
Chubbzie

@nc.us
reply to BryanC1968

Re: monthly cap is back, according to SL local rep?

Wow, you have a bootstrap protocol server running over your WAN ports? First time I've seen that approach...



BryanC1968

join:2003-06-10
Elkins, WV

You had me curious so I did some digging to see what BOOTPS was...
The traffic you see using BOOTPS port 67 is most likely DHCP traffic... This is what I found during my googling...

UDP Ports 67 and 68
Common Use

Port 67 Bootps

Port 68 Bootpc

Inbound Scan

Typically this traffic is related to normal DHCP operation and is not an attack on your network. DHCP (Dynamic Host Configuration Protocol) is how your computer gets its unique IP address. When a system starts up on a network it must first request an IP address (assume it is not using a static IP address), and it does this by broadcasting a request to the DHCP server:

UDP 0.0.0.0:68 -> 255.255.255.255:67

Since the requesting system doesn't have an IP address (why it is asking) it uses 0.0.0.0, and since it's new to the network it doesn't know where the DHCP server is, so it broadcasts the request to the entire network (255.255.255.255). On some networks you will see these requests bounce off of your firewall (depending on your provider's network configuration and if your router/firewall logs these requests), or your firewall/router might log this traffic between it and your provider's DHCP server when it is getting or renewing its WAN IP address.

The DHCP server then responds with something like:

UDP 192.168.1.1:67 -> 255.255.255.255:68

This is typically a DHCP offer. NOTE it has to be broadcasted (255.255.255.255) as the requesting system doesn't yet have an IP address (it's contained in the offer). The data in this transmission contains the IP and other network configuration information that the requesting system needs to connect to the network (lease time, subnet mask, etc.). Again, on some networks you will see these bounce off of your firewall (depending on your provider's network configuration and if your router/firewall logs these), or your firewall/router might log this traffic between it and your provider's DHCP server when it is getting or renewing its WAN IP address.

Sometimes you will see something like:

UDP 192.168.1.101:67 -> 192.168.1.1:68

as a request, followed by a reply

UDP 192.168.1.1:68 -> 192.168.1.101:67

These are typically IP renewal requests, where a system has an IP address and is asking to renew it (i.e. get the lease extended), or if it's not possible to renew the IP address, to receive a new IP address from the DHCP server. Since the requesting system knows where the DHCP server is and it already has a current IP address, the requests don't need to use 0.0.0.0 and 255.255.255.255.

Outbound Scan

Most routers/firewalls don't log this traffic, but given most routers/firewalls are also the local DHCP server you might see traffic logged between your router/firewall and connecting systems as they ask for and are assigned an IP Address on your network. It is not common to have your DHCP server on the WAN side of your firewall so in those cases perhaps you should investigate the configuration of your network.
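
Added example, not part of the original posts: when a firewall log only shows "BOOTPS" on UDP 67/68, decoding the payload tells you whether it is legacy BOOTP or ordinary DHCP and which step of the exchange it is. The function names and the sample packets are constructed for illustration; the field offsets, magic cookie and option 53 follow RFC 2131/2132.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # present in DHCP, absent in plain BOOTP
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the UDP payload of a port 67/68 datagram."""
    if len(payload) < 236:
        raise ValueError("shorter than the fixed 236-byte BOOTP header")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if op not in (1, 2) or hlen > 16:
        raise ValueError("not a BOOTP/DHCP message")
    info = {"op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
            "xid": xid,
            "yiaddr": ".".join(str(b) for b in payload[16:20]),  # offered IP
            "chaddr": payload[28:28 + hlen].hex(":"),            # client MAC
            "kind": "BOOTP", "msg_type": None}
    if payload[236:240] != DHCP_MAGIC:
        return info                      # legacy BOOTP: no options to walk
    info["kind"] = "DHCP"
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # End option
            break
        if code == 0:                    # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:   # DHCP Message Type
            info["msg_type"] = MSG_TYPES.get(value[0], f"UNKNOWN({value[0]})")
        i += 2 + length
    return info

def build_sample(op: int, msg_type: int, yiaddr: bytes = b"\0" * 4) -> bytes:
    """Constructed packet for the demo (not captured traffic)."""
    mac = bytes.fromhex("020000aabbcc")
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    hdr += b"\0" * 4 + yiaddr + b"\0" * 8 + mac.ljust(16, b"\0") + b"\0" * 192
    return hdr + DHCP_MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    print(parse_dhcp(build_sample(1, 1)))                      # client broadcast
    print(parse_dhcp(build_sample(2, 2, bytes([192, 168, 1, 101]))))  # server offer
```

A BOOTREPLY reaching the WAN interface from an address other than the provider's known DHCP server is the case worth a closer look; client broadcasts from neighbours on a shared segment are routine.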