Summary: DHCP is a fundamental technology to assign IP addresses to computers connected to a network. There are scenarios where DHCP might be spoofed.
In a recent article you said that using DHCP, IP addresses are assigned by broadcasting a request to the network and having the DHCP server responsible respond.
Apparently, my computer occasionally receives a wrong IP address because another device on my network is the first one to provide a response to a DHCP request. Instead of the 10.x.x.x address I normally get from my ISP, I get a 192.168.x.x address. That means that there's probably a misconfigured device somewhere on the network. Is there any way to protect me from those unauthorized attempts?
Is there a danger involved in auto assigning an IP address via DHCP? How do I know the issuing device is trustworthy at all, if ANY device on the network can actually do this?
And how come DHCP negotiations are so easy?
The last question is perhaps the easiest to answer: because TCP/IP wasn't really designed to do and be everything we currently rely on it to do. In particular, it wasn't really designed to protect us from malicious folk.
But it is what it is, and what it is is the backbone of our internet infrastructure.
Let's review the situation and see what, if anything, you can do to protect yourself.
To review: when your computer connects to the internet it needs to have an IP address assigned to it, so that it can be located on the network.
IP addresses can be assigned manually, typically by your ISP, and then configured manually, typically by you or your network administrator. These are called "static" IP addresses because they don't change.
The more common approach among ISPs and consumer internet connections is to use what's called "dynamic" IP address assignment. If your machine is configured to use dynamic IPs, then when it connects to the internet it sends out a request to the local network, a broadcast to anyone who'll listen, asking for an IP address to be assigned to it. Somewhere on that local network should be a DHCP server, whose job it is to respond and tell your machine "this is your IP address". In home networks your router is most often your DHCP server.
The question boils down to this: what if there are two or more DHCP servers on a network, and they all try to respond to your machine's request for an IP?
To be clear, it shouldn't happen. There should be only one DHCP server responding. If there are more then, to quote many computer manuals: "results are unpredictable".
But at least one thing is relatively clear: the first DHCP server to respond is the one that your computer will assume is the authoritative one.
The real concern is if someone did this intentionally, in order to capture and sniff your internet traffic. In order to do so, they would actually have to provide internet access, or you'd notice right away that nothing was working. Also, even if they did provide internet access, any attempts to communicate with other machines on the same network would likely also fail, assuming those machines got their IP addresses from the "correct" DHCP server.
To be honest, this is a difficult situation to detect and proactively protect against. We have to place a certain amount of trust in the ISP that they will detect and remove any rogue DHCP servers on their network, since more often than not, they actually cause noticeable disruptive problems. Similarly, when connecting to another network, we have to kind of assume that the network administrators are also doing the right things.
The good news is that this is a relatively difficult spoof to pull off without being noticed somehow.
In your case it may not be malicious at all. It could simply be some other customer connecting their router incorrectly - connecting the WAN/internet cable to a LAN/local network port. But I'd expect that to result in their network not functioning properly, and thus I'd expect them to fix it relatively quickly.
Since you did notice, and can identify exactly what IP address you're being assigned, and likely by whom (the "gateway" address also assigned), you have a little more to work with. In your shoes, I'd be looking at installing a firewall - hardware or software - and explicitly blocking the 192.168.x.x range at the interface. Presumably, this will cause your machine to ignore responses from the rogue DHCP server.
And, of course, you could arrange with your ISP to get a static IP address, thereby bypassing the entire DHCP assignment process.
I'd be interested to know if readers have better approaches to this issue.
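One way to check for the rogue offers described above in code, as an added example that is not part of the article: it parses a DHCPOFFER (the RFC 2131 BOOTP header plus the option TLVs that follow the magic cookie) and flags any offer whose server identifier, offered address or default gateway falls outside the network the ISP is expected to use. The 10.0.0.0/8 policy, the trusted server 10.0.0.1 and the packets produced by build_offer are constructed for this example.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2131 cookie that starts the options field
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 3, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2
# Constructed policy for this example: the ISP hands out 10.x.x.x from one known server.
LEGIT_NET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_SERVERS = {ipaddress.ip_address("10.0.0.1")}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option TLVs that follow it."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:          # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": ipaddress.IPv4Address(payload[16:20]), "options": opts}

def classify_offer(payload: bytes, legit_net=LEGIT_NET, trusted=TRUSTED_SERVERS):
    """Return None for non-offers, else a list of reasons the offer looks rogue ([] = clean)."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if msg["op"] != BOOTREPLY or opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    reasons = []
    server = ipaddress.IPv4Address(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server not in trusted:
        reasons.append(f"server identifier {server} is not a trusted DHCP server")
    if msg["yiaddr"] not in legit_net:
        reasons.append(f"offered {msg['yiaddr']} is outside expected {legit_net}")
    if OPT_ROUTER in opts and ipaddress.IPv4Address(opts[OPT_ROUTER]) not in legit_net:
        reasons.append("offered default gateway is outside expected network")
    return reasons

def build_offer(yiaddr: str, server_id: str, router: str) -> bytes:
    """Constructed DHCPOFFER for testing; real ones arrive on UDP port 68."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = BOOTREPLY, 1, 6  # op, htype=Ethernet, hlen
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed + bytes([OPT_END])
    return bytes(hdr) + DHCP_MAGIC + opts
```

Feeding `classify_offer` the payload of each DHCP reply seen on the interface turns the "first responder wins" problem into a logged event: a 192.168.x.x offer from an unknown server produces three reasons, a legitimate 10.x.x.x offer produces an empty list.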
Article C3428 - June 28, 2008
The reader may not have anything unconventional happening at all. Let's say they're connecting via a home router. If they check their IP via their network status on their machine, it will be 192.168.xxx.xxx, which is normal for home routers. It's actually one of the firewall methods you recommend most... NAT.
If they check their IP address online, via a website reporting their IP address back to them, it's going to be 10.xxx.xxx.xxx, because only their PC and the router see the 192.168.xxx.xxx address. The rest of the world sees the 10.xxx.xxx.xxx coming from the router.
It would be good to know how they're connecting to their ISP and whether it's hardwired or wireless. You could probably get some good clues right there.
Posted by: Greg Bulmash at June 29, 2008 2:37 AM

My assumption (admittedly an assumption) is that he's connecting directly to the internet connection provided, OR he's reporting the IP address assigned to his router. The KEY clue is that he *sometimes* gets what he expects (10.) and other times not (192.). Regardless of what interface he's looking at or how, the issue seems to be a rogue DHCP server.
Regardless, the questions asked are still valid - rogue DHCP servers can cause ... issues. :-)
Leo
Posted by: Leo at June 29, 2008 4:50 PM
Let's be on the same page here: "a website reporting their IP address back to them" is unlikely to report a 10.0.0.0/8 address since, per [RFC 1918], this range, together with 172.16.0.0/12 and 192.168.0.0/16, are reserved for LAN use only, which means no router will forward this source IP over the Internet (though the address will be reported if the website in question is in the same LAN as the user, of course).
Similarly, and for completeness, per [RFC 3330], 127.0.0.0/8 is "assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5]."
Posted by: Octav at July 1, 2008 10:20 AM

PC World had a very good article in their July 2006 magazine giving instructions for tracing addresses. They reference Microsoft's documentation page on their site at: "find.pcworld.com/52612".
Posted by: Bud at July 1, 2008 2:31 PM

Leo:
Since he got a 192.168.x.x address back which is a private address, it probably means he had a DHCP failure and so Windows defaulted to giving the machine the 192.168 address. If you go into the Internet Protocol (TCP/IP) Properties page and look at Alternate Configuration, you will probably see it set to Automatic Private IP Address.
So what probably happened is the machine requested a DHCP assigned IP address, got no response and assigned the private IP address.
There is probably no rogue device on the network.
Posted by: Robert at July 2, 2008 2:39 PM

I don't think so. Windows assigns a 169.x.x.x when DHCP fails.
Leo
Posted by: Leo at July 3, 2008 1:41 PM
I don't have a way of posting a screen shot, but if you go into your TCP/IP settings (In Vista, you have to select Version 4), you have the general tab which allows you to set your static IP address. There is also a tab named "Alternate Configuration". If Windows cannot get a DHCP address, this is what it will use. You can choose 'Automatic private IP address' or specify your own.
I ran into this once at a convention that was not using DHCP. It took forever to track down when they kept getting AN IP address, but not the right one.
--ziggs
Posted by: Ziggie at July 3, 2008 7:20 PM