Hardening DHCP Services
Dynamic Host Configuration Protocol (DHCP) is used in many networks to automate the assignment of IP addresses to workstations.
DHCP services can be provided by many different types of devices, including routers, switches, and servers.
The DHCP process involves leasing a TCP/IP address to a workstation for a specified time. DHCP can also provide other network configuration options to a workstation.
In a given network or segment, only one DHCP server should be running. If more than one is running, they will clash with each other over which one provides the address.
This can cause duplication of TCP/IP addresses and potentially lead to addressing conflicts.
A Network Address Translation (NAT) server can service DHCP-enabled clients.
DHCP usage should be limited to workstation systems.
Dealing with Strange IP Addresses
Some of your computer users have suddenly started calling you to indicate that, after rebooting their systems, they can no longer access network services or the Internet.
After investigating the situation, you discover that the IP addresses they are using are invalid for your network.
The IP addresses are syntactically valid, but they belong to a range that is not part of your network. You have inspected your DHCP server and can't find a reason for this. What should you investigate next?
You should investigate whether someone has configured another server or device in your network with an active DHCP server. If so, the illicit DHCP server is now leasing addresses to the users instead of the addresses coming from your server, or the systems can't reach your DHCP server and are getting an Automatic Private IP Addressing (APIPA) address.
This happens when administrators or developers are testing pilot systems. Make sure that all test systems are isolated from your production network either by a router or by some other mechanism.
These servers are referred to as rogue servers, and they can cause much confusion in a DHCP environment.
Many devices, such as routers and modems, have the ability to act also as DHCP servers.
A user trying to skirt IT policy by adding their own wireless router to their computer could unwittingly add a rogue DHCP server to the network that an intruder could use to gain access.
Use IDSs to look for rogue servers, and disable them immediately.
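As an added example (not from the book), here is a small detector in the spirit of the IDS check above: it scans constructed DHCPOFFER log lines, flags offers that come from a server not on an assumed allowlist or that hand out addresses outside the assumed local network, and recognizes APIPA addresses on clients that never reached the real server. The server allowlist, network prefix and log line format are assumptions made for this example.

```python
import ipaddress
import re

# Assumed values for the network under discussion (constructed for this example).
AUTHORIZED_DHCP_SERVERS = {ipaddress.ip_address("10.1.0.2")}
LOCAL_NETWORK = ipaddress.ip_network("10.1.0.0/16")
APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample log lines in the style a DHCP sniffer or IDS might emit
# for DHCPOFFER messages: which server offered which address to which client.
SAMPLE_LOG = """\
DHCPOFFER from 10.1.0.2 offered 10.1.20.15 to aa:bb:cc:00:00:01
DHCPOFFER from 10.1.77.9 offered 192.168.1.50 to aa:bb:cc:00:00:02
DHCPOFFER from 10.1.0.2 offered 10.1.20.16 to aa:bb:cc:00:00:03
DHCPOFFER from 10.1.77.9 offered 10.1.20.99 to aa:bb:cc:00:00:04
"""

OFFER_RE = re.compile(
    r"DHCPOFFER from (?P<server>\S+) offered (?P<offered>\S+) to (?P<client>\S+)"
)


def classify_offer(server: str, offered: str) -> list:
    """Return the reasons an offer is suspicious (empty list means it looks legitimate)."""
    reasons = []
    if ipaddress.ip_address(server) not in AUTHORIZED_DHCP_SERVERS:
        reasons.append("unauthorized DHCP server")
    if ipaddress.ip_address(offered) not in LOCAL_NETWORK:
        # A valid address that is not part of our network: the symptom in the scenario.
        reasons.append("offered address outside local network")
    return reasons


def find_rogue_offers(log_text: str) -> list:
    """Scan log lines and return one finding per suspicious DHCPOFFER."""
    findings = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if not m:
            continue  # not an offer line; nothing to check
        reasons = classify_offer(m["server"], m["offered"])
        if reasons:
            findings.append({"server": m["server"], "offered": m["offered"],
                             "client": m["client"], "reasons": reasons})
    return findings


def client_lost_dhcp(address: str) -> bool:
    """True if a client's address is APIPA, i.e. it never obtained a usable lease."""
    return ipaddress.ip_address(address) in APIPA_RANGE


if __name__ == "__main__":
    for f in find_rogue_offers(SAMPLE_LOG):
        print(f"ALERT: {f['server']} offered {f['offered']} to {f['client']}: "
              + ", ".join(f["reasons"]))
    print("APIPA client:", client_lost_dhcp("169.254.12.34"))
```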
NOTE: An exception to having only one DHCP server running in the network would be if you were implementing redundant DHCP services without overlapping scopes.