Rogue DHCP Server
What is Rogue DHCP Server?
Rogue DHCP ServerAn unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
A rogue DHCP server is any DHCP service that operates on a network without authorization. It can be malicious (a Raspberry Pi planted in a meeting room, a virtual machine on a compromised host, or a router brought from home) or simply a misconfigured device. Because clients accept the first DHCPOFFER they receive, the rogue server can dictate gateway, DNS, NTP, WPAD, and other options, enabling MITM, DNS hijacking, and credential capture. Rogue DHCP is often the second stage after DHCP starvation. Defenses: DHCP snooping defining a trusted port for the legitimate server, RA Guard for IPv6, network access control (802.1X) before any DHCP traffic, and continuous discovery scans for unexpected DHCP responders.
● Examples
- 01
A planted Raspberry Pi running dnsmasq as DHCP and DNS to MITM corporate traffic.
- 02
A user's home router connected to an office port advertising itself as DHCP server.
● Frequently asked questions
What is Rogue DHCP Server?
An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure. It belongs to the Attacks & Threats category of cybersecurity.
What does Rogue DHCP Server mean?
An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
How does Rogue DHCP Server work?
A rogue DHCP server is any DHCP service that operates on a network without authorization. It can be malicious (a Raspberry Pi planted in a meeting room, a virtual machine on a compromised host, or a router brought from home) or simply a misconfigured device. Because clients accept the first DHCPOFFER they receive, the rogue server can dictate gateway, DNS, NTP, WPAD, and other options, enabling MITM, DNS hijacking, and credential capture. Rogue DHCP is often the second stage after DHCP starvation. Defenses: DHCP snooping defining a trusted port for the legitimate server, RA Guard for IPv6, network access control (802.1X) before any DHCP traffic, and continuous discovery scans for unexpected DHCP responders.
How do you defend against Rogue DHCP Server?
Defences for Rogue DHCP Server typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Rogue DHCP Server?
Common alternative names include: Unauthorized DHCP server, Malicious DHCP.
● Related terms
- attacks№ 312
DHCP Spoofing
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- attacks№ 313
DHCP Starvation
A Layer-2 denial-of-service attack that floods a DHCP server with bogus DISCOVER requests using spoofed MAC addresses until the address pool is exhausted.
- attacks№ 062
ARP Spoofing
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- attacks№ 343
DNS Spoofing
An attack that injects falsified DNS responses to redirect victims from a legitimate domain to an attacker-controlled IP address.
- attacks№ 1207
VLAN Hopping
A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
● See also
- № 363DTP Attack
- № 492HSRP / VRRP Attack