It’s never fun when your network suddenly stops working, especially when the problem turns out to be more subtle than those configuration changes you just saved.  Even worse: your network seems to be smoothly humming along, but you’ve been compromised unknowingly. What could cause such catastrophic behavior?  Rogue DHCP servers on your network.

DHCP is one of those Layer 2 protocols you never notice until it crashes or misbehaves.  But, while DHCP may often be treated like the proverbial ugly stepchild, neglecting DHCP security comes with significant risk.  After all, DHCP provides clients connecting to your network with IP addresses and configuration parameters such as subnet mask, default gateway, and DNS server information.

If these parameters become corrupted, the smooth flow of network traffic can abruptly halt.  Worse, if a setting such as the default gateway is maliciously defined, network security is immediately jeopardized but you may not immediately notice.  This makes detecting rogue DHCP servers paramount, especially given the ease with which they can be deployed.

Meraki’s switches operate at the same TCP/IP layer as the DHCP protocol and record which devices are sending DHCP server traffic.  You can easily see if a non-authorized device is replying to DHCP requests from connecting clients.

View a list of all network devices replying to DHCP requests for the last month.

The image above shows that a device named Godzilla is replying to DHCP requests made by several clients on Meraki’s network.  You can see Godzilla’s MAC address, as well as the VLANs and subnets it is servicing DHCP requests for.  To get a more detailed view of any particular reply, you can click view packet:

View individual replies to client DHCP requests and learn what IP parameters may be corrupted.

This view provides the details of a DHCP server reply, including the IP address being offered to the connecting client and additional parameters such as lease time, subnet mask, default gateway, and DNS server information.
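The same fields the dashboard shows in a reply (message type, server identifier, offered address, subnet mask, default gateway, DNS, lease time) can be checked automatically. The following is an added example, not Meraki code: it parses a DHCP server reply from raw bytes and flags a reply whose server identifier or offered default gateway is not on an allowlist. The allowlists, the client MAC, and the sample packet built by `build_offer` are all constructed for this example.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2132)
AUTHORIZED_SERVERS = {"192.0.2.1"}               # assumed: the only sanctioned DHCP server
AUTHORIZED_ROUTERS = {"192.0.2.1"}               # assumed: the only legitimate default gateway

def build_offer(server_ip, yiaddr, router, dns, mask="255.255.255.0", lease=3600):
    """Constructed sample DHCPOFFER (BOOTP reply + options); not a real capture."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                      b"\0" * 4, IPv4Address(yiaddr).packed,
                      IPv4Address(server_ip).packed, b"\0" * 4)
    hdr += bytes.fromhex("001122334455") + b"\0" * 10 + b"\0" * 192  # chaddr (constructed MAC), sname, file
    opts = (b"\x35\x01\x02"                                   # 53: DHCPOFFER
            + b"\x36\x04" + IPv4Address(server_ip).packed   # 54: server identifier
            + b"\x01\x04" + IPv4Address(mask).packed        # 1: subnet mask
            + b"\x03\x04" + IPv4Address(router).packed      # 3: router (default gateway)
            + b"\x06\x04" + IPv4Address(dns).packed         # 6: DNS server
            + b"\x33\x04" + struct.pack("!I", lease))       # 51: lease time
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Return op, offered address and a dict of options (code -> raw bytes)."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:    # 0xFF = end option
        if pkt[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "yiaddr": str(IPv4Address(pkt[16:20])), "options": opts}

def audit_reply(pkt):
    """List why a server reply (OFFER/ACK) is suspicious; empty list means it looks sane."""
    d = parse_dhcp(pkt)
    msg_type = d["options"].get(53, b"\0")[0]
    if d["op"] != 2 or msg_type not in (2, 5):   # only server replies are of interest
        return []
    findings = []
    server = str(IPv4Address(d["options"].get(54, b"\0\0\0\0")))
    if server not in AUTHORIZED_SERVERS:
        findings.append(f"reply from unauthorized DHCP server {server}")
    router = d["options"].get(3)
    if router and str(IPv4Address(router)) not in AUTHORIZED_ROUTERS:
        findings.append(f"offer to {d['yiaddr']} pushes unauthorized default gateway {IPv4Address(router)}")
    return findings
```

Feeding the bytes of each server reply seen on the switch port through `audit_reply` turns the manual "view packet" check into an alert whenever a reply comes from an unlisted server or hands clients an unlisted gateway.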

If Godzilla were not an authorized DHCP server, we could easily contain it.  Simply search for Godzilla’s MAC address in the Monitor > Clients page to determine which switch and port it is connected to.  Click into the connected switch and drill down to the individual port.

Port-level view of Godzilla, giving more details about the device.

Click “Edit configuration” and disable the port servicing Godzilla.  This immediately disconnects the device from your LAN.

Port configuration settings allow you to disable a port and make several other useful changes.

Detecting and disabling a rogue DHCP server is as simple as that.  With the immediate threat contained, you can now track down the physical location of the rogue device.  Re-enabling the port is as simple as repeating the steps above and selecting “enabled” in the port configuration menu.

Recent updates have made this DHCP server visibility possible at the switch level, so stay tuned for more posts detailing new features!