Hey everyone!
I recently noticed traffic on every connected device, even when there is no activity. They are downloading at about 5.4-6 Kbps on every device. I used torch to track where it is coming from and found out it's ports 67 and 68. I blocked them in the firewall but it did nothing. Can you please help me solve it? I have a MikroTik RB4011iGS+ with firmware version 6.47.4.
UDP ports 67 and 68 are used for BOOTP and DHCP; devices will periodically renew their leases after half of the lease period.
So what can I do to stop that? It's doing it even on static IPs, and also when I restart the router.
You could add a rule such as
/ip firewall filter add chain=input action=drop dst-address-type=broadcast
You might experience some other side effects though, so be prepared to correct any unforeseen issues.
It’s odd that you are seeing it from devices with static addresses. Using the packet sniffer rather than torch may reveal more.
BIND on Linux uses raw rather than IP sockets, so its traffic cannot be blocked by IP firewall rules; I don't know if the same is true for the MikroTik implementation.
It's broadcast traffic, so it is no surprise that it is also visible on interfaces with static IP addresses. Note that torch's notion of source and destination is from the perspective of the outgoing traffic: 255.255.255.255 cannot normally be a source IP address, but torch shows it like that because it shows both Rx and Tx on the same row, so SRC is the address on the router's side of the connection and DST is the address on the remote side.
What surprises me more is the amount of traffic: once a DHCP client gets an address, it renews it using unicast messages, so this looks like some client device which has never got a lease.
As already suggested, use the sniffer instead of torch; you'll see the source MAC address(es) of those DHCPDISCOVER requests.
The other traffic shown as 802.2 is likely some flavor of STP.
And yes, the communication of the DHCPv4 client process cannot be blocked by the firewall, but the packets are seen by the firewall, so they can be e.g. logged there (they can even be dropped, but it has no effect).
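To make the sniffer advice above concrete, here is an added example (not code from the thread, from MikroTik, or from RouterOS) that decodes raw Ethernet/IPv4/UDP/BOOTP frames the way a packet sniffer would present them, pulls out the client MAC from the BOOTP chaddr field and the DHCP message type from option 53, and separates broadcast DHCPDISCOVER packets (a client that never obtained a lease) from unicast DHCPREQUEST renewals. All frames, MAC addresses and the 10-second window are constructed for illustration; the 802.2 frame stands in for the STP noise mentioned above, and the figure of roughly 2.5 DISCOVERs per second is chosen only because it lands near the rate the original poster reported, not because that is what they captured.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
DHCP_PORTS = (67, 68)
DHCP_MAGIC = b"\x63\x82\x53\x63"          # BOOTP "magic cookie" that precedes DHCP options
BROADCAST_IP = "255.255.255.255"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def _checksum(data):
    """Internet checksum; only used so the constructed IPv4 headers look like real ones."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_dhcp_frame(src_mac, dst_mac, src_ip, dst_ip, msg_type, xid, ciaddr="0.0.0.0"):
    """Construct one Ethernet/IPv4/UDP/BOOTP frame carrying a DHCP message (sample data, not a capture)."""
    mac = bytes(int(x, 16) for x in src_mac.split(":"))
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0,                      # op=BOOTREQUEST, Ethernet, hlen 6
                        bytes(int(x) for x in ciaddr.split(".")),   # ciaddr: client's current address
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,            # yiaddr, siaddr, giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = DHCP_MAGIC + bytes([53, 1, msg_type, 255])            # option 53 = message type, 255 = end
    payload = bootp + options
    sport, dport = (68, 67) if msg_type in (1, 3, 4, 7, 8) else (67, 68)  # client->server vs server->client
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes(int(x) for x in dst_ip.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes(int(x, 16) for x in dst_mac.split(":")) + mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def decode_dhcp_frame(frame):
    """Decode one Ethernet frame; return a dict for DHCPv4 traffic, or None for anything else."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_UDP:
        return None
    src_ip, dst_ip = _ip(ip[12:16]), _ip(ip[16:20])
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[0:4])
    if sport not in DHCP_PORTS or dport not in DHCP_PORTS:
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    hlen = bootp[2]
    xid = struct.unpack("!I", bootp[4:8])[0]
    chaddr = bootp[28:28 + hlen]                  # client hardware address: the MAC the sniffer reveals
    options, i = {}, 240
    while i < len(bootp):                         # TLV walk over DHCP options
        code = bootp[i]
        if code == 0:                             # pad
            i += 1
            continue
        if code == 255:                           # end
            break
        length = bootp[i + 1]
        options[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN")
    return {"src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac), "client_mac": _mac(chaddr),
            "src_ip": src_ip, "dst_ip": dst_ip, "broadcast": dst_ip == BROADCAST_IP,
            "xid": xid, "msg_type": msg_type, "length": len(frame)}


def classify(d):
    """Apply the thread's reasoning: broadcast DISCOVER = client without a lease; unicast REQUEST = normal renewal."""
    if d["msg_type"] == "DISCOVER" and d["broadcast"]:
        return "no-lease client (broadcast DISCOVER)"
    if d["msg_type"] == "REQUEST" and not d["broadcast"]:
        return "normal renewal (unicast REQUEST)"
    return f"{d['msg_type']} ({'broadcast' if d['broadcast'] else 'unicast'})"


def summarize(frames, seconds):
    """Count DHCP messages per (source MAC, classification) and estimate the rate they account for in kbit/s."""
    per_mac, total_bits = {}, 0
    for f in frames:
        d = decode_dhcp_frame(f)
        if d is None:
            continue
        key = (d["src_mac"], classify(d))
        per_mac[key] = per_mac.get(key, 0) + 1
        total_bits += len(f) * 8
    return per_mac, total_bits / seconds / 1000


# Constructed 10-second sample: one client stuck in DISCOVER, one client renewing, one 802.2 (STP-like) frame.
SAMPLE_SECONDS = 10
SAMPLE_FRAMES = (
    [build_dhcp_frame("02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff", "0.0.0.0", BROADCAST_IP, 1, 0x1234)
     for _ in range(25)]
    + [build_dhcp_frame("02:00:00:00:00:bb", "02:00:00:00:00:01", "192.168.88.10", "192.168.88.1",
                        3, 0x5678, ciaddr="192.168.88.10")]
    + [b"\xff" * 6 + b"\x02\x00\x00\x00\x00\xcc" + b"\x00\x2e" + b"\x42\x42\x03" + b"\0" * 43]
)

if __name__ == "__main__":
    counts, kbps = summarize(SAMPLE_FRAMES, SAMPLE_SECONDS)
    for (mac, label), n in counts.items():
        print(f"{mac}  {label}: {n} packets")
    print(f"DHCP share of link: {kbps:.2f} kbit/s")
```

Run as a script it lists each source MAC with what it is doing; in the sample the constant stream of broadcast DISCOVERs from one MAC accounts for almost all of the rate, while the renewing client contributes a single unicast REQUEST. That split is exactly what the torch view cannot give you, because torch aggregates by IP and shows 255.255.255.255 as one side of every row.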
I don't know what was causing that, but I did a factory reset, set it up just like before, and it seems I solved the problem.