Slashdot Mirror
Security Experts Doubt SCO's Claims of DoS
devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
← Back to Stories (view on slashdot.org)
It wouldn't be an over-exaggeration to say that a bulk of SCO-related talks happen here on Slashdot. Even NY Times and other mainstream media frequently refer to Slashdot, when they need a quote from "open-source community", "Linux users" and other group that is mentioned in the article. Thus any DDOS attack organization wouldn't probably go unnoticed on this site.
So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.
Trolling is a art,
liars.
Stupid people make stupid things profitable.
SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)
The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???
Simon
Physicists get Hadrons!
Wednesday, December 10 2003 @ 04:37 PM EST
SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.
The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.
First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?
I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.
Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:
"SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.
"Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.
'A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.
"In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.
"As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.
Why hasn't SCO applied them?
Further SCO States:
"'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'
"Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).
"Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.
"The evidence then, is that their bandwidth is fine.
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
"I feel quite
Make people think that they are SOOOOO right in their claims that the "pirates" will do anything to keep the lawyers off their backs. May work with a few fools...
But I sure know that groklaw is DOS'd.
Connection refused.
That just causes more problems for their servers.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
Can I get some cheese with that whine?
People say I'm crazy, I got diamonds on the soles of my shoes...
"SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really?"
;)
Groklaw certainly has just been
Cheers,
rob.
Cowboy Neal doesn't run SCO you insensitive clod!
stolen from: http://www.newsforge.com/business/03/12/11/1315246 .shtml?tid=85
Very strange is this; reported BEFORE it happened?
by Anonymous Reader on 2003.12.11 12:54 (#81456)
I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.
The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alledged attack even took place?!
I thought Groklaw was more of an expert in law.
Other IP addresses on SCO's subnet can be reached, there is "NO" denial of service attack on their system. SCO took the web site down themselves, either to make fake reasons for this quarter's poor financial results or to remove incriminating evidence from their HTML files! Either way, SCO are "LIARS"!
I'll leave the detection of DDOS to the experts on network security. I'll the finerys of law to to the groksters. Grok's job is to question and doubt things. They were probably wrong last time they questioned the problems with SCO. Some script kiddee probably did launch a DDOS on SCOsville.
.. Groklaw gets a DoS attack of their own, complements of the /. effect.
No good deed goes unpunished!
To make up for it, you also killed the groklaw servers. You bastards. :)
Security Expert: "Oh, so um, you claim malicious linux users who you wanted to sue are DDoSing your servers Mr. McBride? Well, let me get out my laptop and check it out."
*boots up linux distro of choice*
"Nope, doesn't look like it was that at all, sorry!"
*evil snicker*
Buy Steampunk Clothing Online!
Two words- Tactical Nuke.
First they claim they own Linux, and now DOS! What's next, CP/M?
sulli
RTFJ.
What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
Just more ham handed FUD from Darl and friends.
whats next? SCO sues DDoS?
Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge.(Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)
Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.
Casual Games/Downloads
Yes, this is a dupe. This "news" was submitted as a comment in the previous SCO item. Do we really need to keep rehashing the SCO thing?
As it turns out the real cause of missing service on the SCO site was not a DDoS...
SCO admin #1: Holy crap! I think the site's under attack!
SCO admin #2: How do you know?
SCO admin #1: Can't hit the site. It's not responding at all!
SCO admin #2: [looks around behind the servers to find them unplugged]
~ "When I'm of that age I'm just going to live up a tree."
What if it's just that no one cares about the SCO case, and so they attacked themselves to get press? I'd bet that was more likely than an actual external DoS attack. Besides, what hacker(s) would waste their time DoS'ing SCO when they can be DoS'ing Microsoft or some other more humorous target?
stuff |
P.S. Don't nobody link to anything on the SCO site today, wouldn't want them to think they are getting DDoSed while they are being /.ed!
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
SCO's web site was only designed to handle one person at a time. Until recently, it worked well enough, but recently two people tried to access the web site simultaneoulsy. This, of course, brought down their server. And since the two people were located at different locations, it was distributed; hence, we have a distributed denial of service (DDoS) attack.
And now you know the real story.
For every post, there is an equal and opposite re-post.
If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch.
The ftp server seems inaccessible now. Maybe someone at SCO clued in "Joe! You forgot to unplug the FTP server! Quick, grab that cable..."
Maybe Valerie from The Princess Bride sais it best: "Liar! Liar! Liiiiaaaaaar!"
Ruby on Rails Screencast
I mean the Very First Comment in the previous SCO Group Website Attacked story was:
...and the happy folks at Groklaw already have a statement up with arguments to effect that SCO is fibbing. They think the attack could be a hoax.
Your hair look like poop, Bob! - Wanker.
Uhh... check the times
Grub's post was at 18:13
The AC was at 18:18
This is a dupe, or at least 90% of one. There are a thousand links from the previous slashdot discussion to Groklaw, like this, this, and this, not to mention this, plus this and most definitely this. And many of those are rated +5 as well.
On a side note, I can't access SCO's website or ftp site from University of Wisc @ Madison computers.
