Port 67 Bootps
Port 68 Bootpc
Typically this traffic is related to normal DHCP operation and is not an attack on your network. DHCP (Dynamic Host Configuration Protocol) is how your computer gets its unique IP address. When a system starts up on a network it must first request an IP address (assume it is not using a static IP address), and it does this by broadcasting a request to the DHCP server:
UDP 0.0.0.0:68 -> 255.255.255.255:67
since the requesting system doesn’t have an IP address (why it is asking) it uses 0.0.0.0 and since its new to the network it doesn’t know where the DHCP server is, so it broadcasts the request to the entire network (255.255.255.255). On some networks you will see these requests bounce off of your firewall (depending on your provider’s network configuration and if your router/firewall logs these requests), or your firewall/router might log this traffic between it and your providers DHCP server when it is getting or renewing its WAN IP address.
The DHCP server then responds with something like:
UDP 192.168.1.1:67 -> 255.255.255.255:68
This is typically a DHCP offer. NOTE it has to be broadcasted (255.255.255.255) as the requesting system doesn’t yet have an IP address (its contained in the offer). The data in this transmission contains the IP and other network configuration information that the requesting system needs to connect to the network (lease time, Subnet Mask, etc). Again on some networks you will see these bounce off of your firewall (depending on your provider’s network configuration and if your router/firewall logs these), or your firewall/router might log this traffic between it and your providers DHCP server when it is getting or renewing its WAN IP address.
Sometimes you will see something like:
UDP 192.168.1.101:67 -> 192.168.1.1:68
as a request, followed by a reply
UDP 192.168.1.1:68 -> 192.168.1.101:67
These are typically IP renewal requests, where a system has an IP address and is asking to renew it (ie get the lease extended), or if its not possible to renew the IP address to receive a new IP address from the DHCP server. Since the requesting system knows where the DHCP server is and it already has a current IP address the requests don’t need to use 0.0.0.0 and 255.255.255.255.
Most routers/firewalls don’t log this traffic, but given most routers/firewalls are also the local DHCP server you might see traffic logged between your router/firewall and connecting systems as they ask for and are assigned an IP Address on your network. It is not common to have your DHCP server on the WAN side of your firewall so in those cases perhaps you should investigate the configuration of your network.