I run a 3 nic linux gateway at home and was running tcpdump on the outside/public interface and saw a bunch of lines like these:

From what I can tell they are dhcp replys from a private ip over my public interface. Obviously this has some sort of malicous intent trying to pull dhcp clients onto a network.

Now to my real question... I dont see the point in this attack as even if some dhcp client had just sent a dhcp request out it wouldnt be able to contact the server as its using private ip addresses. I would see it as more of a threat is it was a public ip, but I do not see any threat from this. What if any is the point of this attack or was it just some kid scanning ranges?

It's no longer unusual to detect even just at least 10 scans everyday. Mostly these are not hands-on scans. They're bots. Just ignore them anyway.

regards

figured they were bots was just wondering why they bother scanning with private ip addresses

i don't know. they're not all from bad guys though. there are some companies that do these things so that they'll know some problems of the public network ahead of the intruders. for security purpose of course. and there are also some that just take a survey and post the results on a security site.

I am not worried about it I just find it sort of interesting. Anyway I put this rule it to be able to get a count and heres the results only after 2 or 3 hours. ( eth0 is public interface ).

Isps should block this at their routers so we dont have to have it fill our bandwith

yah. it should be hard for isps but yes i agree. it's still their responsibility anyway.

but at least you feel more secure now.

so till next time
regards