IP address impersonation
Derek Ragona
derek at computinginnovations.com
Thu Sep 28 16:27:36 PDT 2006
Taking over an IP is a known way to inspect traffic. Essentially, if done
well, the spoofing server will act like a proxy server, inspecting the data
and sending it along to the correct server. Another way, particularly at a
data center, is to set up a server running the NIC in promiscuous mode so
that NIC will catch any packets on the network.
Is the data center bringing up a server with a duplicate IP? Or are they
attempting to change your server's IP when they bring up a server on your
assigned address?
It also could be just bad bookkeeping on the data center's part, having
re-used an IP and not taken it completely out of another server's
configuration files.
-Derek
At 05:53 PM 9/28/2006, Robin Becker wrote:
>We have a remotely hosted 6.0 server that has apparently been impersonated
>by a colocated server. The provider allows root access and we have set up
>our server from a base 6.0 installation. We were allocated an IP address
>and mostly we have had a good experience with this setup. However, twice
>in three weeks we have had difficulty in logging in and have had to crash
>boot the server. Analysis of the logs revealed that another machine on the
>hoster's network had assigned itself our IP address. Even when we provided
>the suspect MAC address it seemed the hoster had trouble in finding
>out/appreciating what the problem was.
>
>I have little experience of this sort of thing, but can anyone else offer
>some advice on
>
>1) is this a recognized form of attack? I can see that it could be used
>for password harvesting and traffic interception, but are there other
>implications?
>
>2) Are there ways to mitigate this kind of problem? We have other hosted
>servers on machines with similar (root) access. They presumably could also
>be impersonated. We found this out by inspection of our own log files;
>could the provider be doing something more to prevent this?
>--
>Robin Becker
>_______________________________________________
>freebsd-questions at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
>--
>This message has been scanned for viruses and
>dangerous content by MailScanner, and is
>believed to be clean.
>MailScanner thanks transtec Computers for their support.
>
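Added example, not part of the original thread: a small log check for the situation described above, where the server's own logs showed another machine claiming its IP address. It assumes the kernel reports the conflict in syslog as `arp: <mac> is using my IP address <ip>!`; the function names, hostname, MACs and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed kernel log format for a duplicate address:
#   arp: <mac> is using my IP address <ip>!   (some releases append "on <if>!")

# Constructed sample log: documentation addresses, made-up MACs and hostname.
sample_log() {
cat <<'EOF'
Sep 27 02:10:01 web1 kernel: arp: 00:11:22:33:44:55 is using my IP address 192.0.2.10!
Sep 27 02:10:31 web1 kernel: arp: 00:11:22:33:44:55 is using my IP address 192.0.2.10!
Sep 27 02:15:02 web1 sshd[812]: Accepted publickey for robin from 198.51.100.7 port 50122 ssh2
Sep 28 16:01:44 web1 kernel: arp: 00:AA:BB:CC:DD:EE is using my IP address 192.0.2.10 on em0!
EOF
}

# Read syslog lines on stdin; print one line per (MAC, IP) pair:
#   <mac> <ip> <count> <first-seen> <last-seen>
ip_conflicts() {
    awk '
    {
        for (i = 1; i + 7 <= NF; i++) {
            if ($i == "arp:" && $(i+2) == "is" && $(i+3) == "using" &&
                $(i+4) == "my" && $(i+5) == "IP" && $(i+6) == "address") {
                mac = tolower($(i+1))
                ip = $(i+7); sub(/!$/, "", ip)
                key = mac " " ip
                stamp = $1 "_" $2 "_" $3
                if (!(key in count)) { order[++n] = key; first[key] = stamp }
                count[key]++; last[key] = stamp
                break
            }
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            print k, count[k], first[k], last[k]
        }
    }'
}

# Exit status 1 if any conflict is present, so cron or a monitor can alert.
check_conflicts() {
    out=$(ip_conflicts)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
# Usage: check_conflicts < /var/log/messages
```

The per-MAC summary with first and last timestamps is the evidence to hand the hosting provider, who can then trace each MAC to a switch port.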