I'm going to go update scoreport.com now... (Link in my sig)
There's a poll here.
Belief is the currency of delusion.
Yeah uh... no.
(Hint: Time of grub's post: 1:13 P.M.; Time of AC post: 1:18 P.M.)
I wasn't finished reading it and had to go back. There it was, a PHP error, then I knew /. had to post the store and yup I was right. :)
Mike
I didn't use the preview button, so get over it!!!!
Mike
But Groklaw was....
/public/private/groklaw/system/databases/mysql.cla ss.php on line 108
Cannnot connect to DB server
Warning: mysql_connect(): Too many connections in
Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
They have not been facing DDoSing attacks, they have been facing 3 articles on slashdot / h during the last 6 months. On the other hand... the outcome is the same.
"Civis Europaeus sum!"
Warning: mysql_connect(): Too many connections in /public/private/groklaw/system/databases/mysql.cla ss.php on line 108
Cannnot connect to DB server
Do they need a hug? Or do they want to have themselves in the news to try and boast up their stoks?
Get Movie Posters
Cannnot connect to DB server
Seems at Groklaw they know something about DOS after all.
Like others have stated, this would be a twist of fate pushing for the end of SCO. If they have to lie that the community or linux community as they put it is DDoS'ing there network then this could very well be the most damning story against SCO yet. It would be amazing to prove the lack and misunderstanding of IT, Linux and Intellectual property SCO has by getting a headline on national news "SCO lies about networking attacks".
A Simple title like that would take the competency out of any IP lawsuite around simply on the grounds you couldn't tell what the company was telling the truth on or not. (Well, to geeks its easy to say they're lying, but this brings it to the forefront that any CTO/CIO or CEO would understand for that matter).
Has anyone been able to get any further comments from upstream providers or ISP's around them?
I wonder if i will ever see the code to smurf.c as "a special F**K you to SCO".. I always laughed when i saw the code and recognized old Fnet admins being the brunt, would be funny to see sco action (although, i'm with RMS - don't do anything illegal.. just keep on emailing them and expressing your opinions!)
Warning: mysql_connect(): Too many connections in /public/private/groklaw/system/databases/mysql.cla ss.php on line 108
Cannnot connect to DB server
When I tell an object to delete this, am I killing it or telling it to kill me?
In the Internet industry, all sorts of companies use DOS/DDOS or claims that worm-related traffic is to blame for a plethora of problems that are often internal blunders. This shouldn't come as a surprise to anyone who has ever managed a server online.
And take me down with it, too.
Oh NO! Now those linux hackers are attacking groklaw too!
They can have a big democracy cake
right in the middle of Tienahmen square
and it won't make a lick of difference
You wanna know why?
Two Words: Nuclear fuckin' weapons!
SYN attack is not bandwidth intensive. It keeps the machine so busy with fake SYN packets that the real ones get ignored. Why do people think you need to saturate pipes to keep a machine offline?
The recent Slashdot story indicates very much that it SCO was indeed not DDOSed, if you read the comments -- this means you, Taco!
Well, M.I.T. doesn't believe in firewalls as they just lull you into a false sense of security. Therefore, 18.0.0.0/8 is both their intranet and Internet at the same time.
To me it seems that the most suspicious piece of evidence is that SCO fell victim to a SYN attack. Based off information I've read, most systems (operating systems, routers, firewalls, etc.) should be protected from this type of attack by now.
Now, I'm no security expert. So my question is this - is it true that most systems should not be vulnerable to this type of attack? Or is that, in some manner, misinformation?
Having dealt with children for sometime, my hunch is that SCO is probably feigning a DDOS attack so that can go back to the judge and ask to extend their 30 day fish-or-cut-bait order.
This is theory is strengthen by their prior actions that indicate their desire to drag this thing out so that the FUD factor stays in effect.
The emergence of Linux has helped the careers/livelyhood of a lot of people here. I don't see SCO making any kind of similar contribution-which limits the degree to which they can expect the good Samaritan type behavior which enforcement of the law realistically requires.
------
Re: By the way (score: 1, it is strange funny)
The comment of Anonymous Coward: Sunday July 20, @03:15AM (#362323)
Stupid Claimer Organization
------
didn't understand that joke, but it's hilarious anyway *wipes tear* ... "The Comment of Anonymous Coward" ha ha ha
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.
Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.
Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.
And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.
Maybe their server is messed up from the slashdotting from dozens of /. articles linking to them.
it was just the slashdot effect.
Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:
1 63721614
To: webmaster@netcraft.com
Subject: News on your front page
You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.
groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:
http://www.groklaw.net/article.php?story=20031210
Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.
Thank you for your time,
TWX
Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.
Do not look into laser with remaining eye.
It's because their IT department is "distributed" on Christmas vacation and some exec probably rebooted it because he wasn't getting his email.
Hey guys, the trailer for the next Star Wars movie is RIGHT HERE!!!!.
Dear SCO,
[*] IP: TCP syncookie support (disabled per default)
make dep
make clean
make bzImage
then shut the hell up
SCO Experiences Distributed Denial of Service Attack
It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?
