
Flowmon ADS User Guide

DHCPANOM - DHCP Anomaly

  • Last Updated: April 5, 2026

Method description

This detection method identifies suspicious DHCP traffic. It highlights increases in DHCP network traffic, such as overloaded DHCP servers and clients that generate a large amount of DHCP traffic. The detection is based on monitoring the long-term behavior of a network node: the node's current data transfer is compared with the node's own statistics and with the global statistics of the network. Additionally, the method detects fake DHCP servers by observing UDP traffic from the server port (67) towards the client port (68) that originates from addresses not marked as legitimate DHCP servers by a filter. The method also performs advanced detection of fake DHCP servers by learning the IP/MAC address pair of each legitimate DHCP server used in the monitored network; if the learned MAC address for a given IP address changes, the method generates an event.

Using the TimeWindow parameter, you can set the time window (in hours) for collecting and processing the long-term statistics. The DHCPServers filter defines the DHCP servers that are used in the network; this filter is required to properly detect bogus DHCP servers. The DhcpThreshold parameter specifies the maximum allowed increase of observed DHCP traffic. The TrafficSizeThreshold parameter specifies the minimal amount of DHCP traffic of an individual IP address that can be considered a flood attack. Communication of the DHCP servers (those defined by the DHCPServers filter) can be excluded from the detection of anomalously increased DHCP traffic.

This method consists of the following submethods:

  • FakeServer: Reports fake DHCP servers detected based on the user-defined filter of known DHCP servers. An event is generated if any DHCP server whose IP is not included in the filter is detected. This detection is active if the DHCPServers parameter is set.

  • ServerOverloadIP: Reports that the communication with a DHCP server has significantly increased in comparison with previous DHCP traffic statistics of the respective server.

  • ServerOverloadNetwork: Reports that the communication with a DHCP server has significantly increased in comparison with previous DHCP traffic statistics of the whole monitored network.

  • OversendingClientIP: Reports that the amount of DHCP traffic generated by a device in the monitored network has significantly increased in comparison with previous DHCP traffic statistics of the respective device.

  • OversendingClientNetwork: Reports that the amount of DHCP traffic generated by a device in the monitored network has significantly increased in comparison with previous DHCP traffic statistics of the whole monitored network.

  • ServerChange: Reports fake DHCP servers detected based on the change of the MAC address of the existing DHCP server.

Method configuration

It is recommended to apply this method network-wide, to all traffic of the network regardless of IP addresses, and additionally to set a filter defining the DHCP servers. The right place for traffic monitoring is the central switch.

Method parameters

General

  • DHCPServers: Name of the filter that defines IP addresses of the DHCP servers used in the monitored network.

ServerChange

  • AdvFakeExpiration: If a monitored DHCP server is inactive for the number of days specified by this parameter, it is deleted from the method's database. This parameter is only used for the advanced detection of fake DHCP servers.

ServerOverload, OversendingClient

  • MinimumHistoryCoverage: Specifies a percentage of the TimeWindow parameter. Once the method has collected statistics covering this percentage of the time window, detection of increased DHCP network traffic can start.

  • TimeWindow: Number of hours (the length of the sliding time window) for which the DHCP traffic statistics are stored.

  • DhcpThreshold: Threshold for an increase of the DHCP traffic (in percent). It is applied when the traffic of the given IP address is compared with its previous statistics and with the network average.

  • TrafficSizeThreshold: Minimal amount of DHCP traffic (in KiB).

  • ExcludeDhcpServers: Excludes the outgoing traffic of the DHCP servers (defined by the DHCPServers filter) from the detection of increased DHCP traffic.
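The following is an added example, not Flowmon's own code, that re-implements the checks described in the method description and parameter list above (FakeServer, ServerChange, ServerOverload and OversendingClient) over a constructed set of flow records. It assumes simplified flow records as dicts with src_ip, src_mac, dst_ip, src_port, dst_port, proto, bytes and an hour index; the parameter names mirror the page, but the hourly bucketing, the averaging over the sliding window and the percentage comparison are an illustrative approximation of the product's logic, not its actual algorithm.

```python
from collections import defaultdict

UDP = 17
DHCP_SERVER_PORT = 67
DHCP_CLIENT_PORT = 68


def flow(src_ip, src_mac, dst_ip, src_port, dst_port, nbytes, hour):
    """One simplified flow record (constructed for this example; not Flowmon's record format)."""
    return {"src_ip": src_ip, "src_mac": src_mac, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "proto": UDP, "bytes": nbytes, "hour": hour}


def is_dhcp(f):
    return f["proto"] == UDP and {f["src_port"], f["dst_port"]} == {DHCP_SERVER_PORT, DHCP_CLIENT_PORT}


def server_to_client(f):
    return is_dhcp(f) and f["src_port"] == DHCP_SERVER_PORT


def detect_fake_servers(flows, dhcp_servers):
    """FakeServer: DHCP server->client traffic (UDP 67 -> 68) from an IP outside the DHCPServers filter."""
    rogue = {f["src_ip"] for f in flows if server_to_client(f) and f["src_ip"] not in dhcp_servers}
    return [("FakeServer", ip) for ip in sorted(rogue)]


def detect_server_change(flows, learned):
    """ServerChange: the learned IP->MAC pair of an observed DHCP server changes.
    `learned` persists between runs (the per-server database); flows must be in time order.
    Assumption: every IP seen acting as a DHCP server is learned, not only filtered ones."""
    events = []
    for f in flows:
        if not server_to_client(f):
            continue
        prev = learned.get(f["src_ip"])
        if prev is not None and prev != f["src_mac"]:
            events.append(("ServerChange", f["src_ip"], prev, f["src_mac"]))
        learned[f["src_ip"]] = f["src_mac"]
    return events


def dhcp_volumes(flows, dhcp_servers, exclude_dhcp_servers=True):
    """Hourly DHCP byte counts keyed by server IP (both directions) and by client IP (client-sent).
    With ExcludeDhcpServers, traffic sent by filtered servers is not counted as client traffic."""
    servers = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not is_dhcp(f):
            continue
        if server_to_client(f):
            servers[f["src_ip"]][f["hour"]] += f["bytes"]
        else:
            servers[f["dst_ip"]][f["hour"]] += f["bytes"]
            if exclude_dhcp_servers and f["src_ip"] in dhcp_servers:
                continue
            clients[f["src_ip"]][f["hour"]] += f["bytes"]
    return servers, clients


def detect_increase(volumes, current_hour, ip_event, net_event, time_window=24,
                    min_history_coverage=50, dhcp_threshold=200, traffic_size_threshold=64):
    """Flag IPs whose current-hour DHCP volume is at least TrafficSizeThreshold KiB and exceeds
    their own hourly average (ip_event) or the network-wide per-IP hourly average (net_event)
    over the sliding TimeWindow hours by more than DhcpThreshold percent."""
    history = range(current_hour - time_window, current_hour)
    covered = {h for vol in volumes.values() for h in vol if h in history}
    if 100 * len(covered) / time_window < min_history_coverage:
        return []  # MinimumHistoryCoverage not reached: no baseline yet
    averages = {ip: sum(vol.get(h, 0) for h in history) / time_window
                for ip, vol in volumes.items() if any(h in vol for h in history)}
    if not averages:
        return []
    net_avg = sum(averages.values()) / len(averages)
    events = []
    for ip, vol in volumes.items():
        cur = vol.get(current_hour, 0)
        if cur < traffic_size_threshold * 1024:
            continue  # below TrafficSizeThreshold: too small to be a flood
        for name, base in ((ip_event, averages.get(ip)), (net_event, net_avg)):
            if base and 100 * (cur - base) / base >= dhcp_threshold:
                events.append((name, ip, round(100 * (cur - base) / base)))
    return events


def run_dhcpanom(flows, current_hour, dhcp_servers, learned_macs, **params):
    """Run all submethods for one hour and return the generated events as tuples."""
    events = detect_fake_servers(flows, dhcp_servers)
    events += detect_server_change(flows, learned_macs)
    servers, clients = dhcp_volumes(flows, dhcp_servers, params.pop("exclude_dhcp_servers", True))
    events += detect_increase(servers, current_hour, "ServerOverloadIP", "ServerOverloadNetwork", **params)
    events += detect_increase(clients, current_hour, "OversendingClientIP", "OversendingClientNetwork", **params)
    return events


def build_sample_flows():
    """Constructed traffic: two clients, a legitimate server (10.0.0.2) whose MAC changes in hour 10,
    a client (10.0.0.50) that floods in hour 10, and a rogue server (10.0.0.99) answering in hour 10."""
    legit_mac, new_mac = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
    client_macs = {"10.0.0.20": "02:00:00:00:00:20", "10.0.0.50": "02:00:00:00:00:50"}
    flows = []
    for hour in range(6, 11):
        for client, mac in client_macs.items():
            sent = 200_000 if hour == 10 and client == "10.0.0.50" else 2_000
            flows.append(flow(client, mac, "10.0.0.2", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, sent, hour))
            flows.append(flow("10.0.0.2", new_mac if hour == 10 else legit_mac, client,
                              DHCP_SERVER_PORT, DHCP_CLIENT_PORT, 1_000, hour))
    flows.append(flow("10.0.0.99", "de:ad:be:ef:00:01", "10.0.0.20", DHCP_SERVER_PORT, DHCP_CLIENT_PORT, 600, 10))
    return flows


if __name__ == "__main__":
    # TimeWindow=4 hours so the constructed history (hours 6-9) fully covers the window.
    for event in run_dhcpanom(build_sample_flows(), 10, {"10.0.0.2"}, {}, time_window=4):
        print(event)
```

Running the block reports six events for hour 10: FakeServer for 10.0.0.99, ServerChange for 10.0.0.2, ServerOverloadIP and ServerOverloadNetwork for 10.0.0.2 (its DHCP volume jumped from 6000 to 204000 bytes per hour), and OversendingClientIP and OversendingClientNetwork for 10.0.0.50. The normal client 10.0.0.20 stays silent because its 2000 bytes per hour never reach TrafficSizeThreshold, and with only one hour of history (below MinimumHistoryCoverage) the increase checks produce nothing at all.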

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

The method can detect flood attacks in the DHCP traffic and suspicious increases in the volume of communication. A typical example is DHCP discover flooding, which aims to exhaust the resources of the DHCP server. Detection of a fake DHCP server can indicate an attempted man-in-the-middle attack or an incorrect configuration of a network device.
