
DHCP snooping is a feature that allows switches to prevent DHCP starvation and DHCP poisoning (MITM attacks on LAN).

But these features are not available on cheaper, domestic equipment such as entry-level switches and wifi-routers acting as bridges.

Is there a way for a router, for example one running OPNsense that is the GW of the network, to intercept DHCP OFFER replies from other hosts on the network and alert the admins? Any resources on where to delve into this?

1 Answer

OPNsense has an IDS/IPS feature using Suricata, which can inspect the network traffic. There are many rule sources which might already have a rule for it, or you might need to write a custom rule.

A custom Suricata rule might look like this (just an example):

# assumption: 192.0.2.1 is the legitimate DHCP server; replace it with your own. The rule matches a BOOTREPLY (op=2), the DHCP magic cookie at byte 236, and option 53 = OFFER (35 01 02) anywhere in the options area, from any source other than the legitimate server.
alert udp !192.0.2.1 any -> any 68 (msg:"Potential DHCP Offer from Unauthorized Source"; content:"|02|"; offset:0; depth:1; content:"|63 82 53 63|"; offset:236; depth:4; content:"|35 01 02|"; offset:240; sid:1000001; rev:1;)

OPNSense is a special one in this matter, because it's more than a router only.
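The same check the rule expresses, written out as a small standalone detector so the packet layout is visible (added example, not code from the answer, from OPNsense or from Suricata). It parses the UDP payload of a DHCP packet, reads the message type (option 53) and server identifier (option 54), and flags any OFFER whose source IP or server identifier is not on an allow-list. The legitimate server address 192.0.2.1 is an assumed placeholder; `build_offer` only constructs sample packets for the demonstration, and in a real deployment the bytes would come from a raw socket or pcap on the router's LAN interface.

```python
"""Rogue DHCP OFFER detector on raw DHCP payloads (added example)."""
from typing import Dict, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that starts the options area (byte 236)
BOOTREPLY = 2                       # BOOTP 'op' field value for server -> client
MSG_OFFER = 2                       # option 53 value for DHCPOFFER
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
OPT_PAD, OPT_END = 0, 255

# Assumption (placeholder): the only legitimate DHCP server is the gateway.
AUTHORIZED_SERVERS = {"192.0.2.1"}


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} from the DHCP options area, with bounds checks."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def classify_offer(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert line for an OFFER from an unauthorized server, else None."""
    if not payload or payload[0] != BOOTREPLY:
        return None                       # requests and non-BOOTP traffic are ignored
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return None                       # ACK/NAK etc. are out of scope here
    server_id = opts.get(OPT_SERVER_ID)
    # Both the IP header source and the in-band server identifier must be trusted;
    # a rogue server can forge either one on its own.
    server_ip = ".".join(map(str, server_id)) if server_id and len(server_id) == 4 else src_ip
    if src_ip in AUTHORIZED_SERVERS and server_ip in AUTHORIZED_SERVERS:
        return None
    offered = ".".join(map(str, payload[16:20]))   # yiaddr: address being handed out
    return f"ROGUE DHCP OFFER from {src_ip} (server-id {server_ip}) offering {offered}"


def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Build a minimal DHCPOFFER payload (constructed sample data for the demo)."""
    header = bytearray(236)
    header[0] = BOOTREPLY
    header[1], header[2] = 1, 6                      # htype=Ethernet, hlen=6
    header[4:8] = b"\xde\xad\xbe\xef"                # xid (arbitrary)
    header[16:20] = bytes(int(o) for o in yiaddr.split("."))
    opts = (bytes([OPT_MSG_TYPE, 1, MSG_OFFER, OPT_SERVER_ID, 4])
            + bytes(int(o) for o in server_ip.split("."))
            + bytes([OPT_END]))
    return bytes(header) + DHCP_MAGIC + opts


if __name__ == "__main__":
    # constructed samples: one legitimate offer, one from an unknown host
    samples = [("192.0.2.1", build_offer("192.0.2.1", "192.0.2.50")),
               ("192.0.2.99", build_offer("192.0.2.99", "192.0.2.51"))]
    for src, pkt in samples:
        print(classify_offer(src, pkt) or f"ok: offer from {src}")
```

The detector deliberately checks both the IP-layer source and the server identifier option, since a rogue server that spoofs one of them still trips the other; the Suricata rule above can only key on the source address, so an alert from this logic carries a little more context for the admin.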