SCO Grows Your Business http.://216.250.128.20 vs the old address of 216.250.128.13?
Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws
No, I'm...ahem.
Yesterday i noticed that SCO stock was down to 14$ today its at 15$. i wounder what would happen if you plotted a function of sco stock prices to their press releases.
you would probably get a 1 to 1 ratio
Could there be friends on the inside of SCO trying to send a message to those on the outside?
I'm sure this is just an overture to...
Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!
Why don't we SYN flood their FTP server? If their claims are correct, it should go offline, right?
But there is another kind of evil that we must fear most... and that is the indifference of good men.
Or at least i hope he was, if not he's totally clueless of recent history...
---- Booth was a patriot ----
-SCO sold all their servers to increase revenue.
-They took everything down to install MS Windows Advanced Server 2004
- The guy that took over for the sysadmin, after they fired him, tripped and spilled coffee all over the cisco rack. They're waiting for replacements, shipped Express.
- Daryl opened an attachment
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Stating that the DDOS attach was most likely a Made for Wallstreet effort by SCO and pointing to some relevant information. Including the Netcraft News Graph.
Maybe do the same with lesser known Magazines. You can find a whole slew via Google News
Be polite and let them know they are being used as a pawn by SCO.
Help fight continental drift.
The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. rather than admit it, they claimed a DoS attach.
A DOS attack wouldn't hurt them.
Their business is lawsuits.
They could shut down their entire operation, as long as their lawyers can work, they are in business.
- For the complete works of Shakespeare: cat
I thought maybe they were going after Double-Dos now. It's about the only operating system they haven't laid claim to.
bye.edu was down, uvsc.edu was down.. iomega was down.. What do they all have in common.. They are in the Salt Lake City valley area. I was bored and decided to visit sco and it was down.. traceroutes to all locations revealed that a OC-12 connection between level3.net and x0.net was down somewhere in chicago.. thus causing me not to get into the SLC area.
There's no Freedom like UFP-dom
Later SCO will claim that this is the same server that held the only copy of their moutain of evidence and all of their source code too.
SCO was taking a publicity beating on several fronts:
- They got an unfavorable ruling WRT discovery on Friday
- The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
- Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
- SCO has to delay their earning announcement by two weeks to screw around with the numbers.
Needless to say, SCOX stock price dives, and the lo and behold, an attack on SCO's website suddenly becomes the to SCO new item and buries all the other bad news. How fortunate!
Now that I think of it, the server rather quick to respond that it was down, as opposed to the long wait before a timeout that is symptomatic of a DDOS.
This sig no verb.
This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using student's computers to participate in a DDOS attack. The compromised computers were spoofing random ip adresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.
I don't have conformation that they were trying to hit SCO, but this headline jibes.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
I use http://www.sco.com to test browsers cause its unlikley to be in the cache
Oh, wait- that's us...
I find it likely that the "DDoS" was someone internally opening an attachment with a virus, which then propigated to every (windows) system on the network; the virus may have had a payload that said, "upload all .doc files to x.x.x.x"... so they killed the external link that the internal network uses.
Just a thought.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
lack of technical knowledge.
If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.
it is total and absolute speculation at this point
No, it most certainly is not.
It is a logical conclusion, drawn from deductive reasoning.
From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.
This does not preclude the possiblity of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetant.
I've noticed going to http://216.250.128.20/ I can reach their site, but going to www.sco.com, I cannot.
Very strange, indeed.
The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compell hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to belive Boies is on a continguency (apparently that implies 'faith in the lawsuit').
Where is that now? Gone.
Instead we have stories about poor, poor SCO being attacked by those evil linux users.
How many companies release Press Releases about being under attack?! On the same day, no less!
Belief is the currency of delusion.
Have you ever caused, participated in a DDoS attack?
Have you ever sympathized with a person or group that caused a DDoS attack?
Are you now or have you ever used the Linux operation system?
Have you ever sympathized with a person or group that is (or was) using the Linux operating system.
Etc.
Regards,
Fredrick
1. A revel involving unrestraining FUD.
2. Uncontrollable or moderate FUD.
3. A secret rite involving Microsoft executives, involving frenzied FUD producing sessions, and FUD producing activity.
Word Usage- Lets SCO all night long. He is SCO right now, he needs help!
After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.
Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...
Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...
It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.
Plagerism is ALWAYS FUNNY!
The interesting thing here is that it came back up for what looked like an house according to netcraft. Look at the New York graph it was even responding normally, how strange.
o .com
http://uptime.netcraft.com/perf/graph?site=www.sc
If a first you don't succeed, your a programmer...
Ok, boys and gilrs, follow suit.
Send an email to SCO. They say their email has been down. I know for a fact that I can get a bounce with a faux address. They are claiming that the DDOS has taken out intranet as well as email.
Simple, quick, logical. Send this test to YAHOO! and other news agencies so that they can verify the story.
(not spell chexed...)
It was all their remaining technical people sending out floods of job applications.
