Security Incidents mailing list archives
Re: 169.254.x.x
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 29 Mar 2000 14:02:31 -0800
This is done by both Win98 and MacOS 8.5 and above. The range of 169.254.x.x has been reserved for this purpose. The idea is that when DHCP fails, it still gives clients a way to communicate with TCP/IP. It is, off course, not intended to production use, but it will give the client a chance to use TCP/IP in order to recover. For example, on a widely switched Ethernet backbone, it could enable the user to at least e-mail MIS saying that their network connection is flaky. It actually would work great in a home when you have roughly 10 machines. The home user doesn't have to worry about configuring any IP addresses; the communication "just works". Rob. PS: There may even be an RFC detailing this technique; I haven't been paying attention lately. -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Pavel Kankovsky Sent: Wednesday, March 29, 2000 1:10 AM To: INCIDENTS () securityfocus com Subject: Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) On Sat, 25 Mar 2000, Jeffrey D. Carter wrote:
There is one other anomoly in the data below: 4 of the probe clumps include an interleaved series of a remote address and an address in the 169.254.0.0 netblock....
169.254.0.0/16 is the netblock of choice for another silly Windows feature called "IP autoconfiguration". Windows pick up a more or less random address from this range and start using it if they fail to get an IP address by DHCP...or when they have a bad day or something. FYI: I have heard the following patch to registry would disable it... ---- REGEDIT4 [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP] "IPAutoconfigurationEnabled"=dword:00000000 ---- --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
Current thread:
- Syn and Fin in different packets together, (continued)
- Syn and Fin in different packets together Stuart Staniford-Chen (Mar 21)
- Re: Syn and Fin in different packets together Simple Nomad (Mar 22)
- Re: Syn and Fin in different packets together Granquist, Lamont (Mar 24)
- Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity Jeffrey D. Carter (Mar 25)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity Bryan Andersen (Mar 28)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service) probeactivity Christoph Schneeberger (Mar 29)
- Re: Dramatic increase in UDP Port 137 (NetBIOS Name Service)probeactivity Bill Pennington (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Pavel Kankovsky (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Joshua Krage (Mar 29)
- Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity) Greg A. Woods (Mar 29)
- Re: 169.254.x.x Robert Graham (Mar 29)
- Re: 169.254.x.x Pavel Kankovsky (Mar 30)
- Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael Damm (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Robert Graham (Mar 30)
- Re: Cracked by the Brazilians Seth Milder (Mar 30)
- Re: Cracked by the Brazilians Michael H. Warfield (Mar 30)
- Re: Cracked by the Brazilians Omachonu Ogali (Mar 30)
- Re: Cracked by the Brazilians Blaise St-Laurent (Mar 30)
- Re: Cracked by the Brazilians Ralf Spenneberg (Mar 30)