MikroTik Rogue DHCP Server Alerting

MikroTik Rogue DHCP Server Detection

Rogue devices on a network can cause serious issues for ongoing operations and security. An unauthorized device running a DHCP server can be used to hijack local clients and redirect traffic for man-in-the-middle and other attacks. The best-case scenario is a user unknowingly plugging in a device that they brought in from home, not aware that it will cause network problems. The worst-case scenario is a rogue device deliberately planted by an attacker to redirect or sniff traffic.

Either way, it's important to monitor our networks for rogue DHCP servers. In RouterOS there is a handy tool in the IP DHCP-Server menu for just this purpose. We'll first set up a logging script. Then we'll configure DHCP server alerts. Finally, we'll add trusted DHCP server MAC addresses so there won't be false positives in our logs.

  1. Logging Script
  2. DHCP Alerts
  3. Trusted DHCP Servers
  4. Finding Rogue Devices

Logging Script

  1. Create the logging script:

    /system script add name=rogue-dhcp source=":log warning message=\"Rogue DHCP server detected!\""

    NOTE: The backslashes ("\") are required because nested quotes must be escaped.

  2. Run the script and verify a log entry is shown:

    /system script run rogue-dhcp
    /log print

    This log entry will be shown in addition to the default system log that has the rogue server's MAC and IP addresses.

DHCP Alerts

  1. Configure DHCP server alerts on interface ether2:

    /ip dhcp-server alert add interface=ether2 on-alert=rogue-dhcp disabled=no

Trusted DHCP Servers

  1. Get the MAC addresses of all trusted DHCP servers on the interface's broadcast domain.
  2. Add the trusted MAC addresses to the DHCP server alert instance:

    /ip dhcp-server alert set ether2 valid-server=00:11:22:aa:bb:cc

Finding Rogue Devices

Once a rogue DHCP server has been identified it's important to locate and isolate the device. With the server's MAC address it's easy to locate the physical port that it's plugged into. Use the following command to locate the device in the RouterOS ARP table:

    /ip arp print

On switches or devices with a switch chip it's easy as well:

    /interface ethernet switch host print

The interface that the rogue DHCP server is connected to can be turned off remotely while someone else hand-over-hands the cable to find the device.
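When router logs are forwarded to a central host, the rogue server's MAC address needed for the lookups above can be pulled out of the alert entries automatically. The following Python sketch is an added example, not part of the original article: the alert message layout it matches is an assumption about the default RouterOS log entry (the article does not show it), and the log lines and addresses are constructed samples.

```python
import re

# Assumed layout of the default RouterOS alert entry (not shown in the article):
#   "dhcp alert on <interface>: discovered unknown dhcp server, mac <MAC>, ip <IP>"
ALERT_RE = re.compile(
    r"dhcp alert on (?P<iface>\S+): discovered unknown dhcp server, "
    r"mac (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), "
    r"ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def normalize_mac(mac):
    """Upper-case, colon-separated form so comparisons ignore case and separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_rogue_servers(log_lines, trusted_macs):
    """Return {mac: {"ips", "interfaces", "count"}} for servers not in trusted_macs."""
    trusted = {normalize_mac(m) for m in trusted_macs}
    rogues = {}
    for line in log_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # unrelated entry, including the script's own warning line
        mac = normalize_mac(m.group("mac"))
        if mac in trusted:
            continue  # alert logged before this server was added as valid-server
        entry = rogues.setdefault(mac, {"ips": set(), "interfaces": set(), "count": 0})
        entry["ips"].add(m.group("ip"))
        entry["interfaces"].add(m.group("iface"))
        entry["count"] += 1
    return rogues

# Constructed sample log lines (documentation addresses, not real captures).
SAMPLE_LOG = [
    "09:14:02 script,warning Rogue DHCP server detected!",
    "09:14:02 dhcp,critical,error,warning,info,debug dhcp alert on ether2: "
    "discovered unknown dhcp server, mac 02:00:5E:10:00:01, ip 192.0.2.1",
    "09:15:02 dhcp,critical,error,warning,info,debug dhcp alert on ether2: "
    "discovered unknown dhcp server, mac 02:00:5e:10:00:01, ip 192.0.2.1",
    "09:15:40 dhcp,critical,error,warning,info,debug dhcp alert on ether2: "
    "discovered unknown dhcp server, mac 00:11:22:AA:BB:CC, ip 192.0.2.254",
    "09:16:11 system,info,account user admin logged in from 192.0.2.10 via winbox",
]

if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_LOG, ["00:11:22:aa:bb:cc"]).items():
        print(mac, sorted(info["ips"]), sorted(info["interfaces"]), info["count"])
```

The MAC addresses it reports are the values to search for in the ARP or switch host table output.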
