On Tue, Nov 14, 2000 at 12:23:59PM -0800, Vernon Wells wrote:
> >> M$-windows of course pops up a friendly dialog box, indicating that the
> >> has been detected in use by someone else, and courteously disables that
> >> ethernet interface for you :) :)
> > M$ farts out prodigeous numbers of broadcast packets and expects
> >to seen prodigeous numbers of broadcast packets. It spots the fact that
> >someone else sends out a packet with your IP address in the src address.
> >(at least that's one way they detect it). Amusing random acts of terrorism
> >can result including some spectacular denial of service attacks (think
> >about it for a second).
> This is perhaps misworded. As with most systems, Windows sends a
> "gratuitous ARP" for an IP address the IP address is bound (see, e.g.,
> TCP/IP Illustrated Volume 1 for an explanation of gratuitous ARPs) and waits
> for an (Ethernet) unicast ARP reply, which indicates that somebody else is
> using the same address. The denial of service you hint at only works
> locally; machines can't (bugs aside) propagate ARP requests to a remote
Oh, very true... Just like most dhcp address exhaustion attacks
only work locally. It's just that they are a royal bitch to track down
once they happen (and that's when you start in with the rubber hose because
the guilty party is a local). :-)
Michael H. Warfield | (770) 985-6132 | mhw@xxxxxxxxxxxx
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!