Taking over an IP is a known way to inspect traffic. Essentially if done
well the spoofing server will act like a proxy server, inspecting the data
and sending it along to the correct server. Another way, particularly at a
data center is to setup a server running the NIC in promiscuous mode so
that nic will catch any packets on the netowrk.
Is the data center bringing up a server with a duplicate IP? Or are they
attempting to change your server's IP when they bring up a server on your
assigned address?
It also could be just bad book keeping on the data center's part, having
re-used an IP and not taken it completely out of another server's
configuration files.
-Derek
At 05:53 PM 9/28/2006, Robin Becker wrote:
We have a remotely hosted 6.0 server that has apparently been impersonated
by a colocated server. The provider allows root access and we have set up
our server from a base 6.0 installation. We were allocated an ip address
and mostly we have had a good experience with this setup. However, twice
in three weeks we have had difficulty in logging in and have had to crash
boot the server. Analysis of the logs revealed that another machine on the
hoster's network had assigned itself our ip address. Even when we provided
the suspect mac address it seemed the hoster had trouble in finding
out/appreciating what the problem was.
I have little experience of this sort of thing, but can anyone else offer
some advice on
1) is this a recognized form of attack? I can see that it could be used
for password harvesting and traffic interception, but are there other
implications.
2) Are there ways to mitigate this kind of problem? We have other hosted
servers on machines with similar (root) access. They presumably could also
be impersonated. We found this out by inspection of our own log files;
could the provider be doing something more to prevent this?
--
Robin Becker
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
