[lug] XP floods linux network, ideas ?

chuck morrison cmorrison at greeleynet.com
Mon May 2 18:38:23 MDT 2005

On Monday 02 May 2005 05:56 pm, David Anselmi wrote:
> chuck morrison wrote:
> [...]
> > When a laptop returns to the network after being on a different network,
> > a cute little MS "feature" called apipa kicks in. When the laptop can't
> > reaffirm it's last (dhcp supplied) IP address, apipa kicks in and assigns
> > the laptop a 169.254.x.x address and proceeds to flood the network with
> > UDP (NBNS) packets advertising its new address and trying to re-establish
> > old connections via Netbios.
> Have you sniffed the DHCP conversation to see whether the client gets a
> NAK when it tries to renew a bad address?  Perhaps your DHCP server is
> misconfigured:

I've done a lot of sniffing in the last month. The issue isn't that dhcp 
doesn't work, it does, and very well. Depending on how much havoc the PC(s) 
in question cause, it always gets a valid dhcp lease eventually.

One way that APIPA works, although not well documented, is that if the PC 
(usually a laptop) plugs into a different network than it was last on, and is 
not rebooted (just put in sleep mode or moved from one network to another) it 
will attempt to renew it's lease from its original dhcp server. When that 
fails (and it always will in this case since it can't get to that server... 
different network) it grabs a 169.254.x.x address from apipa and doesn't 
attempt a new dhcp lease for 5 minutes. During that 5 minutes it's spewing 
packets at and clogging bandwidth. If another PC attempts to 
connect to the dhcp server and fails during this time (and I've seen it 
happen) then things get out of control quickly.

In some ways it's a people training issue. Lots of folks don't like to reboot 
or release/renew network connections. It's not an issue for linux clients 
except that they're affected by slow network access too. Until we can get all 
those apps running on linux...

> http://www.isc.org/index.pl?/sw/dhcp/authoritative.php
> Dave
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

More information about the LUG mailing list