Blocking rogue DHCP in network

4

3

I'm living in a dorm that has a large network and lots of people connecting their routers to get wifi (they are technically not allowed to do that but no one will check the rooms for connected routers). These routers also assign a wrong IP to my machine which does not provide me with internet access. We're not allowed to use static IPs in the network. Only assigned IPs from the main gateway.

Is there any way for me under Windows 7 to only accept IPs from a defined MAC / not accept any IP from defined MACs / or to simply not accept any IP of the form 192.168.x.x?

tonydo

Posted 2015-05-06T20:49:41.523

Reputation: 165

Is there a reason why you want to protect yourself from DHCP? – schroeder – 2015-05-06T21:12:10.387

Are you trying to defend yourself from a malicious attack or are you trying to prevent issues from configuration mistakes made by other users on the network? – None – 2015-05-07T03:35:12.243

I think you mean: you want to do something so that other people in that network cannot ping you, or see you, or maybe if they send any packet to you, your Windows drops it, to prevent malicious activities, yes? – None – 2015-05-07T03:45:04.123

No, I want to keep DHCP turned on, but I need to select the router I will connect to – tonydo – 2015-05-07T17:41:23.707

DHCP is a layer 2 protocol, so if you are in the same network, why should you need another DHCP server (your own) if you have another providing? I think you have some issues in your network, like multiple NAT in the same network and too many routers when they should be configured like switches (no WAN, no NAT, no DHCP). – Francisco Tapia – 2015-05-07T17:54:52.820

That's right. The routers I'm talking about are misconfigured. Unfortunately I don't have physical access to them, so I'm looking for a way to block them. – tonydo – 2015-05-07T17:56:53.787

Answers

4

If you have multiple DHCP advertisers on the same network that really is an administrator task, but here's a potential direction without that support.

MAC filtering in Windows 7 is a service provided to third-party vendors via the Windows Filtering Platform (marketing link, technology link). Though I was able to confirm Windows 7 probably supports filtering by MAC, it's remarkably difficult to find anything more advanced that doesn't quickly become coding.

The solution by MAC (other than abandoning DHCP) seems to be in downloading any of the common third-party HIPS products that provide their own firewalls (which will then leverage the WFP to do what you want).

Blocking by subnet mask doesn't work because host configuration broadcast occurs over ARP to the broadcast MAC address. Responding systems direct replies back to your MAC address, and the first one your system receives will result in autoconfiguration. By the time you have an IP address sufficient to block a subnet, it's too late.¹

¹ To create a subnet scope for another reason, which is only effective once you have your proper configuration: screenshot in this thread. In that post they're creating an Inbound Rule, selecting the Scope tab, entering a subnet/mask and configuring access.

ǝɲǝɲbρɯͽ

Posted 2015-05-06T20:49:41.523

Reputation: 288

I think this might be the answer. Basically you need a firewall which can filter by MAC address. – domen – 2015-05-07T12:32:41.057

0

@tonydo if I understand correctly, some student has set up a new WiFi router in their room, unplugged the cable from the PC and plugged it into the student's WiFi router's local LAN port, so now the DHCP server in the router is listening on the dorm's network. A tech-aware student would turn off DHCP in their router, but obviously this is not happening, so maybe give every person on your floor a warning notice to make sure they set up correctly with DHCP off. An anonymous note if necessary. If the dorm had smart switches, IT could filter all layer 2 DHCP packets (?) they see from any student routers, but that would encourage student routers, so it is unlikely that will happen.

Assuming it must be on the LAN port of a rogue student router, it would allocate the wrong gateway address, subnet and DNS server values. Is that what you observed? If so, test what value you are assigned every time; when you detect it is not the expected value, do an ipconfig /release * and ipconfig /renew until you get the right gateway. A batch script should do it - it may fix 80% of bad address cases, assuming your dorm network is using atypical values.

Scott R

Posted 2015-05-06T20:49:41.523

Reputation: 115
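The release/renew loop Scott R describes, written out as an added PowerShell example (not code from the thread or from any answerer). It reads the DHCP server and default gateway the adapter currently holds, which are the same values `ipconfig /all` prints, and if either is not the expected one it logs what was handed out, releases the lease and renews it, up to a retry limit. `$ExpectedGateway` and `$ExpectedDhcp` are placeholders you must fill in from a known-good `ipconfig /all`; the log path and the retry counts are likewise my own choices. It uses `Get-WmiObject` so that it runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example: re-roll the DHCP race on Windows 7 until the legitimate server wins.
# Not code from the thread; the expected values below are placeholders.

# --- Settings (placeholders, replace with the dorm network's real values) ---
$ExpectedGateway = '10.0.0.1'     # assumed: the legitimate default gateway
$ExpectedDhcp    = '10.0.0.1'     # assumed: the legitimate DHCP server
$MaxAttempts     = 10             # give up after this many release/renew cycles
$WaitSeconds     = 5              # pause between cycles so the renew can complete
$LogPath         = "$env:USERPROFILE\rogue-dhcp.log"   # assumed log location

function Get-DhcpLeaseInfo {
    # One record per DHCP-enabled adapter that currently has an address.
    Get-WmiObject Win32_NetworkAdapterConfiguration `
        -Filter "IPEnabled=True AND DHCPEnabled=True" |
    ForEach-Object {
        New-Object PSObject -Property @{
            Adapter    = $_.Description
            IPAddress  = ($_.IPAddress        | Select-Object -First 1)
            Gateway    = ($_.DefaultIPGateway | Select-Object -First 1)
            DhcpServer = $_.DHCPServer
        }
    }
}

function Test-LeaseIsLegitimate {
    param($Lease)
    # Accept the lease only if BOTH the gateway and the server that issued it match.
    # A rogue router typically gets the gateway wrong, but checking the server too
    # catches a rogue that happens to hand out the right gateway address.
    return ($Lease.Gateway -eq $ExpectedGateway) -and ($Lease.DhcpServer -eq $ExpectedDhcp)
}

for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    $bad = @(Get-DhcpLeaseInfo | Where-Object { -not (Test-LeaseIsLegitimate $_) })
    if ($bad.Count -eq 0) {
        Write-Host "Lease OK on attempt $attempt (gateway $ExpectedGateway)."
        break
    }
    foreach ($lease in $bad) {
        # Record what the rogue server handed out: this is the concrete evidence
        # (server address, bogus gateway, time) to put in the ticket to IT.
        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $line  = "$stamp rogue lease on '$($lease.Adapter)': ip=$($lease.IPAddress) gw=$($lease.Gateway) dhcp=$($lease.DhcpServer)"
        Write-Warning $line
        Add-Content -Path $LogPath -Value $line
    }
    # Drop the bad lease and ask again. DHCP has no way to prefer one server;
    # whichever answers the broadcast first wins, so this only re-runs the race.
    ipconfig /release | Out-Null
    ipconfig /renew   | Out-Null
    Start-Sleep -Seconds $WaitSeconds
}
```

Run it from an elevated PowerShell prompt, since `ipconfig /release` and `/renew` need administrator rights. As the answer says, this cannot make the legitimate server win; it only retries until it does, so the retry limit keeps a persistently faster rogue from leaving the machine cycling forever, and the log file gives IT the rogue's address and the times it was seen.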

0

Ideally the network admins would track down and turn off rogue routers with a hammer, but I get their situation. Unfortunately there is no way to tell a client which DHCP server to use. The DHCP protocol will simply respond to the first DHCP server that responds. If it was my network I'd identify the rogue DHCP server IP, then identify which port their drop is on using the arp tables in the switch, and disable them.

What can you do?

You can identify the IP of your bad DHCP server with 'ipconfig /all' from the command line. Once you have the IP of the rogue DHCP server, block all traffic to/from that address using your firewall software. Given that the rogue DHCP server could also be receiving a DHCP address, its own address may change at some point, which means you'll have to redo this operation whenever your internet breaks.

Submit a ticket with IT. Good luck.

Alex Atkinson

Posted 2015-05-06T20:49:41.523

Reputation: 2 845

-1

Unless you are the network admin or you have control of DHCP, no. The best way to address this would be to set a static IP Address and Default Gateway.

Matt Lubbers

Posted 2015-05-06T20:49:41.523

Reputation: 1

In other words, don't use DHCP. The potential problem is if you use an IP that the DHCP assigns to another machine. Otherwise, it is the way, as a client, to defend against a DHCP. – schroeder – 2015-05-06T21:11:54.050

Right, we're not allowed to use static IPs. I need to block misconfigured routers which try to assign an IP to me, but keep DHCP turned on in order to get an IP from the right gateway. – tonydo – 2015-05-07T17:45:00.393

-1

So I think there may be some confusion. First, yes you can disable DHCP in Windows. Control Panel - Network Settings - Change adapter settings - right click on your NIC and select Properties - select IPv4 - uncheck the DHCP box and enter your chosen IP address, subnet mask, and gateway. I recommend you open a command prompt and run ipconfig and copy your current gateway, IP address, and subnet mask.

Now the other part. You don't "protect yourself from DHCP". I'm not sure what you're trying to accomplish. DHCP prevents users from being assigned the same IP address, which is what you seem to be worried about. Assigning yourself a static IP could cause the conflict you're worried about and prevent you from being able to connect.

Now if you're trying to ensure that you connect to your own WiFi router and no one else does, these settings will be on your router. Look for a white/black list or MAC filtering. If you're trying to make sure that you don't connect to random open WiFi routers there's a setting for that in Windows as well.

Alex

Posted 2015-05-06T20:49:41.523

Reputation: 21

I don't think that the OP has access to the router settings. – schroeder – 2015-05-07T02:50:31.983

On Linux you can edit /etc/dhcp/dhclient.conf and add reject x.x.x.0/24 to block a rogue DHCP server. OP wants to know if this is possible on Windows. – OIS – 2019-03-19T14:20:28.130

-1

I gather you are accepting an IP from a DHCP server? It should be your gateway. It sounds like you want to only connect to your dorm network and not any of the "subnets" the other (presumably NAT) routers are creating.

Are they using the same SSIDs and keys? Or are they trying to spoof the dorm network? They can forge the MAC address too.

So you want a way of validating the identity of your network before accepting an IP? Talk to your admin to confirm there is only one DHCP server and how to guarantee you have connected to their network.

mckenzm

Posted 2015-05-06T20:49:41.523

Reputation: 829

I guess people are not trying to block the network on purpose, just misconfigured private routers which assign an IP to my machine. – tonydo – 2015-05-07T17:46:59.450

OK, so rogue DHCP servers on the same subnet: your DHCP client blasts a request to all stations/nodes and race conditions determine the DHCP server. That may even suggest they are running bridges rather than routers, or even deliberately running DHCP servers. They need to be rooted out then. Normally if running multiple DHCP servers and not for failover purposes, they will divide up the address ranges for the "clients" they expect. The MAC address filtering will be their problem. – mckenzm – 2015-05-08T00:04:54.730