Date: Thu, 28 Sep 2006 18:26:54 -0500
From: Derek Ragona <derek@computinginnovations.com>
To: Robin Becker <robin@reportlab.com>, freebsd-questions@freebsd.org
Subject: Re: IP address impersonation
Message-ID: <6.0.0.22.2.20060928182152.020fdfc8@mail.computinginnovations.com>
In-Reply-To: <451C5270.1010404@jessikat.plus.net>
References: <451C5270.1010404@jessikat.plus.net>

Taking over an IP is a known way to inspect traffic. Essentially, if done well, the spoofing server will act like a proxy server, inspecting the data and sending it along to the correct server. Another way, particularly at a data center, is to set up a server running the NIC in promiscuous mode so that NIC will catch any packets on the network.

Is the data center bringing up a server with a duplicate IP? Or are they attempting to change your server's IP when they bring up a server on your assigned address?

It also could be just bad bookkeeping on the data center's part, having re-used an IP and not taken it completely out of another server's configuration files.

-Derek

At 05:53 PM 9/28/2006, Robin Becker wrote:
>We have a remotely hosted 6.0 server that has apparently been impersonated
>by a colocated server. The provider allows root access and we have set up
>our server from a base 6.0 installation. We were allocated an IP address
>and mostly we have had a good experience with this setup. However, twice
>in three weeks we have had difficulty in logging in and have had to crash
>boot the server. Analysis of the logs revealed that another machine on the
>hoster's network had assigned itself our IP address. Even when we provided
>the suspect MAC address it seemed the hoster had trouble in finding
>out/appreciating what the problem was.
>
>I have little experience of this sort of thing, but can anyone else offer
>some advice on
>
>1) Is this a recognized form of attack? I can see that it could be used
>for password harvesting and traffic interception, but are there other
>implications?
>
>2) Are there ways to mitigate this kind of problem? We have other hosted
>servers on machines with similar (root) access. They presumably could also
>be impersonated. We found this out by inspection of our own log files;
>could the provider be doing something more to prevent this?
>--
>Robin Becker
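
The thread describes finding the conflicting machine by reading the server's own logs. As an added example (not part of either e-mail), this script pulls the evidence a provider needs out of a syslog file: which MAC claimed the address, how often, and when. The two kernel message formats it matches are assumptions about how the host logs ARP conflicts, and the log lines, addresses and MACs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages (not from the thread). Addresses are
# from the 192.0.2.0/24 documentation range and the MAC addresses are made up.
SAMPLE_LOG = """\
Sep 10 03:12:01 host kernel: arp: 00:0c:29:aa:bb:01 is using my IP address 192.0.2.10!
Sep 10 03:12:09 host kernel: arp: 00:0c:29:aa:bb:01 is using my IP address 192.0.2.10!
Sep 10 03:15:44 host kernel: arp: 192.0.2.1 moved from 00:11:22:33:44:55 to 00:0c:29:aa:bb:01 on em0
Sep 10 03:20:00 host sshd[812]: Accepted publickey for admin from 192.0.2.77 port 50022 ssh2
Sep 27 22:41:30 host kernel: arp: 00:0C:29:AA:BB:01 is using my IP address 192.0.2.10 on em0!
"""

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STAMP = r"^(\w{3}\s+\d+ [\d:]+) .*"
# Assumed kernel message formats: a duplicate-address claim, and an ARP entry
# for some other address changing its MAC.
DUP_RE = re.compile(STAMP + rf"arp: ({MAC}) is using my IP address ({IP})", re.I)
MOVED_RE = re.compile(STAMP + rf"arp: ({IP}) moved from ({MAC}) to ({MAC})", re.I)

def find_conflicts(log_text):
    """Map (our_ip, claiming_mac) -> timestamps of duplicate-address messages."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = DUP_RE.match(line)
        if m:
            stamp, mac, ip = m.groups()
            hits[(ip, mac.lower())].append(stamp)
    return dict(hits)

def find_moves(log_text):
    """List (timestamp, ip, old_mac, new_mac) for addresses whose MAC changed."""
    found = (MOVED_RE.match(line) for line in log_text.splitlines())
    return [(s, ip, old.lower(), new.lower()) for s, ip, old, new in
            (m.groups() for m in found if m)]

def macs_to_report(log_text):
    """MACs that claimed our address and also took over another address."""
    claimed = {mac for _ip, mac in find_conflicts(log_text)}
    return sorted(claimed & {new for _s, _ip, _old, new in find_moves(log_text)})

if __name__ == "__main__":
    for (ip, mac), stamps in find_conflicts(SAMPLE_LOG).items():
        print(f"{ip} claimed by {mac}: {len(stamps)} times, {stamps[0]} .. {stamps[-1]}")
    for stamp, ip, old, new in find_moves(SAMPLE_LOG):
        print(f"{stamp}: {ip} changed from {old} to {new}")
    print("MACs seen in both:", ", ".join(macs_to_report(SAMPLE_LOG)) or "none")
```

Timestamps grouped per MAC show whether the conflict is a one-off or recurs, which helps tell a stale configuration on another machine from repeated claims on the address.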