One line blog. I hear that they're called Twitters now.
It's even funnier when you misspelled it.
C|N>K
An error occured while loading http://www.groklaw.net/article.php?story=200312101 63721614:
Timeout on server
Connection was to www.groklaw.net at port 80
I have confirmation. SCO ips (and Google's) were being attempted by the virus/worm our users have.
;-)
From the sysadmin: "Its's gotta be some 15 yo - he also tried going after google and anyone who knows anything knows that that'd be futile"
SCO isn't [completely] lying for once.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
Darl :- linux turned me into a nute :- Well , I got better
Everyone looks at him,
Darl
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
Most members of the press are as interested in the truth as Darl McBride is, and they are equally compentent in technology matters.
Face it a bunch of angry hackers attacking SCO makes a better story than the truth. Especailly using the 10 word headline format that is so prevelant in the US.
So Long and Thanks for all the Fish.
see if you can get the firewall logs!
The greatest right given is the right to be wrong...
Honest Dad, I didn't forget to put oil in it (as the father drains the pristinely-clean golden-colored oil from the locked up engine)...
Honest Dad, I had a blow-out (as the father examines the tire with a 4 inch puncture would that shows the core pushed inside the tire)...
Can you say busted?
I think that it is you that missed the networking class. Different IP addresses on the same subnet do NOT have to use the same gateway at all. It is in fact possible for a class C subnet (254 addresses) to have 127 hosts(workstations) and 127 routers on the same subnet. In this bizarre and highly unlikely scenario, each of the 127 hosts could have its own unique, personal gateway.
It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol(HSRP) or Virtual Redundant Routing Protocol(VRRP) and you have very reliable gateways indeed.
They already think they can sue the entire Evil Penguin Empire. (They're a little confused because they can't locate the Evil Penguin Overlord, but that has to be Linus, right?)
One line blog. I hear that they're called Twitters now.
DDoS'ing Groklaw!
Dear Mr. Judge,
I am sorry but we are unable to provide the source code examples you have requested. These examples were stored on our web server and were lost in a recent DDoS attack on these servers.
By my reckoning, that means we win. Tell IBM to pay up.
-D. McBride
CEO, SCO Group
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
Near the top of the article, a security expert from Australia says:
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
He also claims that ftp.sco.com should be unavailable if the DoS attack were real.
However, near the bottom of the article, another user writes in:
"There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.
"Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of of volunteer expertise that is ready to help any user of a Linux system.
This suggest to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'
However, I make no statements whether the DoS attack is real or fabricated- I see either as likely.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
1: The day before the alleged attack it was revealed that the "contigency agreement" with Boies (a very high profile lawyer) isn't really a contigency agreement at all, but a bonus on top of already very expensive fees.
The claims of Boies taking the case on contigency is one of the major reasjons for the SCOX market capitalizion to incerease by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)
2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.
Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).
I can't comment on whether they faked the attack (even if we can get to the FTP server, the DoS may be over but the HTTP server is under repair).
What I found funny is that the supposed attack started at 4:20am. Since we've already heard SCO try to link the OS community to theives and crackers... now they're linking them to drug users!
Subtle, I know.
That's
www.sco.com%01@goatse.cx
Is Groklaw now the authority on computer security?
That's what the article seems to imply.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Did anyone else see this article linked from SCO's main page? It starts off saying 'I have a hard time seeing the Linux Zealots as any different from terrorists because of the nature of their threats.'. I knew Darl and Co. were a bunch of asshats, but this is ridiculous.
they recompiled apache so it doesn't reveal the host OS
You don't have to recompile Apache to make it not reveal OS. ServerTokens (AFAIR) Directive is for setting this. Rather you need to recompile kernels to spoof TCP/IP fingerprints that are used to reveal OS running on host.
Well my guess is what with all the lawyer's fees, money is so tight they could only afford one linux license...
On a different note, perhaps we should all (all /. readers) visit the SCO site each day, maybe even multiple times a day, to make sure we don't miss out on some important information.
And remember, you'll want to disable your cache to do this. Oh, and if you have a browser that allows you to set it to auto refresh, that would be a good idea too. It would really be a shame to miss an important press release just because you forgot to hit Refresh often enough...
Unfortunately, SCO's unknown (linux) server is having some difficulty right now.
What (obviously) amuses me is that this frequent refreshing of their news page would be justified, given their proclivity for using press releases to disseminate important information.
.sigs are for post^Hers.
They forgot to buy a liscense from themselves, and were forced to shut their server down to keep from getting sued by themselves?
The only information people want to see is the same information they don't want anyone to have: evidence of their claims.
I think we should have an informal fund raiser for groklaw.
They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").
So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.
.sigs are for post^Hers.
Actually SCO, formerly Caldera, does own CPM. They also own DR DOS (Digital Research DOS). They've used the rights to these products to sue Microsoft for unfair business practices.
This is not my site, but it is succinct and accurate:
http://www.maxframe.com/CPM.HTM
SCO/Caldera seems to be in the business of obscure rights to extract money, through the legal process, from companies that are actually in the business of developing technology products.
