Windows, Fixed IPv4 Addresses and APIPA

Published: 2022-02-25
Last Updated: 2022-02-25 11:13:33 UTC
by Didier Stevens (Version: 1)
5 comment(s)

APIPA stands for Automatic Private IP Addressing. It’s Microsoft Windows’ mechanism to assign an IPv4 address to a network adapter when no DHCP server is offering an address.

The IP range for APIPA IPv4 addresses is 169.254.0.0/16.

When your Windows machine is configured to use DHCP to configure its network interface, and when there is no DHCP server on the network (or it is not offering an address, for whatever reason), Windows will automatically configure the network interface with an IPv4 address in the APIPA range.

These addresses are recognizable: they all start with 169.254.

 

Recently, I was using a Windows 10 VMware guest with a fixed IPv4 address (10.0.0.2), and I could not connect to it from another machine. After some searching, I discovered that its IP address was not 10.0.0.2, but 169.254.xx.yy. Thus, an APIPA IPv4 address. I proceeded to check the network configuration for the network interface, and it was indeed a fixed IPv4 address, 10.0.0.2. It was not configured to use DHCP.

So why was it not using 10.0.0.2, but an APIPA address?

After some trial and error, it dawned on me: the other machine that I was using to connect to this VM guest was also using IPv4 address 10.0.0.2.

So, there was an IP addressing conflict. But unlike previous versions of Windows, where I would see a popup window with a clear message telling me there is an IP addressing conflict, here on this Windows 10 machine, I didn’t get an alert (although there was most likely an event for this -> 4199).

And instead of using IPv4 address 10.0.0.2 and displaying an alert, this Windows 10 machine did a silent fallback to an APIPA address.

 

If you notice that your Windows 10 machine is using an APIPA address instead of its fixed IPv4 address, check for IP addressing conflicts.
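One way to run that check from PowerShell, as an added example that is not part of the original diary: it lists interfaces with DHCP disabled that nevertheless hold an APIPA or duplicate-flagged IPv4 address, then pulls recent 4199 events. It assumes the NetTCPIP cmdlets shipped with Windows 10 and that event 4199 is written to the System log by the Tcpip provider; the variable names are illustrative.

```powershell
# Added example: spot a silent fallback from a fixed IPv4 address to APIPA.

# Interfaces whose IPv4 configuration is static (DHCP disabled), minus loopback.
$staticInterfaces = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Disabled |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }

$findings = foreach ($nic in $staticInterfaces) {
    $addresses = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
        -ErrorAction SilentlyContinue
    foreach ($addr in $addresses) {
        $isApipa     = $addr.IPAddress -like '169.254.*'          # 169.254.0.0/16
        $isDuplicate = "$($addr.AddressState)" -eq 'Duplicate'    # failed conflict detection
        if ($isApipa -or $isDuplicate) {
            [pscustomobject]@{
                Interface    = $nic.InterfaceAlias
                IPAddress    = $addr.IPAddress
                AddressState = $addr.AddressState
                PrefixOrigin = $addr.PrefixOrigin
                Reason       = if ($isApipa) { 'APIPA address on static interface' }
                               else          { 'Configured address marked Duplicate' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No static interface is using an APIPA or duplicate address.'
}

# Address-conflict events (ID 4199, as mentioned in the diary).
# Assumption: System log, Tcpip provider.
$conflictFilter = @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199 }
$conflicts = Get-WinEvent -FilterHashtable $conflictFilter -MaxEvents 20 `
    -ErrorAction SilentlyContinue

if ($conflicts) {
    $conflicts | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No 4199 events found in the System log.'
}
```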

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: APIPA windows