MonitorWare Knowledge Base

Hi, All!

Twice we've encountered a problem in our C-class subnet. All servers and workstaions (platforms: WinNT 4 WS, WinNT 4 ES, Win2000 Ws, Win2000 AS, WinXP, Win2003 ES) were affected withe the following error:

Event Type: Error
Event Source: Tcpip
Event Category: None
Event ID: 4199
Date: <dd.mm.yyyy>
Time: <hh:mm:ss>
User: N/A
Computer: <NetBios_Name>
Description:
The system detected an address conflict for IP address <IP_Adress> with the system having network hardware address <Hardware_Adress>. Network operations on this system may be disrupted as a result.

* where
<dd.mm.yyyy> and <hh:mm:ss> - when it had happened (almost at the same time at all systems);
<NetBios_Name> - machine NetBios Name, e.g. SYS_VILYA;
<IP_Adress> - machine ip address, e.g. 10.1.12.12 - unique at every system
<Hardware_Adress> - 00-00-xx-00-00-00 - unique at every system, differed with xx

duration - a few seconds
result - network is down

Was it a hardware manfunction, an OS bug or an attack?
What is possible to do to investigate this event and prevent it in the future?

Several details about network:
no DHCP available, all IP addresses are static
Win2003 ES as PDC, Win2003 ES as BDC
several Intel Express 460T Standalone Switches
several 3Com SuperStack Switches
one Intel NetStructure 470T Switch

no conclusions yet on this let me know--I read yseterday about how DHCP was a wide open door for crackers but havent confirmed that yet...I wouldnt be parinoid just yet it's prolly something simple you just overlooked..
here are my first stabs at this one>>>>

http://www.computing.net/networking/www ... 16512.html

http://www.monitorware.com/en/events/de ... ls_id=3318

http://support.microsoft.com/?kbid=164903 <this looks like a good hit?