Yes, unlike any others, it seems a SCO Ddos attack announces itself with a press release!
Could this fraudulent DoS claim be an attempt to build a case for delaying discovery?
might be an idea to look at groklaw.net before you post? ;-)
ASAP
1000 SlashDot sigs
If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!
216.250.128.7 ftp-rsync.sco.com
216.250.128.9 lists.caldera.com
216.250.128.12 www.sco.com
216.250.128.13 ftp.sco.com
216.250.128.14 ftp.dev.caldera.com
216.250.128.15 ftp.beta.caldera.com
216.250.128.16 ftp.iso.caldera.com
216.250.128.17 ftp2.sco.com
216.250.128.32 colonet.caldera.com
216.250.128.33 artemis.caldera.com
216.250.128.35 apollo.sco.com
216.250.128.37 stage.caldera.com
216.250.128.44 colofailover1.caldera.com
216.250.128.45 colofailover2.caldera.com
216.250.128.46 cologw.caldera.com
216.250.128.47 colobcast.caldera.com
216.250.128.64 vultusnet.ut.sco.com
216.250.128.65 medusa.ut.sco.com
216.250.128.66 minotaur.ut.sco.com
216.250.128.67 sphinx.ut.sco.com
216.250.128.69 pegasus.ut.sco.com
216.250.128.70 cyclops.ut.sco.com
216.250.128.71 griffon.ut.sco.com
216.250.128.72 chimaera.ut.sco.com
216.250.128.194 public.sco.com
216.250.128.197 register.sco.com
216.250.128.198 authentica.caldera.com
216.250.128.199 sonic.ut.caldera.com
216.250.128.200 vupdate.sco.com
216.250.128.210 bosshog.j2.net
216.250.128.215 openwbem.caldera.com
216.250.128.220 scoxweb.sco.com
216.250.128.221 scoxdb.sco.com
216.250.128.222 scoxdemo.sco.com
216.250.128.225 zeus.ut.sco.com
216.250.128.235 www.vultus.com
216.250.128.236 data.vultus.com
216.250.128.237 bugzilla.vultus.com
216.250.128.238 mardon.ut.sco.com
216.250.128.241 linuxupdate.sco.com
216.250.128.245 uw713doc.caldera.com
216.250.128.246 ou800doc.caldera.com
216.250.128.247 docsrv.caldera.com
216.250.128.248 locutus3.calderasystems.com
216.250.128.251 ntop.ut.caldera.com
216.250.128.253 fgw.calderasystems.com
216.250.128.254 c7-gw.calderasystems.com
SCO = "Smokes Crack Often"; SUE = "Some Useless Entity"; SCO = (ONDRUGS)? SCO: SUE;
show them a real DDOS
/dev/null http://www.sco.com" into your crontab, set this hourly
1) paste "wget -O
2) Spread the Word
3) make some evil laughs
Repeat after me: We are all individuals
Now they're talking about the state of the SCO website and how Groklaw is slashdotted.
If you were running a stock scam, which type of story would you prefer?
I'm sure they're just lining up. It's the opportunity of a lifetime.. to help SCO secure their internal systems so nobody else can log in and wreak havoc through, say, a backdoor placed there by the idiots currently running the SCO network on the advice of their helpful friends.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
Yes they are trying to get apache to sue everyone that hits their websites with Linux.
Man o Manechewiz... just when I think I can't dispise that company any more, they come up with this. They seem to have a pathological inability to tell the truth. Absolutely amazing. They personify the worst aspects of capitalism and the MBA. I can't take it any more... I can't go on.
Now, I aint a techy (I'm a biologist; much of this stuff is simply magic to me, from lack of time to care about it), but at least one detailed post over on Groklaw claimed that the SCO server was handling SYN packets just fine. All y'all are in a better position to evaluate that claim than I am, but here in outline is what I remember that I think he said. Statements in the following that look like they betray my ignorance are likely doing exactly that, and shouldn't be taken to reflect on the guy who posted over there.
He used a packet sniffer to analyze transmissions, and attempted to connect to SCO's site. The SCO OS responded to his SYN packet, his side responded back, and the failure happened when the communication was to be handed off from the OS to apache. He claimed that this meant the server computer was just fine, as was the access to that machine, that there could not have been a SYN flood going on, and that the fault was with the web site / apache itself.
Couple this with the fact that apache was reporting linux/apache before the incident, and unknown/apache afterwards, that Netcraft shows the site simply dropping off with no (none, zilch) latency changes beforehand, and that there have apparently been substantial changes to the content of the web site while it was down, and it makes SCO's claim sound very fishy indeed.
Hah, I don't doubt for a second that they've been getting DoS'ed - they've been pissing a lot of the wrong people off. I think slashdot should post a story with nothing but a link to their page so they get slashdotted.
;-)
SCO sucks!
ping -f sco.com
j/k
Hmph... A frigging 28.8k modem could SYN flood a machine.
You don't NEED to distribute the attack, per se, it'd be done that way to completely cover their tracks...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
... so shouldn't it be a DR-DOS attack?
