You can now get MikroTik training direct from Manito Networks. MikroTik Security Guide and Networking with MikroTik: MTCNA Study Guide by Tyler Hart are both available in paperback and Kindle!

MikroTik Rogue DHCP Server Detection

Rogue devices on a network can cause serious issues for ongoing operations and security. An unauthorized device running a DHCP server can be used to hijack local clients and redirect traffic for man-in-the-middle and other attacks. Best-case scenario is a user unknowingly plugging in a device that they brought in from home, not aware that it will cause network problems. Worse-case scenario is a rogue device deliberately planted by an attacker to redirect or sniff traffic.

Either way, it's important to monitor our networks for rogue DHCP servers. In RouterOS there is a handy tool in the IP DHCP-Server menu for just this purpose. We'll first set up a logging script. Then we'll configure DHCP server alerts. Finally, we'll add trusted DHCP server MAC addresses so there won't be false positives in our logs.

Logging Script
DHCP Alerts
Trusted DHCP Servers
Finding Rogue Devices

Logging Script

Create the logging script:
```
/system script add name=rogue-dhcp source=":log warning message=\"Rogue DHCP server detected!\""
```
NOTE: The backslashes ("\") are required because nested quotes must be escaped.
Run the script and verify a log entry is shown:
```
/system script run rogue-dhcp
 /log print
```
This log entry will be shown in addition to the default system log that has the rogue server's MAC and IP addresses.

DHCP Alerts

Configure DHCP server alerts on interface ether2:

/ip dhcp-server alert add interface=ether2 on-alert=rogue-dhcp disabled=no

Trusted DHCP Servers

Get MAC addresses of all trusted DHCP servers on the interface's broadcast domain
Add the trusted MAC addresses to the DHCP server alert instance:
```
/ip dhcp-server alert set ether2 valid-server=00:11:22:aa:bb:cc
```

Finding Rogue Devices

Once a rogue DHCP server has been identified it's important to locate and isolate the device. With the server's MAC address it's easy to locate the physical port that it's plugged into. Use the following command to locate the device in the RouterOS ARP table:

/ip arp print

On switches or devices with a switch chip it's easy as well:

/interface ethernet switch host print

The interface that the rogue DHCP server is connected to can be turned off remotely while someone else hand-over-hands the cable to find the device.

Tyler Hart

Tyler Hart is a networking and security professional who started working in technology in 2002 with the US DoD and moved to the private sector in 2010. He holds a Business degree in IT Management, as well as the CISSP certification and others from Microsoft, CompTIA, Cisco, (ISC)2, Tenable Network Security, and more. For over 15 years he has worked and consulted with large and small organizations including hospitals and clinics, ISPs and WISPs, U.S. Defense organizations, and state and county governments.

Website