[c-nsp] Windows Vista, Gratuitous ARP and DHCP conflicts

Kurt Bales kwbales at kwbales.net
Wed May 30 23:44:40 EDT 2007


Hello All,

Just a follow-up to this post. I got into work this morning and found this
problem occurring in overdrive!

Picture this:

1. Telnet to Router
2. "show ip dhcp conflict" shows 100 odd grat arp conflicts
3. "clear ip dhcp conflict *"
4. Sleep 30 seconds
5. "show ip dhcp conflict" shows 20 odd grat arp conflicts
6. WTF?
7. Make coffee
8. WTF?

I've had a good morning so far. So given that I would rather solve the
problem as opposed to just schedule a clear arp/clear conflict process to
run repeatedly, and that I now had a case where it was happening "right
now!", I decided to take some packet captures on the L2 segment and some
debug from the affected IOS DHCP server.

With "debug arp" and "debug ip dhcp server events" enabled, my debugging
(Damn me for not saving it) showed that the OFFER was being made to the
client, and immediately following it was a debug of arp for that offered
address with "martian source", followed by "Offer declined" due to conflict.
I was able to match this to the arp table entries and the conflict
entries - each was added at the time of the "martian source" error matching
the MAC of the client requesting the DHCP lease. In this way the affected
client managed to steal my entire pool in a matter of minutes.

I traced the MAC of the offender and shut down the eth interface. Cleared my
arps and conflicts.

YAY! WORLD IS HAPPY!

Then about 20 mins later, another host starts doing the same thing again.

WTF!!!!

So eventually, my google-fu led me to
http://support.microsoft.com/kb/928233. Now, at this point I'd like to thank
our dear friends at Microsoft for not making it a simple tickbox that our
Helldesk Lackeys could walk somebody through. In fact, I can't even make a
.reg, because the Key is based on the GUID of the interface, therefore
varies depending on the PC and interface. Once again... Thank you Microsoft.

I have one of my more trusted lackeys attempting to talk a customer through
changing that value on their interface, but no results yet.

Fingers crossed!

Kurt


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales
Sent: Monday, 26 February 2007 16:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Windows Vista, Gratuitous ARP and DHCP conflicts

Hey Guys,

Has anyone else noticed an increase in "Gratuitous ARP" entries under "sh ip
dhcp conflict" lately?

We serve Customer addresses (for better or worse!) via DHCP in some network
designs. The DHCP server is running on the local Cisco Device in the area
(usually an 1811). Lately we have noticed a large number of "conflicts"
listed with "Gratuitous ARP" as the reason. 9 times out of 10 has shown the
offending machine to be a Windows Vista install.

Does anyone know why this is happening, or a way we can combat against it?
We are moving our network away from DHCP addressing for customers, but this
is a slow process. Is there a method to alert when the number of conflicts
reaches a threshold?

Regards,

Kurt Bales
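
An added example, not part of the original posts: a Python sketch that groups the "Gratuitous ARP" entries from "show ip dhcp conflict" by the MAC address seen in "show ip arp", so one client consuming the pool stands out, and counts conflicts against a threshold. The sample outputs, addresses and thresholds are constructed, and the column layouts are assumed to follow the usual IOS output.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip dhcp conflict" output (addresses are made up).
CONFLICTS = """\
IP address        Detection method   Detection time
10.20.0.11        Gratuitous ARP     May 31 2007 08:41 AM
10.20.0.12        Gratuitous ARP     May 31 2007 08:41 AM
10.20.0.13        Gratuitous ARP     May 31 2007 08:42 AM
10.20.0.14        Ping               May 31 2007 08:42 AM
10.20.0.15        Gratuitous ARP     May 31 2007 08:43 AM
"""

# Constructed sample of "show ip arp" output for the same segment.
ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.0.1               -   0000.5e00.5301  ARPA   Vlan1
Internet  10.20.0.11              0   0200.0000.00aa  ARPA   Vlan1
Internet  10.20.0.12              0   0200.0000.00aa  ARPA   Vlan1
Internet  10.20.0.13              0   0200.0000.00aa  ARPA   Vlan1
Internet  10.20.0.14              3   0200.0000.00bb  ARPA   Vlan1
Internet  10.20.0.15              1   0200.0000.00cc  ARPA   Vlan1
"""

# Header lines and "Incomplete" ARP entries do not match and are skipped.
CONFLICT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(Gratuitous ARP|Ping)\s", re.M)
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s", re.M)

def grat_arp_conflicts(conflict_text):
    """Addresses whose conflict was detected by gratuitous ARP."""
    return [ip for ip, how in CONFLICT_RE.findall(conflict_text) if how == "Gratuitous ARP"]

def conflicts_by_mac(conflict_text, arp_text):
    """Map each MAC to the conflicted addresses it currently holds in the ARP table."""
    arp = dict(ARP_RE.findall(arp_text))
    grouped = defaultdict(list)
    for ip in grat_arp_conflicts(conflict_text):
        grouped[arp.get(ip, "unknown")].append(ip)
    return dict(grouped)

def offenders(conflict_text, arp_text, per_mac_threshold=3):
    """MACs tied to at least per_mac_threshold conflicted addresses."""
    by_mac = conflicts_by_mac(conflict_text, arp_text)
    return sorted(m for m, ips in by_mac.items()
                  if m != "unknown" and len(ips) >= per_mac_threshold)

if __name__ == "__main__":
    print("grat arp conflicts:", len(grat_arp_conflicts(CONFLICTS)))
    print("MACs over threshold:", offenders(CONFLICTS, ARP))
```

The two command outputs have to be captured before "clear ip dhcp conflict *" and "clear arp" are run, since the correlation relies on both tables still holding the entries.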