Hello, is this mike on.. hello....
its about time for me to start filtering out these goddamn sco stories.
we dont care anymore. tell us when its over.
------ hi mom
RTFA
Mod parent down.
It's astonishing that rumors spread like wildfire if the facts are so easy to check.
If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter ((sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.
And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
Have a look at this. I think everyone already figured the infamous list of files wouldn't hold up under scrutiny. Well, here's some of that scrutiny.
Good idea, but just to make sure you get it all, you should mirror the contents. "wget -m" should do the trick, and when the site does get hosed, you'll already have a mirror to share with /. readers!
I think /. should partake in a new reality series call "Just your average SCO". Where through a series of forums we can vote on what McBride does next. He will have to do whatever gets the most votes or is the coolest conspiracy.
...what they're claiming is happening isn't or shouldn't be. They're claiming it is a SYN flood attack. Linux has SYN flood protection built in and has had this support since the middle-to-late 2.0.X kernels. Their website would be accessable, but slow to respond if it were an attempted SYN flood.
I believe that a page request attack would saturate the links so you couldn't hit the FTP server, as would Fraggles and other DoS attacks. Most of them rely on the link being saturated or the IP stack being so overwhelmed by bandwidth that it just quits responding or the packets never get to the machine.
If the FTP server is accessable, it's a low-bandwidth attack, and unless there's something new it's not a DoS- and if it's something new, the idiots at SCO can't tell their *sses from a hole in the ground because it's not a SYN flood.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
They will say that posting this article with slashdotters going to www.sco.com is a DOS attack by the linux community.
http://threetechguys.info Come, discuss Technology. Got a technology question? Come ask!
What is the name of the worm?
This is my digital signature. 10011011001
I've dealt with huge synflood attacks, in the wild.
Most of the things you say you think you know here are simply not true, I'm sorry.
Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.
First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. if you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.
Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.
Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.
Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. only as long as it can keep up with the flood.. which when we are takling about gigabit speeds, is tough.
IN short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but tha'ts far more engineering and resources than many even very large companies throw at their stuff.
It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.
Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..
And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
I realize this is offtopic, but something just struck me... Lets look at the possible outcomes of the lawsuit
A) SCO wins, Linux does in fact contain code that was copyrighted.
- So now the Linux community is in shock. However if SCO wants to release ANY Linux software they will have to GPL the code or remove it - thus revelaing it to the rest of the community allowing them to remove the offending code and making the lawsuit a moot point.
B) SCO loses, the code doesn't exist, or was previously GPL'd by SCO.
- SCO loses its entire customer base (never trust a traitor, not even one you create). And closes its doors or is sold on the cheap.
C) Someone bails SCO out, buys everything before the lawsuit ends.
- SCO doesn't sell cheaply, Daryl gets out with millions in "severance pay", Linux community moves on.
You tell me where the lawsuit is going.
-Coach
"Never upset a goalie, getting hit with a blocker is an unpleasent experience - facemask or not." -Me
Really, SCO's just a bit confused over what kind of attack they're experiencing. Nobody does "SYN" floods anymore (unless, of course, they're a L33t child, or they just recently emerged from a 5 year coma).
No . . . What's SCO's experiencing is a "SIN" attack. A classic example of that whole "what goes around, comes around" karma kinda thing.
I'm not tense. I'm just terribly, terribly, alert.
Looks like both to me. Someone at SCO has a cron job running that starts a DDoS (SYN) attack against www.sco.com from their internal network, and sends out a press release at the same time.
That way Darl doesn't even have to climb out of his lawyers' lap, where he spends the day happily napping and dreaming of Linus as his shoe shine boy.
...no evidence, NO CASE.
Their case against IBM gets dropped, but IBM's and Red Hat's goes forward with the extra little tidbit that they can't prove that they weren't in violation with the Lanham Act now (If they come up with that later on, then they directly defied an ORDER to produce the same for the discovery phase of their own suit... Not a pretty picture for SCO at that point...).
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
For what it's worth, yesterday I tried to access www.sco.com, and when I found that I couldn't I attempted a traceroute to the site. The traceroute died in the innards of alter.net. For what it's worth.
It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.
Well assuming that it is a hoax (and, being the cautious type, I do have to concede the possibility that it may be legitimate - stranger things have happened), I honestly don't find myself terribly surprised that they have taken this route.
If you really look at it, SCO has been trying to create an atmosphere of fear - all of which was brought to an abrupt end when the judge commanded them to put up or shut up, essentially. I don't know if they could issue another press release about how their IP is in Linux without irritating the judge, which would destroy any chance they have of actually winning the case.
So, how do you continue to remain active and relevent?
Well, if they can demonstrate that this attack came from the open source community, they can gain some public support, which puts pressure on IBM (as they are representing open source), all without even mentioning the oft-repeated "SCO IP is in Linux" line.
It could even be elegant, if SCO hadn't blown the case out of proportion with their press blitz and threats earlier.
