Rogue DHCP

date: 2004-09-21 14:53:54

One of the pieces of equipment at work is an oscilloscope that runs W2K. "WTF?" I hear you say. "Saint Aardvark, WTFSOF?" But it's true. Don't know why, but it's true.

(We have another oscilloscope that came with an unregistered copy of XP, but that's another story.)

Being the aspiring good sysadmin I aspire to be, I bought some cheap cable routers -- you know, the generic DLinkSys jobbies with a built-in firewall. I hooked it up, told people not to hook it up to the network without it, and forgot about it... ...until today when I was working on our firewall and noticed it was blocking broadcasts to 172.16.0.255, UDP port 137.

That's not a netblock we use, so I was a bit surprised. Good ol' tcpdump showed it was announcing itself as the local master for workgroup INFINEON. Oh shit, it's the oscilloscope. I checked out the lab and, sure enough, the firewall was being used as a quick-n-dirty switch on the firewalled side, and the oscilloscope was plugged in. Fuck!

To make matters worse, a little bit later someone comes up to me and asks if there's anything "funny" with the network. (I love that question. It's so...definite.) Checked it out, and his laptop has grabbed an IP address from the (fortunately, by-now-disconnected) DHCP server that comes with the router. Double fuck!

I ran off to London Drugs to get a switch, and was lucky enough to find a 16-port Linksys. (SMCs are for shit. SMC? Quality? It is to laugh. Linksys switches are giving me trouble too, but at least it's less trouble.) Set up, and everything is working for now. So here are my mistakes:

  1. Not making it perfectly clear how to hook up the router correctly, and not making it impossible (or at least painful) to hook it up any other way.
  2. Not making it obvious -- written warnings, flashing neon, whatever -- that the router was not a switch.
  3. Not having something, somewhere, to at the very least watch for weird IP addresses and report them, or (better yet) to watch for rogue DHCP servers and report them, or (best of all) to watch for and shoot down with lasers any rogue DHCP servers.
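The third item is the one that is easy to automate. A rogue DHCP server gives itself away the moment it answers a client: the DHCP OFFER (and later ACK) carries a Server Identifier option (code 54) and an offered address (yiaddr), and neither will match the server or netblock you actually run. The script below is an added example, not the author's code: it parses a raw BOOTP/DHCP payload, and flags any OFFER/ACK whose server is not on an allowlist or whose offered address falls outside the expected prefix. The allowlist (10.0.0.1), the expected network (10.0.0.0/24), the rogue router's address (172.16.0.1) and the sample packets are all constructed for the example; in practice the payloads would come from a sniffer on UDP 67/68 or a pcap, but here they are built inline so it runs offline.

```python
"""Flag DHCP OFFER/ACK messages from servers that are not on an allowlist.

Added example for detecting rogue DHCP servers; not the post author's code.
Addresses, allowlist and sample packets are constructed for the example.
"""
import ipaddress
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK = 1, 2, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

# Constructed policy: the one DHCP server we run, and the prefix it leases from.
ALLOWED_SERVERS = {"10.0.0.1"}
EXPECTED_NET = ipaddress.ip_network("10.0.0.0/24")


def parse_dhcp(payload):
    """Parse a raw BOOTP/DHCP payload (the UDP data, no IP/UDP headers).

    Returns a dict with op, msg_type, yiaddr and the option map, or None if
    the payload is too short or lacks the DHCP magic cookie.  Truncated
    options are tolerated: parsing stops at the first incomplete option."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            break                          # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                          # truncated option value
        options[code] = value
        i += 2 + length
    return {
        "op": payload[0],                  # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "msg_type": options.get(OPT_MSG_TYPE, b"\x00")[0],
        "yiaddr": socket.inet_ntoa(payload[16:20]),
        "options": options,
    }


def check_offer(payload, allowed_servers=ALLOWED_SERVERS, expected_net=EXPECTED_NET):
    """Return a list of findings for one DHCP payload; [] means nothing to report.

    Only server-originated OFFER/ACK messages are examined, since those are
    what a rogue server emits when it hands out a lease."""
    parsed = parse_dhcp(payload)
    if parsed is None or parsed["msg_type"] not in (DHCP_OFFER, DHCP_ACK):
        return []
    findings = []
    sid = parsed["options"].get(OPT_SERVER_ID)
    server = socket.inet_ntoa(sid) if sid is not None and len(sid) == 4 else "unknown"
    if server not in allowed_servers:
        findings.append(f"rogue DHCP server {server} offered {parsed['yiaddr']}")
    if ipaddress.ip_address(parsed["yiaddr"]) not in expected_net:
        findings.append(f"offered address {parsed['yiaddr']} is outside {expected_net}")
    return findings


def build_reply(server_ip, yiaddr, msg_type=DHCP_OFFER):
    """Build a minimal DHCP OFFER/ACK payload as constructed test input."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                        # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0,                  # xid, secs, flags
        b"\0" * 4,                         # ciaddr
        socket.inet_aton(yiaddr),          # yiaddr: the address being offered
        socket.inet_aton(server_ip),       # siaddr
        b"\0" * 4,                         # giaddr
        bytes.fromhex("001122334455") + b"\0" * 10,   # chaddr, padded to 16 bytes
        b"\0" * 64, b"\0" * 128,           # sname, file
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, msg_type])
        + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
        + bytes([1, 4]) + socket.inet_aton("255.255.255.0")   # option 1: subnet mask
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


# Constructed samples: our real server, and a consumer router on 172.16.0.0/24.
LEGIT_OFFER = build_reply("10.0.0.1", "10.0.0.50")
ROGUE_OFFER = build_reply("172.16.0.1", "172.16.0.100")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt) or ["ok"])
```

Fed the two samples, the legitimate OFFER produces no findings and the rogue one produces two (unknown server, address outside the expected prefix). Client-originated DISCOVER/REQUEST messages and non-DHCP payloads are ignored, so a detector like this can sit on a span port and stay quiet until something actually hands out a lease it shouldn't.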

There is, of course, the mistake of not having managed switches that would mitigate all of these mistakes, but with luck we'll be getting those shortly.