Port reference
Port 67 (UDP) – DHCP server
DHCP server port — assigns IP addresses and network configuration to clients.
Quick facts
- Transport: UDP
- Category: Well-known
- Risk level: High
Frequently targeted — restrict exposure and harden it.
Default state
Open on DHCP servers and most routers/gateways on the local network. Not routed across the internet by design.
Common attacks
- Rogue DHCP server handing out malicious gateway/DNS settings
- DHCP starvation flooding the pool to cause denial of service
- DHCP spoofing for man-in-the-middle redirection
- Option-field injection and malformed-packet parsing bugs
Hardening
- Enable DHCP snooping on switches to block rogue servers
- Trust only known DHCP server ports; drop server replies on access ports
- Use port security / dynamic ARP inspection to limit starvation
- Segment and monitor DHCP traffic; alert on unexpected OFFER/ACK sources
- Keep the DHCP daemon patched against parsing vulnerabilities
nmap snippet
nmap -sU -p67 --script dhcp-discover <target>
Replace <target> with the host or range you're authorized to scan.
How to check if this port is open
Linux:
ss -tulpn | grep :67
nmap -sU -p 67 <target>
Windows:
netstat -ano | findstr :67
Test-NetConnection <host> -Port 67 # TCP only
macOS:
lsof -i :67
nmap -sU -p 67 <target>
How to block this port
ufw:
sudo ufw deny 67/udp
firewalld:
sudo firewall-cmd --permanent --remove-port=67/udp
sudo firewall-cmd --reload
iptables:
sudo iptables -A INPUT -p udp --dport 67 -j DROP
Windows (PowerShell):
New-NetFirewallRule -DisplayName "Block 67" -Direction Inbound -Protocol UDP -LocalPort 67 -Action Block
What runs on port 67?
Port 67 is the server side of DHCP (Dynamic Host Configuration Protocol).
DHCP servers listen here for DISCOVER and REQUEST messages from clients and
reply with OFFER and ACK packets that assign an IP address, subnet mask,
default gateway, and DNS servers. Clients send and receive on port 68. The
protocol is broadcast-based and operates within a single broadcast domain.
Why it matters for security
DHCP is unauthenticated by default, so any host on the segment can answer client requests. Whoever wins the race to respond controls a client's gateway and DNS, which is a powerful position for man-in-the-middle interception of all outbound traffic. Because the protocol is local, the threat is an insider or a compromised device rather than the open internet, but the impact — full traffic redirection and credential capture — is severe.
How it's attacked
A rogue DHCP server races the legitimate one to hand out a malicious gateway
and DNS, silently redirecting victims. DHCP starvation floods DISCOVER
messages to exhaust the address pool, denying service to real clients and often
paving the way for the attacker's own rogue server. Spoofing and crafted
option fields can also exploit parsing bugs in the DHCP daemon.
Hardening checklist
Enable DHCP snooping on managed switches so only designated trusted ports may
send server replies, dropping rogue OFFER/ACK traffic. Pair it with dynamic
ARP inspection and port security to curb starvation. Segment and monitor
DHCP, alerting on unexpected server sources, and keep the daemon patched. The nmap
snippet above discovers DHCP servers responding on a segment you are authorized to
test.
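The message layout described under "What runs on port 67?" and the "alert on unexpected server sources" item in the checklist above, worked through as an added example (not code from the original page): a small decoder for the BOOTP/DHCP header and option list (per RFC 2131/2132), plus a detector that flags OFFER/ACK/NAK replies whose source or Server Identifier is not on an assumed allowlist of legitimate servers. The sample messages, the client MAC and the trusted-server set are all constructed; a real deployment would feed it UDP/67 and UDP/68 payloads captured on a span port or from DHCP snooping logs.

```python
"""Decode DHCP messages and flag server replies from untrusted sources (added example)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # RFC 2132 cookie at offset 236 of the BOOTP frame
BOOTREQUEST, BOOTREPLY = 1, 2                 # 'op' field: clients send 1, servers reply with 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 6, 53, 54


@dataclass
class DhcpMessage:
    op: int
    xid: int
    yiaddr: str          # address the server is handing out
    chaddr: str          # client hardware (MAC) address
    options: dict = field(default_factory=dict)

    @property
    def msg_type(self) -> str:
        raw = self.options.get(OPT_MSG_TYPE, b"")
        return MSG_TYPES.get(raw[0], f"type{raw[0]}") if raw else "UNKNOWN"

    def ip_option(self, code: int):
        """Return the first IPv4 address carried by an option (router, DNS, server id), if any."""
        raw = self.options.get(code)
        return str(IPv4Address(raw[:4])) if raw and len(raw) >= 4 else None


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the fixed 236-byte BOOTP header and the TLV option list; raise on malformed input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("too short or missing magic cookie")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    yiaddr = str(IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad byte, no length
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 2 > len(payload):
            raise ValueError(f"option {code} truncated before its length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:            # the classic malformed-option case
            raise ValueError(f"option {code} declares {length} bytes, only {len(value)} present")
        options[code] = value
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, chaddr, options)


def build_dhcp(op, xid, chaddr_hex, yiaddr="0.0.0.0", options=None) -> bytes:
    """Builder for constructed sample messages only; lays out header, cookie, options, end byte."""
    chaddr = bytes.fromhex(chaddr_hex.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)      # op..flags (12 bytes)
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)             # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + bytes(64 + 128)                    # chaddr, sname, file
    body = b"".join(bytes([c, len(v)]) + v for c, v in (options or {}).items())
    return hdr + MAGIC_COOKIE + body + b"\xff"


def rogue_server_alerts(observed, trusted_servers):
    """observed: iterable of (source_ip, udp_payload) seen on the segment.
    One alert per server reply whose source or Server Identifier is not trusted,
    and one per undecodable message (a parsing failure on UDP/67-68 is itself worth a look)."""
    alerts = []
    for src_ip, payload in observed:
        try:
            msg = parse_dhcp(payload)
        except ValueError as exc:
            alerts.append({"reason": "malformed", "src": src_ip, "detail": str(exc)})
            continue
        if msg.op != BOOTREPLY or msg.msg_type not in ("OFFER", "ACK", "NAK"):
            continue                        # DISCOVER/REQUEST from any client is expected traffic
        server_id = msg.ip_option(OPT_SERVER_ID) or src_ip
        if src_ip not in trusted_servers or server_id not in trusted_servers:
            alerts.append({"reason": "untrusted_server", "src": src_ip, "server_id": server_id,
                           "type": msg.msg_type, "client": msg.chaddr, "offered": msg.yiaddr,
                           "router": msg.ip_option(OPT_ROUTER), "dns": msg.ip_option(OPT_DNS)})
    return alerts


def demo():
    """Constructed traffic: one DISCOVER, a legitimate OFFER, a rogue OFFER, a truncated reply."""
    def ip(s):
        return IPv4Address(s).packed

    def offer_opts(server):   # an OFFER that also points router and DNS at the offering server
        return {OPT_MSG_TYPE: b"\x02", OPT_SERVER_ID: ip(server), OPT_ROUTER: ip(server), OPT_DNS: ip(server)}

    trusted = {"10.0.0.1"}                  # assumed allowlist of legitimate DHCP servers
    client = "de:ad:be:ef:00:01"            # constructed client MAC
    observed = [
        ("0.0.0.0", build_dhcp(BOOTREQUEST, 0x1234, client, options={OPT_MSG_TYPE: b"\x01"})),
        ("10.0.0.1", build_dhcp(BOOTREPLY, 0x1234, client, "10.0.0.50", offer_opts("10.0.0.1"))),
        ("10.0.0.99", build_dhcp(BOOTREPLY, 0x1234, client, "10.0.0.200", offer_opts("10.0.0.99"))),
        ("10.0.0.7", build_dhcp(BOOTREPLY, 0x1234, client, "10.0.0.60", {OPT_MSG_TYPE: b"\x02"})[:-3]),
    ]
    return rogue_server_alerts(observed, trusted)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running `demo()` yields two alerts: the OFFER from 10.0.0.99 (whose Server Identifier, router and DNS all point at an address outside the allowlist, exactly the rogue-gateway/DNS pattern described above) and the truncated reply from 10.0.0.7, which fails option parsing. Checking both the packet source and option 54 matters because a rogue server can be relayed or can forge the Server Identifier; DHCP snooping on the switch remains the enforcement control, and this detector is the monitoring layer beside it.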
Frequently asked questions
- What is the difference between port 67 and 68?
- Port 67 is the server side that receives client requests and sends offers/acknowledgements; port 68 is the client side that listens for the server's replies.
- Can DHCP be attacked from the internet?
- DHCP is a local broadcast protocol and is normally not routed across the internet, so attacks come from the local segment — making switch-level DHCP snooping the key control.