ROGUE: DHCP service drops the network.
gjacobse:

This morning's fun: half the network was down for some reason. I won't recount most of it, but it boils down to a Linksys WRX54 device that was sending out DHCP in the 192.168 arena. Our network is configured for 10.0, so the change in IP was throwing people into oblivion when trying to get to servers or the internet. Others were 'ok' for most things.

I searched around the office for the offending device (person) but wasn't able to locate it. I had a PC that was pulling DHCP from it, which is how I knew what type of device it was. Using a browser I attempted to log in... but failed.

It took about 20 minutes of cycling user IDs and passwords to come upon the default user ID (blank) and password. I was in and could take it down.

I don't know where it is... but I've turned off DHCP and the wireless and changed the admin password. There were no listed DHCP leases.

It's been a fun morning.

Question: Is there some way to prevent this from occurring?
A Former User (replying to gjacobse):

@g.jacobse said:
    [...]
    Question: Is there some way to prevent this from occurring?

Don't use DHCP.
JaredBusch (replying to A Former User):

@Hubtech said:
    Don't use DHCP.

Which is a silly thing to do, so basically, no.
A Former User (replying to A Former User):

Don't use home-grade devices with DHCP out in the network. Leave DHCP to servers.
But are you using AD? http://technet.microsoft.com/en-us/library/cc754792.aspx

MAC address locking of ports and rogue device detection help as well.
thanksajdotcom (replying to A Former User):

@Hubtech said:
    @g.jacobse said:
        [...]
        Question: Is there some way to prevent this from occurring?

    Don't use DHCP.

DHCP is standard in an environment. There's no real good way to avoid using it unless you want to manage static IPs for every device and workstation. That's way more hassle than it's worth.

It's likely someone plugged in the device thinking it was a switch, or to bypass the company wifi, or just to get a wifi signal for their phone where they can't normally get one.
thanksajdotcom:

I know there are options in firewalls where you can create a list of approved devices and a deny-all for anything else. If something gets plugged into your network, it basically gets shut down immediately, assuming it's not on the approved list. Otherwise, rogue DHCP is just one fun thing IT gets to deal with, as I can't think of any real good ways to prevent it outside of company policy. If you find a way, let us know.
A Former User (replying to thanksajdotcom):

@ajstringham DHCP by default isn't going through the firewall (without an IP helper/forwarder). It's broadcast traffic on the local subnet.
thanksajdotcom (replying to A Former User):

@thecreativeone91 said:
    @ajstringham DHCP by default isn't going through the firewall (without an IP helper/forwarder). It's broadcast traffic on the local subnet.

True, but a lot of devices that I've seen allow you to create allow/deny lists for DHCP. Even if it's manual, it's the only option I can think of.
Dashrender:

You should be able to find this rogue device if you have a managed switch (or just a slightly smart one with an interface). Look for which port has the MAC of the Linksys on it.
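The detection step this thread keeps circling back to, as an added example that is not code from any poster: parse DHCPOFFER messages, flag any offer whose server identifier is not the approved DHCP server or whose offered address falls outside the 10.0.0.0/8 network, and report the sending MAC so it can be matched against the managed switch's address table. The approved server address, the MACs and the sample packets are constructed assumptions, not values from the thread.

```python
import ipaddress
import struct

APPROVED_SERVERS = {"10.0.0.1"}                    # assumed placeholder for the EdgeMAX Lite's address
EXPECTED_NET = ipaddress.ip_network("10.0.0.0/8")  # the addressing the thread says clients should get
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_offer(server_ip, yiaddr, mask, xid=0x1234):
    """Constructed DHCPOFFER payload (236-byte BOOTP header + cookie + options) used as sample input."""
    packed = lambda ip: ipaddress.ip_address(ip).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, packed(yiaddr), packed(server_ip), b"\0" * 4,
                      b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02" + b"\x36\x04" + packed(server_ip)   # 53: OFFER, 54: server identifier
            + b"\x01\x04" + packed(mask) + b"\xff")              # 1: subnet mask, 255: END
    return hdr + MAGIC_COOKIE + opts

def parse_dhcp(payload):
    """Return (message_type, yiaddr, server_id) from a DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = str(ipaddress.ip_address(payload[16:20]))
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # walk TLV options until END (255)
        if payload[i] == 0:                          # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1] if i + 1 < len(payload) else -1
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        if len(opts[payload[i]]) != length:
            return None                              # truncated option
        i += 2 + length
    mtype = (opts.get(53) or b"\0")[0]
    server_id = str(ipaddress.ip_address(opts[54])) if len(opts.get(54, b"")) == 4 else None
    return mtype, yiaddr, server_id

def find_rogue_offers(frames):
    """For (src_mac, payload) pairs, report OFFERs not from an approved server or leasing outside EXPECTED_NET."""
    findings = []
    for src_mac, payload in frames:
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[0] != 2:         # 2 = DHCPOFFER; ignore everything else
            continue
        _, yiaddr, server_id = parsed
        if server_id not in APPROVED_SERVERS or ipaddress.ip_address(yiaddr) not in EXPECTED_NET:
            findings.append((src_mac, server_id, yiaddr))
    return findings
SAMPLE_FRAMES = [  # constructed: one offer from the real server, one from a rogue 192.168.x router
    ("00:11:22:33:44:55", build_offer("10.0.0.1", "10.0.0.50", "255.0.0.0")),
    ("c0:ff:ee:00:00:01", build_offer("192.168.1.1", "192.168.1.100", "255.255.255.0"))]
```

Each tuple returned by `find_rogue_offers` carries the rogue server's MAC, which is the value to look for in the switch's port-to-MAC table.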
A Former User:

If you want a paid option, look at OpUtils for rogue device detection and inventory of your network from your managed switches.
http://www.manageengine.com/products/oputils/features.html
Dashrender:

You could fix this with network-level authentication, but I'm sure it's not worth the expense or the issues.
A Former User:

I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. I ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
thanksajdotcom (replying to Dashrender):

@Dashrender said:
    You could fix this with network-level authentication, but I'm sure it's not worth the expense or the issues.

I was thinking that RADIUS was an option. Or do I have that wrong?
Dashrender:

DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie-together, but not normally for general networks.
gjacobse (replying to thanksajdotcom):

@ajstringham said:
    @Hubtech said:
        @g.jacobse said:
            [...]
            Question: Is there some way to prevent this from occurring?

        Don't use DHCP.

    DHCP is standard in an environment. There's no real good way to avoid using it unless you want to manage static IPs for every device and workstation. That's way more hassle than it's worth.

    It's likely someone plugged in the device thinking it was a switch, or to bypass the company wifi, or just to get a wifi signal for their phone where they can't normally get one.

Oops, I may have left that out. That is what I suspect. I have an EdgeMAX Lite running DHCP currently. This just popped up out of nowhere.
Dashrender (replying to gjacobse):

@g.jacobse said:
    @ajstringham said:
        It's likely someone plugged in the device thinking it was a switch, or to bypass the company wifi, or just to get a wifi signal for their phone where they can't normally get one.

    Oops, I may have left that out. That is what I suspect. I have an EdgeMAX Lite running DHCP currently. This just popped up out of nowhere.

Yeah, most of us have had this happen to us at one point or another.
JaredBusch (replying to A Former User):

@Hubtech said:
    I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. I ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.

I would do this: turn the wifi back on and sniff the signal.
A Former User (replying to JaredBusch):

@JaredBusch said:
    @Hubtech said:
        I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. I ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.

    I would do this: turn the wifi back on and sniff the signal.

Smells like rogue wifi to me!
gjacobse (replying to JaredBusch):

@JaredBusch said:
    @Hubtech said:
        I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. I ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.

    I would do this: turn the wifi back on and sniff the signal.

Since it looks like I'll be here half the weekend, I may do this. Of course, that is if I can reach it... I'm about to dig out an unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask, or call me about it. That would be nice and 'fast'.
Otherwise it'll have to be sniffed, which I don't really have gear for. If I can find my Kindle, it may help as a poor man's triangulation...
A Former User (replying to Dashrender):

@Dashrender said:
    DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie-together, but not normally for general networks.

Are you referring to 802.1X authentication?