LAN "moles": unauthorized DHCP server protection policy, page 1/3

Source: Internet
Author: User

Background: some time ago a problem occurred in the LAN of a friend's organization, and I was asked to help. According to my friend, computers in some departments had recently and repeatedly become unable to access the Internet. On asking, I learned that these computers use the DHCP service and obtain their IP address automatically. Troubleshooting showed that their gateway address was wrong: the correct address should be 192.168.4.254, but the gateway address obtained by the faulty computers was 192.168.4.65. On some computers, running ipconfig /release to discard the obtained network parameters and then ipconfig /renew produced the real gateway address, but most of the time the data obtained was still incorrect.

Why can't the network parameters allocated by the real DHCP server be delivered correctly to the client? The reason is simple: there is another DHCP server in the network, and it hands out unauthorized network information to the clients that are set to obtain their IP address automatically. Such "moles" are really hard to guard against! The following describes, based on my experience, how to effectively prevent unauthorized DHCP servers in a LAN.

I. Prerequisites:

Generally a company has a DHCP server that provides the necessary network parameters to employees' computers, such as the IP address, subnet mask, gateway and DNS; in many cases a router takes on this role. Each time an employee's computer starts (provided it is set to obtain an IP address automatically), it sends a broadcast packet onto the network to find a DHCP server. The broadcast reaches every device on the network; when a DHCP server receives it, it sends a response to the source MAC address of the packet, takes an IP address from its address pool, and assigns it to that computer.

A valid DHCP server provides correct data, whereas an unauthorized DHCP server provides incorrect data. How can we make sure employee machines obtain their network information from the valid DHCP server? In a switched network this is not possible, because the broadcast packet is delivered to every device on the network and there is no rule deciding whether the legitimate or the unauthorized server responds first. The network is therefore completely disrupted: machines that could normally access the Internet can no longer connect.
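The response described above is a DHCPOFFER, and the two facts that distinguish a valid offer from a rogue one are carried in its options: the gateway in option 3 (router) and the responding server's own address in option 54 (server identifier). The following Python is an added example, not code from the original article: it builds two constructed DHCPOFFER packets (a legitimate one advertising the article's correct gateway 192.168.4.254 and a rogue one advertising 192.168.4.65), parses the option field with bounds checks, and flags any offer whose gateway or server identifier is not on the expected list. The assumption that each server identifies itself with its own address, and that the real DHCP server runs on the gateway, is constructed for the example; the client MAC and offered addresses are also constructed.

```python
import struct
from ipaddress import IPv4Address

# DHCP option codes used below (RFC 2132)
OPT_PAD, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 3, 53, 54, 255
DHCPOFFER = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Gateway value from the article. Assumption (constructed for this example):
# the authorized DHCP server is the gateway itself and uses that address as
# its server identifier (option 54).
EXPECTED_ROUTER = "192.168.4.254"
AUTHORIZED_SERVERS = {"192.168.4.254"}


def _packed(addr: str) -> bytes:
    return IPv4Address(addr).packed


def build_offer(xid: int, yiaddr: str, router: str, server_id: str, client_mac: bytes) -> bytes:
    """Build a minimal DHCPOFFER. Constructed test data, not captured traffic."""
    # BOOTP fixed header, 236 bytes: op=2 (BOOTREPLY), htype=1 (Ethernet), hlen=6
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,
        b"\x00" * 4,                    # ciaddr
        _packed(yiaddr),                # yiaddr: the address being offered
        _packed(server_id),             # siaddr
        b"\x00" * 4,                    # giaddr: no relay agent
        client_mac.ljust(16, b"\x00"),  # chaddr
        b"\x00" * 64, b"\x00" * 128,    # sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    options += bytes([OPT_SERVER_ID, 4]) + _packed(server_id)
    options += bytes([OPT_ROUTER, 4]) + _packed(router)
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_options(packet: bytes) -> dict:
    """Return {code: value} for the option field, with bounds checks.
    Repeated codes are concatenated (RFC 3396 long options)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts: dict = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def _ip_option(opts: dict, code: int):
    """Decode a 4-byte address option; None if absent or malformed."""
    value = opts.get(code, b"")
    return str(IPv4Address(value[:4])) if len(value) >= 4 else None


def check_offer(packet: bytes, expected_router=EXPECTED_ROUTER, authorized=AUTHORIZED_SERVERS):
    """Classify a DHCPOFFER against the expected gateway and authorized servers.
    Returns None for DHCP messages that are not offers."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server = _ip_option(opts, OPT_SERVER_ID)
    router = _ip_option(opts, OPT_ROUTER)
    problems = []
    if server not in authorized:
        problems.append(f"server identifier {server} is not an authorized DHCP server")
    if router != expected_router:
        problems.append(f"offered gateway {router} differs from expected {expected_router}")
    return {"server": server, "router": router, "rogue": bool(problems), "problems": problems}


# Constructed sample offers: the real server and the "mole" from the article.
CLIENT_MAC = bytes.fromhex("001122334455")  # constructed
LEGIT_OFFER = build_offer(0x1234, "192.168.4.20", "192.168.4.254", "192.168.4.254", CLIENT_MAC)
ROGUE_OFFER = build_offer(0x1234, "192.168.4.66", "192.168.4.65", "192.168.4.65", CLIENT_MAC)

if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt))
```

In practice the same check_offer logic would be fed DHCP packets captured on the segment (for example from a monitoring port), and any offer reported as rogue gives the server identifier and the offered gateway, which is what an administrator needs to find the mole's MAC address in the switch's tables.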

II. Defense Policy:

1. Passive prevention:

Since the broadcast packet is sent to all devices on the network and there is no rule deciding whether the legitimate or the unauthorized server responds first, we can work around the problem temporarily by sending the broadcast repeatedly until the client obtains the real address.

Run the following command:

ipconfig /release (releases the unauthorized network data)

Then run the following command:

ipconfig /renew (tries to obtain the network parameters again)

If wrong information is obtained again, repeat the two commands until the correct information is obtained. However, this method is not a permanent fix, and the number of attempts required is not guaranteed; it often takes many tries, sometimes dozens. In addition, when the DHCP lease expires the employee's computer has to look for a DHCP server again, and the fault recurs.

2. Official solution:

Generally the operating system we use is Windows, and Microsoft provides an official solution. In a network built on Windows, if the unauthorized DHCP server also runs on Windows, we can filter it out by using a domain: the valid DHCP servers are added to Active Directory as authorized servers. This authorization mechanism effectively stops unauthorized DHCP servers.

The principle is that a DHCP server that has not joined the domain sends a DHCPINFORM query to the other DHCP servers on the network before answering client requests. If another DHCP server responds, the unauthorized server will not serve the client. In other words, a DHCP server that has joined the domain has higher priority than one that has not, so as long as a valid DHCP server exists, the unauthorized one plays no role.

The process of authorizing a valid DHCP server is as follows:

Step 1: Start -> Programs -> Administrative Tools -> DHCP

Step 2: Select the DHCP root node, right-click it, and choose the option for authorizing servers.

Step 3: Click "Add" and enter the IP address of the DHCP server to authorize.

This method works well, but it requires domain support. Bear in mind that a "domain" is rarely used by many small and medium-sized enterprises; a workgroup is basically enough for their daily work. So although this method is recommended by Microsoft and works well, it does not fit the actual situation of many organizations. In addition, it only applies when the unauthorized DHCP server is itself a Windows system; it may not work against unauthorized servers running on non-Windows operating systems, or even on NT4.
