dhcp attack

Feb 28th, 2008

I have a DHCP server on VLAN 3 and somebody has put some kind of VMware software on a PC with DHCP on that... I am not able to find that DHCP server now. I have the MAC address of that server. I am not able to ping that server either. Please let me know how to find that other server.

Richard Burts Thu, 02/28/2008 - 10:03

Gopi


If you have the MAC address then you should be able to look in the mac-address-table (or the CAM, depending on the model of switch) and find what port that MAC address is located on. That should lead you to where the server is.


HTH


Rick

gopinath.krishn... Thu, 02/28/2008 - 10:09

Our network is a huge network where I have two core switches (primary and secondary), more than 30 distribution switches and more than 150 access switches. I am not able to trace exactly where the MAC address is coming from. Please let me know in detail how to mitigate this issue.

Edison Ortiz Thu, 02/28/2008 - 10:05

If you have the MAC address of that server, at the switch issue: show mac-address-table. It should point to the switchport this device is connected to.


If the switchport listed is connected to another switch, hop onto that switch and execute the same command until you find the culprit device.


I also recommend configuring DHCP snooping if your switch supports it. What type of switch do you have?



__


Edison.

gopinath.krishn... Thu, 02/28/2008 - 10:16

Core - 6000, distribution - 3750 and access - 2960. I tried show mac address table but no use. How effective would DHCP snooping be? Will enabling DHCP snooping have any effect on the core switches or on the whole network's performance?

Edison Ortiz Thu, 02/28/2008 - 10:27

You need to configure DHCP snooping on all switches in your network for it to be effective.


You would have trusted and untrusted ports. Trusted ports will be the ones connected to valid DHCP servers and inter-switch links. Untrusted ports will be the ones connected to every device in your network.


For more information on the general configuration of this feature see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/snoodhcp.html


HTH,


__


Edison.

gopinath.krishn... Thu, 02/28/2008 - 10:33

I understand that by enabling DHCP snooping the rogue DHCP server can be stopped from offering DHCP IP addresses on that LAN, but how do I narrow down that rogue DHCP server?

Edison Ortiz Thu, 02/28/2008 - 10:59

We already gave you the suggestion. I understand that's a huge task given the size of your network. That's the reason features such as DHCP snooping were implemented, to avoid this kind of headache. I'm afraid you will have to rally up the troops and hop onto each switch until you find the culprit.


After that, formulate a plan and deploy DHCP snooping.


HTH,


__


Edison.
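An added configuration example, not posted by anyone in this thread, showing the trusted/untrusted port scheme Edison describes, written for a Catalyst 2960 access switch of the kind Gopi mentioned. VLAN 3 comes from the original question; the interface numbers and the uplink/server port roles are assumptions. Once snooping is on, an untrusted port that receives a DHCP OFFER has the offer dropped and logged, which is what narrows the rogue server down to a specific port.

```text
! Enable DHCP snooping globally and on the VLAN carrying DHCP (VLAN 3 from the question)
ip dhcp snooping
ip dhcp snooping vlan 3
! Snooping inserts Option 82 by default; some DHCP servers drop requests that carry it
! from a non-relay, so turn insertion off unless the server is known to accept it
no ip dhcp snooping information option
!
! Uplink toward the distribution 3750 is trusted: offers from the real server arrive here
! (interface name assumed)
interface GigabitEthernet0/1
 description Uplink to distribution 3750
 ip dhcp snooping trust
!
! User-facing access ports stay untrusted (the default). A rate limit stops one host
! from flooding DISCOVERs and exhausting the server's scope (interface range assumed)
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 15
!
! Verification: per-port trust state, and the binding table mapping client MAC -> IP/VLAN/port
show ip dhcp snooping
show ip dhcp snooping binding
!
! When the rogue server answers on an untrusted port the switch drops the OFFER and logs
! %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT with the port name and source MAC, which is
! the pointer you need to walk to the right access switch
```

Per-VLAN snooping on an access switch does not touch the core 6000 forwarding path; only DHCP packets on untrusted ports are punted for inspection.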
