RE: msft 169.254.173.250 IP address

From: <scott_at_securelabs.net>
Date: Wed, 8 Apr 2009 13:34:45 -0700 (PDT)

Malware - it's all malware if you "don't" get networking 101
 
Since you didn't look at the highlighted portion in my response
 
Here is some basic 101 networking information for you.
 
If you need me to break it down further, send me an email privately and I will be
happy to draw a picture of how it works and not clutter the thread up. (This
is a CCIE thread.)
 
 
 - Automatic Private IP Addressing (APIPA) is a feature of Windows-based
operating systems (included in Windows 98, ME, 2000, and XP) that enables a
computer to automatically assign itself an IP address when there is no Dynamic
Host Configuration Protocol (DHCP) server available to perform that function.
APIPA serves as a DHCP server failover mechanism and makes it easier to
configure and support small local area networks (LANs).
If no DHCP server is currently available (either because the server is
temporarily down or because none exists on the network), the computer selects
an IP address from a range of addresses (from 169.254.0.0 - 169.254.255.255)
reserved by the Internet Assigned Numbers Authority (IANA) for that purpose.
The client uses Address Resolution Protocol (ARP) to ensure that the chosen
address is not already being used by another network computer. Once the
computer has assigned itself an IP address, it can communicate over TCP/IP
with other computers on the LAN that are either configured for APIPA or are
manually set to the correct address range and a subnet mask value of
255.255.0.0. APIPA is enabled by default, but can be disabled in some cases.
DHCP messages notify the user when they are switched between DHCP addressing
and APIPA.

--- On Wed, 4/8/09, Ryan West <rwest_at_zyedge.com> wrote:

From: Ryan West <rwest_at_zyedge.com>
Subject: RE: msft 169.254.173.250 IP address
To: "scott_at_securelabs.net" <scott_at_securelabs.net>, "Sadiq Yakasai"
<sadiqtanko_at_gmail.com>, "Cisco certification" <ccielab_at_groupstudy.com>, "Cisco
certification" <security_at_groupstudy.com>
Date: Wednesday, April 8, 2009, 3:27 PM

If you bothered to read the first post, I said that malware can cause DHCP to
die (or operate improperly), where does it say that you get a new IP address
each time you reboot? I was offering different possible explanations for what
might be happening. What are you offering, wrong information?
 
-ryan
 

From: scott_at_securelabs.net [mailto:scott_at_securelabs.net]
Sent: Wednesday, April 08, 2009 3:23 PM
To: Sadiq Yakasai; Cisco certification; Cisco certification; Ryan West
Subject: RE: msft 169.254.173.250 IP address
 

Let me make it easier for you --->

 
To configure TCP/IP for automatic addressing

1. Open Network and Dial-up Connections.
2. Right-click the network connection that you want to configure, and then click
   Properties.
3. On the General tab (for a local area connection) or the Networking tab (all
   other connections), click Internet Protocol (TCP/IP), and then click
   Properties.
4. Click Obtain an IP address automatically, and then click OK.

Note

- To open Network and Dial-up Connections, click Start, point to Settings, and
  then click Network and Dial-up Connections.
- You must be logged on as an administrator or a member of the Administrators
  group in order to complete this procedure.
- Windows 2000 uses Automatic Private IP Addressing (APIPA) to automate Internet
  Protocol (IP) configuration of network connections.

By default, the computer first tries to contact a DHCP server on the network
and dynamically obtain configuration for each installed network connection, as
follows:

- If a DHCP server is reached and leased configuration is successful, TCP/IP
  configuration is completed.
- If a DHCP server is not reached or leased configuration fails, the computer
  uses APIPA to automatically configure TCP/IP. When APIPA is used, Windows 2000
  determines an address in the Microsoft-reserved IP addressing range from
  169.254.0.1 through 169.254.255.254. This address is used until a DHCP server
  is located. The subnet mask is set to 255.255.0.0.

The range of IP addresses (from 169.254.0.1 through 169.254.255.254) used for
APIPA is reserved by the Internet Assigned Numbers Authority (IANA). Any IP
addresses within this range are not used on the Internet.

--- On Wed, 4/8/09, Ryan West <rwest_at_zyedge.com> wrote:

From: Ryan West <rwest_at_zyedge.com>
Subject: RE: msft 169.254.173.250 IP address
To: "scott_at_securelabs.net" <scott_at_securelabs.net>, "Sadiq Yakasai"
<sadiqtanko_at_gmail.com>, "Cisco certification" <ccielab_at_groupstudy.com>, "Cisco
certification" <security_at_groupstudy.com>
Date: Wednesday, April 8, 2009, 3:18 PM

http://www.ietf.org/rfc/rfc3927.txt
 
A.3. Microsoft Windows 98/98SE
 
   Windows 98/98SE systems choose their IPv4 Link-Local address on a
   pseudo-random basis. The address selection algorithm is based on
   computing a hash on the interface's MAC address, so that a large
   collection of hosts should obey the uniform probability distribution
   in choosing addresses within the 169.254/16 address space. Deriving
   the initial IPv4 Link-Local address from the interface's MAC address
   also ensures that systems rebooting will obtain the same
   autoconfigured address, unless a conflict is detected.
 
   When in INIT state, the Windows 98/98SE DHCP Client sends out a total
   of 4 DHCPDISCOVERs, with an inter-packet interval of 6 seconds. When
   no response is received after all 4 packets (24 seconds), it will
   autoconfigure an address.
 
   The autoconfigure retry count for Windows 98/98SE systems is 10.
   After trying 10 autoconfigured IPv4 addresses, and finding all are
   taken, the host will boot without an IPv4 address.
 
   Autoconfigured Windows 98/98SE systems check for the presence of a
   DHCP server every five minutes. If a DHCP server is found but
   Windows 98 is not successful in obtaining a new lease, it keeps the
   existing autoconfigured IPv4 Link-Local address. If Windows 98/98SE
   is successful at obtaining a new lease, it drops all existing
   connections without warning. This may cause users to lose sessions
   in progress. Once a new lease is obtained, Windows 98/98SE will not
   allocate further connections using the autoconfigured IPv4 Link-Local
   address.
 
   Windows 98/98SE systems with an IPv4 Link-Local address do not send
   packets addressed to an IPv4 Link-Local address to the default
   gateway if one is present; these addresses are always resolved on the
   local segment.
 
   Windows 98/98SE systems by default send all outgoing unicast packets
   with a TTL of 128. TTL configuration is performed by setting the
   Windows Registry Key
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:\Tcpip\
   Parameters\DefaultTTL of type REG_DWORD to the appropriate value.
   However, this default TTL will apply to all packets. While this
   facility could be used to set the default TTL to 255, it cannot be
   used to set the default TTL of IPv4 Link-Local packets to one (1),
   while allowing other packets to be sent with a TTL larger than one.
 
   Windows 98/98SE systems do not implement media sense. This means
   that network connectivity issues (such as a loose cable) may prevent
   a system from contacting the DHCP server, thereby causing it to
   auto-configure. When the connectivity problem is fixed (such as when
   the cable is re-connected) the situation will not immediately correct
   itself. Since the system will not sense the re-connection, it will
   remain in autoconfigured mode until an attempt is made to reach the
   DHCP server.
 
I guess I should still check out MS though?
 

From: scott_at_securelabs.net [mailto:scott_at_securelabs.net]
Sent: Wednesday, April 08, 2009 3:07 PM
To: Sadiq Yakasai; Cisco certification; Cisco certification; Ryan West
Subject: RE: msft 169.254.173.250 IP address
 

Check out Microsoft support.

 

It will give itself a 169 address if DHCP doesn't work....and it will change
every time you reboot...no magic, no malware...

 

--- On Wed, 4/8/09, Ryan West <rwest_at_zyedge.com> wrote:

From: Ryan West <rwest_at_zyedge.com>
Subject: RE: msft 169.254.173.250 IP address
To: "Sadiq Yakasai" <sadiqtanko_at_gmail.com>, "Cisco certification"
<ccielab_at_groupstudy.com>, "Cisco certification" <security_at_groupstudy.com>
Date: Wednesday, April 8, 2009, 9:40 AM

IPv4 link-local address. Have you verified there is no malware on the
machine? I've seen DHCP die because of corrupt LSPs.

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Sadiq
Yakasai
Sent: Wednesday, April 08, 2009 9:27 AM
To: Cisco certification; Cisco certification
Subject: msft 169.254.173.250 IP address

Hi Guys,

I have done a bit of googling but to no avail...but does anyone have any
information about this IP address on Windows XP please?

The PC is doing DHCP straight away but I am still seeing traffic sourced
from this IP address on a Wireshark trace, which is kinda weird. Appears to
me like the PC assigns itself this IP address right before assigning the IP
address from the DHCP server.

PS: There is no delay whatsoever from the DHCP server and the client does
NOT timeout on DHCP.

Thanks in advance,

Sadiq

Received on Wed Apr 08 2009 - 13:34:45 ART
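
One way to check what the original question describes, link-local source traffic around a DHCP exchange, over records exported from a capture. This is an added example and not part of the thread; the record layout, MAC addresses and timings are constructed, and the second host follows the 4-DISCOVER, 6-second pattern from the quoted RFC 3927 appendix.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # range quoted in the thread

# Constructed sample trace, not the original capture. Record layout (assumed):
# (time s, source MAC, source IP, DHCP message type or None, DHCP client MAC or None)
C1, C2, SRV = "00:11:22:33:44:55", "00:66:77:88:99:00", "00:aa:bb:cc:dd:ee"
TRACE = [
    (0.00, C1, "0.0.0.0", "DISCOVER", C1),
    (0.02, C1, "169.254.173.250", None, None),   # link-local source mid-exchange
    (0.05, SRV, "192.168.1.1", "OFFER", C1),
    (0.06, C1, "0.0.0.0", "REQUEST", C1),
    (0.08, SRV, "192.168.1.1", "ACK", C1),
    (0.50, C1, "192.168.1.50", None, None),
    # Second host: four unanswered DISCOVERs 6 s apart, then autoconfiguration.
    *[(100.0 + 6 * i, C2, "0.0.0.0", "DISCOVER", C2) for i in range(4)],
    (124.3, C2, "169.254.9.17", None, None),
]


def verdict(h):
    """Classify one host by where its link-local traffic sits relative to the lease."""
    if h["first_ll"] is None:
        return "no link-local source seen"
    if h["ack"] is None:
        return "link-local, no lease in trace"
    return ("link-local before lease" if h["first_ll"] < h["ack"]
            else "link-local after lease")


def summarize(trace):
    """Per client MAC: link-local sources seen and how they line up with DHCP."""
    hosts = {}
    for t, src_mac, src_ip, dhcp, chaddr in sorted(trace, key=lambda r: r[0]):
        mac = chaddr or src_mac  # DHCP replies are attributed to the client
        h = hosts.setdefault(mac, {"link_local": [], "first_ll": None,
                                   "discovers_before_ll": 0, "ack": None})
        if dhcp == "DISCOVER" and h["first_ll"] is None:
            h["discovers_before_ll"] += 1
        elif dhcp == "ACK" and h["ack"] is None:
            h["ack"] = t
        elif dhcp is None and ipaddress.ip_address(src_ip) in LINK_LOCAL:
            if src_ip not in h["link_local"]:
                h["link_local"].append(src_ip)
            if h["first_ll"] is None:
                h["first_ll"] = t
    for h in hosts.values():
        h["verdict"] = verdict(h)
    return hosts
```
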
