Re: 169.254.x.x

[bugtraq () NETWORKICE COM (Robert Graham)]

This is done by both Win98 and MacOS 8.5 and above.

The range of 169.254.x.x has been reserved for this purpose. The idea is
that when DHCP fails, it still gives clients a way to communicate with
TCP/IP. It is, off course, not intended to production use, but it will give
the client a chance to use TCP/IP in order to recover. For example, on a
widely switched Ethernet backbone, it could enable the user to at least
e-mail MIS saying that their network connection is flaky.

It actually would work great in a home when you have roughly 10 machines.
The home user doesn't have to worry about configuring any IP addresses; the
communication "just works".

Rob.

PS: There may even be an RFC detailing this technique; I haven't been paying
attention lately.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Pavel Kankovsky
Sent: Wednesday, March 29, 2000 1:10 AM
To: INCIDENTS () securityfocus com
Subject: Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS
Name Service) probe activity)

On Sat, 25 Mar 2000, Jeffrey D. Carter wrote:

> There is one other anomoly in the data below: 4 of the probe clumps
> include an interleaved series of a remote address and an address in the
> 169.254.0.0 netblock....

169.254.0.0/16 is the netblock of choice for another silly Windows feature
called "IP autoconfiguration". Windows pick up a more or less random
address from this range and start using it if they fail to get an
IP address by DHCP...or when they have a bad day or something.

FYI: I have heard the following patch to registry would disable it...

----
REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP]
"IPAutoconfigurationEnabled"=dword:00000000
----

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."