Apparently, my computer occasionally receives a wrong IP address
because another device on my network is the first one to provide a
response to a DHCP request. Instead of the 10.x.x.x address I normally
get from my ISP, I get a 192.168.x.x address. That means that there’s
probably a misconfigured device somewhere on the network. Is there any
way to protect me from those unauthorized attempts?
Is there a danger involved in auto assigning an IP address via DHCP?
How do I know the issuing device is trustworthy at all, if ANY device
on the network can actually do this?
And how come DHCP negotiations are so easy?

The last question is perhaps the easiest to answer: because TCP/IP
wasn’t really designed to do and be everything we currently rely on it
to do. In particular, it wasn’t really designed to protect us from
But it is what it is, and what it is is the backbone of our internet
Let’s review the situation and see what, if anything, you can do to
To review: when your computer connects to the internet it needs to
have an IP address assigned to it, so that it can be located on the
IP addresses can be assigned manually, typically by your ISP, and
then configured manually, typically by you or your network
administrator. These are called “static” IP addresses because they
The more common approach among ISPs and consumer internet
connections is to use what’s called “Dynamic” IP address assignment. If
your machine is configured to use dynamic IPs when it connects to the
internet, it sends out a request to the local network, a broadcast to
anyone who’ll listen, asking for an IP address to be assigned to it.
Somewhere on that local network should be a DHCP server, whose
job it is to respond and tell your machine “this is your IP address”.
In home networks your router is most often your DHCP server.
The question boils down to this: what if there are two or more DHCP
servers on a network, and they all try to respond to your machine’s
request for an IP?
To be clear, it shouldn’t happen. There should be only one DHCP
server responding. If there are more, then to quote many computer
manuals: “results are unpredictable”.
But at least one thing is relatively clear: the first DHCP server to
respond is the one that your computer will assume is the authoritative
The real concern is if someone did this intentionally, in order to
capture and sniff your internet traffic. In order to do so, they would
actually have to provide internet access, or you’d notice right away
that nothing was working. Also, even if they did provide internet
access, any attempts to communicate to other machines on the same
network would likely also fail, assuming that they got their IP address
from the “correct” DHCP server.
To be honest, this is a difficult situation to detect and
proactively protect against. We have to place a certain amount of trust
in the ISP that they will detect and remove any rogue DHCP servers on
their network, since more often than not, they actually cause
noticeable disruptive problems. Similarly, when connecting to another
network, we have to kind of assume that the network administrators are
also doing the right things.
The good news is that this is a relatively difficult spoof to pull off
without being noticed somehow.
In your case it may not be malicious at all. It could simply be some
other customer connecting their router incorrectly – connecting the
WAN/internet cable to a LAN/local network port. But I’d expect that to
result in their network not functioning properly, and thus I’d
expect them to fix it relatively quickly.
Since you did notice, and can identify exactly what IP
address you’re being assigned, and likely by whom (the “gateway”
address also assigned), you have a little more to work with. In your
shoes, I’d be looking at installing a firewall – hardware or software –
and explicitly blocking the 192.168.x.x range at the interface.
Presumably, this will cause your machine to ignore responses from the
rogue DHCP server.
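
The check described above (spotting an offer outside the expected range and identifying the responder by the gateway it hands out), as an added example that is not part of the original article: a Python parser for DHCP replies that flags out-of-range offers and requests answered by more than one server. The 10.0.0.0/8 range, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie (RFC 2131)
EXPECTED = ipaddress.ip_network("10.0.0.0/8")   # assumption: range the ISP normally assigns

def parse_reply(pkt):
    """Return xid, offered address, server identifier and router from a DHCP reply."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP reply")
    info = {"xid": struct.unpack("!I", pkt[4:8])[0],
            "offered": ipaddress.ip_address(pkt[16:20])}   # yiaddr field
    i = 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, data = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if code == 54 and len(data) == 4:       # server identifier
            info["server"] = ipaddress.ip_address(data)
        elif code == 3 and len(data) >= 4:      # router (default gateway)
            info["router"] = ipaddress.ip_address(data[:4])
        i += 2 + len(data)
    return info

def audit(packets):
    """Flag offers outside EXPECTED and requests answered by more than one server."""
    findings, responders = [], {}
    for info in map(parse_reply, packets):
        responders.setdefault(info["xid"], set()).add(info.get("server"))
        if info["offered"] not in EXPECTED:
            findings.append(f"offer {info['offered']} from server {info.get('server')} "
                            f"(gateway {info.get('router')}) is outside {EXPECTED}")
    for xid, servers in responders.items():
        if len(servers) > 1:
            findings.append(f"xid {xid:#010x}: {len(servers)} servers answered")
    return findings

def build_reply(xid, offered, server, router):
    """Construct a minimal DHCPOFFER (sample data for the demo, not a capture)."""
    ip = lambda s: ipaddress.ip_address(s).packed
    fixed = struct.pack("!4BI8x4s216x", 2, 1, 6, 0, xid, ip(offered))  # 236-byte BOOTP header
    return (fixed + MAGIC + b"\x35\x01\x02" + b"\x36\x04" + ip(server)
            + b"\x03\x04" + ip(router) + b"\xff")

SAMPLE = [build_reply(0x1234, "10.20.30.40", "10.0.0.1", "10.0.0.1"),          # constructed
          build_reply(0x1234, "192.168.1.50", "192.168.1.1", "192.168.1.1")]  # constructed
```

To audit a real network, pass `audit()` the UDP payloads of packets addressed to port 68 taken from a capture.
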
And, of course, you could arrange with your ISP to get a static IP
address, thereby bypassing the entire DHCP assignment process.
I’d be interested to know if readers have better approaches to this