Win XP IP address hijack?

[Curt Wilson <cwsecgeek () yahoo com>]

I was doing some experimentation in my home lab 
recently and came across something I thought was 
interesting. I would enjoy any comments on this 
potential issue, which may be known already but is a 
new one for me.

I was running a desktop with Win XP pro using a 
static IP address. I booted up a laptop running Win98 
with a duplicate IP address; the duplicate IP address 
message appeared on the 98 box and the 98 
interface was disabled. XP connectivitiy worked as 
normal. (this is standard operation so far). I shut 
down the win98 box.

Next, I booted a RedHat 7.0 system using the same 
static IP address. XP lost it's IP, showing 0.0.0.0, did 
not display any message about this, and the Linux 
box hummed away happily, receiving connections 
destined for that IP. Perhaps the RH system 
implements it's ARP/duplicate IP address check in a 
different manner that is not recognized by XP, at least 
in this particular instance.

I did not test this with any other version of windows 
but, having never tried this particular scenario, I  was 
wondering if this is normal operation? If this is of any 
interest I'll grab a sniff of the traffic.

Secgeek