One of the ways attackers can infiltrate a network is through the use of a rogue dhcp. In an attack popularly referred to as the man-in-the-middle attack, a rogue dhcp sever is installed on the network to trick unsuspecting network hosts into believing they are communicating with the real dhcp server. These network hosts are then made to send all outbound packets through the rogue dhcp server. These packets will be processed and key information stolen by the attackers. In this post, I will share with us on how to enable rogue dhcp detection on Mikrotik routerOS to guard against the scenario described above.
The first step is to set up a script that will generate logging messages to warn us of the presence of a rogue dhcp server on the network once detected. See script below.
/system script add name=rogue-dhcp source=”:log warning message=\”Rogue DHCP server detected!\””
Or via GUI
Then, run the script we just created above with the command /system script run rogue-dhcp. You can verify that the script is running by using the command /log print. This will display warnings including the one included in our script.
Next, we configure dhcp alerts.
DHCP Alerts
/ip dhcp-server alert add interface=ether2 on-alert=rogue-dhcp disabled=no
This must be the interface that leads to the broadcast domain on which a trusted dhcp server is connected. As can been seen in the commands above, the script that was created in step one was referenced. What this means is that once a rogue dhcp is detected on ether2, the script called rogue-dhcp will execute. The execution of this script simply display a warning message that reads “Rogue DHCP server detected!.
Finally, we need to tell the router what dhcp server we trust and permit to operate on ether2 by getting and entering their mac addresses. See command below.
You may also like: How to create Vlan on Mikrotik
Configuring trusted dhcp servers
/ip dhcp-server alert set ether2 valid-server=04:94:6B:67:43:0B
Removing a detected DHCP server.
To remove an already detected rogue dhcp server on the network is easy. The mac address of the rogue dhcp server will be displayed in the warning message, with the mac address we can get the IP address and the interface it is plugged to by using the command /ip arp print on a Mikrotik router.