What is the probable cause for discovering network devices that are configured with IP information outside of the assigned DHCP range?
Answer Description
A device that is set up for DHCP but is pulling information that isn’t included in what is assigned in the DHCP scope is more likely connecting to a rogue DHCP server. This DHCP server is placed there without the authorization of the IT staff and can be used for malicious purposes.
Wikipedia
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or a router connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such as man in the middle. Some kinds of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the category.
As clients connect to the network, both the rogue and legal DHCP servers will offer them IP addresses as well as default gateway, DNS servers, WINS servers, among others. If the information provided by the rogue DHCP differs from the real one, clients accepting IP addresses from it may experience network access problems, including speed issues as well as inability to reach other hosts because of incorrect IP network or gateway. In addition, if a rogue DHCP is set to provide as default gateway an IP address of a machine controlled by a misbehaving user, it can sniff all the traffic sent by the clients to other networks, violating network security policies as well as user privacy (see man in the middle). VMware or virtual machine software can also act as a rogue DHCP server inadvertently when being run on a client machine joined to a network. The VMware will act as a rogue DHCP server handing out
Rogue_DHCP - Wikipedia, the free encyclopedia