SCO Group Web Site Attacked Again
FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."
...by Eric S. Raymond.
He makes it clear that SCO is attacking everyone, but he opposes DoS'ing them, saying that "the open source community must use the truth, not criminal methods, as its weapons." Nicely done.
The Army reading list
It certainly was effectively used by the spammers to crush their enemies. I forget the name, but one of the major anti-spam websites was forcibly closed because of DDoS, and nobody was prosecuted.
You've got a very good point. A DDoS attack has no timetable for recovery. While it isn't very similar in its method, the attack described here helps to illustrate that, going into recovery, there is no way of predicting a timetable.
While I in no way condone this, it's to be expected. SCO is pissing off a lot of people, and this is the kind of thing that is bound to happen when geeks are rather peeved. Granted, it shouldn't happen, but neither should any criminal activity. Not everybody is as mature as *cough* the /. community here, where we all shun such actions. I'm rather surprised it hasn't happened more, actually...
That being said, SCO is probably revelling in this, even if it is genuine. In fact, DDoS is probably one of the perks to this whole thing - it makes everybody but them look bad, and they come out perfectly clean to the media. Playing the innocent little child who got their candy stolen, I dare say.
Well... depending on how one wishes to view the situation, it could also be described as a "sit in" a-la what the hippies did years ago. Civil disobedience as such. Yes, I know it is not the same thing, but it is not that different.
That being said, *IF* the DDoS is coming from compromised machines without their owners' permission, that is criminal; but if it is otherwise (read: a coordinated demonstration with the users' permission) then calling it criminal seems a bit harsh. Digital Civil Disobedience seems more accurate.
This is getting just annoying. As has already been pointed out, the facts point to this being another hoax. However, as not everyone else in this community knows much about security, let me add my few years of experience to help those who don't understand.
I should point out, this has pretty much been covered by Groklaw already and my methods don't vary too much from those already posted by them.
SCO claims their email and web servers are unavailable because of a DDoS attack that has also infiltrated their Intranet and affected helpdesk services as well as other internal services. If this is the case, then it is more than just a DDoS they're suffering, or they are negligent in the highest order for failing to take simple steps to ensure a risk mitigated environment for conducting business within.
Let's start with their mail server.
Everyone has a backup mail server, usually hosted by a 3rd party to ensure that if your primary mail server is offline for any reason, mail can still be delivered successfully. The fact that SCO claimed their mail servers were unavailable suggests they either failed to purchase this extremely basic service or their setup is absolutely wrong by anyone's standards. The purpose of multiple MX records is for this exact situation. You start with a high priority MX record (say 10) and work your way down the order (usually in steps of +10, so the secondary is usually 20).
Their web server
Their webserver is hosted on exactly the same subnet as their FTP server. However, during this attack, their FTP server has been available to anyone that's tried to connect to it. If they were suffering a DDoS attack of the proportions that SCO claims, this server would also have been affected and taken offline. Yet this is not the case. This blows open entirely the philosophy of a DDoS attack without any of the further evidence.
SCO has alluded to the fact that the attack is a basic SYN flood. A very simple and old attack that has been blockable by nearly every appliance and OS for the past 3 years at least. Yet if they are suffering as they claim, then they are guilty of negligence for failing to apply patches or even configure their platforms correctly. It's very easy to turn SYN cookies on in Linux (sysctl isn't rocket science) and just as easy in something like a Cisco Router/PIX Firewall or a Checkpoint Firewall.
The claim that this has adversely affected their intranet suggests that the intranet is in some way exposed to the Internet. Even more alarming is the fact that it disabled their helpdesk services for a period as well. This would suggest that their network has absolutely no perimeter protection of any kind. The smallest flaw in a product they use could apparently be used to access their core network infrastructure. Isn't that where their source code and IP documentation are kept? I'd start getting very worried about now if I were an investor.
Due diligence is a core principle of any company. That includes ensuring that the services relied upon are securely and properly set up and maintained. If SCO truly has been affected by an attack of any kind on the magnitude they're claiming, then they should be legally responsible for the results of their failure to perform due diligence. (However, IANAL, so don't quote me on legalities, especially given I live in NZ, not the US).
In short, the supposed attack on SCO does not add up at all. In fact, if they are being attacked this time round, they are in serious legal trouble themselves if their reports are accurate.
I would also question why they have released this to the press as a Press Release instead of getting on with fixing the problem as quickly as possible. Also, how is it that their mail services are now restored, their FTP server never offline, yet their website remains offline? Surely, a DDoS would affect both.
Not to mention the fact that it would affect SCO's upstream provider who, when contacted last time, saw absolutely no evidence of an attack in progress at a
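The MX-record point in the post above (a sending MTA works through a domain's MX records from the lowest preference value upward, so a secondary at preference 20 still receives mail when the preference-10 primary is down, per RFC 5321) is illustrated by this added example. It is not code from the original thread; the record set and the host names are constructed for illustration and are not SCO's real DNS data.

```python
# Added example (not from the original thread): how a sending MTA walks a
# domain's MX records, and a quick check that a zone actually has a fallback.
# The records below are constructed; the host names are hypothetical.

MX_RECORDS = [
    (20, "mx2.backup-provider.example"),  # secondary, hosted by a third party
    (10, "mx1.example.com"),              # primary, on the company's own network
]


def delivery_order(records):
    """Return MX hosts in the order an MTA tries them: lowest preference
    value first. Hosts sharing a preference keep their input order here;
    a real MTA randomizes among equal preferences."""
    return [host for _pref, host in sorted(records, key=lambda r: r[0])]


def choose_relay(records, unreachable):
    """Simulate delivery: try each MX in order and skip hosts that do not
    answer. Return the first host that accepts the connection, or None.
    With None, a real MTA queues the message and retries for days rather
    than bouncing it, so a dead primary alone never makes mail "unavailable"."""
    for host in delivery_order(records):
        if host in unreachable:
            continue
        return host
    return None


def has_fallback(records):
    """True if the zone has at least two MX hosts at distinct preferences,
    i.e. there is somewhere for mail to go when the primary is offline."""
    prefs = {pref for pref, _host in records}
    hosts = {host for _pref, host in records}
    return len(prefs) >= 2 and len(hosts) >= 2


if __name__ == "__main__":
    print("try order:", delivery_order(MX_RECORDS))
    print("primary down ->", choose_relay(MX_RECORDS, {"mx1.example.com"}))
    print("zone has fallback:", has_fallback(MX_RECORDS))
```

With the primary unreachable, `choose_relay` returns the preference-20 host, which is the whole point of buying a third-party secondary MX; `has_fallback` is the one-line check to run against your own zone.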
WARNING: I'm going to vector some rumours here. Feel free to slap them down if inaccurate, as I'm too damned lazy/tired to investigate myself right now.
There are some rumours floating around the Yahoo SCOX message board that several directories containing Linux source code, such as patches and updates, are now missing from SCO's ftp server. Months ago, many people pointed out that SCO itself continued distributing copies of the kernel in support and updates directories on their ftp server. There is also speculation the strangely internal nature of this so-called DDoS attack may be part of an Ollie North operation to prevent certain evidence from falling into IBM's hands via discovery.
SCO's execs need to read The Boy Who Cried Wolf a few times, and learn the lesson within. Darl, unlike Ken Lay, does not have close friends in the White House, and probably would not escape prosecution for any illegal acts being committed under his watch at SCO.
logging into machines, uploading tools, etc.
Zombie armies are probably most often built with auto-rooters -- "tools" that get passed around and modified. E.g. a script kid may just have to specify which DCOM hole in which service pack to attack, and then what IRC server/channel he/she wants to command them all from. Then he/she installs it on Joe User's 24/7 cable-connected box and lets 'er rip. Rinse and repeat 'til you've got 2,000 systems under your thumb.
So yes, it takes a *little* work, but NO skill.
How secure are these undead nets?
Well, once someone does gain control over the machine, by way of a Windows box with a blank administrator password, they set the machine policy to prompt the user to enter a password the next time the machine is logged into, and make a different account for themselves to log back on to the compromised machine. If the user doesn't freak out about the password prompt, they are all set.
So, to answer your question, I suppose they are about as secure as an unfirewalled/unpatched windows box, since the last thing the 'hacker' will do is put a firewall on the machine for you.
All this looks rather dodgy. Maybe they just hope to get slashdotted and then claim that this was the DDoS attack...
Launching a DDoS does not require the slightest bit of hacking.
"Computer hacking" is defined as "operating a computer in a manner inconsistent with its designed intent". Thus a DDoS fits perfectly. It's much more accurate than your other suggestions:
Criminal: Entirely free of content. You'd have to be more specific. Also, computer tampering is not illegal in all jurisdictions, so not every hack is a crime (far from it).
Script kiddie: Implies knowledge about the modus operandi that you can't possibly have (without being an accomplice). Do you know the assailant is an amateur who can barely run the kits he downloads?
Script monkey: Makes a rather ludicrous suggestion of the perpetrator's species.
Some people would likely suggest cracker. That is not correct for all DoS attacks, because cracker (as a person, not a food) is someone who penetrates security. However, a DDoS normally involves taking over several other computers beforehand, so cracker is likely to be appropriate.
A lot of the emails don't make it to a system that can be infected, aren't opened by someone dumb enough, and so on. However, like the numbers involved in spamming, they just need a very small percentage to be dumb enough.
One line blog. I hear that they're called Twitters now.
A synflood would generally only affect the host it's directed at. There would be some extra traffic, but I believe even a 33.6Kbps modem can synflood a single server on a fat pipe (pipe size in this case does not matter). However, this is not what we're seeing. We're seeing their provider filtering www.sco.com's IP address. That's what's peculiar.
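The SYN-flood points raised in the long post above (SYN cookies are a sysctl away on Linux) and in the comment just above (a SYN flood only exhausts the targeted host's half-open connection table, not the pipe) can be checked from the defender's side. This added example, not code from the original thread, counts half-open (SYN_RECV) sockets per local socket in `netstat -tn`-style output and parses the `net.ipv4.tcp_syncookies` sysctl value; the netstat lines are constructed sample data, not real SCO output.

```python
# Added example (not from the original thread): spot a SYN flood from the
# half-open connection table and confirm the SYN-cookie mitigation is on.
# The sample lines below are constructed (documentation IP ranges only).
import re
from collections import Counter

SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:80        198.51.100.7:40211    SYN_RECV
tcp        0      0 192.0.2.10:80        198.51.100.8:40212    SYN_RECV
tcp        0      0 192.0.2.10:80        198.51.100.9:40213    SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.4:51000     ESTABLISHED
tcp        0      0 192.0.2.10:21        203.0.113.5:52000     ESTABLISHED
tcp        0      0 192.0.2.10:80        198.51.100.10:40214   SYN_RECV
"""

# Constructed `sysctl net.ipv4.tcp_syncookies` output for the two cases.
SYSCTL_ON = "net.ipv4.tcp_syncookies = 1\n"
SYSCTL_OFF = "net.ipv4.tcp_syncookies = 0\n"

# proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def count_half_open(netstat_text):
    """Count SYN_RECV sockets per (local_ip, local_port). A pile of these on
    one service, with other services on the same host still ESTABLISHED, is
    the signature of a SYN flood rather than a bandwidth-clogging attack."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and non-TCP lines
        local_ip, local_port, _rip, _rport, state = m.groups()
        if state == "SYN_RECV":
            counts[(local_ip, int(local_port))] += 1
    return counts


def flooded_sockets(netstat_text, threshold):
    """Local sockets whose half-open count reaches the threshold. The
    threshold is site-specific; a busy web server legitimately carries some."""
    return sorted(sock for sock, n in count_half_open(netstat_text).items()
                  if n >= threshold)


def syncookies_enabled(sysctl_output):
    """Parse `sysctl net.ipv4.tcp_syncookies` output. 1 means the kernel
    stops reserving state for unanswered SYNs once the backlog fills, which
    is the simple mitigation the thread refers to."""
    m = re.search(r"net\.ipv4\.tcp_syncookies\s*=\s*(\d+)", sysctl_output)
    return m is not None and m.group(1) != "0"


if __name__ == "__main__":
    print("half-open per socket:", dict(count_half_open(SAMPLE_NETSTAT)))
    print("flooded (>=3):", flooded_sockets(SAMPLE_NETSTAT, 3))
    print("syncookies on:", syncookies_enabled(SYSCTL_ON))
```

On a live box you would feed it the real `netstat -tn` and `sysctl net.ipv4.tcp_syncookies` output; note that port 21 stays ESTABLISHED in the sample while port 80 piles up SYN_RECV, which matches the thread's observation that an FTP server on the same segment keeps answering during a SYN flood aimed at the web server.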
SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are therefore not vulnerable to this attack.
"email"? SMTP? POP3? IMAP? All of these are TCP-based, and are therefore vulnerable to SYN flooding.
My guess is a little less conspiracy theory oriented. Some IT guy at SCO royally screwed up and took down an important server. He tried to fix it, but got yelled at by management before he could resolve things. He made up an "oh, hackers did that" story to cover his ass.
Just because it makes the open source community look bad and they thought that they *were* under attack, SCO execs handed out a press release.
May we never see th
No one can fall victim to a SYN flood attack these days. You don't need a DDoS with "thousands of servers" to do a SYN flood attack. SCO's ISP isn't suffering anything related to a DDoS attack. The shutdown pattern of SCO's servers shows that they were unplugged. Groklaw has a good dissection of the hoax.
Therefore, I would like to know what the /. editors are waiting for in order to update the story stating it as a fraud from SCO.
I wouldn't be surprised if SCO issues a press release tomorrow saying that the evidence they were going to show in January 5 was destroyed.
This is just too much. I thought "evil corporations" existed only in comic books and Hollywood movies.
ftp.sco.com has an adjacent IP, probably on the same switch, and it is perfectly responsive. It's not a bandwidth-clogging attack.
If this is honestly a DDoS attack, then there are bound to be more than enough logs on the servers. If they claim this caused any problems with their discovery, they will be asked to provide backup tapes and log files.
To destroy logs related to the attack or backup tapes that may contain evidence would be criminal at this point. If backups and logs don't exist, there will likely be inquiries on SCO's execs.
On a personal note, I must admit that this looks "fishy", but it'll all come out in the wash...
Dude! Ever heard of "Letter from Birmingham Jail?" One of the great pieces of American writing! I'll be mightily disappointed if my English lit. teacher lied and it was actually composed from a Motel 6...
The Age has an article titled Doubts cast on SCO claims of denial of service attack. It's good to see a mainstream news service not just reporting the FUD but actually digging a little deeper.
www.worldrps.com
Need I say more?
Curiously, in the time that SCO's site was "being attacked" they managed to
1. give the site a bit of a revamp. It's different, and content has changed.
2. Switch operating systems. http://uptime.netcraft.com/perf/graph?site=www.sco.com shows they have gone from using linux/apache before the attack, to unknown/apache after the attack.
Now, you're in the middle of what you claim is a network attack. You say your site is down, email is down, support is down, and you're working hard to get these things going again... so instead of actually trying to get the network up again, you revamp the site and change the OS of the server.
SCO is so full of shit, and the mainstream media is licking up their bullshit press releases. Blah.
Come on.....
There are only a few possibilities:
1: SCO's IT department doesn't know what SYN cookies are and how they relate to Linux (which they DO run their site on). They evidently don't know how to configure Cisco routers in order to block SYN floods either. In this case SCO is incompetent...
2: SCO is deliberately not protecting their networks in order to draw attention to themselves.
3: SCO is sabotaging their own networks.
4: The cyber-attack story is completely made up and has no truth value.
The Groklaw story is worth reading:
http://www.groklaw.net/article.php?story=20031210