Slashdot Mirror


SCO Group Web Site Attacked Again

FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."

14 of 564 comments

  1. And groklaw... by gnuadam · Score: 5, Informative

    ...and the happy folks at Groklaw already have a statement up with arguments to the effect that SCO is fibbing. They think the attack could be a hoax.

    --
    You say :wq, I say ZZ. Why can't we all just get along?
    1. Re:And groklaw... by Anonymous Coward · Score: 5, Informative

      SCO's ISP has also been contacted by zdnet. Although SCO claim to have contacted them and to be working with them on the attack with law enforcement officials, it's the first they'd heard of it.

      And a DDoS doesn't have a timeframe. SCO claimed they will be able to get up and going again within 12 hours. So they know it's a DDoS, and don't know who's doing it, but know when it'll stop?

      Good one SCO. Makes us chuckle.

    2. Re:And groklaw... by SkArcher · Score: 4, Informative

      I submitted a version of this story with links to Groklaw and various technical resources and got rejected. Wish the /. editors team would pick decent story writers.

      Anyhow folks, the consensus at Groklaw is that either SCO are lying through their teeth and this is all FUD, or their network admin staff are a bunch of incompetents.

      There are no prizes for guessing what the /. theory will be.

      Specifically, the outage at www.sco.com started several hours before the reported time, was already under analysis by Groklaw before the claimed time, and the pattern of the servers' shutoff is NOT consistent with a SYN DDOS (the claimed attack), but it is consistent with either a planned shutdown or a network cable being unplugged.

      There was no slowdown of service - see Netcraft for the stats. SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are therefore not vulnerable to this attack when on different servers (which they are; see Groklaw for a list). ftp.sco.com remained up, despite being on the same subnet, and smtp.sco.com would respond throughout the duration of the supposed 'attack'.

      The above is a synopsis of work presented for analysis at Groklaw; any mistakes are my own, and any credit is due to the authors on Groklaw and to PJ.

      --

      An infinite number of monkeys will eventually come up with the complete works of /.
  2. Or not. by Meowing · Score: 5, Informative

    There's been a ton of discussion of this on Groklaw today -- consensus is that either this is no attack, or their network is run by doofuses.

  3. More SCO FUD by RobGarth · Score: 5, Informative

    http://www.groklaw.net/article.php?story=20031210163721614

    If it is a DDoS attack, SCO are incompetent for not blocking it. Or it is just more FUD.

  4. Self Inflicted by bstadil · Score: 5, Informative

    Head over to Netcraft News and see how this server "died". If this is a DDOS attack, I am Queen of Spain.

    --
    Help fight continental drift.
  5. FUD by SkArcher · Score: 5, Informative

    This is a load of rubbish. See Groklaw for a much deeper and more insightful look at what really happened, including a full explanation of the technicalities of the DDOS attack (claimed as a SYN attack that took up all the bandwidth and flattened their e-mail, and yet you can still get to ftp.sco.com (on the same subnet), smtp.sco.com and all the other XO.net-fed servers). Groklaw also noticed that the machine was down well before the press release claims and that it went straight down - no hiccups or other indications of a DDOS attack, just straight gone - switched off or unplugged, most likely.

    See the netcraft stats for that little bit. If SCO make any claim that this is a DDOS, they are lying through their teeth and the evidence was collected as it happened - see the members zone at Groklaw for the raw Traceroute returns.

    --

    An infinite number of monkeys will eventually come up with the complete works of /.
  6. Re:Come on guys... by rebeka thomas · Score: 5, Informative

    > Grow up. Settle it by the law.

    Yes. SCO should do that instead of lying about their downtime.

    --
    RST
  7. Improper use of "Hacker" by gaijin99 · Score: 5, Informative
    Launching a DDoS does not require the slightest bit of hacking. Unless downloading and using a simple program counts as hacking. The proper term to use would have been "criminal", or perhaps "script-kiddie" (though I've always preferred "script-monkey" myself).

    I expect the blatant misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.

    --
    "Mission Accomplished" -- George W. Bush May 1, 2003
  8. It's not even a very good hoax by iabervon · Score: 5, Informative

    According to Groklaw, not only is it implausible that this is a real attack, it's not even competently done. SCO blames a SYN flood, which is trivial to ignore. Their ISP hasn't had anything to do about it. While they say their email server was down, it actually wasn't. Their FTP server on the next IP over (and on the same block of addresses) had no problems. Their internal network almost certainly isn't anywhere near their Web server, network-wise, and, if it was, it would almost certainly have a firewall that's not the web server.

    It's clear that SCO's run out of technical people; not only are they faking technical problems, they can't even make up a technically sound attack on their own systems.

  9. Perhaps Further Evidence... by weston · Score: 5, Informative

    I work in the Canopy Group office buildings at another (non-evil) company. We're all serviced by Center7 and the last time there was the confirmed/acknowledged DDOS attack we felt it hard. Getting to hosts outside of the building was very difficult all day.

    No hiccups today. Center7 did promise last time that they could and would isolate everyone else from SCO, so there is another explanation, but...

  10. Re:Come on guys... by Frater 219 · Score: 5, Informative
    Some data:

    ftp.sco.com is 216.250.128.13. www.sco.com is 216.250.128.12. They are on the same network segment. However, the first is completely and normally responsive, while the second is entirely unresponsive. This is not in any way characteristic of any sort of modern flood-type denial-of-service attack -- that is, a DDoS aimed at flooding the network itself. Whatever is disturbing SCO, it is not a DoS of the sort they evidently believe it to be.

    Unfortunately, SCO has taken the "cargo cult security" measure of blocking pings, so it is not possible to gather any information about their disturbance in that fashion. I suspect that the best method to gather information about SCO's disturbance is, in fact, for SCO to fully and legally respond to IBM's discovery requirements.

    ("SYN flood" is obviously wrong. Although some firewalls and IDS still report TCP-based DoS floods as "SYN floods", the condition that used to be associated with SYN floods has been fixed in current operating systems. Unless they are running a system old enough to be called grossly negligent, they aren't susceptible to TCB starvation. The current unavailability of www.sco.com looks more like someone tripped over the Ethernet cable.)

  11. lies by Permission Denied · Score: 4, Informative
    www.sco.com is on 216.250.128.12

    The following machines are running currently-reachable FTP servers:

    216.250.128.7
    216.250.128.13
    216.250.128.14
    216.250.128.15
    216.250.128.16
    216.250.128.17

    I was able to download /pub/ls-lR from ftp.sco.com (216.250.128.13) 74.91 KB/s (600 Kb/s). My broadband is rated at 640 Kb/s, so the bottleneck was likely at my end. These machines are almost certainly on the same subnet and are likely connected to the same gear (SCO's subnetting is their choice, but if ftp.sco.com and www.sco.com are on different subnets, their subnet masks are 255.255.255.254 and they must have only two IPs per subnet - I don't believe this is even possible as you need a network and a broadcast IP for each subnet).

    The fact that all of these machines are reachable and that at least one of them can saturate a broadband link indicates that SCO is not having any bandwidth problems. I also performed some ICMP tests and the machine is not sending out port-unreachables, timestamp-replies or netmask-replies - these seem blocked upstream. I'm getting a little nervous sending out these funny packets as I don't want anyone to accuse me of anything, but everything indicates that the machine is completely offline. If they allowed some ICMP replies through upstream, receiving a reply would show that the machine is actually online, but somehow cannot handle TCP requests (and the problem is not bandwidth as shown, so it would have to be something wrong with the host, such as a firewall rule); if they allowed through ICMP replies and the machine did not respond whereas others on the subnet did respond, it would show that the machine is almost definitely offline unless it has a more restrictive firewall than the other machines (very unlikely given that this, as-claimed, could have been prevented with syncookies). As it stands, one can only say that the machine is very likely offline (unplugged or turned off).

    SCO's incoming mail server seems to be working fine. They only have one MX record for sco.com and it resolves to 216.250.130.2 for me at the moment. I only connected to it and saw a banner, but an easy way to test this further is to send a message to an invalid address @sco.com and see if a bounce gets back. I don't want to give them an email address.

    All of this is current as of 2003-12-10 21:57, Mountain time (SCO is in Utah). Further investigation led nowhere; thus the delay in the post.
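
The subnet reasoning in comment 11 can be checked mechanically. What follows is an added example written for this page, not code from the thread, from SCO or from any of the commenters; it uses only Python's standard ipaddress module on the addresses quoted above (www.sco.com and the six FTP hosts). The function names and the host list as a Python constant are assumptions of the example. It computes the longest prefix two addresses share (any mask that long or shorter holds both of them), whether a given prefix places them on one subnet, the smallest single network that covers all the listed hosts, and how many host addresses a given prefix leaves once the network and broadcast addresses are reserved.

```python
import ipaddress

# Addresses quoted in the thread: www.sco.com and the FTP servers reported reachable.
WWW = "216.250.128.12"
FTP_HOSTS = ["216.250.128.7", "216.250.128.13", "216.250.128.14",
             "216.250.128.15", "216.250.128.16", "216.250.128.17"]


def longest_shared_prefix(a: str, b: str) -> int:
    """Longest prefix length at which a and b still fall in the same network.
    Any mask of this length or shorter contains both; only a longer one splits them."""
    x = int(ipaddress.ip_address(a)) ^ int(ipaddress.ip_address(b))
    # bits above the highest differing bit are the shared prefix
    return 32 - x.bit_length()


def same_subnet(a: str, b: str, prefix: int) -> bool:
    """True if b lies in the /prefix network that contains a."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return ipaddress.ip_address(b) in net


def smallest_covering_network(addrs: list) -> ipaddress.IPv4Network:
    """Smallest single prefix that holds every address in the list."""
    prefix = min((longest_shared_prefix(addrs[0], other) for other in addrs[1:]),
                 default=32)
    return ipaddress.ip_network(f"{addrs[0]}/{prefix}", strict=False)


def usable_hosts(prefix: int) -> int:
    """Host addresses left after reserving the network and broadcast addresses
    (classic rule; RFC 3021 separately allows a /31 to carry two hosts on a
    point-to-point link)."""
    return max(2 ** (32 - prefix) - 2, 0)


if __name__ == "__main__":
    p = longest_shared_prefix(WWW, "216.250.128.13")
    print(f"www and ftp share a /{p}; a /{p} leaves {usable_hosts(p)} usable hosts")
    print("all listed hosts fit in", smallest_covering_network([WWW] + FTP_HOSTS))
```

For 216.250.128.12 and 216.250.128.13 the shared prefix is 31, so even a 255.255.255.254 mask holds both; only a /32 would separate them, and neither length leaves a usable host under the classic network-plus-broadcast rule. All seven hosts quoted in the comment sit inside 216.250.128.0/27, which is the point the commenter is making about shared gear.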

  12. Re:per groklaw: adjacent hosts are fine by Zocalo · Score: 4, Informative
    The FTP server being up proves nothing. SCO is claiming that they are under a SYN attack, which has a relatively low bandwidth cost, and if targeted purely at their webserver and not exceeding the total bandwidth will leave the FTP site up. Basically, for those that don't know, a SYN attack works by flooding a server with requests for a new session, usually with a spoofed source IP. The server *has* to allocate some resources to this request, respond with a SYN-ACK and wait for the ACK (which never arrives). Enough SYNs (the packets are only a few dozen bytes) and the server will fall over.

    So, on those grounds, I'd be prepared to accept that SCO is telling the truth and they are indeed under a DDoS SYN attack against their webserver. However, as normal for SCO, they then go and overcook the situation and claim that their internal network and Intranet has been hit as well. The only possible way this could be the case is if they are using the same server(s) for their public web as their Intranet which is one of the dumbest possible things you could do.

    That leaves us with three possibilities:

    1. SCO is simply lying and there is no DDoS at all.
    2. They are telling the truth about the DDoS, but have exaggerated the effects in a sympathy ploy, making themselves *look* clueless.
    3. They are telling the truth about the DDoS and the Intranet, meaning they *are* clueless.
    Take your pick!
    --
    UNIX? They're not even circumcised! Savages!
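
Comments 10 and 12 both turn on the mechanics of a SYN flood: the listener keeps a half-open entry for every SYN it answers, so spoofed SYNs that are never followed by an ACK exhaust that table, and SYN cookies remove the problem by keeping no per-SYN state at all. The block below is an added example written for this page, not code from the thread, from SCO or from any operating system. It is a toy listener that either stores a half-open entry per SYN (and so can be starved) or, once its backlog is full, answers with a SYN cookie: a server ISN that is a keyed hash of the 4-tuple and a coarse clock, so that a later ACK carrying that ISN + 1 can be verified and the connection rebuilt without having stored anything. The class and function names, the backlog size, the cookie bit layout and the secret are all assumptions of the demo; on Linux the real mechanism is switched on with the net.ipv4.tcp_syncookies sysctl and the kernel uses its own layout and rotating secrets.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import Optional

BACKLOG = 128        # half-open entries the listener holds (assumed; real stacks allow more)
COOKIE_WINDOW = 2    # accept cookies minted in the current or the previous clock tick
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Syn:
    src_ip: str
    src_port: int
    dst_port: int


@dataclass
class Outcome:
    connected: bool      # did the honest client complete its handshake?
    half_open: int       # entries still held when the simulation ended
    dropped_syn: int     # SYNs discarded for lack of backlog space


class Listener:
    """Toy TCP listener: per-SYN state (floodable) or SYN cookies once the backlog is full."""

    def __init__(self, syncookies: bool, secret: bytes):
        self.syncookies = syncookies
        self.secret = secret          # assumed per-host secret for the demo
        self.half_open = {}           # (src_ip, src_port) -> server ISN we sent
        self.tick = 0                 # coarse clock the simulation advances
        self.established = 0
        self.dropped_syn = 0

    def _cookie(self, syn: Syn, tick: int) -> int:
        # Server ISN carrying all state needed later: low 5 bits of the clock tick on top,
        # 27 bits of a keyed hash of the 4-tuple and tick below (assumed layout for the demo).
        msg = f"{syn.src_ip}:{syn.src_port}:{syn.dst_port}:{tick}".encode()
        h = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return ((tick & 0x1F) << 27) | (h & 0x07FFFFFF)

    def _check_cookie(self, syn: Syn, isn: int) -> bool:
        # Recompute for each recent tick whose low 5 bits match; forged or stale ACKs fail.
        for age in range(COOKIE_WINDOW):
            t = self.tick - age
            if (t & 0x1F) == (isn >> 27) and self._cookie(syn, t) == isn:
                return True
        return False

    def on_syn(self, syn: Syn) -> Optional[int]:
        """Handle a SYN; return the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        key = (syn.src_ip, syn.src_port)
        if len(self.half_open) < BACKLOG:
            isn = random.getrandbits(32)
            self.half_open[key] = isn              # the resource a spoofed SYN ties up
            return isn
        if self.syncookies:
            return self._cookie(syn, self.tick)    # backlog full: answer statelessly
        self.dropped_syn += 1
        return None

    def on_ack(self, syn: Syn, ack: int) -> bool:
        """Handle the client's final ACK; True if a connection was established."""
        key = (syn.src_ip, syn.src_port)
        if key in self.half_open:
            if ack != (self.half_open[key] + 1) & MASK32:
                return False
            del self.half_open[key]
            self.established += 1
            return True
        if self.syncookies and self._check_cookie(syn, (ack - 1) & MASK32):
            self.established += 1                  # rebuilt from the cookie, no stored state
            return True
        return False


def simulate(syncookies: bool, flood_size: int = 2000, seed: int = 1) -> Outcome:
    """Spoofed-source SYN flood against port 80, then one honest client tries to connect."""
    rng = random.Random(seed)
    srv = Listener(syncookies, secret=b"demo-secret")
    for _ in range(flood_size):
        spoofed = Syn("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256)),
                      rng.randrange(1024, 65536), 80)
        srv.on_syn(spoofed)      # SYN-ACK goes to the forged address; the ACK never comes
    client = Syn("203.0.113.7", 40000, 80)
    isn = srv.on_syn(client)
    connected = isn is not None and srv.on_ack(client, (isn + 1) & MASK32)
    return Outcome(connected, len(srv.half_open), srv.dropped_syn)


if __name__ == "__main__":
    for mode in (False, True):
        print("syncookies", mode, simulate(mode))
```

Without cookies the backlog is full after the first BACKLOG spoofed SYNs and every later SYN, the honest client's included, is dropped; with cookies the table stays the same size, nothing is dropped, and the honest client still connects. This is the sense in which comment 10 calls the old half-open starvation a fixed condition: the cost of the attack falls back to raw bandwidth, which the reachable FTP servers on the same block were not showing.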