Re: Win XP IP address hijack?

From: Jarek Durak (jdk@tempus.metal.agh.edu.pl)
Date: 12/14/01 

Date: Fri, 14 Dec 2001 21:35:02 +0100
From: Jarek Durak <jdk@tempus.metal.agh.edu.pl>
To: Curt Wilson <cwsecgeek@yahoo.com>

Curt Wilson wrote:
>
> I was doing some experimentation in my home lab
> recently and came across something I thought was
> interesting. I would enjoy any comments on this
> potential issue, which may be known already but is a
> new one for me.
>
> I was running a desktop with Win XP pro using a
> static IP address. I booted up a laptop running Win98
> with a duplicate IP address; the duplicate IP address
> message appeared on the 98 box and the 98
> interface was disabled. XP connectivitiy worked as
> normal. (this is standard operation so far). I shut
> down the win98 box.
>
> Next, I booted a RedHat 7.0 system using the same
> static IP address. XP lost it's IP, showing 0.0.0.0, did
> not display any message about this, and the Linux
> box hummed away happily, receiving connections
> destined for that IP. Perhaps the RH system
> implements it's ARP/duplicate IP address check in a
> different manner that is not recognized by XP, at least
> in this particular instance.
>
> I did not test this with any other version of windows
> but, having never tried this particular scenario, I was
> wondering if this is normal operation? If this is of any
> interest I'll grab a sniff of the traffic.

You have a switch in your network. I got 10 linux boxes running kernel
2.4.12 with the same IP (clons). All of them was able to ping my router
with 80-95% packet lost
J