Typically this traffic is related to normal DHCP operation and is not an
attack on your network. DHCP (Dynamic Host Configuration Protocol) is how
your computer gets its unique IP address. When a system starts up on a
network, it must first request an IP address (assuming it is not using a static
IP address), and it does this by broadcasting a request to the DHCP server:
UDP 0.0.0.0:68 -> 255.255.255.255:67
Since the requesting system doesn't have an IP address yet (which is why it is
asking), it uses 0.0.0.0, and since it's new to the network it doesn't know
where the DHCP server is, so it broadcasts the request to the entire network
(255.255.255.255). On some networks you will see these requests bounce off of
your firewall (depending on your provider's network configuration and whether
your router/firewall logs these requests), or your firewall/router might log
this traffic between it and your provider's DHCP server when it is getting or
renewing its WAN IP address.
The DHCP server then responds with something like:
UDP 192.168.1.1:67 -> 255.255.255.255:68
This is typically a DHCP offer. Note that it has to be broadcast
(255.255.255.255), as the requesting system doesn't yet have an IP address
(it's contained in the offer). The data in this transmission contains the IP
address and other network configuration information that the requesting system
needs to connect to the network (lease time, subnet mask, etc.). Again, on some
networks you will see these bounce off of your firewall (depending on your
provider's network configuration and whether your router/firewall logs these),
or your firewall/router might log this traffic between it and your provider's
DHCP server when it is getting or renewing its WAN IP address.
Sometimes you will see something like:
UDP 192.168.1.101:67 -> 192.168.1.1:68
as a request, followed by a reply:
UDP 192.168.1.1:68 -> 192.168.1.101:67
These are typically IP renewal requests, where a system has an IP address and
is asking to renew it (i.e., get the lease extended) or, if it's not possible
to renew the IP address, to receive a new IP address from the DHCP server.
Since the requesting system knows where the DHCP server is and already has a
current IP address, the requests don't need to use 0.0.0.0 and 255.255.255.255.
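
The following is an added example, not part of the original text: a short
Python script that sorts firewall log lines into the DHCP patterns described
above, so routine DHCP entries can be separated from everything else in a log.
The log line layout, the sample lines and the label names are assumptions;
unicast traffic between ports 67 and 68 is labelled as renewal in either
direction.

```python
import ipaddress
import re
from collections import Counter

# Matches the "UDP src:port -> dst:port" form used in the log lines above.
LINE_RE = re.compile(
    r"UDP\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)
DHCP_PORTS = {67, 68}
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample lines; the timestamp/action prefix is an assumed format.
SAMPLE_LOG = [
    "Jan 01 00:00:01 fw DROP UDP 0.0.0.0:68 -> 255.255.255.255:67",
    "Jan 01 00:00:01 fw DROP UDP 192.168.1.1:67 -> 255.255.255.255:68",
    "Jan 01 06:00:00 fw ALLOW UDP 192.168.1.101:67 -> 192.168.1.1:68",
    "Jan 01 06:00:00 fw ALLOW UDP 192.168.1.1:68 -> 192.168.1.101:67",
    "Jan 01 06:00:05 fw DROP UDP 192.168.1.50:5353 -> 224.0.0.251:5353",
    "Jan 01 06:00:09 fw DROP TCP 192.168.1.50:51000 -> 10.0.0.1:443",
]


def classify(line):
    """Return a label for one log line, or None if no UDP flow is found."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
    except ValueError:
        return None  # malformed address, e.g. an octet above 255
    sport, dport = int(m.group(2)), int(m.group(4))

    # The traffic described above always runs between UDP ports 67 and 68.
    if {sport, dport} != DHCP_PORTS:
        return "not-dhcp"
    if src == UNSPECIFIED and dst == BROADCAST and (sport, dport) == (68, 67):
        return "client-broadcast-request"
    if dst == BROADCAST and (sport, dport) == (67, 68):
        return "server-broadcast-reply"
    if src != UNSPECIFIED and dst != BROADCAST:
        return "unicast-renewal"
    return "dhcp-other"


def summarize(lines):
    """Count how many lines fall into each label."""
    return Counter(classify(line) or "unparsed" for line in lines)


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count:3d}  {label}")
```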