RE: Win XP IP address hijack?

["Burton@SNS" <Burton () SmallNetSolutions com>]

Historically for Microsoft's multiple-user operating systems (e.g. Windows
NT and Windows 2K), those messages are in the event log, not a console
alert.  Did you check there?

-----Burton

-----Original Message-----
From: Curt Wilson [mailto:cwsecgeek () yahoo com]
Sent: Friday, December 14, 2001 3:37 AM
To: vuln-dev () securityfocus com
Subject: Win XP IP address hijack?




I was doing some experimentation in my home lab
recently and came across something I thought was
interesting. I would enjoy any comments on this
potential issue, which may be known already but is a
new one for me.

I was running a desktop with Win XP pro using a
static IP address. I booted up a laptop running Win98
with a duplicate IP address; the duplicate IP address
message appeared on the 98 box and the 98
interface was disabled. XP connectivitiy worked as
normal. (this is standard operation so far). I shut
down the win98 box.

Next, I booted a RedHat 7.0 system using the same
static IP address. XP lost it's IP, showing 0.0.0.0, did
not display any message about this, and the Linux
box hummed away happily, receiving connections
destined for that IP. Perhaps the RH system
implements it's ARP/duplicate IP address check in a
different manner that is not recognized by XP, at least
in this particular instance.

I did not test this with any other version of windows
but, having never tried this particular scenario, I  was
wondering if this is normal operation? If this is of any
interest I'll grab a sniff of the traffic.

Secgeek