Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Sep 2006 18:26:54 -0500
From:      Derek Ragona <>
To:        Robin Becker <>,
Subject:   Re: IP address impersonation
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Taking over an IP is a known way to inspect traffic.  Essentially if done 
well the spoofing server will act like a proxy server, inspecting the data 
and sending it along to the correct server.  Another way, particularly at a 
data center is to setup a server running the NIC in promiscuous mode so 
that nic will catch any packets on the netowrk.

Is the data center bringing up a server with a duplicate IP?  Or are they 
attempting to change your server's IP when they bring up a server on your 
assigned address?

It also could be just bad book keeping on the data center's part, having 
re-used an IP and not taken it completely out of another server's 
configuration files.


At 05:53 PM 9/28/2006, Robin Becker wrote:
>We have a remotely hosted 6.0 server that has apparently been impersonated 
>by a colocated server. The provider allows root access and we have set up 
>our server from a base 6.0 installation. We were allocated an ip address 
>and mostly we have had a good experience with this setup. However, twice 
>in three weeks we have had difficulty in logging in and have had to crash 
>boot the server. Analysis of the logs revealed that another machine on the 
>hoster's network had assigned itself our ip address. Even when we provided 
>the suspect mac address it seemed the hoster had trouble in finding 
>out/appreciating what the problem was.
>I have little experience of this sort of thing, but can anyone else offer 
>some advice on
>1) is this a recognized form of attack? I can see that it could be used 
>for password harvesting and traffic interception, but are there other 
>2) Are there ways to mitigate this kind of problem? We have other hosted 
>servers on machines with similar (root) access. They presumably could also 
>be impersonated. We found this out by inspection of our own log files; 
>could the provider be doing something more to prevent this?
>Robin Becker
> mailing list
>To unsubscribe, send any mail to ""
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.

Want to link to this message? Use this URL: <>