On 08/18/2012 10:01 AM, fred smith wrote:
On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
Those are BOOTP responses from your ISP's DHCP server to clients requesting an IP address. They have to be broadcast because the client does not yet have an IP address. Go yell at whoever set up your firewall to log these harmless packets that are a necessary part of dynamic IPv4 address assignment on a shared medium.
SPT=67  source port = BOOTP server
DPT=68  dest port = BOOTP client
DST=255.255.255.255  dest address = Broadcast
That implies that there are a WHOLE LOT of systems served by this provider that are doing DHCP requests, given the volume of these things I'm seeing. They're arriving at rates ranging from 4-5 a second to 1-2 a minute, mostly in the one every 1-5 seconds range.
My firewall is filtering them, which is good. And while there are a lot of them, it isn't enough to make a dent in my incoming bandwidth. Were I still on dialup or DSL, it might be.
The firewall is the built-in firewall in my Asus router. The UI doesn't give much flexibility in what it logs (basically you can log none, dropped, accepted, or all--I've chosen to log dropped). Of course, I could open a shell on the router and hack the iptables rules, but I'd just as soon not.
thanks for the reply!
FWIW, I average about 9 of those per minute on my cable segment. That's 194000 packets counted by my own (non-logging!) iptables rule in the 15+ days this system has been up.
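As an added example (not code from either poster), here is a small Python script that applies the port/address reading of those entries given above: it parses iptables LOG lines, separates the BOOTP server-to-client broadcasts (UDP from port 67 to port 68, DST 255.255.255.255) from the other dropped packets, and computes their arrival rate per minute, the kind of figure quoted in the thread. The log lines are constructed samples in the standard kernel LOG format; it is an assumption that the router's own dropped-packet log uses the same FIELD=value layout.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread) in the usual kernel
# "iptables -j LOG" format, as a firewall set to log dropped packets would emit.
SAMPLE_LOG = """\
Aug 18 09:20:01 router kernel: DROP IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:20:03 router kernel: DROP IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:20:04 router kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PROTO=TCP SPT=51234 DPT=23
Aug 18 09:20:05 router kernel: DROP IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:21:00 router kernel: DROP IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=328 TOS=0x00 PROTO=UDP SPT=67 DPT=68 LEN=308
"""

TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (syslog timestamp, {FIELD: value}) for one LOG line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return m.group(1), dict(FIELD_RE.findall(line))


def is_bootp_reply_broadcast(fields):
    """A DHCP/BOOTP server reply to a client that has no address yet:
    UDP from port 67 (server) to port 68 (client), sent to 255.255.255.255."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT") == "67"
            and fields.get("DPT") == "68"
            and fields.get("DST") == "255.255.255.255")


def summarize(log_text):
    """Separate expected DHCP broadcast noise from the other dropped packets
    and return (dhcp_count, other_lines, dhcp_rate_per_minute)."""
    dhcp_count, other, stamps = 0, [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        if is_bootp_reply_broadcast(fields):
            dhcp_count += 1
            stamps.append(datetime.strptime(ts, "%b %d %H:%M:%S"))
        else:
            other.append(line)
    # Rate over the window spanned by the DHCP entries themselves (year-less
    # syslog stamps parse to 1900, which is fine for differences).
    span = (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0
    rate = dhcp_count * 60.0 / span if span else 0.0
    return dhcp_count, other, rate
```

Running `summarize` over a real dropped-packet log leaves you with only the non-DHCP drops to look at, which is the practical alternative to changing the router's logging rules.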