/ THREATS — ROGUE DHCP · HIGH

Rogue DHCP

A server you don’t control just volunteered to be your way onto the internet.

/ WHAT IT IS

What it is

When your device joins a network, it broadcasts a DHCP request — “who gives out addresses here, and what’s my gateway and DNS?” Normally your router answers. A rogue DHCP server is a second, unauthorized machine on the network that answers too — handing out itself as your gateway and its own DNS.

your device broadcasts: “who gives out addresses here?”
REAL GATEWAY
192.168.1.1
router → 192.168.1.1
dns → 1.1.1.1
✓ known
UNEXPECTED SERVER
192.168.1.66
router → 192.168.1.66
dns → 10.0.0.9
⚑ ROGUE_DHCP
ROGUE DHCPone broadcast, two answers — a second server volunteers as your gateway

A second server just volunteered to be your way onto the internet.

/ THE ATTACK

How attackers do it

The attacker runs their own DHCP server and races to answer your device’s request. If their reply wins — or your device simply accepts it — you’re configured to send all your traffic through the attacker’s machine and to resolve names with the attacker’s DNS.

It’s a cleaner path to becoming the middleman than ARP spoofing: no cache poisoning, no forged replies to maintain — your device is simply told the wrong gateway from the moment it connects, and every DNS lookup afterward is theirs to answer.

/ DETECTION

How we detect it

WifiThreatWatch passively watches the DHCP replies on your network — the OFFER and ACK messages servers send — and knows which server is your legitimate gateway. A DHCP reply from any other server IP or MAC, pushing a different gateway or DNS, is flagged as a rogue DHCP server.

The watch is passive and rate-limited per server, so it doesn’t add traffic of its own or flood you when a misbehaving server chatters. Where the packet-capture driver isn’t available it steps aside cleanly rather than guessing.

FREE FOREVERFree in every WifiThreatWatch install.
[ dhcp_guard.py — passive OFFER/ACK watch over Npcap ]
/ RESPONSE

How we stop it

Seeing a rogue DHCP server is the tell that the network’s own plumbing is compromised — the point at which you should stop trusting it. WifiThreatWatch surfaces which server made the offer and what gateway and DNS it tried to hand you.

On a subscription, Active Defense routes your traffic through the encrypted tunnel, so even a gateway and DNS chosen by an attacker can’t read or redirect what you send.

ATTACKER GATEWAYrogue DHCP · its own DNSsees only ciphertextYOUyour deviceNETreal internetENCRYPTED TUNNEL — END TO END
SEALED PATHthe attacker made itself your gateway and DNS — so all it gets to forward is ciphertext it can’t read
WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.