Rogue DHCP
A server you don’t control just volunteered to be your way onto the internet.
What it is
When your device joins a network, it broadcasts a DHCP request — “who gives out addresses here, and what’s my gateway and DNS?” Normally your router answers. A rogue DHCP server is a second, unauthorized machine on the network that answers too — handing out itself as your gateway and its own DNS.
dns → 1.1.1.1
dns → 10.0.0.9
A second server just volunteered to be your way onto the internet.
How attackers do it
The attacker runs their own DHCP server and races to answer your device’s request. If their reply wins — or your device simply accepts it — you’re configured to send all your traffic through the attacker’s machine and to resolve names with the attacker’s DNS.
It’s a cleaner path to becoming the middleman than ARP spoofing: no cache poisoning, no forged replies to maintain — your device is simply told the wrong gateway from the moment it connects, and every DNS lookup afterward is theirs to answer.
How we detect it
WifiThreatWatch passively watches the DHCP replies on your network — the OFFER and ACK messages servers send — and knows which server is your legitimate gateway. A DHCP reply from any other server IP or MAC, pushing a different gateway or DNS, is flagged as a rogue DHCP server.
The watch is passive and rate-limited per server, so it doesn’t add traffic of its own or flood you when a misbehaving server chatters. Where the packet-capture driver isn’t available it steps aside cleanly rather than guessing.
How we stop it
Seeing a rogue DHCP server is the tell that the network’s own plumbing is compromised — the point at which you should stop trusting it. WifiThreatWatch surfaces which server made the offer and what gateway and DNS it tried to hand you.
On a subscription, Active Defense routes your traffic through the encrypted tunnel, so even a gateway and DNS chosen by an attacker can’t read or redirect what you send.
ARP Spoofing
An attacker on your network impersonates your router to silently intercept everything you send.
Read more →Evil Twin
A fake access point broadcasts your network’s name to lure your device onto attacker-controlled hardware.
Read more →Rogue Device
A device you never authorized quietly joins your network and gains a foothold on your LAN.
Read more →