Ports

Port 68: DHCP client

Client side of DHCP. Devices use it to request and renew IP configuration.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

UDP port 68 is the well-known client port for DHCP. A port is a transport-layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. A DHCP client binds to UDP 68 so that replies from servers reliably reach the correct local process during boot.

This is especially important because the client may start with no IP address, sending from 0.0.0.0 to a broadcast destination while still needing to receive an offer. In a typical lease flow, the client on 68 broadcasts discover and request messages, and the server on 67 responds with offer and acknowledgement messages that include an address lease plus settings like DNS and default gateway.

Because the early exchange can be broadcast and unauthenticated, network controls such as switch port security, DHCP snooping, or trusted VLAN boundaries matter a lot. If an attacker can inject DHCP replies to port 68, they can redirect traffic or break connectivity by handing out bad configuration.

How it works in broad strokes

  1. Client sends DHCPDISCOVER from 0.0.0.0 to the broadcast address, source port 68.
  2. Client receives a DHCPOFFER and responds with DHCPREQUEST.
  3. Client applies the DHCPACK settings and renews later before the lease expires.
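As an added example (not code from the original page), the following Python parses the payload that arrives on UDP 68 during this flow (BOOTP header, magic cookie, DHCP options) and flags OFFER or ACK messages whose server identifier is not on an allowlist, which is the rogue-DHCP check a defender would run over a capture. The packet bytes, addresses and transaction id are constructed for the example.

```python
# Added example: parse a UDP/68 DHCP payload and flag offers from unexpected servers.
# Packet bytes below are constructed test data, not captured traffic.
import struct
from ipaddress import IPv4Address

MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options after the BOOTP header

def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed 236-byte BOOTP header plus the DHCP option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = IPv4Address(payload[16:20])          # address being offered/assigned
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                           # end option
            break
        if code == 0:                             # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")   # option 53: message type
    server_id = IPv4Address(opts[54]) if 54 in opts else None       # option 54: server identifier
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "type": msg_type, "server_id": server_id}

def build_dhcp(op, xid, yiaddr, msg_type, server_id) -> bytes:
    """Build a minimal DHCP message (constructed sample data for the example)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)          # ethernet, broadcast flag set
    hdr += b"\x00" * 4 + IPv4Address(yiaddr).packed + b"\x00" * 8       # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\x00" * 16 + b"\x00" * 192                                 # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts

def rogue_offers(payloads, trusted_servers):
    """Return (xid, server, offered address) for OFFER/ACK messages from untrusted servers."""
    trusted = {IPv4Address(s) for s in trusted_servers}
    alerts = []
    for p in payloads:
        m = parse_dhcp(p)
        if m["type"] in ("OFFER", "ACK") and m["server_id"] not in trusted:
            alerts.append((m["xid"], str(m["server_id"]), str(m["yiaddr"])))
    return alerts

# Constructed sample: one offer from the expected server, one from an unexpected server.
SAMPLE = [build_dhcp(2, 0x1234, "10.0.0.50", 2, "10.0.0.1"),
          build_dhcp(2, 0x1234, "192.168.99.50", 2, "192.168.99.1")]

if __name__ == "__main__":
    for xid, server, offered in rogue_offers(SAMPLE, ["10.0.0.1"]):
        print(f"rogue DHCP offer: xid={xid:#x} server={server} offered={offered}")
```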

Concrete example

A VoIP phone boots and immediately sends DHCPDISCOVER from UDP 68. If the switch blocks it because of a DHCP snooping misconfiguration, the phone never gets an IP address and appears dead.

Why it matters

In packet captures, seeing UDP 68 traffic helps you diagnose why a host is not getting an address. From a security view, it also helps detect rogue DHCP behavior and miswired segments.

Security angle

  • Use captures on the access switch or host to confirm the discover and offer flow.
  • Lock down DHCP with snooping and trusted uplinks.
  • Document which VLANs use which DHCP scopes so mispatching is obvious.

Common pitfalls

  • Clients stuck in a loop because offers are blocked by VLANs, ACLs, or missing relay agents.
  • Multiple DHCP servers causing flapping between different configurations.
  • Assuming the client is broken when the real issue is upstream switch security or relay configuration.