From owner-freebsd-questions@FreeBSD.ORG Thu Sep 28 23:27:36 2006
From: Derek Ragona
To: Robin Becker, freebsd-questions@freebsd.org
Date: Thu, 28 Sep 2006 18:26:54 -0500
Subject: Re: IP address impersonation
Message-Id: <6.0.0.22.2.20060928182152.020fdfc8@mail.computinginnovations.com>
In-Reply-To: <451C5270.1010404@jessikat.plus.net>
List-Id: User questions <freebsd-questions@freebsd.org>

Taking over an IP is a known way to inspect traffic.
Essentially, if done well, the spoofing server will act like a proxy server, inspecting the data and sending it along to the correct server. Another way, particularly at a data center, is to set up a server running the NIC in promiscuous mode so that NIC will catch any packets on the network.

Is the data center bringing up a server with a duplicate IP? Or are they attempting to change your server's IP when they bring up a server on your assigned address? It also could be just bad bookkeeping on the data center's part, having re-used an IP and not taken it completely out of another server's configuration files.

-Derek

At 05:53 PM 9/28/2006, Robin Becker wrote:
>We have a remotely hosted 6.0 server that has apparently been impersonated
>by a colocated server. The provider allows root access and we have set up
>our server from a base 6.0 installation. We were allocated an IP address
>and mostly we have had a good experience with this setup. However, twice
>in three weeks we have had difficulty in logging in and have had to crash
>boot the server. Analysis of the logs revealed that another machine on the
>hoster's network had assigned itself our IP address. Even when we provided
>the suspect MAC address it seemed the hoster had trouble in finding
>out/appreciating what the problem was.
>
>I have little experience of this sort of thing, but can anyone else offer
>some advice on
>
>1) Is this a recognized form of attack? I can see that it could be used
>for password harvesting and traffic interception, but are there other
>implications?
>
>2) Are there ways to mitigate this kind of problem? We have other hosted
>servers on machines with similar (root) access. They presumably could also
>be impersonated. We found this out by inspection of our own log files;
>could the provider be doing something more to prevent this?
>--
>Robin Becker
>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.
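Robin found the impersonation "by inspection of our own log files", and Derek's reply turns on whether the other box is merely claiming a duplicate address or is sitting in the path as a proxy. The script below is an added example written for this page, not code posted by either participant. It parses the two ARP warnings the FreeBSD kernel writes to /var/log/messages, "arp: <mac> is using my IP address <ip> on <if>!" (another host answering for our address) and "arp: <ip> moved from <mac> to <mac> on <if>" (a neighbour such as the default gateway changing hardware address, which is what an in-path interception looks like from the victim). The syslog prefix layout and the sample log are assumptions: the log lines are constructed for the example, the addresses are documentation ranges, and the known-good gateway MAC is invented.

```python
import re
from collections import defaultdict

# Assumed layout of a FreeBSD /var/log/messages line: "Mon DD HH:MM:SS host kernel: ..."
# followed by the kernel's ARP warning text. Adjust _PREFIX if your syslogd differs.
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
_MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Another station replied to ARP for one of OUR addresses.
DUPLICATE_IP = re.compile(
    _PREFIX + r"arp:\s+(?P<mac>" + _MAC + r")\s+is using my IP address\s+"
    r"(?P<ip>" + _IP + r")\s+on\s+(?P<iface>\S+)!"
)
# A neighbour's IP changed hardware address (gateway takeover looks like this).
MAC_MOVED = re.compile(
    _PREFIX + r"arp:\s+(?P<ip>" + _IP + r")\s+moved from\s+(?P<old>" + _MAC + r")"
    r"\s+to\s+(?P<new>" + _MAC + r")\s+on\s+(?P<iface>\S+)"
)

# Constructed sample log (not real data): one unrelated sshd line, two hosts
# claiming our address 192.0.2.10 (one of them twice), and the gateway
# 192.0.2.1 flipping to the impostor's MAC and back.
SAMPLE_LOG = """\
Sep 28 21:01:02 www sshd[812]: Accepted publickey for robin from 198.51.100.7 port 50112 ssh2
Sep 28 21:03:11 www kernel: arp: 00:0c:29:3a:bb:01 is using my IP address 192.0.2.10 on bge0!
Sep 28 21:03:41 www kernel: arp: 00:0c:29:3a:bb:01 is using my IP address 192.0.2.10 on bge0!
Sep 28 21:04:05 www kernel: arp: 192.0.2.1 moved from 00:1b:21:aa:00:01 to 00:0c:29:3a:bb:01 on bge0
Sep 28 21:09:55 www kernel: arp: 00:50:56:c0:00:08 is using my IP address 192.0.2.10 on bge0!
Sep 28 21:10:00 www kernel: arp: 192.0.2.1 moved from 00:0c:29:3a:bb:01 to 00:1b:21:aa:00:01 on bge0
"""


def parse_arp_events(lines):
    """Return (duplicates, moves).

    duplicates: {(ip, iface): {mac: [timestamps]}}      hosts claiming our address
    moves:      {(ip, iface): [(ts, old_mac, new_mac)]}  neighbour MAC changes
    """
    duplicates = defaultdict(lambda: defaultdict(list))
    moves = defaultdict(list)
    for line in lines:
        m = DUPLICATE_IP.match(line)
        if m:
            duplicates[(m["ip"], m["iface"])][m["mac"].lower()].append(m["ts"])
            continue
        m = MAC_MOVED.match(line)
        if m:
            moves[(m["ip"], m["iface"])].append((m["ts"], m["old"].lower(), m["new"].lower()))
    return dict(duplicates), dict(moves)


def suspect_macs(lines, known_good=frozenset()):
    """MACs worth handing to the hoster: every address that claimed one of our IPs,
    plus any address a neighbour "moved" to that is not in known_good (a set of MACs
    you have verified out of band, e.g. the real gateway)."""
    duplicates, moves = parse_arp_events(lines)
    suspects = set()
    for macs in duplicates.values():
        suspects.update(macs)
    for events in moves.values():
        for _ts, _old, new in events:
            if new not in known_good:
                suspects.add(new)
    return sorted(suspects)


def report(lines, known_good=frozenset()):
    """Human-readable summary, one line per (address, claimant) and per MAC move."""
    duplicates, moves = parse_arp_events(lines)
    out = []
    for (ip, iface), macs in sorted(duplicates.items()):
        for mac, stamps in sorted(macs.items()):
            out.append(f"{ip} on {iface}: claimed by {mac} {len(stamps)}x "
                       f"(first {stamps[0]}, last {stamps[-1]})")
    for (ip, iface), events in sorted(moves.items()):
        for ts, old, new in events:
            flag = "" if new in known_good else "  <-- unexpected"
            out.append(f"{ip} on {iface}: {ts} MAC {old} -> {new}{flag}")
    return out


if __name__ == "__main__":
    # Real use: report(open("/var/log/messages"), known_good={<gateway MAC>})
    for line in report(SAMPLE_LOG.splitlines(), known_good={"00:1b:21:aa:00:01"}):
        print(line)
```

The "moved" events are the ones to watch for the proxy scenario Derek describes: a duplicate-IP warning alone means someone is fighting you for the address, but the gateway's MAC flipping to that same station and back means traffic was being relayed through it for the interval between the two moves. Run it against the log on each hosted server and the sorted MAC list is what you give the provider.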