Robert B. Marks
Author, Demonsbane in Diablo Archive
if it's true that SCO is lying
David Boies, chief counsel for the SCO efforts, is well known for his ability to orchestrate public relations in his litigation efforts.
For instance (and recognizing the "selected not elected" conspiracy crowd will have difficulty acknowledging what has been substantiated factually from the Florida Presidential election mess), Boies launched a curious "disenfranchised voter" misdirection tactic that was rather successful in muddying the waters (especially when his own client was particularly guilty of the very charge with respect to absentee military votes).
Regardless of one's political views and support or opposition to the election outcome, Boies employed a rather effective strategy that continues to influence views years later.
If this information about the DDoS being manufactured is indeed correct, the betting money says Boies is probably behind the strategy. Consider the PR battle Boies needs to win: he understands he is unlikely to compel educated technical persons of his intellectual property fiction. Better to scare the executive decision makers into supporting his view that Linux and the open source world are nothing but a bunch of pirates and terrorists.
Can anyone say tort reform?
Three headlines, wow, SCO launched a "Denial of headline" attack against yahoo! Fiancial!
Since Apache compiles and runs fine on UnixWare, I would not be surprised if the Caldera OpenLinux machine they were using before was brought down to put a UnixWare machine in its place.
It helps that the last "attack" in August was when they brought down the server to add the whole registration section for Linux kernel downloads.
----
Open mind, insert foot.
Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....
Maybe someone should investigate a way to see who was downloading a bunch of warez, movies, porn, and MP3s at that time. Maybe some of the services that monitor such traffic could point us in the direction of SCO employees?!?! And of course, when the slowdown was noticed, the employees would blame it of a DDoS attack!
Usurper_ii
Ron Paul
You know, you and the countless other self proclaimed experts, here on Slashdot, scare the shit out of me. You spout off complete and unadulterated crap, as if it were fact, and know nothing of which you speak. I can only hope that with your networking ineptitude, you are never allowed to touch a network outside of your own home.
Did you not read the post that you responded to? It was extremely coherent and unusually well written, for a Slashdot comment. Your's however, was all to typical.
Now, I don't want to speculate into the cause of the SCO outage, however, my guess is that SCO's taking the time to weed out some of the information that they've distributed.
They've realized that they're totally fuxored, and they're abandoning ship, right?
*wishful thinking*
I disable sigs...do you?
While a Denial of Service attack may cause SCO some hassles, it really does not damage them seriously, and only gives them fuel for their attack on Open Source. They can say "see what these crazy hacker types that promote Open Source will do to your business!".
The best way to deal SCO is to hit them where it counts - in the pocket book. How do you do that?
Well here is a list of the major institutional shareholders of SCO:
TOP INSTITUTIONAL HOLDERS
Holder Shares % Out Value* Reported
Capital Guardian Trust Company 1,177,800 8.51 $16,288,974 30-Sep-03
Integral Capital Management Vi, LLC 316,600 2.29 $4,378,578 30-Sep-03
Royce & Associates, Inc. 1,441,200 10.41 $19,931,796 30-Sep-03
Integral Capital Management V, LLC 246,730 1.78 $3,412,275 30-Sep-03
Empire Capital Partners LP 205,000 1.48 $1,961,849 30-Jun-03
Barclays Bank Plc 174,686 1.26 $2,415,907 30-Sep-03
Bjurman, Barry & Associates 160,000 1.16 $2,212,800 30-Sep-03
ING Investments, LLC 143,100 1.03 $1,979,073 30-Sep-03
Oberweis Asset Management Inc. 112,000 0.81 $1,548,960 30-Sep-03
Whitney Asset Management LLC 76,967 0.56 $1,064,453 30-Sep-03
While this only amounts to about 30% of the outstanding shares of SCO - most seem to be privately held - it is a good place to start. A letter writing campaign to these companies would be one method. Let them know in civil, adult terms that you do not approve of companies who practice business in the way SCO does, and that you plan to help organize a boycott of these companies for helping SCO. If you have any investments with these companies threaten to take your business elsewhere. Also tell them that if they do not respond then you plan to target other companies they do business with a similar boycott. And let them know that you plan to be very vocal with your protests - bad publicity can really hit a company in the pocketbook.
Most of the shares of SCO seem to be owned by individuals, but they can be targeted also. With a little time and research of SCO's SEC postings those individuals can be sorted out. Now many of them are officers of SCO, but they and other individual investors maybe officers or large shareholders of other companies. Those companies would be a good target for a boycott too. Also anybody doing business with David Boles and his lacky legal firm would be good targets. Lexus-Nexus would be a good way to research that.
You may think this is silly, or won't work, but in the USA - as the saying goes "bullshit talks, but money walks". Take a look at what is going on with Abercrombie & Fitch. They annoyed a lot of people and now a boycott of their business is being organized. Their stock price is down and they are having to change they way they do business.
We could wait for the courts to sort it out, but that just gives more money to the damn sharks - whoops, I meant lawyers.
In the good old USA the $$$ rules - and that is not necessarily a bad thing, you just got to know how to play the game. Use the power of your money wisely!
on her front page.
