From owner-freebsd-questions@FreeBSD.ORG Thu Sep 28 22:53:35 2006
Message-ID: <451C5270.1010404@jessikat.plus.net>
Date: Thu, 28 Sep 2006 22:53:36 +0000
From: Robin Becker
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
To: freebsd-questions@freebsd.org
Subject: IP address impersonation

We have a remotely hosted 6.0 server that has apparently been impersonated by a colocated server. The provider allows root access and we have set up our server from a base 6.0 installation. We were allocated an IP address and mostly we have had a good experience with this setup.

However, twice in three weeks we have had difficulty in logging in and have had to crash boot the server. Analysis of the logs revealed that another machine on the hoster's network had assigned itself our IP address. Even when we provided the suspect MAC address it seemed the hoster had trouble in finding out/appreciating what the problem was.
I have little experience of this sort of thing, but can anyone else offer some advice on

1) Is this a recognized form of attack? I can see that it could be used for password harvesting and traffic interception, but are there other implications?

2) Are there ways to mitigate this kind of problem? We have other hosted servers on machines with similar (root) access. They presumably could also be impersonated. We found this out by inspection of our own log files; could the provider be doing something more to prevent this?

-- 
Robin Becker
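The evidence the poster found in the logs is the kernel's ARP complaint that another MAC is using the server's IP address. As an added example (not part of the original post or of anything the poster ran), the script below scans syslog-style lines for the two ARP messages FreeBSD's kernel emits, "is using my IP address" (an address conflict on the segment) and "moved from ... to ..." (a neighbour's MAC changed, which for the default gateway is the classic ARP-spoofing symptom), and correlates them: a MAC that both claimed our address and took over the gateway is the one to hand to the provider. The log lines, host name, interface and all addresses are constructed sample input, and the gateway IP is an assumed parameter.

```python
"""Detect IP-address conflicts and gateway MAC flapping in FreeBSD logs.

Added example, not from the original post.  The two message formats are
the ones FreeBSD's kernel logs (netinet/if_ether.c); SAMPLE_LOG is
constructed test data, not anyone's real /var/log/messages.
"""
import re
from collections import defaultdict

# syslogd prefix: "Mon DD HH:MM:SS host kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# "arp: 00:0c:29:aa:bb:cc is using my IP address 192.0.2.10 on em0!"
CONFLICT_RE = re.compile(
    rf"^arp: (?P<mac>{MAC}) is using my IP address (?P<ip>{IP}) on (?P<ifname>\S+)!$"
)
# "arp: 192.0.2.1 moved from 00:11:22:33:44:55 to 00:0c:29:aa:bb:cc on em0"
MOVED_RE = re.compile(
    rf"^arp: (?P<ip>{IP}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifname>\S+)$"
)

# Constructed sample log: our address is 192.0.2.10, gateway is 192.0.2.1,
# the intruder's MAC is 00:0c:29:aa:bb:cc.  Non-ARP lines are ignored.
SAMPLE_LOG = """\
Sep 28 22:40:01 colo1 kernel: arp: 00:0c:29:aa:bb:cc is using my IP address 192.0.2.10 on em0!
Sep 28 22:40:03 colo1 sshd[812]: Accepted publickey for robin from 203.0.113.7 port 51022 ssh2
Sep 28 22:40:31 colo1 kernel: arp: 00:0c:29:aa:bb:cc is using my IP address 192.0.2.10 on em0!
Sep 28 22:41:10 colo1 kernel: arp: 192.0.2.1 moved from 00:11:22:33:44:55 to 00:0c:29:aa:bb:cc on em0
Sep 28 22:45:00 colo1 kernel: arp: 192.0.2.1 moved from 00:0c:29:aa:bb:cc to 00:11:22:33:44:55 on em0
"""


def parse_arp_events(lines):
    """Return a list of dicts, one per ARP conflict/move message found."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        msg = m.group("msg")
        c = CONFLICT_RE.match(msg)
        if c:
            events.append({"ts": m.group("ts"), "kind": "conflict", "ip": c.group("ip"),
                           "mac": c.group("mac"), "ifname": c.group("ifname")})
            continue
        v = MOVED_RE.match(msg)
        if v:
            events.append({"ts": m.group("ts"), "kind": "moved", "ip": v.group("ip"),
                           "old": v.group("old"), "new": v.group("new"),
                           "ifname": v.group("ifname")})
    return events


def summarize(events, gateway_ip=None):
    """Aggregate events: who claimed our IP, whether the gateway MAC flapped,
    and which MACs did both (the strongest sign of a deliberate MITM)."""
    claimants = defaultdict(set)  # our IP -> MACs seen using it
    gateway_macs = set()
    conflict_count = 0
    for e in events:
        if e["kind"] == "conflict":
            claimants[e["ip"]].add(e["mac"])
            conflict_count += 1
        elif e["kind"] == "moved" and gateway_ip and e["ip"] == gateway_ip:
            gateway_macs.update({e["old"], e["new"]})
    all_claimants = set().union(*claimants.values()) if claimants else set()
    return {
        "conflict_count": conflict_count,
        "claimants": {ip: sorted(macs) for ip, macs in claimants.items()},
        "gateway_flapped": len(gateway_macs) > 1,
        "gateway_macs": sorted(gateway_macs),
        "suspect_macs": sorted(all_claimants & gateway_macs),
    }


if __name__ == "__main__":
    report = summarize(parse_arp_events(SAMPLE_LOG.splitlines()), gateway_ip="192.0.2.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against /var/log/messages instead of SAMPLE_LOG to get the same report for a real host. On the server side the only local mitigation is to pin the gateway's ARP entry (FreeBSD's `arp -S <gateway-ip> <mac>` replaces any existing entry with a static one) so a forged reply cannot redirect outbound traffic; nothing on the host can stop another machine answering ARP for the host's own address, which is why the fix for the conflict itself has to come from the provider's switch (per-customer VLANs or port-level MAC/ARP filtering).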