RE: msft 169.254.173.250 IP address

If you bothered to read the first post, I said that malware can cause DHCP to
die (or operate improperly), where does it say that you get a new IP address
each time you reboot? I was offering different possible explanations for what
might be happening. What are you offering, wrong information?

-ryan

From: scott_at_securelabs.net [mailto:scott_at_securelabs.net]
Sent: Wednesday, April 08, 2009 3:23 PM
To: Sadiq Yakasai; Cisco certification; Cisco certification; Ryan West
Subject: RE: msft 169.254.173.250 IP address

Let me make it easier for you --->

To configure TCP/IP for automatic addressing

 1. Open Network and Dial-up Connections
 2. Right-click the network connection that you want to configure, and then
click Properties.
 3. On the General tab (for a local area connection) or the Networking tab
(all other connections), click Internet Protocol (TCP/IP), and then click
Properties.
 4. Click Obtain an IP address automatically, and then click OK.

[http://www.microsoft.com/windows/windows2000/en/advanced/help/note.gif] Note

 * To open Network and Dial-up Connections, click Start, point to Settings,
and then click Network and Dial-up Connections.
 * You must be logged on as an administrator or a member of the
Administrators group in order to complete this procedure.
 * Windows 2000 uses Automatic Private IP Addressing (APIPA) to automate
Internet Protocol (IP) configuration of network connections.
By default, the computer first tries to contact a DHCP server on the network
and dynamically obtain configuration for each installed network connection, as
follows:

    * If a DHCP server is reached and leased configuration is successful,
TCP/IP configuration is completed.
    * If a DHCP server is not reached or leased configuration fails, the
computer uses APIPA to automatically configure TCP/IP. When APIPA is used,
Windows 2000 determines an address in the Microsoft-reserved IP addressing
range from 169.254.0.1 through 169.254.255.254. This address is used until a
DHCP server is located. The subnet mask is set to 255.255.0.0.
 * The range of IP addresses (from 169.254.0.1 through 169.254.255.254) used
for APIPA is reserved by the Internet Assigned Numbers Authority (IANA). Any
IP addresses within this range are not used on the Internet.

--- On Wed, 4/8/09, Ryan West <rwest_at_zyedge.com> wrote:

From: Ryan West <rwest_at_zyedge.com>
Subject: RE: msft 169.254.173.250 IP address
To: "scott_at_securelabs.net" <scott_at_securelabs.net>, "Sadiq Yakasai"
<sadiqtanko_at_gmail.com>, "Cisco certification" <ccielab_at_groupstudy.com>, "Cisco
certification" <security_at_groupstudy.com>
Date: Wednesday, April 8, 2009, 3:18 PM
http://www.ietf.org/rfc/rfc3927.txt

A.3. Microsoft Windows 98/98SE

   Windows 98/98SE systems choose their IPv4 Link-Local address on a
   pseudo-random basis. The address selection algorithm is based on
   computing a hash on the interface's MAC address, so that a large
   collection of hosts should obey the uniform probability distribution
   in choosing addresses within the 169.254/16 address space. Deriving

Cheshire, et al. Standards Track [Page 29]

RFC 3927 IPv4 Link-Local May 2005

   the initial IPv4 Link-Local address from the interface's MAC address
   also ensures that systems rebooting will obtain the same
   autoconfigured address, unless a conflict is detected.

   When in INIT state, the Windows 98/98SE DHCP Client sends out a total
   of 4 DHCPDISCOVERs, with an inter-packet interval of 6 seconds. When
   no response is received after all 4 packets (24 seconds), it will
   autoconfigure an address.

   The autoconfigure retry count for Windows 98/98SE systems is 10.
   After trying 10 autoconfigured IPv4 addresses, and finding all are
   taken, the host will boot without an IPv4 address.

   Autoconfigured Windows 98/98SE systems check for the presence of a
   DHCP server every five minutes. If a DHCP server is found but
   Windows 98 is not successful in obtaining a new lease, it keeps the
   existing autoconfigured IPv4 Link-Local address. If Windows 98/98SE
   is successful at obtaining a new lease, it drops all existing
   connections without warning. This may cause users to lose sessions
   in progress. Once a new lease is obtained, Windows 98/98SE will not
   allocate further connections using the autoconfigured IPv4 Link-Local
   address.

   Windows 98/98SE systems with an IPv4 Link-Local address do not send
   packets addressed to an IPv4 Link-Local address to the default
   gateway if one is present; these addresses are always resolved on the
   local segment.

   Windows 98/98SE systems by default send all outgoing unicast packets
   with a TTL of 128. TTL configuration is performed by setting the
   Windows Registry Key
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:\Tcpip\
   Parameters\DefaultTTL of type REG_DWORD to the appropriate value.
   However, this default TTL will apply to all packets. While this
   facility could be used to set the default TTL to 255, it cannot be
   used to set the default TTL of IPv4 Link-Local packets to one (1),
   while allowing other packets to be sent with a TTL larger than one.

   Windows 98/98SE systems do not implement media sense. This means
   that network connectivity issues (such as a loose cable) may prevent
   a system from contacting the DHCP server, thereby causing it to
   auto-configure. When the connectivity problem is fixed (such as when
   the cable is re-connected) the situation will not immediately correct
   itself. Since the system will not sense the re-connection, it will
   remain in autoconfigured mode until an attempt is made to reach the
   DHCP server.

I guess I should still check out MS though?

From: scott_at_securelabs.net [mailto:scott_at_securelabs.net]
Sent: Wednesday, April 08, 2009 3:07 PM
To: Sadiq Yakasai; Cisco certification; Cisco certification; Ryan West
Subject: RE: msft 169.254.173.250 IP address

checkout microsoft support.

it will give itself a 169 address if dhcp doesnt work....and it will change
every time you reboot...no magic, no malware...

--- On Wed, 4/8/09, Ryan West <rwest_at_zyedge.com> wrote:

From: Ryan West <rwest_at_zyedge.com>
Subject: RE: msft 169.254.173.250 IP address
To: "Sadiq Yakasai" <sadiqtanko_at_gmail.com>, "Cisco certification"
<ccielab_at_groupstudy.com>, "Cisco certification" <security_at_groupstudy.com>
Date: Wednesday, April 8, 2009, 9:40 AM
IPv4 link-local address. Have you verified there is no malware on the
machine. I've seen DHCP die because of corrupt LSPs.

-----Original Message-----
From:
nobody@groupstudy.com<http://us.mc11.mail.yahoo.com/mc/compose?to=nobody@grou
pstudy.com>
[mailto:nobody@groupstudy.com<http://us.mc11.mail.yahoo.com/mc/compose?to=nob
ody_at_groupstudy.com>] On Behalf Of Sadiq Yakasai
Sent: Wednesday, April 08, 2009 9:27 AM
To: Cisco certification; Cisco certification
Subject: msft 169.254.173.250 IP address

Hi Guys,

I have done abit of googling but to no avail...but does anyone have any
information about this IP address on Windows XP please?

The PC is doing DHCP straight away but I am still seeing traffic sourced
from this IP address on a wireshark trace, which is kinda weird. Appears to
me like the PC assigns itself this IP address right before assigning the IP
address from the DHCP server.

PS: There is no delay what so ever from the DHCP server and the client does
NOT timeout on DHCP.

Thanks in advance,

Sadiq

Blogs and organic groups at http://www.ccie.net<http://www.ccie.net/>
Received on Wed Apr 08 2009 - 15:27:43 ART