Rogue DHCP Server Viruses

David W. Hankins David_Hankins at
Wed Jan 28 18:25:26 UTC 2009

On Wed, Jan 28, 2009 at 09:52:45AM -0500, Denis Laventure wrote:
> We had this problem here too. Use Wireshark on the same subnet to find the
> IP of the workstation that's sending those wrong ACKs. We had 2 of those
> infected machines on our network. I don't remember if we found the virus, but
> I think we just formatted the PC.

I don't think this is the OP's issue (he's got fixed-addresses
overlapping his dynamic ranges), but I still want to amplify this a bit
because it seems to be a growing trend...

A rogue DHCP-server-virus like this doesn't even need to succeed in
hijacking the client's lease.  A Windows box will DHCPINFORM later in
running, and will use the domain name servers list provided there.

This is a double-whammy:

1) The rogue server installs itself as the recursive nameserver for
   your other clients.  It is now the man in any man in the middle
   attacks (http-injected viruses, banking, porn adverts, any of it).

2) The rogue server can (it is not known if it does) also supply the
   WPAD option, or install itself as the client's default router and
   either way work to suppress the client from receiving security
   patches, thus increasing the duration of infections.

DHCP services must be secured to thwart this threat.  Anything less
is a stopgap.  Right now that means ethernet level packet filtering,
to suppress DHCP 'server' answers from 'client' ports.

David W. Hankins	"If you don't do it right the first time,
Software Engineer		     you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins
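Added example, not part of the thread: a passive check in Python over captured DHCP payloads (the kind a Wireshark capture on the subnet yields) that flags BOOTREPLY messages whose option 54 server identifier is not on an allow-list and reports the DNS (option 6), router (option 3) and WPAD (option 252) values they hand out, which is exactly what the message above says a rogue server abuses. The allow-list, the sample frames and the addresses (192.0.2.x, 198.51.100.7) are constructed for the example.

```python
from ipaddress import IPv4Address

AUTHORIZED_SERVERS = {"192.0.2.1"}  # constructed allow-list of the real DHCP servers on this segment
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, found at offset 236 of the BOOTP frame

def parse_options(payload):
    """Parse the DHCP option TLVs into {code: bytes}, honouring pad (0) and end (255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ips(raw):  # decode a list-of-IPv4 option value, dropping any trailing partial address
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]

def inspect_reply(payload):
    """Return a finding for a BOOTREPLY whose server identifier is not on the allow-list."""
    if payload[0] != 2:  # op=2 is a server answer; client DISCOVER/REQUEST/INFORM is op=1
        return None
    opts = parse_options(payload)
    server = str(IPv4Address(opts.get(54, b"\0\0\0\0")))  # option 54: server identifier
    if server in AUTHORIZED_SERVERS:
        return None
    return {
        "msg_type": opts.get(53, b"\0")[0],  # 2 = OFFER, 5 = ACK (an ACK to INFORM is enough)
        "server": server,
        "dns": ips(opts.get(6, b"")),  # option 6: the rogue's recursive nameserver list
        "routers": ips(opts.get(3, b"")),  # option 3: default-router hijack
        "wpad": opts.get(252, b"").rstrip(b"\0").decode(errors="replace") or None,
    }

def build_reply(server, msg_type, dns, wpad=None):
    """Constructed sample: a minimal BOOTREPLY frame carrying the options inspected above."""
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server).packed
    dns_raw = b"".join(IPv4Address(d).packed for d in dns)
    opts += bytes([6, len(dns_raw)]) + dns_raw
    if wpad:
        opts += bytes([252, len(wpad)]) + wpad.encode()
    return bytes([2, 1, 6, 0]) + b"\0" * 232 + MAGIC + opts + b"\xff"

# Constructed traffic: a legitimate ACK, then a rogue ACK pushing its own DNS and a WPAD URL.
SAMPLES = [build_reply("192.0.2.1", 5, ["192.0.2.53"]),
           build_reply("192.0.2.99", 5, ["198.51.100.7"], "http://198.51.100.7/wpad.dat")]
```

Feeding real captures means stripping the Ethernet/IP/UDP headers first (UDP source port 67 for server answers); the finding's "server" field is the address to hunt down on the switch, and the MAC of the offending frame tells you which port to filter.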