
DHCP is the fundamental technology used to assign IP addresses to computers connected to a network. There are scenarios where DHCP responses might be spoofed.

In a recent article you said that using DHCP, IP addresses are assigned by broadcasting a request to the network and having the DHCP server responsible respond.

Apparently, my computer occasionally receives a wrong IP address because another device on my network is the first one to provide a response to a DHCP request. Instead of the 10.x.x.x address I normally get from my ISP, I get a 192.168.x.x address. That means that there's probably a misconfigured device somewhere on the network. Is there any way to protect me from those unauthorized attempts?

Is there a danger involved in auto assigning an IP address via DHCP? How do I know the issuing device is trustworthy at all, if ANY device on the network can actually do this?

And how come DHCP negotiations are so easy?

The last question is perhaps the easiest to answer: because TCP/IP wasn't really designed to do and be everything we currently rely on it to do. In particular, it wasn't really designed to protect us from malicious folk. DHCP has no authentication at all: your machine has no way to check who answered its request, only that someone did.

But it is what it is, and what it is is the backbone of our internet infrastructure.

Let's review the situation and see what, if anything, you can do to protect yourself.

To review: when your computer connects to the internet it needs to have an IP address assigned to it, so that it can be located on the network.

IP addresses can be assigned manually, typically by your ISP, and then configured manually, typically by you or your network administrator. These are called "static" IP addresses because they don't change.

The more common approach among ISPs and consumer internet connections is to use what's called "dynamic" IP address assignment. If your machine is configured to use dynamic IPs, then when it connects to the network it sends out a request to the local network, a broadcast to anyone who'll listen, asking for an IP address to be assigned to it. Somewhere on that local network there should be a DHCP server, whose job it is to respond and tell your machine "this is your IP address" (along with the subnet mask, gateway and DNS servers to use). In home networks your router is most often your DHCP server.


The question boils down to this: what if there are two or more DHCP servers on a network, and they all try to respond to your machine's request for an IP?

To be clear, it shouldn't happen. There should be only one DHCP server responding. If there are more, then, to quote many computer manuals, "results are unpredictable".

But at least one thing is relatively clear: the first DHCP server to respond is the one that your computer will assume is the authoritative one.

The real concern is if someone did this intentionally, in order to capture and sniff your internet traffic: a rogue DHCP server that names itself as your gateway (or as your DNS server) gets to see everything you send. In order to do so, they would actually have to provide internet access, or you'd notice right away that nothing was working. Also, even if they did provide internet access, any attempts to communicate with other machines on the same network would likely fail, assuming those machines got their addresses from the "correct" DHCP server.

To be honest, this is a difficult situation to detect and proactively protect against. We have to place a certain amount of trust in the ISP that they will detect and remove any rogue DHCP servers on their network, since more often than not, they actually cause noticeable disruptive problems. Similarly, when connecting to another network, we have to kind of assume that the network administrators are also doing the right things.

The good news is that this is a relatively difficult spoof to pull off without being noticed somehow.

In your case it may not be malicious at all. It could simply be some other customer connecting their router incorrectly - connecting the WAN/internet cable to a LAN/local network port. But I'd expect that to result in their network not functioning properly, and thus I'd expect them to fix it relatively quickly.

Since you did notice, and can identify exactly what IP address you're being assigned, and likely by whom (the "gateway" address also assigned, and the "DHCP Server" line that ipconfig /all reports), you have a little more to work with. In your shoes, I'd be looking at installing a firewall - hardware or software - and explicitly blocking the 192.168.x.x range at the interface. Whether that actually makes your machine ignore the rogue server's offers depends on whether the firewall filters traffic before the DHCP client sees it, so check the DHCP Server and gateway after each new lease to confirm which server answered.
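To make the two points above concrete (the client takes the first OFFER it hears, and the practical check is to look at which server and gateway a lease came from), here is an added example that is not part of the original article. It builds two DHCPOFFER packets in the RFC 2131 wire layout, one from a constructed ISP server at 10.0.0.1 and one from a constructed stray router at 192.168.1.1 that answers first, parses them the way a client would, and compares a stock first-offer-wins client with a cautious one that audits the server identifier, offered address and gateway against the expected range before accepting. The addresses, transaction ID and MAC are all made up for the example, and the cautious policy illustrates the check; it is not something a standard client does on its own.

```python
import ipaddress
import struct

# RFC 2131 / RFC 2132 constants used below.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCPOFFER = 2
OPT_SUBNET_MASK, OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 53, 54, 255


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, client_mac, yiaddr, server_ip, router, mask):
    """Build a minimal DHCPOFFER on the wire (constructed sample, not captured traffic)."""
    # Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, _ip(yiaddr), _ip(server_ip), b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
        + bytes([OPT_SERVER_ID, 4]) + _ip(server_ip)
        + bytes([OPT_SUBNET_MASK, 4]) + _ip(mask)
        + bytes([OPT_ROUTER, 4]) + _ip(router)
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_offer(packet):
    """Extract the fields a client acts on from a DHCPOFFER; reject anything else."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if packet[0] != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    xid = struct.unpack("!I", packet[4:8])[0]
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    return {
        "xid": xid,
        "yiaddr": ipaddress.IPv4Address(packet[16:20]),
        "server_id": ipaddress.IPv4Address(opts[OPT_SERVER_ID]),
        "mask": ipaddress.IPv4Address(opts[OPT_SUBNET_MASK]),
        "router": ipaddress.IPv4Address(opts[OPT_ROUTER]),
    }


def stock_client(xid, offers):
    """What an ordinary client does: the first OFFER matching its DISCOVER's xid wins."""
    return next((o for o in offers if o["xid"] == xid), None)


def audit_offer(offer, expected_servers, expected_net):
    """Reasons an OFFER looks rogue; an empty list means it passes."""
    problems = []
    if offer["server_id"] not in expected_servers:
        problems.append(f"unexpected DHCP server {offer['server_id']}")
    if offer["yiaddr"] not in expected_net:
        problems.append(f"offered address {offer['yiaddr']} outside {expected_net}")
    if offer["router"] not in expected_net:
        problems.append(f"gateway {offer['router']} outside {expected_net}")
    return problems


def cautious_client(xid, offers, expected_servers, expected_net):
    """Same selection, but skip any OFFER that fails the audit (illustrative policy)."""
    return next((o for o in offers
                 if o["xid"] == xid and not audit_offer(o, expected_servers, expected_net)),
                None)


# Constructed scenario matching the question: the ISP hands out 10.x addresses,
# and a stray home router on the same segment answers first with 192.168.x.
XID = 0x3903F326
MAC = bytes.fromhex("001122334455")
ISP_NET = ipaddress.ip_network("10.0.0.0/8")
ISP_SERVERS = {ipaddress.IPv4Address("10.0.0.1")}
OFFERS_ON_WIRE = [
    build_offer(XID, MAC, "192.168.1.100", "192.168.1.1", "192.168.1.1", "255.255.255.0"),
    build_offer(XID, MAC, "10.0.12.34", "10.0.0.1", "10.0.0.1", "255.255.0.0"),
]


def demo():
    offers = [parse_offer(p) for p in OFFERS_ON_WIRE]
    naive = stock_client(XID, offers)
    return {
        "naive": naive,
        "naive_problems": audit_offer(naive, ISP_SERVERS, ISP_NET),
        "cautious": cautious_client(XID, offers, ISP_SERVERS, ISP_NET),
    }


if __name__ == "__main__":
    r = demo()
    print("stock client took", r["naive"]["yiaddr"], "from", r["naive"]["server_id"], r["naive_problems"])
    print("cautious client took", r["cautious"]["yiaddr"], "from", r["cautious"]["server_id"])
```

Running it shows the stock policy accepting the 192.168.1.100 lease from the stray router with three audit findings, while the cautious policy waits for the 10.0.12.34 offer from 10.0.0.1. The same audit applied to the DHCP Server and Default Gateway fields that ipconfig /all reports (or to offers in a packet capture) is what tells you whether a 192.168 lease came from your ISP's server or from someone else's router.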

And, of course, you could arrange with your ISP to get a static IP address, thereby bypassing the entire DHCP assignment process.

I'd be interested to know if readers have better approaches to this issue.

Article C3428 - June 28, 2008

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


7 Comments
Greg Bulmash
June 29, 2008 2:37 AM

The reader may not have anything unconventional happening at all. Let's say they're connecting via a home router. If they check their IP via their network status on their machine, it will be 192.168.xxx.xxx, which is normal for home routers. It's actually one of the firewall methods you recommend most... NAT.

If they check their IP address online, via a website reporting their IP address back to them, it's going to be 10.xxx.xxx.xxx, because only their PC and the router see the 192.168.xxx.xxx address. The rest of the world sees the 10.xxx.xxx.xxx coming from the router.

It would be good to know how they're connecting to their ISP and whether it's hardwired or wireless. You could probably get some good clues right there.

Leo
June 29, 2008 4:50 PM

My assumption (admittedly an assumption) is that he's connecting directly to the internet connection provided, OR he's reporting the IP address assigned to his router. The KEY clue is that he *sometimes* gets what he expects (10.) and other times not (192.). Regardless of what interface he's looking at or how, the issue seems to be a rogue DHCP server.

Regardless, the questions asked are still valid - rogue DHCP servers can cause ... issues. :-)

Leo

Octav
July 1, 2008 10:20 AM

Let's be on the same page here: "a website reporting their IP address back to them" is unlikely to report a 10.0.0.0/8 address since, per [RFC 1918], this range, together with 172.16.0.0/12 and 192.168.0.0/16, are reserved for LAN use only, which means no router will forward this source IP over the Internet (though the address will be reported if the website in question is in the same LAN as the user, of course).

Similarly, and for completeness, per [RFC 3330], 127.0.0.0/8 is "assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]."

Bud
July 1, 2008 2:31 PM

PC World had a very good article in their July 2006 magazine giving instructions for tracing addresses. They reference Microsoft's documentation page on their site at: "find.pcworld.com/52612".

Robert
July 2, 2008 2:39 PM

Leo:
Since he got a 192.168.x.x address back which is a private address, it probably means he had a DHCP failure and so Windows defaulted to giving the machine the 192.168 address. If you go into the Internet Protocol (TCP/IP) Properties page and look at Alternate Configuration, you will probably see it set to Automatic Private IP Address.

So what probably happened is the machine requested a DHCP assigned IP address, got no response and assigned the private IP address.

There is probably no rogue device on the network.

Leo
July 3, 2008 1:41 PM

I don't think so. Windows assigns a 169.x.x.x when DHCP fails.

Leo

Ziggie
July 3, 2008 7:20 PM

I don't have a way of posting a screen shot, but if you go into your TCP/IP settings (in Vista, you have to select Version 4), you have the General tab which allows you to set your static IP address. There is also a tab named "Alternate Configuration". If Windows cannot get a DHCP address, this is what it will use. You can choose 'Automatic private IP address' or specify your own.

I ran into this once at a convention that was not using DHCP. It took forever to track down when they kept getting AN IP address, but not the right one.

--ziggs
