ROUGUE: DHCP service drops network.
-
@Hubtech said:
@g.jacobse said:
This morning fun-escaped was half the network was down for some reason. Won't recount most of it, but it boils down to an Linksys WRX54 device was sending out DHCP in the 192.168 arena. Our network is configured to 10.0, so the change in IP was throwing people into oblivian when trying to get to servers or the internet. Others were 'ok' for most things.
Searched around the office for the offending device (person) but wasn't able to locate it. I had a PC that was pulling DHCP from it which is how I knew what type of device it was. Using a browser I attempted to log in... but failed.
It took about 20 minutes of cycling USERID and passwords to come upon the default USERID (blank) and password. I was in and could take it down.
I don't know where it is,.. but I've turned off DHCP, the wireless and changed the Admin Password. There were no listed DHCP leases.
It's been a fun morning.
Question: Is there some way to prevent this from occurring?
dont use dhcp.
DHCP is standard in an environment. No real good way to avoid using it unless you want to manage static IPs for every device and workstation. That's way more hassle than it's worth.
It's likely someone plugged in the device thinking it was a switch, or to bypass the company wifi, or to just get a wifi signal for their phone where they can't normally get one.
-
I know there are options that you can, in firewalls, create a list of approved devices, and create a deny all for anything else. If something gets plugged into your network, it gets shut down immediately basically, assuming it's not on the approved list. Otherwise, rogue DHCP is just one fun thing IT gets to deal with as I can't think of any real good ways to prevent it outside of company policy. If you find a way, let us know.
-
@ajstringham DHCP by default isn't going through the firewall (without a IP Helper/Forwarder) It's broadcast traffic on the local subnet.
-
@thecreativeone91 said:
@ajstringham DHCP by default isn't going through the firewall (without a IP Helper/Forwarder) It's broadcast traffic on the local subnet.
True but a lot of devices that I've seen allow you to create allow/deny lists for DHCP. Even if it's manually, it's the only option I can think of.
-
You should be able to find this rogue device if you have managed switch (or just slightly smart ones with an interface). Look for what port has the MAC of the Linksys on it.
-
If you want a Paid option look at OpUtils for rouge device detection and Inventory of your network from your Managed switches.
http://www.manageengine.com/products/oputils/features.html -
You could fix this with network level authentication - but I'm sure it's not worth the expense, or issues.
-
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
-
@Dashrender said:
You could fix this with network level authentication - but I'm sure it's not worth the expense, or issues.
I was thinking that RADIUS was an option. Or do I have that wrong?
-
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie together.. but not normally for general networks.
-
@ajstringham said:
@Hubtech said:
@g.jacobse said:
This morning fun-escaped was half the network was down for some reason. Won't recount most of it, but it boils down to an Linksys WRX54 device was sending out DHCP in the 192.168 arena. Our network is configured to 10.0, so the change in IP was throwing people into oblivian when trying to get to servers or the internet. Others were 'ok' for most things.
Searched around the office for the offending device (person) but wasn't able to locate it. I had a PC that was pulling DHCP from it which is how I knew what type of device it was. Using a browser I attempted to log in... but failed.
It took about 20 minutes of cycling USERID and passwords to come upon the default USERID (blank) and password. I was in and could take it down.
I don't know where it is,.. but I've turned off DHCP, the wireless and changed the Admin Password. There were no listed DHCP leases.
It's been a fun morning.
Question: Is there some way to prevent this from occurring?
dont use dhcp.
DHCP is standard in an environment. No real good way to avoid using it unless you want to manage static IPs for every device and workstation. That's way more hassle than it's worth.
** It's likely someone plugged in the device** thinking it was a switch, or to bypass the company wifi, or to just get a wifi signal for their phone where they can't normally get one.
Oops - I may have left that out. That is what I suspect - I havea EdgeMAX lite running DHCP currently. This just popped up out of no where..
-
@g.jacobse said:
@ajstringham said:
** It's likely someone plugged in the device** thinking it was a switch, or to bypass the company wifi, or to just get a wifi signal for their phone where they can't normally get one.
Oops - I may have left that out. That is what I suspect - I havea EdgeMAX lite running DHCP currently. This just popped up out of no where..
yeah most of us have had this happen to us at one point or another.
-
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
-
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
smells like rogue wifi to me!
-
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
Since it looks like I"ll be here half the weekend, I may do this. of course that is if I can reach it... I'm about to dig out a unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. that would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for.. If I can find my kindle, it may help being a poor mans triangulation... -
@Dashrender said:
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie together.. but not normally for general networks.
Are you referring to 802.1x authentication?
-
@thecreativeone91 said:
@Dashrender said:
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie together.. but not normally for general networks.
Are you referring to 802.1x authentication?
Uh.. maybe, I never dug into the protocol.
-
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
Since it looks like I"ll be here half the weekend, I may do this. of course that is if I can reach it... I'm about to dig out a unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. that would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for.. If I can find my kindle, it may help being a poor mans triangulation...Ping the IP of the Linksys, then type arp -a | findstr IPADDRESS
this will tell you the MAC of the device. Then go to your switch(es) and look through their MAC tables to find what port that MAC is on. Then look at your building map for that port location, done. -
@Dashrender said:
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
Since it looks like I"ll be here half the weekend, I may do this. of course that is if I can reach it... I'm about to dig out a unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. that would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for.. If I can find my kindle, it may help being a poor mans triangulation...Ping the IP of the Linksys, then type arp -a | findstr IPADDRESS
this will tell you the MAC of the device. Then go to your switch(es) and look through their MAC tables to find what port that MAC is on. Then look at your building map for that port location, done.If I wasn't still someone miffed and other choice words I won't use I'd laugh...
Uhm... I don't have one. It would really be nice to have one,.. but with all the spot fires and 'crash' calls... I don't get time to address things like that.... Some day maybe... if I survive that long.
-
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. whoever configured the switches didn't leave their login info so i wasn't able to use the management. ended up super sleuthing and found it by using a "sniffer" that basically just polled the stregnth of the AP. old school
I would do this. turn the wifi back on and sniff the signal.
Since it looks like I"ll be here half the weekend, I may do this. of course that is if I can reach it... I'm about to dig out a unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. that would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for.. If I can find my kindle, it may help being a poor mans triangulation...naw man. you can get close by using a laptop and a yagi or just your laptop.