I run a 3-NIC Linux gateway at home and was running tcpdump on the outside/public interface and saw a bunch of lines like these:
Code:
20:20:39.159399 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
20:20:39.160390 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
20:20:39.160739 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
From what I can tell they are DHCP replies from a private IP over my public interface. Obviously this has some sort of malicious intent, trying to pull DHCP clients onto a network.
Now to my real question... I don't see the point in this attack, as even if some DHCP client had just sent a DHCP request out, it wouldn't be able to contact the server as it's using private IP addresses. I would see it as more of a threat if it was a public IP, but I do not see any threat from this. What, if any, is the point of this attack, or was it just some kid scanning ranges?
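
One way to tally server-side DHCP replies in a tcpdump capture like the one above, per source address and whether that source sits in private address space. This is an added example, not part of the original post; the function names are hypothetical and the last two sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# tcpdump one-line IPv4 summary: "HH:MM:SS.ffffff IP src.sport > dst.dport: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def dhcp_server_replies(lines):
    """Yield (timestamp, source IP) for server-to-client BOOTP/DHCP packets."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 summary line in the expected shape
        # DHCP servers send from UDP port 67 to client port 68.
        if (m["sport"], m["dport"]) == ("67", "68") and "BOOTP/DHCP, Reply" in m["rest"]:
            yield m["ts"], ipaddress.ip_address(m["src"])

def summarize(lines):
    """Count replies per server; 'private' is ipaddress's is_private flag."""
    counts = Counter(src for _, src in dhcp_server_replies(lines))
    return {str(ip): {"replies": n, "private": ip.is_private}
            for ip, n in counts.items()}

# First three lines are from the post; the last two are constructed for contrast
# (a client request and unrelated TCP traffic, both of which must be ignored).
SAMPLE = """\
20:20:39.159399 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
20:20:39.160390 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
20:20:39.160739 IP 10.128.32.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 316
20:20:40.000001 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length: 300
20:20:41.000002 IP 198.51.100.7.443 > 203.0.113.5.51000: tcp 0
""".splitlines()

if __name__ == "__main__":
    for server, info in summarize(SAMPLE).items():
        tag = "private source" if info["private"] else "public source"
        print(f"{server}: {info['replies']} DHCP replies ({tag})")
```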