On 08/18/2012 10:01 AM, fred smith wrote:
> On Sat, Aug 18, 2012 at 09:20:56AM -0500, Robert Nichols wrote:
>> Those are BOOTP responses from your ISP's DHCP server to clients requesting
>> an IP address. They have to be broadcast because the client does not yet
>> have an IP address. Go yell at whoever set up your firewall to log these
>> harmless packets that are a necessary part of dynamic IPv4 address
>> assignment on a shared medium.
>>
>> SPT=67              source port  = BOOTP server
>> DPT=68              dest port    = BOOTP client
>> DST=255.255.255.255 dest address = Broadcast
>
> That implies that there are a WHOLE LOT of systems served by this provider
> that are doing DHCP requests, given the volume of these things I'm seeing.
> They're arriving at rates ranging from 4-5 a second, to 1-2 a minute,
> mostly in the one every 1-5 seconds rate.
>
> My firewall is filtering them, which is good. And while there are a lot
> of them it isn't enough to make a dent in my incoming bandwidth. Were I
> still on dialup or DSL, it might be.
>
> The firewall is the built-in firewall in my Asus router. The UI doesn't
> give much flexibility in what it logs (basically you can log none, dropped,
> accepted, or all--I've chosen to log dropped). Of course, I could open a
> shell on the router and hack the iptables rules, but I'd just as soon not.
>
> Thanks for the reply!

FWIW, I average about 9 of those per minute on my cable segment. That's
194000 packets counted by my own (non-logging!) iptables rule in the 15+ days
this system has been up.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
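
The following is an added example, not part of the original message: a small Python triage script that separates the DHCP server broadcasts described above (UDP, SPT=67, DPT=68, DST=255.255.255.255) from the rest of a dropped-packet log and reports their rate per minute. The log lines, host name, addresses and the `LOG_YEAR` value are constructed for illustration and assume the usual iptables LOG `KEY=value` layout.

```python
import re
from datetime import datetime

# Constructed sample lines in the usual iptables LOG layout (not from the thread).
SAMPLE_LOG = """\
Aug 18 09:15:01 router kernel: DROP IN=eth0 OUT= SRC=10.20.0.1 DST=255.255.255.255 LEN=328 TTL=64 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:15:04 router kernel: DROP IN=eth0 OUT= SRC=10.20.0.1 DST=255.255.255.255 LEN=328 TTL=64 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:15:30 router kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=51 PROTO=TCP SPT=40112 DPT=23 WINDOW=5840 SYN
Aug 18 09:16:01 router kernel: DROP IN=eth0 OUT= SRC=10.20.0.1 DST=255.255.255.255 LEN=328 TTL=64 PROTO=UDP SPT=67 DPT=68 LEN=308
Aug 18 09:16:20 router kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.5 LEN=78 TTL=47 PROTO=UDP SPT=67 DPT=68 LEN=58
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
LOG_YEAR = 2012  # assumption: syslog timestamps carry no year, so one is supplied

def parse_line(line):
    """Return (timestamp, fields) for one iptables LOG line."""
    ts = datetime.strptime(f"{LOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, dict(FIELD_RE.findall(line))

def is_dhcp_server_broadcast(f):
    """True only when all three fields from the thread match, over UDP."""
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "67"
            and f.get("DPT") == "68" and f.get("DST") == "255.255.255.255")

def summarize(log_text):
    """Count DHCP server broadcasts, compute their rate, keep everything else."""
    dhcp_times, other = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        if is_dhcp_server_broadcast(fields):
            dhcp_times.append(ts)
        else:
            other.append(line)  # e.g. the unicast 67->68 packet stays visible
    minutes = 0.0
    if len(dhcp_times) > 1:
        minutes = (max(dhcp_times) - min(dhcp_times)).total_seconds() / 60
    rate = len(dhcp_times) / minutes if minutes else None
    return {"dhcp_broadcasts": len(dhcp_times), "per_minute": rate, "other": other}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["dhcp_broadcasts"], result["per_minute"])
    for line in result["other"]:
        print("REVIEW:", line)
```

Requiring the broadcast destination as well as the port pair keeps a unicast packet that merely uses ports 67 and 68 in the review list instead of being written off as routine address assignment.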