Helping people with computers... one answer at a time.
DHCP is a fundamental technology to assign IP addresses to computers connected to a network. There are scenarios where DHCP might be spoofed.
In a recent article you said that using DHCP, IP addresses are assigned by broadcasting a request to the network and having the DHCP server responsible respond.
Apparently, my computer occasionally receives a wrong IP address because another device on my network is the first one to provide a response to a DHCP request. Instead of the 10.x.x.x address I normally get from my ISP, I get a 192.168.x.x address. That means that there's probably a misconfigured device somewhere on the network. Is there any way to protect me from those unauthorized attempts?
Is there a danger involved in auto assigning an IP address via DHCP? How do I know the issuing device is trustworthy at all, if ANY device on the network can actually do this?
And how come DHCP negotiations are so easy?
The last question is perhaps the easiest to answer: because TCP/IP wasn't really designed to do and be everything we currently rely on it to do. In particular, it wasn't really designed to protect us from malicious folk.
But it is what it is, and what it is is the backbone of our internet infrastructure.
Let's review the situation and see what, if anything, you can do to protect yourself.
To review: when your computer connects to the internet it needs to have an IP address assigned to it, so that it can be located on the network.
IP addresses can be assigned manually, typically by your ISP, and then configured manually, typically by you or your network administrator. These are called "static" IP addresses because they don't change.
The more common approach among ISPs and consumer internet connections is to use what's called "Dynamic" IP address assignment. If your machine is configured to use dynamic IPs when it connects to the internet, it sends out a request to the local network, a broadcast to anyone who'll listen, asking for an IP address to be assigned to it. Somewhere on that local network should be a DHCP server, who's job it is to respond and tell your machine "this is your IP address". In home networks your router is most often your DHCP server.
The question boils down to this: what if there are two or more DHCP servers on a network, and they all try to respond to your machine's request for an IP?
To be clear, it shouldn't happen. There should be only one DHCP server responding. If there are more then, to quote many computer manuals: "results are unpredictable".
But at least one thing is relatively clear: the first DHCP server to respond is the one that your computer will assume is the authoritative one.
The real concern is if someone did this intentionally, in order to capture and sniff your internet traffic. In order to do so, they would actually have to provide internet access, or you'd notice right away that nothing was working. Also, even if they did provide internet access, any attempts to communicate to other machines on the same network would likely also fail, assuming that they got their IP address from the "correct" DCHP server.
To be honest, this is a difficult situation to detect and proactively protect against. We have to place a certain amount of trust in the ISP that they will detect and remove any rogue DHCP servers on their network, since more often than not, they actually cause noticeable disruptive problems. Similarly, when connecting to another network, we have to kind of assume that the network administrators are also doing the right things.
The good news is that this is a relatively difficult spoof to pull off without being noticed somehow.
In your case it may not be malicious at all. It could simply be some other customer connecting their router incorrectly - connecting the WAN/internet cable to a LAN/local network port. But I'd expect that to result in their network not functioning properly, and thus I'd expect them to fix it relatively quickly.
Since you did notice, and can identify exactly what IP address you're being assigned, and likely by whom (the "gateway" address also assigned), you have a little more to work with. In your shoes, I'd be looking at installing a firewall - hardware or software - and explicitly blocking the 192.168.x.x range at the interface. Presumably, this will cause your machine to ignore responses from the rogue DHCP server.
And, of course, you could arrange with your ISP to get a static IP address, thereby bypassing the entire DHCP assignment process.
I'd be interested to know if readers have better approaches to this issue.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.