DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks. Its primary purpose is to automate the process of configuring devices on IP networks, enabling them to use network services such as DNS, NTP, and any communication protocol based on UDP or TCP. DHCP dynamically assigns IP addresses to devices (known as hosts) on the network. This assignment process reduces the need for a network administrator or a user to manually assign IP addresses to all network devices. By automating this process, DHCP plays a critical role in the efficient management of IP address allocations, thereby helping maintain the smooth operation of networked devices.
DHCP operates as a client-server protocol where clients request configuration settings and servers respond to these requests. It is a request/response protocol, meaning a DHCP client on a network will send a request message to the server, and the server responds with the necessary information or acknowledgment. This communication typically includes several steps: IP lease request, IP lease offer, IP lease selection, and acknowledgment of the IP lease. By analyzing the DHCP request and response messages across a network, IT professionals can detect and troubleshoot disruptions in DHCP service. This analysis is crucial for maintaining network stability, as problems in the DHCP process can lead to devices not being able to communicate on the network, resulting in significant disruptions in network services.
Low DHCP Request/Response Ratio
The Low DHCP Request/Response Ratio anomaly detection job is designed to identify a low ratio of DHCP responses to requests, monitoring and analyzing the rate at which DHCP response messages are sent in comparison to the number of DHCP request messages received.
The condition, where the number of responses is significantly lower than the number of requests, can be indicative of several potential issues:
-
The DHCP server is overloaded or malfunctioning: This could be due to a surge in the number of clients attempting to connect to the network, leading to the server being unable to cope with the high volume of requests. Such a scenario can cause delays or failures in IP address allocation, impacting network connectivity for new or reconnecting devices.
-
Network Configuration Errors or Outages: Network disruptions, such as broken links, misconfigured routers or switches, or even issues related to network security (like firewall settings blocking DHCP traffic), could lead to requests not reaching the server or responses not reaching the clients.
-
A Cyber-Attack, such as a Denial of Service (DoS) Attack, Targeting the DHCP Server: In such attacks, the server might be bombarded with a flood of malicious request packets, overwhelming its capacity to respond adequately.
Attributes
Attribute | Information |
---|---|
Analysis | temporal |
Downloads
Schema | Link |
---|---|
CODEX | elastiflow_codex_avail_dhcp_resp_ratio_low |
ECS | elastiflow_ecs_avail_dhcp_resp_ratio_low |
High DHCP Broadcast Messages
The High DHCP Broadcast Messages anomaly detection job is designed to monitor and identify instances where there is an unusually high volume of DHCP broadcast messages on the network. DHCP broadcast messages are typically sent by clients that are trying to discover DHCP servers, requesting an IP address and other network configuration details. Under normal network conditions, the frequency of these broadcast messages is relatively steady and predictable, based on the number of clients and typical network usage patterns.
An unusually high volume of DHCP broadcast messages can indicate several potential issues:
-
Network Configuration Errors or Outages: If new devices are incorrectly configured or if there has been a significant change in the network infrastructure, such as the addition of new subnets or changes in routing configurations, this can lead to a surge in DHCP discovery messages. Devices unable to locate the DHCP server or those that are not receiving responses might continuously broadcast requests.
-
Malfunctioning Devices: Devices with malfunctioning network interfaces or corrupted firmware might continuously send out DHCP discovery messages. Such behavior can congest the network and disrupt normal DHCP operations.
-
Denial of Service (DoS) Attacks: An abnormally high number of DHCP broadcasts could be indicative of a Denial of Service attack. In a DHCP flood attack, an attacker deliberately floods the network with DHCP requests with the intent to exhaust the address space available on the DHCP servers, leading to denial of service for legitimate clients.
-
Rogue Devices: Unauthorized or rogue devices connected to the network might be attempting to access network services, resulting in an increase in DHCP discovery traffic.
Attributes
Attribute | Information |
---|---|
Analysis | temporal |
Downloads
Schema | Link |
---|---|
CODEX | elastiflow_codex_avail_dhcp_broadcast_high |
ECS | elastiflow_ecs_avail_dhcp_broadcast_high |
Low DHCP Relayed Messages
The Low DHCP Relayed Messages anomaly detection job is designed to monitor and flag situations where there is an unusually low volume of DHCP relayed messages within a network. In a typical network setup, especially in larger or segmented networks, DHCP relay agents are used to forward requests and responses between DHCP clients and servers across different network segments or subnets. These relayed messages are crucial for the DHCP process to function correctly in environments where clients and the DHCP server are not on the same local network.
A significant drop in the volume of DHCP relayed messages could indicate several types of issues:
-
Network Connectivity Problems: If there are issues with network connectivity, especially involving the segments where the DHCP relay agents operate, this can lead to a decrease in relayed messages. Problems could include faulty routers, switches, or other network hardware, misconfigured network settings, or physical connectivity issues.
-
DHCP Relay Agent Failure: The anomaly may be due to malfunctions or misconfigurations in the DHCP relay agents themselves. If these agents are not operating correctly, they may fail to forward DHCP requests or responses as expected, leading to a decrease in relayed message traffic.
-
Changes in Network Topology or Configuration: If there have been recent changes in the network's topology or configuration settings that inadvertently impact the relay agents' operation or the routing of DHCP messages, this could result in a lower number of relayed messages. For example, changes in routing paths that bypass the relay agent can lead to this issue.
-
Decreased Network Usage: A less technical and more straightforward reason could be a significant decrease in network usage, such as during non-business hours or holidays. However, this should be consistent with known usage patterns and not an unexpected drop.
Attributes
Attribute | Information |
---|---|
Analysis | temporal |
Downloads
Schema | Link |
---|---|
CODEX | elastiflow_codex_avail_dhcp_relay_low |
ECS | elastiflow_ecs_avail_dhcp_relay_low |
Low DHCP Responses
The "Low DHCP Responses" anomaly detection job is specifically designed to monitor the volume of DHCP response messages within a network and identify instances where these responses are unusually low. DHCP response messages, which include offers, acknowledgments, and other status messages, are integral to the DHCP process, facilitating the assignment and management of IP addresses and other network configuration details to clients.
An unusually low volume of DHCP response messages can be indicative of several potential issues in the network:
-
DHCP Server Overload or Failure: One of the primary reasons for a low number of DHCP responses could be issues with the DHCP server itself. This could include server overload, where the server is receiving more requests than it can handle, leading to a failure in responding to all incoming requests. It could also be a result of server malfunction or failure, where the server is incapable of processing requests due to hardware or software issues.
-
Network Connectivity Issues: Problems in network connectivity can prevent DHCP requests from reaching the server or block responses from reaching the clients. This could be due to faulty networking hardware (like routers or switches), misconfigured network settings, or disruptions in the physical network infrastructure.
-
Security Incidents: A low response rate might also be a sign of security-related incidents, such as Denial of Service (DoS) attacks targeted at the DHCP server. Such attacks aim to overwhelm the server with a flood of requests, leading to a situation where legitimate requests go unanswered.
-
Configuration Errors: Misconfigurations in the network, particularly settings related to DHCP scopes, lease times, or relay configurations, can lead to a situation where the server is unable to provide adequate responses to all requests.
Attributes
Attribute | Information |
---|---|
Analysis | temporal |
Downloads
Schema | Link |
---|---|
CODEX | elastiflow_codex_avail_dhcp_resp_low |
ECS | elastiflow_ecs_avail_dhcp_resp_low |