Port 67 68 Filling up my Firewall's Log

Status
Not open for further replies.

fdoty

MIS
Sep 24, 2002
50
US
I have a problem with ports 67 and 68 broadcasting and coming from a computer on the Internet. Its IP is 10.200.8.1, which doesn't make sense because it's coming from the Internet. This action is filling up my logs and causing a kind of DoS attack. Everything crawls and my ISP won't help. Has anyone else had this problem?
 
Would suggest denying these ports inbound and out, as they sound like potential hacks/attacks.
 
Sounds like maybe another client on your ISP has a workstation configured for either DHCP relay or is trying to renew an IP, but it's now on the public network and the address that it puts in its source header is the internal address for the network it used to be on.

Which logs are you getting this on? Your firewall's or your server's? Or are they the same? If they are using up your bandwidth, then your ISP should help. Some ISPs already block those ports, since DHCP traffic has no business on the public net.

ShackDaddy
 
The log is from my firewall. Here is a copy of one line:
Dec 8 00:01:36 instagate PF Global DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9b:ef:f4:54:08:00 SRC=10.200.48.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21700 PROTO=UDP SPT=67 DPT=68 LEN=308

It is from the outside source since my network is 192.?.?.? not 10.?.?.? AND we have a DHCP server on our network. Also eth1 is the WAN NIC. eth0 would be the local LAN.

Thanks!
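
Added example (not written by any poster in this thread): one way to triage log lines like the one quoted above, by flagging DHCP server replies (UDP 67 to 68) that arrive on the WAN interface from an RFC 1918 source and grouping them by the sender's MAC address. Only the first sample line comes from the thread; the other three, including the 192.168.1.1 LAN address, are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Line 1 is the entry quoted in the thread; lines 2-4 are constructed samples
# (a repeat, a LAN-side DHCP reply, and an unrelated TCP drop).
SAMPLE_LOG = """\
Dec 8 00:01:36 instagate PF Global DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9b:ef:f4:54:08:00 SRC=10.200.48.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21700 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 8 00:01:39 instagate PF Global DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:9b:ef:f4:54:08:00 SRC=10.200.48.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=21701 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 8 00:01:40 instagate PF Global DROP: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=67 DPT=68 LEN=308
Dec 8 00:01:41 instagate PF Global DROP: IN=eth1 OUT= MAC=00:aa:bb:cc:dd:ee:00:04:9b:ef:f4:54:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 PROTO=TCP SPT=40000 DPT=23 WINDOW=5840
"""

WAN_IF = "eth1"  # WAN NIC according to the thread; eth0 is the local LAN
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return the KEY=VALUE fields of one netfilter-style log line as a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def source_mac(fields):
    """MAC= holds dst MAC (6 bytes), src MAC (6 bytes), EtherType (2 bytes)."""
    octets = fields.get("MAC", "").split(":")
    return ":".join(octets[6:12]) if len(octets) == 14 else None

def is_stray_dhcp_reply(fields):
    """True for DHCP server-to-client traffic (UDP 67 -> 68) that arrives on
    the WAN interface from an RFC 1918 source address."""
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return False
    return (fields.get("IN") == WAN_IF and fields.get("PROTO") == "UDP"
            and fields.get("SPT") == "67" and fields.get("DPT") == "68"
            and any(src in net for net in RFC1918))

def summarize(log_text):
    """Count stray DHCP replies per (source IP, source MAC)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse(line)
        if is_stray_dhcp_reply(f):
            hits[(f["SRC"], source_mac(f))] += 1
    return hits

if __name__ == "__main__":
    for (ip, mac), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {ip:15s}  {mac}")
```

The source MAC is the detail worth handing to an ISP: unlike the private source IP, it identifies the device on the shared WAN segment that is sending the replies.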
 