How can operators identify rogue DHCP servers on the network

Having a Dynamic Host Configuration Protocol (DHCP) Server on a network that is not managed by an IT department can be a huge security concern, and can cause significant operational challenges for network admins. This blog will briefly cover what a rogue DHCP server is and some highly differentiated features of Big Monitoring Fabric (BMF) that will assist in finding and tracking down the rogue DHCP devices.

Rogue DHCP

A rogue DHCP server is a DHCP server on a network, which is not under the administrative control of the network staff. It is a network device (i.e., VM, router, IP camera with DHCP service, laptop, etc…) connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such as man in the middle (MITM) attacks by providing incorrect or unauthorized host IP information such as IP addresses & default gateways. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP server, especially for those classified in the "Rootkit" category.

As clients connect to the network, both the rogue and authorized DHCP server will offer them IP addresses as well as default gateway, DNS servers, and other info such as how to get a config manifest from the network. If the information provided by the rogue DHCP differs from the authorized DHCP server, clients accepting IP addresses from it may experience network outage problems. In addition, if a rogue DHCP is set to provide as default gateway an IP address of a machine controlled by a misbehaving user, he can sniff all the traffic sent by the clients to other networks, violating network security policies as well as user privacy.

Finding Rogue DHCP servers with BMF

Often, when people think of visibility fabrics or Network Packet Brokers (NPBs), they think of getting data from production network, and moving it efficiently to all the security and performance monitoring tools. This is what traditional NPB usually do. However, with BMF SDN architecture, besides steering the traffic to the right set of tools, the system can correlate all the data that is collected from the production network, and provide analytics and network telemetry including flow analysis and device trackers. BMF also provides real time and historical analytic trends on all the ARP, ICMP, DNS, DHCP, HOSTS packets that have been traversing in the production network. By doing that, BMF, in addition to being a NPB, becomes another tool that provides value added information that operators find critical for debugging and monitoring the networks. 

DHCP Server Tracking

One of the features that BMF supports is called DHCP Tracker. Once this feature is enabled, BMF will start monitoring all the DHCP request/response traffic that is coming form the network taps and spans, and then creates a real time list of all the production network active DHCP servers.

BMF does the DHCP sniffing without probing any devices in the production network. The process is completely passive to the production network.

Network admins can take advantage of the DHCP database that BMF created by comparing it against their own trusted DHCP server list. If there are any differences between BMF’s list and the Network admin’s list, then there is a potential rogue DHCP server showing up in the network. The Network admins can automate this process and get real time notifications. The BMF controller that builds this dhcp database is 100 percent REST API driven. This means network admins can automate their queries and create triggers to get notified by email, SMS, hipchat message, etc… whenever a rogue dhcp server shows up on the network. A sample script is provided at the end of the blog as an example of how to get email notifications for new discovered DHCP servers.

  • BMF solution can also help network admins in discovering:
  • What IP addresses are handed by the rogue DHCP server and to which clients on the network
  • Which DHCP options are set in the DHCP message
  • What is the lease time

BMF solution provides a historical DHCP time view where you can filter by DHCP message type (i.e., DHCP Offer, DHCP Discover, DHCP Acknowledge, DHCP Request), or by DHCP server address, or DHCP client address


To know the physical location of the rogue DHCP, the network admin can type the DHCP server in the host tracker database, and can see which span or tap port that is connected to this host.

In addition to discover DHCP rogue servers, BMF can also discover DNS rogue Servers, DNS misconfiguration, track devices, monitor host activity, detect black listed websites, generate sflow records from the production network, and provide network analysis with the embedded sflow collector (i.e., top talker, network bandwidth, etc…) for network capacity planning.

To Learn More

  • Discovering rogue DHCP demo with BMF: View Demo (start from 26:30 mins)
  • Python email script for detecting rogue DHCP Server:View Script


Mostafa Mansour

 Sr. Technical Marketing Engineer, Big Switch Networks