Interpreting problems caused by unauthorized DHCP

Source: Internet
Author: User

Network administrators often complain about network faults, yet the causes and the hidden risks behind them are rarely understood. This article looks at one common cause, an unauthorized (rogue) DHCP server on the internal network, and at what can be done about it.

I. Background:

A company usually runs a DHCP server that hands out the network parameters an employee's computer needs: an IP address, subnet mask, default gateway and DNS servers. In many cases a router takes on this role. Each time a computer that is set to obtain its address automatically starts up, it broadcasts a DHCPDISCOVER to find a DHCP server. Every DHCP server that receives the broadcast takes an address from its pool and answers with a DHCPOFFER addressed to the client's MAC address (the hardware address carried in the request). The client then confirms one offer with a DHCPREQUEST, the chosen server replies with a DHCPACK, and the client applies the parameters.

A valid DHCP server hands out correct parameters; an unauthorized one hands out wrong ones (typically a gateway or DNS server under the rogue host's control, or simply addresses from the wrong range). Can an employee's machine be made to take its parameters only from the valid server? In an ordinary switched network it cannot: the DHCPDISCOVER broadcast reaches every device in the broadcast domain, and the client accepts whichever offer arrives first. No rule decides whether the legitimate or the rogue server answers first. The network is therefore disrupted at random: a machine that could reach the Internet a moment ago suddenly cannot, because it was given a bad gateway or DNS server.
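To make the race described above concrete, here is an added example (written for this article, not code from the original page) that builds two DHCPOFFER packets exactly as a server would send them, parses them back the way a client does, and shows that the client takes whichever offer arrives first. The addresses, the transaction id and the client MAC are constructed for the example; only 192.168.1.1 is assumed to be the legitimate server.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: marks the start of the DHCP options
BOOTREPLY = 2                        # op field of a server-to-client message
DHCPOFFER = 2                        # value of option 53 in an offer


def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_offer(xid, client_mac, server_ip, your_ip, router, dns, lease):
    """Build a DHCPOFFER as a server sends it: fixed BOOTP header followed by TLV options."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4)                          # ciaddr (client has no address yet)
    hdr += _ip_bytes(your_ip)                # yiaddr: the address being offered
    hdr += _ip_bytes(server_ip)              # siaddr
    hdr += bytes(4)                          # giaddr (no relay)
    hdr += client_mac.ljust(16, b"\0")       # chaddr: copied from the client's DISCOVER
    hdr += bytes(64 + 128)                   # sname and file, unused here
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, DHCPOFFER])                              # message type
    opts += bytes([54, 4]) + _ip_bytes(server_ip)                  # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease)              # lease time
    opts += bytes([3, 4]) + _ip_bytes(router)                      # default gateway
    opts += bytes([6, 4 * len(dns)]) + b"".join(map(_ip_bytes, dns))  # DNS servers
    opts += bytes([255])                                           # end
    return hdr + opts


def parse_dhcp(packet):
    """Parse the fixed header and the options a client acts on (gateway, DNS, lease, server id)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    opts = {}
    i = 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "chaddr": packet[28:28 + hlen].hex(":"),
        "yiaddr": _ip_str(packet[16:20]),
        "type": opts.get(53, b"\0")[0],
        "server": _ip_str(opts[54]) if 54 in opts else None,
        "router": _ip_str(opts[3]) if 3 in opts else None,
        "dns": [_ip_str(opts[6][j:j + 4]) for j in range(0, len(opts.get(6, b"")), 4)],
        "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def accepted_offer(packets, xid):
    """Model the client: the first OFFER carrying its transaction id wins, whoever sent it."""
    for p in packets:
        m = parse_dhcp(p)
        if m["op"] == BOOTREPLY and m["xid"] == xid and m["type"] == DHCPOFFER:
            return m
    return None


def rogue_servers(packets, authorized):
    """Server identifiers seen in OFFERs that are not on the allow-list: what a detector reports."""
    return sorted({m["server"] for m in map(parse_dhcp, packets)
                   if m["type"] == DHCPOFFER and m["server"] and m["server"] not in authorized})


# Constructed sample (assumption for this example): the rogue server's OFFER arrives first.
AUTHORIZED = {"192.168.1.1"}
XID = 0x3903F326
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_PACKETS = [
    build_offer(XID, CLIENT_MAC, "192.168.1.200", "192.168.1.150", "192.168.1.200", ["192.168.1.200"], 600),
    build_offer(XID, CLIENT_MAC, "192.168.1.1", "192.168.1.50", "192.168.1.1", ["192.168.1.1", "8.8.8.8"], 86400),
]

if __name__ == "__main__":
    won = accepted_offer(SAMPLE_PACKETS, XID)
    print("client will use", won["yiaddr"], "with gateway", won["router"], "from server", won["server"])
    print("rogue servers seen:", rogue_servers(SAMPLE_PACKETS, AUTHORIZED))
```

Reversing the order of SAMPLE_PACKETS makes the legitimate server win, which is exactly why the outcome on a real network looks random. The same parser, fed packets captured on UDP port 68, is the core of a rogue-DHCP detector: anything whose server identifier is not in AUTHORIZED is the host to track down.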

II. Defense strategies:

1. Passive workaround:

Since the broadcast reaches every device and no rule decides which server answers first, a temporary fix is simply to repeat the request until the client happens to receive the offer from the real server.

Run the following command:

ipconfig /release (discards the parameters obtained from the unauthorized server)

Then run:

ipconfig /renew (requests the network parameters again)

If the wrong parameters come back, repeat the two commands until the correct ones are obtained. This is not a permanent fix, and the number of attempts it takes is unpredictable; it can easily take dozens of tries. Moreover, when the DHCP lease expires the client has to find a DHCP server again, and the fault recurs.

2. Microsoft's official solution:

The operating system in most offices is Windows, and Microsoft provides an official solution. In a network built on Windows, where the unauthorized DHCP server is also a Windows server, the rogue server can be filtered out by using a domain: the valid DHCP servers are authorized in Active Directory, and a Windows DHCP server that is not authorized there stops serving clients. This authorization check is an effective way to silence an unauthorized Windows DHCP server.

The principle is as follows. When a Windows DHCP server (Windows 2000 Server or later) starts, it sends a DHCPINFORM query to discover whether a directory and other DHCP servers exist on the network. A server that is a domain member then looks itself up in the list of authorized servers in Active Directory and refuses to serve clients if it is not listed; a standalone (workgroup) server that receives a reply from a DHCP server belonging to a domain likewise assumes it is unauthorized and does not answer clients. In effect a DHCP server authorized in the domain takes priority over one that is not, so once the valid servers are authorized the unauthorized one hands out nothing.

The procedure for authorizing a valid DHCP server is as follows:

Step 1: Start -> Programs -> Administrative Tools -> DHCP

Step 2: Right-click the DHCP root node and select "Manage authorized servers".

Step 3: Click "Authorize" and enter the name or IP address of the DHCP server to authorize.

This method works well but requires an Active Directory domain. Many small and medium-sized enterprises never build one; a workgroup is enough for their daily work, so Microsoft's recommended method, effective as it is, does not fit their actual situation. In addition, the check is only performed by the rogue server itself, and only if it is a Windows 2000 or later DHCP server: a DHCP service running on a non-Windows system, on an NT4 server, or on a consumer router never performs it and is not affected at all.

3. Blocking on routers and switches:

Some routers and switches can suppress unauthorized DHCP traffic with a built-in feature (on managed switches this is usually called DHCP snooping: server replies are accepted only from ports marked as trusted). Without such a feature, how can unauthorized DHCP servers be blocked in advance?

First, you need to know the ports DHCP uses. The DHCP service uses UDP ports 67 and 68: the server listens on port 67 and sends its replies from port 67, while the client sends its requests from port 68 and receives the replies on port 68. Therefore, an access control list on the router or switch can drop every DHCP reply (UDP source port 67) except those from the valid DHCP server.

The specific entries are (assuming the valid server is 192.168.1.1):

access-list 108 permit udp host 192.168.1.1 eq 67 any eq 68
access-list 108 deny udp any eq 67 any eq 68 (figure 1)

Because every ACL ends in an implicit deny, a permit for the remaining traffic must follow these two entries, and the list must then be applied inbound on the interfaces facing the clients with an ip access-group statement.

Figure 1

Filtering on the UDP port works regardless of the operating system the rogue server runs, but it has two limits. An ACL on a router interface only sees traffic that crosses the router; clients and a rogue server in the same VLAN exchange DHCP messages at layer 2 and are never filtered unless the switch itself supports port or VLAN ACLs. In addition, long ACLs cost forwarding performance on the routing and switching devices and can slow the network.
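As an added example (not part of the original article), the following Python models the first-match semantics of an IOS-style numbered extended ACL for the small subset of syntax used here, and evaluates both the entry the article originally gave (deny on source port 68) and the corrected one against a constructed DHCP exchange. The addresses (legitimate server 192.168.1.1, rogue server 192.168.1.200) and the sample traffic are assumptions for the example.

```python
# Tiny first-match evaluator for "access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]".
# Understands only what this article needs: "any" / "host A.B.C.D" addresses, "eq <port>",
# protocols udp, tcp and ip. Real IOS also has wildcard masks, ranges, established, etc.

def parse_ace(line):
    """Parse one access-list entry into a dict of match fields (None means 'any')."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    ace = {"action": t[2], "proto": t[3]}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = None, i + 1
        elif t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form in: {line}")
        if i < len(t) and t[i] == "eq":
            ace[side + "_port"], i = int(t[i + 1]), i + 2
        else:
            ace[side + "_port"] = None
    return ace


def evaluate(acl, pkt):
    """First matching entry decides; an ACL always ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["src"] not in (None, pkt["src"]) or ace["dst"] not in (None, pkt["dst"]):
            continue
        if ace["src_port"] not in (None, pkt["sport"]) or ace["dst_port"] not in (None, pkt["dport"]):
            continue
        return ace["action"]
    return "deny"


def verdicts(acl, packets):
    """Map each named sample packet to the action the ACL would take on it."""
    return {name: evaluate(acl, p) for name, p in packets.items()}


# Constructed traffic (assumption): the DHCP exchange as it really runs, server port 67, client port 68.
LEGIT_SERVER = "192.168.1.1"
PACKETS = {
    "client DISCOVER": {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67},
    "legit OFFER":     {"proto": "udp", "src": LEGIT_SERVER, "sport": 67, "dst": "255.255.255.255", "dport": 68},
    "rogue OFFER":     {"proto": "udp", "src": "192.168.1.200", "sport": 67, "dst": "255.255.255.255", "dport": 68},
    "web traffic":     {"proto": "tcp", "src": "192.168.1.50", "sport": 51000, "dst": "203.0.113.5", "dport": 443},
}

# The entry as the article first gave it: port 68 as the *source* port is the client side,
# so this drops the clients' own requests and lets every server reply through.
ARTICLE_ACL = [
    "access-list 108 deny udp any eq 68 any",
    "access-list 108 permit ip any any",
]

# Corrected: allow replies from the authorized server, drop replies from anyone else,
# then permit the rest (without the last line the implicit deny would drop all traffic).
CORRECTED_ACL = [
    f"access-list 108 permit udp host {LEGIT_SERVER} eq 67 any eq 68",
    "access-list 108 deny udp any eq 67 any eq 68",
    "access-list 108 permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("article", ARTICLE_ACL), ("corrected", CORRECTED_ACL)):
        print(name, verdicts(acl, PACKETS))
```

Running the two lists side by side shows the difference a practitioner would check before deploying: the original entry breaks DHCP for every client while leaving the rogue server untouched, whereas the corrected list drops only the rogue server's offers.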

4. An alternative way to interfere with an unauthorized DHCP server:

In practice I found an alternative method that combines well with the passive workaround above. You only need to know the IP address of the unauthorized DHCP server: configure another computer with that same IP address. The resulting address conflict reduces the number of offers the rogue server can hand out, so the chance of obtaining valid parameters when running ipconfig /release and ipconfig /renew rises considerably.

5. Administrative measures:

As with many other network management problems, standardized, reasonable and strictly enforced rules are the best way to reduce network faults. A policy can forbid running unauthorized services on the network and impose administrative penalties on users who do so.

6. Locating and blocking an unauthorized DHCP server:

The procedure is as follows:

Step 1: Use "ping -a <ip>" to reverse-resolve the rogue server's IP address to its host name.

Step 2: Look up the computer's MAC address with "arp -a" (after the ping, the address is in the local ARP cache), or find the MAC address recorded for that IP in the lease table of the valid DHCP server.

(Note: blocking an unauthorized DHCP server must start from its MAC address. The IP address can be changed at will, the host may itself obtain an address automatically in several ways, and the parameters it obtains will change.)

Step 3: With the MAC address known, log on to the switch and run "show mac address-table" (on older IOS versions "show mac-address-table") to display the mapping between learned MAC addresses and switch ports. (Figure 2)

Figure 2

Step 4: Find the port for the MAC address in the displayed list. If there are many ports, query the table for that one address with "show mac address-table address 0011.5b5c.6214", which prints only the port on which that MAC address was learned. (Figure 3)

Figure 3

Step 5: Enter configuration mode for that port with "interface <port>" and disable it with "shutdown", which cuts the computer off from the rest of the network. (Figure 4)

Figure 4

This method has one problem: if a hub is connected below the switch port, several MAC addresses will be learned on that single port, and shutting the port down cuts off every device behind the hub. In that case use a MAC address-based access control list instead, which blocks only the one station. The configuration is:

The ACL, in global configuration mode:

mac access-list extended softer

 deny host 0011.5b5c.6214 any

 permit any any

Then, in interface configuration mode for the switch port where the unauthorized DHCP server is connected, apply it inbound:

mac access-group softer in

After this configuration the computer with MAC address 0011.5b5c.6214 is blocked from the network, while the other devices on the same hub are unaffected.

Figure 5
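The lookup in steps 2 to 5 and the hub caveat can be automated. The following added example (written for this article; the switch output is a constructed sample, not a capture from the original page) parses "show mac address-table" output, converts a MAC address from the form "arp -a" prints on Windows into the dotted form the switch uses, finds the port, and then chooses between shutting the port and a per-station MAC ACL depending on whether other addresses were learned on the same port. The ACL name "softer" is taken from the article; the port names and the addresses other than 0011.5b5c.6214 are assumptions.

```python
import re

# Constructed sample of "show mac address-table" output from a Cisco IOS switch (assumption).
# Fa0/7 has two addresses behind it, i.e. a hub or another switch; Fa0/3 has a single host.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    0011.5b5c.6214    DYNAMIC     Fa0/7
   1    0011.5b5c.7a01    DYNAMIC     Fa0/7
   1    000c.2961.1f3e    DYNAMIC     Fa0/3
   1    0018.7380.2c40    DYNAMIC     Gi0/1
"""

# One table row: vlan, dotted MAC, type, port. Header and separator lines do not match.
ENTRY = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I)


def to_cisco_mac(mac):
    """Normalise 00-11-5B-5C-62-14 (Windows arp -a), 00:11:5b:5c:62:14 or 0011.5b5c.6214 to IOS form."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text):
    """Yield (vlan, mac, type, port) for every learned address in the command output."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            yield vlan, mac.lower(), kind.upper(), port


def locate(text, mac):
    """The switch port on which `mac` was learned, or None if the switch has not seen it (step 4)."""
    want = to_cisco_mac(mac)
    for _vlan, learned, _kind, port in parse_mac_table(text):
        if learned == want:
            return port
    return None


def plan_block(text, mac, acl_name="softer"):
    """IOS configuration lines that isolate `mac`: shut the port if it is alone there, else a MAC ACL."""
    want = to_cisco_mac(mac)
    port = locate(text, want)
    if port is None:
        raise LookupError(f"{want} is not in this switch's MAC table; check uplinks or other switches")
    neighbours = [m for _v, m, _k, p in parse_mac_table(text) if p == port and m != want]
    if not neighbours:   # only this host is behind the port, so shutdown affects nobody else (step 5)
        return [f"interface {port}", " shutdown"]
    # Several stations share the port (a hub): filter just the one address, as in the article's ACL.
    return [f"mac access-list extended {acl_name}",
            f" deny host {want} any",
            " permit any any",
            f"interface {port}",
            f" mac access-group {acl_name} in"]


if __name__ == "__main__":
    for station in ("00-11-5B-5C-62-14", "00:0c:29:61:1f:3e"):
        print(f"{station} is on {locate(SAMPLE_MAC_TABLE, station)}")
        print("\n".join(plan_block(SAMPLE_MAC_TABLE, station)), end="\n\n")
```

The neighbour count is the check a practitioner wants before typing "shutdown": a port that has learned more than one address is feeding a hub or a downstream switch, and disabling it would take out every station behind it.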

III. Summary:

The biggest danger to network security comes from the internal network, where unauthorized use of the network creates one crisis after another. The network structure should therefore be planned sensibly in advance, and the network parameter settings must be documented in detail, so that when a problem is discovered its source can be pinpointed quickly from the records kept.
