Re: Windows 2000 Static arp not static

[Bob Fleck <bob () securesoftware com>]

On Wed, 2003-02-12 at 18:53, Tim Habex wrote:
> When I looked at the arp cache of Linux, the static entry was there and
> working (?), but on the Windows machine, THE VALUE OF THE STATIC ARP WAS
> CHANGED. When ethercap was disabled, the static arp entry was returned to
> the original value.
As far as I can tell this comes from a difference in what 'static' is
taken to mean.

Linux, BSD, (Win XP):  Won't time out.  Won't change based on observed
ARP replies.

Win 2k and earlier:  Won't time out.

So all static means to Windows is keep this value, use it, and don't
bother to double-check it on a regular basis.  But if an update wanders
by somehow, update the cache.

> If this is a known problem, why hasn't this been fixed. If unknown ... is
> Microsoft reading this? ;o)
> Can some experienced securityadvisors perform more tests on this? eg. Other
> (Windows) OSes, other types of attacks.
This is a known issue. However, XP acts like Linux and other OSes. 
Static keeps it from changing.

Bob