Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ManoelMartins
Staff
Staff

Created on ‎10-24-2023 11:44 PM Edited on ‎01-22-2025 07:44 AM By Moderator

Article Id 280642

Technical Tip: How to detect ROGUE DHCP on the network

Description This article describes a case where the messages from a DHCP server (OFFER and ACK) to the clients are unicast and explains the necessity of focusing on the broadcast messages that arrive on FortiGate.
Scope

FortiOS, DHCP Service.

 

Topology:

 

Topology.jpg

 
Solution

This article presents 3 options to confirm the presence of a ROGUE DHCP Server (not expected Server) on the network.

 

  1. Extract the optional 'Server Identifier' from the DHCP Request message.

 

From the packet captured on the FortiGate, open the DHCP Request message (broadcasted from the client) and look for the option 'Server Identifier' as shown below.

 

server identifier.jpg

 

From the RFC 2131, this option should exist on the message, or at least the Vendor Class Identifier

 

  1. Using the packet capture from the FortiGate.

          

    In cases where there is no information about the server available from the option above, it is necessary to try another approach.

    From the Wireshark, it is expected that at least the following packets were captured:

     

    pcap01pcap01

     

    As shown in the image above, there are no DHCP Server messages (Offer or Ack), but there is another device (50:00:00:02:00:01) sending an ARP Request for the IP 192.168.30.7 and there is an ARP Announcement afterward.

     

    This means that some DHCP Servers are verifying if already have the IP 192.168.30.7 on the network to decide if is Offered to the client, then it is the confirmation that no one answered and the client sends the ARP Announcement.

     

    From this example, if some devices already have this specific IP assigned, the communication between the clients will not be visible because it is unicast, but it will show a DHCP Declined message broadcasted from the client and the process of Discover, Offer, etc, will restart.

     

    Note: In a large-scale environment, there may be many ARP Request messages that may not be a DHCP Server. In these cases, it is necessary to look for the messages surrounding the ARP Announcement and then dismiss the irrelevant ones by process of elimination, possibly through tracking the MAC address.

     

     

  2. Just disable the DHCP Service on the FortiGate.

     

     

This option is simpler than the first option: disable the status of the DHCP Server on the interface, and retry obtaining IP from the client


If the client receives the IP assignment, all necessary information has been obtained. It will then only be necessary to get the DHCP Server MAC address to confirm that there is a Rogue DHCP Server and to confirm who it is from that address.

 

Example: Get a new DHCP address on a Windows client. Open CMD and type 'ipconfig /all', it will be possible to check the DHCP server IP address. Now run the command 'arp -a' it will be possible to check the ARP table of the Windows client, and what is the MAC address of the server found with the command 'ipconfig /all'. With this information it will now be possible to discover to which switchport the rogue DHCP server is directly connected to.
3938
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.