
We have been struggling with a rogue DHCP server for quite some time now.

Users are meant to be on a network of 192.168.10.xx with .14 as the DNS, and .254 as the gateway, but this will set users on a subnet of 192.168.30.xx with both DNS and gateway as x.x.30.1.

Our site consists of a Windows Server 2012, with 2 virtual machines also running Server 2012 (an Exchange Server and a Terminal Server).

Our main Draytek router (x.x.10.254) connects to an ISP provided ethernet WAN switch and radio ethernet modem. It points users to the pre-configured .14 DNS/DHCP Windows server.

Then a Netgear R7000 is used as a wireless access point. DHCP is disabled, and it points users to x.x.10.14. This provides extra WiFi coverage for the factory laptops.

Initially I suspected it was the R7000, but after putting it on custom firmware, the issue persists.

The issue can happen both to users on the Ethernet hardwire AND to users on both WiFis.

Running some network scans, I can see x.x.30.1 has a MAC address of 00-ac-a8-72-ed-2e, but this doesn't seem to give me any help in finding it, as it doesn't belong to any known manufacturer.

Thanks in advance, and I hope this is enough information.


EDIT: I found the answer!

Turns out there was an old VPN (SoftEther) service that was enabled with a DHCP service for incoming connections. Not sure how, but it must've got mixed up and was handling half the PCs in the network.

  • 1
    `I can see x.x.30.1 has a MAC address of 00-ac-a8-72-ed-2e. But this doesn't seem to give me any help in finding it` - Assuming that's the ip address and MAC address of the rogue DHCP server, look in the MAC address table of your switches and see which port that MAC address is registered on, then trace that port to the end station. – joeqwerty May 30 '18 at 00:56
  • Oh, I've never actually had to interface with our switches before. I'll investigate whether this is possible. You're expecting I should be able to see two IPs registered to that MAC address? @joeqwerty – Craig White May 30 '18 at 01:03
  • I should also note, that I have checked the DHCP and also done network scans, but cannot see anything with an even similar MAC – Craig White May 30 '18 at 01:07
  • I'm not talking about the ARP cache (IP address to MAC address resolution). I'm talking about the MAC address table, which shows which MAC addresses are connected to which ports. If you can find this MAC address in the table then you'll know which port the rogue DHCP server is connected to and can then find the rogue server by tracing the switch port to the wall port it connects. – joeqwerty May 30 '18 at 01:18
  • Random MAC address could be from a cellphone. Check the list of associated stations of the R7000 for that MAC address. – Brian May 30 '18 at 01:22
  • @joeqwerty Thanks for the tip on inspecting the switch. It turned out to be Port 26, which was connected using a slightly different colored Ethernet cable for some reason. This goes into the main server's "link 4". I can't seem to find any other reference to it, I only see one single network connection, do IBM servers have an internal load balancer? – Craig White May 30 '18 at 02:20
  • I'm not understanding what "link 4" is, other than an additional network interface on the server. Can you clarify what you mean? Is there 1 or 2 network cables plugged into the server? Can you show us a picture of this connection? Does the server have an "out of band" management port and could this be the connection you're referring to? – joeqwerty May 30 '18 at 02:26
  • @joeqwerty I've uploaded a few photos which can hopefully give you enough information. [Imgur Album](https://imgur.com/a/myYZoSB) As you can see in the first pic, there is a lighter blue cable going into the back of the system. According to the [Product Page](https://lenovopress.com/tips0850-system-x3650-m4-e5-2600-v2) it has four Gigabit Ethernet ports, and the fifth is an IMM. What's surprising is I can only see one network adapter in the system. – Craig White May 30 '18 at 02:54
  • @joeqwerty Something I did find is that there are 3 Hyper-V virtual machines and that each one is assigned an Ethernet port. One of the virtuals is assigned to that port 4. So, now I've narrowed it down to a single installation. Checked for any DNS or DHCP, none. Can't seem to find the MAC address with ipconfig /all either – Craig White May 30 '18 at 03:02
  • @joeqwerty Turns out there was an old VPN (SoftEther) service that was enabled with a DHCP service for incoming connections. Not sure how, but it must've got mixed up and was handling half the PCs in the network. – Craig White May 30 '18 at 04:18
  • OK. Glad you got it sorted out. – joeqwerty May 30 '18 at 11:12
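The procedure worked out in the comments above (read the switch's MAC address table, find the port the rogue MAC was learned on, follow the cable, then look at everything behind that port) is mechanical enough to script. The following is an added example, not code from the thread: it normalises the various MAC notations you meet (dash-separated from Windows and nmap, colon-separated from Linux, dotted from Cisco IOS), parses a constructed `show mac address-table`-style dump, and also checks the locally-administered bit, which is what distinguishes a randomised phone MAC (as one commenter guessed) from a vendor-style address with an unregistered OUI. The table text and port names are constructed sample data; real switch output varies by vendor.

```python
"""Locate a MAC address in a switch MAC-address table dump.

Added example, not from the thread. SAMPLE_TABLE is constructed to
resemble Cisco IOS 'show mac address-table' output; your switch's format
(and whether you read it over SSH, a web UI or SNMP) will differ.
"""
import re
from typing import Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, accepting
    00-ac-a8-72-ed-2e, 00:AC:A8:72:ED:2E, 00ac.a872.ed2e and 00ACA872ED2E."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pretty_mac(digits: str) -> str:
    """Dash-separated form, as Windows and the original post write it."""
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered (randomised
    phone MACs, many virtual NICs). Clear means a vendor-style OUI, which
    may still be absent from the IEEE registry, as 00-ac-a8 is."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


# Constructed sample, styled after Cisco IOS 'show mac address-table'.
# The port numbers and MACs are invented for the example.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.5600.1a2b    DYNAMIC     Gi1/0/1
   1    0050.5600.3c4d    DYNAMIC     Gi1/0/2
   1    00ac.a872.ed2e    DYNAMIC     Gi1/0/26
   1    d4c9.ef00.0001    DYNAMIC     Gi1/0/26
   1    b827.eb00.1234    DYNAMIC     Gi1/0/9
Total Mac Addresses for this criterion: 5
"""

# vlan, mac, type, port; header and separator lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+(\S+)\s+(\S+)\s*$")


def parse_mac_table(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vlan, mac, kind, port = m.groups()
        try:
            mac = normalize_mac(mac)
        except ValueError:
            continue  # a column that merely looked like a MAC
        rows.append({"vlan": int(vlan), "mac": mac, "type": kind, "port": port})
    return rows


def find_port(text: str, mac: str) -> Optional[str]:
    """Port on which the switch learned the given MAC, or None."""
    want = normalize_mac(mac)
    for row in parse_mac_table(text):
        if row["mac"] == want:
            return row["port"]
    return None


def macs_on_port(text: str, port: str) -> List[str]:
    """Every MAC learned on one port. More than one usually means a hub,
    another switch, an access point, or a hypervisor host with several
    virtual NICs behind it, which is what the thread ended up finding."""
    return [pretty_mac(r["mac"]) for r in parse_mac_table(text) if r["port"] == port]


if __name__ == "__main__":
    rogue = "00-ac-a8-72-ed-2e"
    port = find_port(SAMPLE_TABLE, rogue)
    print(f"{rogue}: locally administered = {is_locally_administered(rogue)}")
    print(f"{rogue} learned on {port}; also on that port: {macs_on_port(SAMPLE_TABLE, port)}")
```

The locally-administered check is the quick triage step: a clear bit on an OUI that no registry knows is typical of a virtual adapter (a VPN or hypervisor vNIC), which is where the search should go next rather than to the WiFi client list. Once you have the port, `macs_on_port` tells you whether a single host or a whole tree of devices sits behind it.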

1 Answer


Allowing rogue/uncontrolled DHCP servers on your network is a serious security issue. A DHCP server can easily force all traffic through an attacker's server, scanning and manipulating it at will.

You need managed switches. With the DHCP server's MAC address you can track down that address to a switch port and follow the cable.

Additionally, you'll want DHCP snooping on your switches. DHCP snooping is configured with the DHCP server(s) and ports that you actually use and locks out all others.

Beyond that, you need a network policy that defines who is allowed to set up or authorize network equipment and services. All users and other people with access to your network have to submit to this policy.

Zac67
  • While I completely agree, I can only say that in my SMBs there is no budget and resources available to use such switches and to enforce such policies. – eKKiM May 30 '18 at 14:29
  • How many client machines/devices do you have on your network, all VLANs considered? What does the core of your network look like? You can get most of the benefit of managed switches everywhere, with a pair of stacked layer-3 switches at the center of your network. There are ways to get that done for less than $1,000. – Rob Pearson May 30 '18 at 15:08
  • @eKKiM Admins wandering around looking for the cause of a current problem plus the deteriorated network cost a lot more than a few hundred € for a somewhat serious switch that lasts at least five years. Using consumer hardware for your infrastructure is extremely short-sighted if you use it to earn money. – Zac67 May 30 '18 at 17:11
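DHCP snooping, as the answer says, is the switch-side fix. Where the switches cannot do it yet, the same decision (is this DHCPOFFER from a server we trust, handing out addressing we expect?) can be made on a host that watches traffic. The following is an added example, not the answer's code or any vendor's tool: it parses raw DHCP packets (BOOTP fixed header, magic cookie, TLV options) and flags offers whose server identifier, offered subnet, gateway or DNS do not match the site described in the question (legitimate server 192.168.10.14, gateway 192.168.10.254). The packets are constructed in the file so it runs offline; on a real network you would feed it offers captured with a sniffer on UDP ports 67/68, or provoke them with a broadcast DHCPDISCOVER.

```python
"""Flag rogue DHCPOFFERs by checking them against the site's known servers
and addressing. Added example, not from the thread; the offers below are
constructed here, not captured.

Site parameters are taken from the question. Option 53 is the DHCP message
type, 54 the server identifier, 1/3/6 subnet mask, router and DNS servers.
"""
import ipaddress
import struct
from typing import Dict, List, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPOFFER = 2

TRUSTED_SERVERS = {ipaddress.IPv4Address("192.168.10.14")}
TRUSTED_DNS = {ipaddress.IPv4Address("192.168.10.14")}
EXPECTED_NET = ipaddress.IPv4Network("192.168.10.0/24")
EXPECTED_GATEWAY = ipaddress.IPv4Address("192.168.10.254")


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _ips(raw: bytes) -> List[ipaddress.IPv4Address]:
    """Options 3 and 6 carry one or more 4-byte addresses."""
    return [ipaddress.IPv4Address(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)]


def build_offer(xid: int, client_mac: str, yiaddr: str, server_id: str,
                mask: str, router: str, dns: str) -> bytes:
    """Construct a minimal DHCPOFFER (RFC 2131 layout). Sample data only."""
    chaddr = bytes.fromhex(client_mac.replace("-", "").replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0x8000,          # op=BOOTREPLY, ethernet, broadcast flag
                         b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + _ip(server_id)
               + bytes([OPT_SUBNET_MASK, 4]) + _ip(mask)
               + bytes([OPT_ROUTER, 4]) + _ip(router)
               + bytes([OPT_DNS, 4]) + _ip(dns)
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> Dict:
    """Decode the fixed header and the option TLVs of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    yiaddr = ipaddress.IPv4Address(packet[16:20])
    chaddr = packet[28:28 + hlen]
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value    # RFC 3396 long-option splitting not handled here
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr,
            "client_mac": chaddr.hex("-"), "options": options}


def check_offer(parsed: Dict) -> List[str]:
    """Reasons an offer looks rogue; an empty list means it matches site config."""
    opts = parsed["options"]
    if parsed["op"] != 2 or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return ["not a DHCPOFFER"]
    problems = []
    sid = opts.get(OPT_SERVER_ID, b"")
    if len(sid) != 4:
        problems.append("missing server identifier (option 54)")
    elif ipaddress.IPv4Address(sid) not in TRUSTED_SERVERS:
        problems.append(f"untrusted server identifier {ipaddress.IPv4Address(sid)}")
    if parsed["yiaddr"] not in EXPECTED_NET:
        problems.append(f"offered address {parsed['yiaddr']} outside {EXPECTED_NET}")
    routers = _ips(opts.get(OPT_ROUTER, b""))
    if routers and EXPECTED_GATEWAY not in routers:
        problems.append(f"gateway {routers[0]} is not {EXPECTED_GATEWAY}")
    bad_dns = [d for d in _ips(opts.get(OPT_DNS, b"")) if d not in TRUSTED_DNS]
    if bad_dns:
        problems.append(f"untrusted DNS server(s) {bad_dns}")
    return problems


def rogue_servers(packets: List[bytes]) -> Set[str]:
    """Server identifiers of every offer that failed the checks."""
    found = set()
    for pkt in packets:
        parsed = parse_dhcp(pkt)
        if check_offer(parsed):
            sid = parsed["options"].get(OPT_SERVER_ID, b"")
            found.add(str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown")
    return found


# Constructed offers: one from the real server, one matching the rogue
# behaviour described in the question (x.x.30.x with 30.1 as gateway and DNS).
LEGIT_OFFER = build_offer(0x1234, "00-50-56-00-1a-2b", "192.168.10.101",
                          "192.168.10.14", "255.255.255.0", "192.168.10.254", "192.168.10.14")
ROGUE_OFFER = build_offer(0x1234, "00-50-56-00-1a-2b", "192.168.30.20",
                          "192.168.30.1", "255.255.255.0", "192.168.30.1", "192.168.30.1")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(parse_dhcp(pkt)) or "ok")
    print("rogue server identifiers:", rogue_servers([LEGIT_OFFER, ROGUE_OFFER]))
```

Two practical notes. A client normally takes the first DHCPOFFER it receives, so a rogue responder that is simply faster than the real server wins a share of the clients, which is why the symptom in the thread was "half the PCs" rather than all of them. And this is a detection aid, not a control: the offer has already reached the client by the time you see it. The switch-side DHCP snooping the answer recommends drops untrusted offers before that happens.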