MonitorWare Knowledge Base

Hi, All!

Twice we've encountered a problem in our C-class subnet. All servers and workstaions (platforms: WinNT 4 WS, WinNT 4 ES, Win2000 Ws, Win2000 AS, WinXP, Win2003 ES) were affected withe the following error:

Event Type: Error
Event Source: Tcpip
Event Category: None
Event ID: 4199
Date: <dd.mm.yyyy>
Time: <hh:mm:ss>
User: N/A
Computer: <NetBios_Name>
Description:
The system detected an address conflict for IP address <IP_Adress> with the system having network hardware address <Hardware_Adress>. Network operations on this system may be disrupted as a result.

* where
<dd.mm.yyyy> and <hh:mm:ss> - when it had happened (almost at the same time at all systems);
<NetBios_Name> - machine NetBios Name, e.g. SYS_VILYA;
<IP_Adress> - machine ip address, e.g. 10.1.12.12 - unique at every system
<Hardware_Adress> - 00-00-xx-00-00-00 - unique at every system, differed with xx

duration - a few seconds
result - network is down

Was it a hardware manfunction, an OS bug or an attack?
What is possible to do to investigate this event and prevent it in the future?

Several details about network:
no DHCP available, all IP addresses are static
Win2003 ES as PDC, Win2003 ES as BDC
several Intel Express 460T Standalone Switches
several 3Com SuperStack Switches
one Intel NetStructure 470T Switch