Link Logger Home ZyXel Banner Binary Visions
Netgear
LinkSYS
Router

Ports 67/68
Link Logger for Windows
Home Home Product Info Product Info Download Download/Purchase Support Support  
Link Logger for Windows

NewsLatest News

Screen ShotsScreenshots

Customer CommentsFeedback

Common ScansScans

Additional ResourcesResources

UDP Ports 67 and 68

Common Use

Port 67 Bootps

Port 68 Bootpc

Inbound Scan

Typically this traffic is related to normal DHCP operation and is not an attack on your network.  DHCP (Dynamic Host Configuration Protocol) is how your computer gets its unique IP address.  When a system starts up on a network it must first request an IP address (assume it is not using a static IP address), and it does this by broadcasting a request to the DHCP server:

UDP 0.0.0.0:68 -> 255.255.255.255:67

since the requesting system doesn't have an IP address (why it is asking) it uses 0.0.0.0 and since its new to the network it doesn't know where the DHCP server is, so it broadcasts the request to the entire network (255.255.255.255).  On some networks you will see these requests bounce off of your firewall (depending on your provider's network configuration and if your router/firewall logs these requests), or your firewall/router might log this traffic between it and your providers DHCP server when it is getting or renewing its WAN IP address.

The DHCP server then responds with something like:

UDP 192.168.1.1:67 -> 255.255.255.255:68

This is typically a DHCP offer.  NOTE it has to be broadcasted (255.255.255.255) as the requesting system doesn't yet have an IP address (its contained in the offer).  The data in this transmission contains the IP and other network configuration information that the requesting system needs to connect to the network (lease time, Subnet Mask, etc).  Again on some networks you will see these bounce off of your firewall (depending on your provider's network configuration and if your router/firewall logs these), or your firewall/router might log this traffic between it and your providers DHCP server when it is getting or renewing its WAN IP address.

Sometimes you will see something like:

UDP 192.168.1.101:67 -> 192.168.1.1:68

as a request, followed by a reply

UDP 192.168.1.1:68 -> 192.168.1.101:67

These are typically IP renewal requests, where a system has an IP address and is asking to renew it (ie get the lease extended), or if its not possible to renew the IP address to receive a new IP address from the DHCP server.  Since the requesting system knows where the DHCP server is and it already has a current IP address the requests don't need to use 0.0.0.0 and 255.255.255.255.

Outbound Scan

Most routers/firewalls don't log this traffic, but given most routers/firewalls are also the local DHCP server you might see traffic logged between your router/firewall and connecting systems as they ask for and are assigned an IP Address on your network.  It is not common to have your DHCP server on the WAN side of your firewall so in those cases perhaps you should investigate the configuration of your network.

Additional Information

DHCP FAQ

Page last updated on February 27, 2006