Note: In a large-scale environment, there may be many ARP Request messages that do not come from a DHCP server. In these cases, look at the messages surrounding the ARP Announcement and dismiss the irrelevant ones by process of elimination, for example by tracking the MAC address.

 

3. Disable the DHCP service on the FortiGate.

 

This option is simpler than the first: disable the DHCP server on the interface and have the client retry obtaining an IP address.


If the client still receives an IP assignment, all the necessary information has been obtained. It then only remains to get the DHCP server's MAC address to confirm that there is a rogue DHCP server and to identify it from that address.