DHCP Use-Cases

Not every DHCP use case needs L7 visibility; detection of a rogue DHCP server is one example. A rogue DHCP server is an unauthorized server that also offers clients IP addresses and other network parameters such as the default gateway and DNS server IP addresses. Such a server represents not only an operational but also a security risk.

From an operational point of view, clients may experience problems with network access or with communicating with other hosts because of an incorrect IP address or gateway. From a security point of view, a rogue DHCP server can be used by attackers for various network attacks (man-in-the-middle, sniffing and reconnaissance attacks).

Rogue DHCP server detection can be handled by both Flowmon Monitoring Center and Flowmon ADS. Let's start with Flowmon ADS. Flowmon ADS is equipped with the DHCPANOM detection method. This method automatically detects non-legitimate DHCP servers and reports and alerts on such events. Using the learned behavior of network nodes, the method can also detect anomalies in DHCP traffic.
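To make the "no L7 visibility needed" point concrete, here is an added example (not Flowmon code and not a description of how DHCPANOM works internally) that flags rogue DHCP servers from plain L3/L4 flow records. It relies only on the fact that a DHCP server answers from UDP port 67 to UDP port 68: any source IP that behaves that way and is not on an allow-list of known servers is reported. The allow-list, the flow-record layout and the sample flows are constructed for this example.

```python
"""Detect rogue DHCP servers from L3/L4 flow records (constructed example).

Only flow-level fields are needed: a DHCP server answers from UDP port 67 to
UDP port 68, so any source IP seen sending such flows that is not on the
allow-list of known servers is a candidate rogue server. No DHCP payload is
inspected.
"""
from collections import defaultdict

DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68

# Allow-list of legitimate DHCP servers: a constructed value for this example.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.2"}

# Constructed flow records shaped like NetFlow/IPFIX 5-tuples plus a packet count:
# (src_ip, src_port, dst_ip, dst_port, proto, packets)
SAMPLE_FLOWS = [
    ("10.0.0.2",   67, "255.255.255.255", 68, "udp", 3),  # legitimate OFFER/ACK broadcast
    ("10.0.0.55",  68, "255.255.255.255", 67, "udp", 2),  # client DISCOVER/REQUEST
    ("10.0.0.2",   67, "10.0.0.55",       68, "udp", 1),  # legitimate unicast ACK
    ("10.0.0.99",  67, "255.255.255.255", 68, "udp", 4),  # unknown host answering as a server
    ("10.0.0.99",  67, "10.0.0.55",       68, "udp", 2),
    ("10.0.0.7", 44321, "10.0.0.53",      53, "udp", 1),  # unrelated DNS traffic
    ("10.0.0.8",   67, "10.0.0.9",        80, "tcp", 5),  # TCP from port 67 is not DHCP
]


def is_dhcp_server_flow(flow):
    """True when the flow looks like server-to-client DHCP (UDP 67 -> 68)."""
    _src_ip, src_port, _dst_ip, dst_port, proto, _packets = flow
    return proto == "udp" and src_port == DHCP_SERVER_PORT and dst_port == DHCP_CLIENT_PORT


def find_rogue_dhcp_servers(flows, authorized):
    """Return {server_ip: {"packets": n, "clients": [...]}} for every host that
    behaves as a DHCP server but is not in the authorized set."""
    seen = defaultdict(lambda: {"packets": 0, "clients": set()})
    for flow in flows:
        if not is_dhcp_server_flow(flow):
            continue
        src_ip, _, dst_ip, _, _, packets = flow
        if src_ip in authorized:
            continue
        seen[src_ip]["packets"] += packets
        seen[src_ip]["clients"].add(dst_ip)
    # Sort client lists so the result is deterministic and easy to compare.
    return {ip: {"packets": v["packets"], "clients": sorted(v["clients"])}
            for ip, v in seen.items()}


def format_alerts(rogues):
    """Render one alert line per rogue server, suitable for a SIEM or a ticket."""
    return [f"ROGUE_DHCP_SERVER src={ip} packets={d['packets']} clients={','.join(d['clients'])}"
            for ip, d in sorted(rogues.items())]


if __name__ == "__main__":
    for line in format_alerts(find_rogue_dhcp_servers(SAMPLE_FLOWS, AUTHORIZED_DHCP_SERVERS)):
        print(line)
```

One practical caveat: DHCP relay agents also send from UDP port 67, so they must be on the allow-list alongside the real servers or they will be reported. In a product that learns node behaviour, the static allow-list would be replaced by the set of servers observed during a baseline period, with any new UDP/67 source treated as an anomaly.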