
Is DHCP safe?

Question:

In a recent article you said that using DHCP, IP addresses are
assigned by broadcasting a request to the network and having the DHCP
server responsible respond.

Apparently, my computer occasionally receives a wrong IP address
because another device on my network is the first one to provide a
response to a DHCP request. Instead of the 10.x.x.x address I normally
get from my ISP, I get a 192.168.x.x address. That means that there’s
probably a misconfigured device somewhere on the network. Is there any
way to protect me from those unauthorized attempts?

Is there a danger involved in auto assigning an IP address via DHCP?
How do I know the issuing device is trustworthy at all, if ANY device
on the network can actually do this?

And how come DHCP negotiations are so easy?

The last question is perhaps the easiest to answer: because TCP/IP
wasn’t really designed to do and be everything we currently rely on it
to do. In particular, it wasn’t really designed to protect us from
malicious folk.

But it is what it is, and what it is is the backbone of our internet
infrastructure.

Let’s review the situation and see what, if anything, you can do to
protect yourself.


To review: when your computer connects to the internet it needs to
have an IP address assigned to it, so that it can be located on the
network.

IP addresses can be assigned manually, typically by your ISP, and
then configured manually, typically by you or your network
administrator. These are called “static” IP addresses because they
don’t change.

The more common approach among ISPs and consumer internet
connections is to use what’s called “Dynamic” IP address assignment. If
your machine is configured to use dynamic IPs when it connects to the
internet, it sends out a request to the local network, a broadcast to
anyone who’ll listen, asking for an IP address to be assigned to it.
Somewhere on that local network should be a DHCP server, whose
job it is to respond and tell your machine “this is your IP address”.
In home networks your router is most often your DHCP server.


The question boils down to this: what if there are two or more DHCP
servers on a network, and they all try to respond to your machine’s
request for an IP?

To be clear, it shouldn’t happen. There should be only one DHCP
server responding. If there are more then, to quote many computer
manuals: “results are unpredictable”.

But at least one thing is relatively clear: the first DHCP server to
respond is the one that your computer will assume is the authoritative
one.

The real concern is if someone did this intentionally, in order to
capture and sniff your internet traffic. In order to do so, they would
actually have to provide internet access, or you’d notice right away
that nothing was working. Also, even if they did provide internet
access, any attempts to communicate to other machines on the same
network would likely also fail, assuming that they got their IP address
from the “correct” DHCP server.

To be honest, this is a difficult situation to detect and
proactively protect against. We have to place a certain amount of trust
in the ISP that they will detect and remove any rogue DHCP servers on
their network, since more often than not, they actually cause
noticeable disruptive problems. Similarly, when connecting to another
network, we have to kind of assume that the network administrators are
also doing the right things.

The good news is that this is a relatively difficult spoof to pull off
without being noticed somehow.

In your case it may not be malicious at all. It could simply be some
other customer connecting their router incorrectly – connecting the
WAN/internet cable to a LAN/local network port. But I’d expect that to
result in their network not functioning properly, and thus I’d
expect them to fix it relatively quickly.

Since you did notice, and can identify exactly what IP
address you’re being assigned, and likely by whom (the “gateway”
address also assigned), you have a little more to work with. In your
shoes, I’d be looking at installing a firewall – hardware or software –
and explicitly blocking the 192.168.x.x range at the interface.
Presumably, this will cause your machine to ignore responses from the
rogue DHCP server.

And, of course, you could arrange with your ISP to get a static IP
address, thereby bypassing the entire DHCP assignment process.
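
The check described above (note which server answered and what address and gateway it handed out), as an added example that is not part of the original article: a small parser for DHCP server replies that flags any reply whose server identifier (option 54) is not on a trusted list, or whose offered address or gateway falls outside the expected range. The trusted server 10.0.0.1, the 10.0.0.0/8 range and the sample packets are constructed assumptions.

```python
import ipaddress
MAGIC_COOKIE = bytes([99, 130, 83, 99])    # precedes the DHCP options (RFC 2131)
OFFER, ACK = 2, 5                          # option 53 message types sent by servers

def parse_dhcp_reply(packet):
    """Pull out who answered (option 54) and what address/gateway they handed out."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"op": packet[0], "yiaddr": ipaddress.IPv4Address(packet[16:20])}
    i = 240
    while i < len(packet) and packet[i] != 255:          # 255 = end option
        if packet[i] == 0:                               # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == 53 and length == 1:                   # message type
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:                 # server identifier
            info["server_id"] = ipaddress.IPv4Address(value)
        elif code == 3 and length >= 4:                  # first listed router (gateway)
            info["router"] = ipaddress.IPv4Address(value[:4])
        i += 2 + length
    return info

def check_reply(packet, trusted_servers, expected_net):
    """Return findings for one server reply; an empty list means nothing suspicious."""
    info = parse_dhcp_reply(packet)
    if info["op"] != 2 or info.get("msg_type") not in (OFFER, ACK):
        return []                                        # not a server offer/ack
    findings = []
    if info.get("server_id") not in trusted_servers:
        findings.append(f"unknown DHCP server {info.get('server_id')}")
    for label, key in (("offered address", "yiaddr"), ("gateway", "router")):
        if key in info and info[key] not in expected_net:
            findings.append(f"{label} {info[key]} outside {expected_net}")
    return findings

def build_reply(yiaddr, server, router, msg_type=OFFER):  # constructed sample, not a capture
    pack = lambda a: ipaddress.IPv4Address(a).packed
    fixed = bytes([2, 1, 6, 0]) + bytes(12) + pack(yiaddr) + bytes(216)   # 236-byte header
    opts = bytes([53, 1, msg_type, 54, 4]) + pack(server) + bytes([3, 4]) + pack(router)
    return fixed + MAGIC_COOKIE + opts + b"\xff"

TRUSTED = {ipaddress.IPv4Address("10.0.0.1")}   # constructed: stands in for the ISP's server
ISP_NET = ipaddress.ip_network("10.0.0.0/8")    # constructed: the range normally assigned
GOOD = build_reply("10.20.30.40", "10.0.0.1", "10.0.0.1")
ROGUE = build_reply("192.168.1.50", "192.168.1.1", "192.168.1.1")
```

Feed `check_reply` the UDP payloads of replies arriving on port 68, taken from a packet capture on the affected machine.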

I’d be interested to know if readers have better approaches to this
issue.


7 comments on “Is DHCP safe?”

  1. The reader may not have anything unconventional happening at all. Let’s say they’re connecting via a home router. If they check their IP via their network status on their machine, it will be 192.168.xxx.xxx, which is normal for home routers. It’s actually one of the firewall methods you recommend most… NAT.

    If they check their IP address online, via a website reporting their IP address back to them, it’s going to be 10.xxx.xxx.xxx, because only their PC and the router see the 192.168.xxx.xxx address. The rest of the world sees the 10.xxx.xxx.xxx coming from the router.

    It would be good to know how they’re connecting to their ISP and whether it’s hardwired or wireless. You could probably get some good clues right there.

  2. My assumption (admittedly an assumption) is that he’s
    connecting directly to the internet connection provided, OR
    he’s reporting the IP address assigned to his router. The
    KEY clue is that he *sometimes* gets what he expects (10.)
    and other times not (192.). Regardless of what interface he’s
    looking at or how, the issue seems to be a rogue DHCP
    server.

    Regardless, the questions asked are still valid – rogue DHCP
    servers can cause … issues. :-)

    Leo

  3. Let’s be on the same page here: “a website reporting their IP address back to them” is unlikely to report a 10.0.0.0/8 address since, per [RFC 1918], this range, together with 172.16.0.0/12 and 192.168.0.0/16, are reserved for LAN use only, which means no router will forward this source IP over the Internet (though the address will be reported if the website in question is in the same LAN as the user, of course).

    Similarly, and for completeness, per [RFC 3330], 127.0.0.0/8 is “assigned for use as the Internet host loopback address. A datagram sent by a higher level protocol to an address anywhere within this block should loop back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback, but no addresses within this block should ever appear on any network anywhere [RFC1700, page 5].”

  4. PC World had a very good article in their July 2006 magazine giving instructions for tracing addresses. They reference Microsoft’s documentation page on their site at: “find.pcworld.com/52612”.

  5. Leo:
    Since he got a 192.168.x.x address back which is a private address, it probably means he had a DHCP failure and so Windows defaulted to giving the machine the 192.168 address. If you go into the Internet Protocol (TCP/IP) Properties page and look at Alternate Configuration, you will probably see it set to Automatic Private IP Address.

    So what probably happened is the machine requested a DHCP assigned IP address, got no response and assigned the private IP address.

    There is probably no rogue device on the network.

  6. I don’t think so. Windows assigns a 169.x.x.x when DHCP
    fails.

    Leo

  7. I don’t have a way of posting a screen shot, but if you go into your TCP/IP settings (In Vista, you have to select Version 4), you have the general tab which allows you to set your static IP address. There is also a tab named “Alternate Configuration”. If Windows cannot get a DHCP address, this is what it will use. You can choose ‘Automatic private IP address’ or specify your own.

    I ran into this once at a convention that was not using DHCP. It took forever to track down when they kept getting AN ip address, but not the right one.

    –ziggs

