A new method to detect abnormal IP address on DHCP

Abstract

Dynamic host configuration protocol (DHCP) provides a means of allocating and managing IP addresses dynamically over a network. One of important characteristics of DHCP server is that same IP address is not allowed to be simultaneously used among different hosts or network cards in DHCP mechanism. However, anyone can guest the corresponding parameters such as IP address, subnet mask, and default gateway from DHCP mode, then re-configure a static IP to access the network from DHCP mode. According to this nature of DHCP mechanism, we trace the abnormalities of the client IP or MAC address by comparing the ARP table and DHCP binding table in this paper. From the difference between these two tables, the information of illegality will be transmitted to relevant routers or switching devices via the DHCP server to block the illegal user from accessing network resources. No retrieval of source addresses or MAC addresses of the packet is required with the approach provided by this study. Since illegal users can be blocked effectively before a packet is transmitted, the system performance is improved to a significant extent. Our proposed method to detect abnormal hosts is performed on DHCPv4 and DHCPv6.