bruteforce attacks bootp

I looked at my pflog a moment ago and it is filled with nothing but the messages below. The IP denoted with x.x.x.x is because it is different each time. The xid is also a different hex value each time.
Code:
Jun 01 13:01:09.157404 rule 16/(match) block in on axe0: xx.xxx.xx.x.67 > 255.255.255.255.68: hops:1 xid:0x214cdae flags:0x8000 Y:xx.xxx.xx.xxxx S:xx.xxx.xx.x [|bootp]

My rule that is blocking these:
Code:
block drop in quick on axe0 from <bruteforce> to any

Anyone know what these are?
 
Those are DHCP requests from client computers to the broadcast address 255.255.255.255; that type of request is used when the client computer has no valid DHCP lease in its lease database. Block them but don't log or react to them in any way, they are perfectly normal.

Edit: Actually that traffic has the port numbers reversed; the usual initial DHCP request as seen from the DHCP server looks like this:
Code:
2012-06-02 20:13:12.834373 rule 25..16777216/0(match): pass in on re0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]

I'm not sure if what you're seeing is malicious but I'd say you can still block it and forget it.

Where does your <bruteforce> table come from and what does it contain?

Edit2: I think the traffic is actually replies to various DHCP clients from a DHCP server on your WAN (axe0 is your WAN connection?); the DHCP server sends the reply to the client requesting a lease using the broadcast address 255.255.255.255 because the client does not have an IP address in the first place.

Here's my pf(4) rules for allowing DHCP in and out on my WAN connection so that I can get a lease from my ISP's DHCP server. I don't think you can go any stricter on these rules because DHCP doesn't play well with stateful filtering.

Code:
# Allow DHCP on WAN
pass in  log quick on $WAN inet proto udp from any port = bootps to any port = bootpc
pass out log quick on $WAN inet proto udp from any port = bootpc to any port = bootps
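The replies above turn on reading the UDP ports in the pflog line: source port 68 (bootpc) to destination port 67 (bootps) is a client request, and 67 to 68 is a server reply, broadcast to 255.255.255.255 when the client has no address yet. The script below is an added example, not code from either poster; it parses the two log formats quoted in the thread (the `rule N/(match) block in on IF: SRC.PORT > DST.PORT:` form from tcpdump on pflog) and tallies requests and replies per interface so you can see at a glance whether a burst of "bootp" hits is a DHCP server answering its other clients or something else. The sample lines are constructed, with RFC 5737 documentation addresses standing in for the masked ones in the original post.

```python
import re
from collections import Counter

# Well-known DHCP/BOOTP ports (bootps = server, bootpc = client), as in /etc/services.
BOOTPS, BOOTPC = 67, 68
BROADCAST = "255.255.255.255"

# Constructed sample of pflog output, modelled on the lines quoted in the thread.
# Addresses are RFC 5737 documentation values, not real hosts.
SAMPLE_LOG = """\
Jun 01 13:01:09.157404 rule 16/(match) block in on axe0: 192.0.2.1.67 > 255.255.255.255.68: hops:1 xid:0x214cdae flags:0x8000 [|bootp]
2012-06-02 20:13:12.834373 rule 25..16777216/0(match): pass in on re0: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request [|bootp]
Jun 01 13:02:11.000001 rule 16/(match) block in on axe0: 192.0.2.1.67 > 192.0.2.55.68: hops:1 xid:0x1a2b3c flags:0x0000 [|bootp]
Jun 01 13:02:12.000002 rule 16/(match) block in on axe0: 192.0.2.9.53 > 192.0.2.55.41234: UDP, length 64
"""

# Matches both pflog line styles seen above: "<action> <dir> on <if>: <src>.<sport> > <dst>.<dport>:"
LINE_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
XID_RE = re.compile(r"xid:(0x[0-9a-fA-F]+)")


def classify(line):
    """Return a dict describing one BOOTP/DHCP pflog line, or None if the
    line is not parseable or is not DHCP traffic."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if (sport, dport) == (BOOTPC, BOOTPS):
        kind = "client-request"          # 68 -> 67: a client looking for a lease
    elif (sport, dport) == (BOOTPS, BOOTPC):
        kind = "server-reply"            # 67 -> 68: a server answering a client
    else:
        return None                      # some other UDP traffic
    xid = XID_RE.search(line)
    return {
        "interface": m["ifname"],
        "direction": m["dir"],
        "action": m["action"],
        "kind": kind,
        "broadcast": m["dst"] == BROADCAST,
        # Only a reply tells us which server is talking; requests come from 0.0.0.0.
        "server": m["src"] if kind == "server-reply" else None,
        "xid": xid.group(1) if xid else None,
    }


def summarize(log_text):
    """Tally DHCP lines by interface and kind, and list the servers seen replying.
    Many distinct xids from one server address is the signature of a busy but
    ordinary DHCP server serving other clients on the same segment."""
    kinds = Counter()
    servers = set()
    xids_per_server = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            unparsed += 1
            continue
        kinds[(rec["interface"], rec["kind"], rec["broadcast"])] += 1
        if rec["server"]:
            servers.add(rec["server"])
            if rec["xid"]:
                xids_per_server[rec["server"]] += 1
    return {
        "counts": dict(kinds),
        "servers": sorted(servers),
        "xids_per_server": dict(xids_per_server),
        "non_dhcp_lines": unparsed,
    }


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)["counts"].items():
        ifname, kind, bcast = key
        print(f"{ifname}: {n} {kind}{' (broadcast)' if bcast else ''}")
```

Run it against `tcpdump -n -e -ttt -r /var/log/pflog port 67 or port 68` output instead of the embedded sample to get the same tally for a real log; a result dominated by broadcast server replies from one or two addresses on the WAN interface matches Edit2's reading of the original post.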