Win2K's DHCP service protects your network from imposters
A DHCP server is a useful tool that automates the assignment of IP addresses to hundreds of workstations in your network. The server maintains a pool of IP addresses that you use to create scopes. (A DHCP scope is a collection of IP addresses and TCP/IP configuration parameters that are available for DHCP clients to lease.) The server then allocates these IP addresses and the related TCP/IP configuration settings to DHCP-enabled clients on the network. The DHCP service leases the IP addresses to clients for a period that you specify when you create a scope; a lease becomes inactive when it expires. Through the DHCP server, you can also reserve specific IP addresses permanently for hardware devices that must always have the same address (e.g., a DNS server).
An advantage of using DHCP is that the service assigns addresses dynamically. The service returns addresses that are no longer in use to the IP address pool so that the server can reallocate them to other machines in the network. If not for this service, you would have to manually configure IP for new computers, keep track of IP addresses so that you could reassign addresses that clients aren't using, and reconfigure computers that you move from one subnet to another.
An authorized DHCP server can save you a lot of time and effort by eliminating the need to manually track and assign IP addresses for each client on your network. (Administrators of small networks can enjoy some of the benefits of DHCP through Windows 2000's Automatic Private IP Addressing (APIPA) service. For information about this feature, see the sidebar "Automatic Private IP Addressing.") But beware: an unauthorized (aka rogue) DHCP server can cause problems on your network by assigning incorrect IP addresses, incorrect lease terminations, missing or incorrect DHCP options, or duplicate IP addresses. A rogue DHCP server is a misconfigured or unauthorized server that is usually introduced to the network accidentally by a user experimenting with a DHCP server. However, a malicious operator can also introduce a rogue DHCP server deliberately, for example to hand out a default gateway or DNS server under the attacker's control.
When a rogue DHCP server leases incorrect IP addresses to clients, the clients can fail to locate valid domain controllers (DCs), which prevents the clients from successfully logging on to the network. In addition, a rogue server might turn down DHCP clients' requests to renew their current leases. Under usual circumstances, the DHCP service grants renewals when clients request them.
To keep rogue DHCP servers from causing these types of problems, the Win2K DHCP service includes two safeguards: conflict detection, which keeps a server from offering an address that another host already uses, and server authorization in Active Directory (AD), which keeps unauthorized Win2K DHCP servers from leasing addresses at all. To understand how a Win2K DHCP server detects rogue DHCP servers, you must be familiar with how transactions pass between the client and server, as well as understand the server authorization process.
Client and Server DHCP Transactions
The first time that a DHCP client attempts to log on to the network, it initiates a request for an IP address by broadcasting a DHCPDiscover message to locate a DHCP server. The client doesn't have an assigned IP address yet, so it sends the DHCPDiscover packet with a source IP address of 0.0.0.0.
Every DHCP server that receives the broadcast, including any rogue DHCP server, replies to the DHCPDiscover message with a DHCPOffer message that contains an unleased IP address and IP configuration information, such as the subnet mask. The client accepts the first offer it receives; it has no way to tell an authorized server's offer from a rogue's, so a rogue that answers faster wins. To accept the offer, the client broadcasts a DHCPRequest packet that names the selected server (the server identifier option), so the other servers learn that the client declined their offers.
To acknowledge the client's acceptance of the IP address, the selected DHCP server responds with a DHCPAcknowledge packet (aka a DHCPAck packet). After the client receives this packet, it can participate in the TCP/IP network.
If a problem exists with the requested IP address (e.g., the IP address is no longer available because another client is using it), the DHCP server sends the client a DHCPNak packet. When a client receives a DHCPNak packet, it must start the discovery process again to locate an available IP address. If a rogue DHCP server has leased the client an incorrect IP address or subnet mask, the DHCP client won't be able to successfully log on to the network.
A DHCP client can send two additional packets to DHCP servers. If a client determines that the offered configuration parameters aren't valid (e.g., if the client discovers that another client has the IP address that the DHCP server has offered), the client sends the DHCP server a DHCPDecline packet. The client then starts at the beginning of the IP address location process. To release its current IP address and cancel the remaining lease, a client sends a DHCPRelease packet to the server. For more information about DHCP messages, scopes, and the lease process, see "Related Articles in Previous Issues."
Detecting Address Conflicts
By default, the Win2K DHCP service doesn't perform conflict detection because each conflict detection attempt adds time to the IP address lease negotiation between clients and servers. In addition, conflict detection is usually not necessary. However, if you suspect that DHCP servers are assigning duplicate addresses on your network (e.g., if clients can't log on to the network for a time and are later able to log on with no problems), you might want to enable conflict detection for troubleshooting purposes.
If you enable conflict detection on a Win2K DHCP server, the server pings an IP address before offering that address to a client. If a computer on the network responds to the ping, the server treats the address as in use and doesn't offer it. Instead, the server marks that IP address in the scope as BAD_ADDRESS, then checks the next available address for a conflict and offers that address. The BAD_ADDRESS entry is released, and the address returns to the pool, when that entry's lease period expires (you can also delete the entry by hand once you have resolved the conflict). DHCP servers don't ping IP addresses for clients that are requesting a renewal of an existing lease.
To enable conflict detection, right-click the DHCP server in the console tree of the Microsoft Management Console (MMC) DHCP snap-in, and select Properties. On the Advanced tab of the server's properties dialog box, which Figure 1 shows, enter a number greater than 0 in the Conflict detection attempts box. This number specifies how many times the DHCP server will ping an IP address to determine whether a conflict exists before the server offers the IP address to a client. Each ping delays the DHCP server's response by about 1 second, so a high value slows every new lease on the server. Microsoft recommends that you enter a value of 2 or less.
Win2K clients can also check for IP address conflicts. If a client detects a conflict, the client sends a DHCPDecline packet to the DHCP server. As occurs in server-side conflict detection, the server then attaches a BAD_ADDRESS value to the IP address in the scope.
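The following Python simulation is an added example that reproduces the conflict-detection rules described above (it is not Microsoft's DHCP service code). The `probe` callable stands in for the ICMP echo the server sends, the set of hosts that answer it is constructed for the demonstration, and the `Scope` class and its `demo` scenario are hypothetical names chosen here. The example also shows why the setting costs lease time: every probe the server sends is counted.

```python
"""Simulation of Win2K server-side conflict detection: ping before offering,
mark answering addresses BAD_ADDRESS, never ping on renewal, and honour a
DHCPDecline from a client that did its own check.
Added example, not Microsoft's code; hosts and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BAD_ADDRESS = "BAD_ADDRESS"      # label the DHCP console shows for a conflicting lease


@dataclass
class Scope:
    pool: List[str]                                   # scope addresses, in offer order
    attempts: int = 0                                 # "Conflict detection attempts"; 0 = off
    leases: Dict[str, str] = field(default_factory=dict)  # ip -> client id or BAD_ADDRESS
    probes_sent: int = 0                              # each probe delays the offer by ~1 s

    def _probe(self, addr: str, probe: Callable[[str], bool]) -> bool:
        self.probes_sent += 1
        return probe(addr)                            # True means a host answered

    def offer(self, client_id: str, probe: Callable[[str], bool]) -> Optional[str]:
        """Offer the first free address that nothing answers for."""
        for addr in self.pool:
            if addr in self.leases:
                continue
            # any() stops at the first reply, so a busy address costs one probe
            if any(self._probe(addr, probe) for _ in range(self.attempts)):
                self.leases[addr] = BAD_ADDRESS       # in use: skip it, try the next one
                continue
            self.leases[addr] = client_id
            return addr
        return None                                   # scope exhausted, no offer made

    def renew(self, client_id: str, addr: str) -> bool:
        """Renewals are granted without pinging, as the text describes."""
        return self.leases.get(addr) == client_id

    def decline(self, client_id: str, addr: str) -> None:
        """Client-side detection: a DHCPDecline marks the address BAD_ADDRESS too."""
        if self.leases.get(addr) == client_id:
            self.leases[addr] = BAD_ADDRESS


def demo(attempts: int) -> dict:
    """Constructed scenario: 10.0.0.10 already belongs to a statically configured host."""
    answering_hosts = {"10.0.0.10"}

    def probe(addr: str) -> bool:
        return addr in answering_hosts

    scope = Scope(pool=["10.0.0.10", "10.0.0.11", "10.0.0.12"], attempts=attempts)
    first = scope.offer("client-a", probe)
    renewed = scope.renew("client-a", first)          # no probe is sent for this
    probes_after_renew = scope.probes_sent
    second = scope.offer("client-b", probe)
    scope.decline("client-b", second)                 # client-b saw the address in use itself
    return {"first": first, "second": second, "renewed": renewed,
            "probes": probes_after_renew, "leases": dict(scope.leases)}


if __name__ == "__main__":
    print(demo(2))   # with detection on, 10.0.0.10 is skipped and marked BAD_ADDRESS
    print(demo(0))   # with detection off (the default), 10.0.0.10 is handed out anyway
```

With `attempts=2` the busy address costs one probe (the first reply ends the check) and each clean address costs two, so the first lease is delayed about three seconds; with the default of 0 the duplicate address is leased immediately, which is exactly the symptom the troubleshooting advice above is aimed at.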
Authorizing a Win2K DHCP Server
When you're planning your DHCP server, you must also consider which name-resolution service to implement, because the DHCP server hands the name-server addresses to clients. For Win2K networks, the DNS service is necessary for general name resolution and Active Directory (AD) support. Windows NT 4.0 and earlier clients rely on WINS servers for NetBIOS name resolution. If your network supports a combination of Win2K and NT 4.0 clients, you must implement both DNS and WINS.
You must authorize DHCP servers in the directory service before they can provide DHCP services to clients. For authorization to take place on your network, you must ensure that the first DHCP server that you introduce to the network participates in AD. Thus, you must install this DHCP server in a domain (not a workgroup) on either a Win2K member server or DC. This setup causes AD to create the DhcpServer object (under CN=NetServices,CN=Services in the forest's Configuration container). After you define a scope, you can authorize a Win2K DHCP server by selecting the server in the DHCP snap-in and choosing Authorize from the Action menu, which Figure 2 shows (Activate, by contrast, applies to a scope, not to the server). You must be a member of the Enterprise Admins group to authorize a DHCP server in AD.
The DhcpServer object provides two functions: This object maintains the list of your network's authorized DHCP servers by IP address, and it lets the DHCP service detect rogue Win2K DHCP servers and keep them out of your network's IP address allocation transactions. This built-in integrity check, called Rogue DHCP Server Detection, is automatically enabled as long as AD is in place. When a Win2K DHCP service starts, it sends a DHCPInform message to find the directory, queries the DhcpServer object, and checks whether its own IP address is on the authorized list; if it isn't, the service logs an event and stops servicing clients. Thus, if you forget to authorize a new DHCP server, it will refuse to lease addresses until you do. You can review the authorized list at any time with netsh dhcp show server. Note that only Win2K DHCP servers consult this list: an NT 4.0 or third-party DHCP server never asks AD for permission, so authorization does not stop those rogues, and you still need to watch the wire for offers from unexpected servers.
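The following Python example is added here to show two things the text describes but does not spell out on the wire: the Discover/Offer/Request/Ack exchange from the "Client and Server DHCP Transactions" section, and the authorized-server check from this section applied to captured offers. It is not Microsoft's DHCP service code; the authorized list, MAC address, transaction ID, addresses and lease time are constructed for the demonstration, and the option-54 check is a passive audit you could run yourself (it also catches the non-Win2K rogues that AD-based detection cannot), not the mechanism the Win2K service uses internally.

```python
"""DHCP message encoding/decoding (RFC 2131 fixed header, RFC 2132 options) with a
walkthrough of Discover/Offer/Request/Ack and a rogue-offer check that compares
each DHCPOffer's server identifier (option 54) against an authorized list.
Added example, not Microsoft's code; all addresses and IDs are constructed."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                      # cookie that starts the options field
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
BOOTREQUEST, BOOTREPLY = 1, 2
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"              # op htype hlen hops xid secs flags
                                                 # ciaddr yiaddr siaddr giaddr chaddr sname file
AUTHORIZED = {"10.0.0.2"}                        # constructed stand-in for the DhcpServer list


def ip(addr: str) -> bytes:
    return IPv4Address(addr).packed


def build(msg_type, xid, chaddr, yiaddr="0.0.0.0", ciaddr="0.0.0.0", options=None) -> bytes:
    """Encode one DHCP message; options is {code: raw value bytes}."""
    op = BOOTREQUEST if msg_type in (DISCOVER, REQUEST, DECLINE, RELEASE) else BOOTREPLY
    head = struct.pack(FIXED, op, 1, 6, 0, xid, 0, 0,
                       ip(ciaddr), ip(yiaddr), ip("0.0.0.0"), ip("0.0.0.0"),
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])               # option 53: DHCP message type
    for code, val in (options or {}).items():
        body += bytes([code, len(val)]) + val
    return head + MAGIC + body + b"\xff"          # option 255: end


def parse(pkt: bytes) -> dict:
    """Decode a DHCP message into header fields and a {code: bytes} option map."""
    f = struct.unpack(FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                          # option 0 is a one-byte pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "ciaddr": str(IPv4Address(f[7])),
            "yiaddr": str(IPv4Address(f[8])), "chaddr": f[11][:f[2]],
            "type": opts[53][0], "options": opts}


def server_id(msg: dict) -> str:
    return str(IPv4Address(msg["options"][54]))


def rogue_offers(packets) -> list:
    """Server identifiers of DHCPOffers that are not on the authorized list."""
    found = []
    for pkt in packets:
        m = parse(pkt)
        if m["type"] == OFFER and server_id(m) not in AUTHORIZED:
            found.append(server_id(m))
    return found


def exchange() -> dict:
    """Discover/Offer/Request/Ack with one authorized and one rogue server answering."""
    mac, xid = bytes.fromhex("001122334455"), 0x3903F326
    discover = build(DISCOVER, xid, mac)         # ciaddr 0.0.0.0: the client has no address yet
    common = {1: ip("255.255.255.0"), 51: struct.pack("!I", 8 * 24 * 3600)}  # mask, 8-day lease
    offers = [
        build(OFFER, xid, mac, yiaddr="10.0.0.50", options={54: ip("10.0.0.2"), **common}),
        build(OFFER, xid, mac, yiaddr="192.168.1.50", options={54: ip("192.168.1.1"), **common}),
    ]
    # A real client takes whichever offer arrives first (a fast rogue wins); for the
    # walkthrough, continue with the authorized offer and report the other one.
    chosen = [parse(o) for o in offers if server_id(parse(o)) in AUTHORIZED][0]
    request = build(REQUEST, xid, mac,
                    options={50: ip(chosen["yiaddr"]), 54: chosen["options"][54]})
    ack = build(ACK, xid, mac, yiaddr=chosen["yiaddr"],
                options={54: chosen["options"][54], **common})
    return {"discover": parse(discover), "request": parse(request),
            "ack": parse(ack), "rogues": rogue_offers(offers)}


if __name__ == "__main__":
    r = exchange()
    print("client leased", r["ack"]["yiaddr"], "from", server_id(r["ack"]))
    print("offers from unauthorized servers:", r["rogues"])
```

The DHCPRequest carries option 50 (the address the client wants) and option 54 (the server it chose), which is how every other server that sent an offer learns it lost. Fed with offers captured from the network instead of the constructed ones, `rogue_offers` is the check a practitioner would run to find a rogue that AD authorization cannot shut down.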