Click early and often. Well, after the slashdotting ends, of course.
If I(or someone else) does that, wouldn't the packet stop at the router ?
It's a fine deal with iptales and SNAT, but I have an idea that wouldn't work very well over Internet.
Warning: mysql_connect(): Can't connect to MySQL server on 'mysql2.ibiblio.org' (113) in /public/private/groklaw/system/databases/mysql.cla ss.php on line 108
Cannnot connect to DB server
I wish I could read the article...
"Wisdom is not a product of schooling but of the life-long attempt to acquire it." -Albert Einstein
Either GrokLaw has been slashdotted or those SCOmbags are doing a little DDoS-ing of their own!
I saw on groklaw that someone found an IP that the SCO site was available on (216.250.128.20), which caused him/her to wonder if the morons just changed IP's for the site, and didn't update the DNS record in a timely manner. Seems a good possibility. I also notice on Netcraft that the last time they changed IP's was near the end of August, around the time of the last "DDOS" attack on SCO.. Seems like more then just a coincidence to me...
r13
When I submit a story to Slashdot, a warning email should automatically go to WEBMASTER@ for every mentioned in the story, as soon as it enters the Slashdot editorial queue for consideration. That way, at least the webmasters will get a warning to take cover before the slashdotting hordes invade their servers. Will you help me patch the slashcode?
--
make install -not war
Yes.. we've all read the article by groklaw claiming it was a hoax. I never considered myself that experienced, but when reading this article and all of these posts.. their "security experts" and these posters are simply morons..
first of all, a classic synflood is something that you and me can do from our home computers to some shitty webservers.. port 80 might stop accepting connections and simply time out. the box will still be up, every other service will be fine. any good webserver nowadays will have protections against it. for anyone to even CARE about a synflood nowadays, it has to be huge. the majority of synfloods anyone talks about today are so huge that they bottleneck network equipment and bring down the entire machine or several machines. its pretty obvious sco is talking about the second kind of synflood, not the first. "synflood" now just describes the packets they used to flood, the fact that they were syns had nothing to do with it and any synflood protection on the box wont help.
secondly, just because an ip is next to another ip doesnt mean they're connected to the same switch/hub
also, just because a server next to it is responding, doesnt mean its not an attack. what would you do if your entire network goes down and your internet connections cant handle the bandwidth being sent in? you call up your upstream providers of course! they have the resources to block a large attack early before it hits your network. how would they block it? by blocking all traffic to www.sco.com, maybe even just syn's to port 80 to be more specific. this will keep their entire network up and running. and in this scenario, www.sco.com is down, but ftp.sco.com is up. even if their entire internet connection was never maxed out.. they'd probably block all traffic to www.sco.com at their backbones to keep everything else next to it up
and by the way, just because it brought down their internal network doesnt mean their internal network was "exposed". their internal internet connection has to come from somewhere. i bet sco's network's internet connections were completely maxed out for a while.. a synflood can do that
someone prove me wrong
Some people have pointed out that they are doing it to remove self
incriminating evidence from their website. Very likely.
Yeah, some items have disappeared
Like an ELF spec? Or the whole devspec page?
when combined with the fact that the last time they changed IP's (according to Netcraft) was around the end of August, which was the last time they experienced a "DDoS".....
r13
Enjoy!
The GrokLaw site has been DDoS'ed by the Slashdot crowd. We're waiting till the database server is back up from the hit(s).
"No, SCO hasn't been DDoS'ed. WE'VE been DDoSed, you insensitive clod!"
Hack your mind out of its sandbox.
At about 9:00 CST today I saw that this whole www.sco.com 'DDoS' thing was happening and I wanted to see what was going on for myself. At that time I discovered that the ftp server, ftp.sco.com was down as well.
As I had to be off to class shortly, I had no time to look into this myself. Now looking into things, I don't know if I found anything significant or not, but the IP addresses for www.sco.com and ftp.sco.com trace slightly differently than the others.
Route trace to www.sco.com (216.250.128.12) and ftp.sco.com (216.250.128.13): (first 5 hops not disclosed)
6 sl-st20-chi-15-1.sprintlink.net (144.232.20.80) 41.964 ms 38.945 ms 31.379 ms
7 sl-xocomm-2-0.sprintlink.net (144.223.241.10) 41.726 ms 34.471 ms 31.864 ms
8 p5-0-0.RAR1.Chicago-IL.us.xo.net (65.106.6.133) 43.642 ms 35.284 ms 28.719 ms
9 p6-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.25) 76.919 ms 60.173 ms 57.044 ms
10 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 62.918 ms 58.354 ms 56.242 ms
11 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 74.249 ms 72.024 ms 68.099 ms
12 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 75.645 ms 69.934 ms 66.853 ms
13 * * *
Now, the rest of the subnet adds one more hop (for me at 13 before it times out:
13 205.158.14.114.ptr.us.xo.net (205.158.14.114) 79.440 ms 71.363 ms 66.883 ms
I don't know if this means anything or not, but in my mind it seems kind of odd.
enjoy
...He was inspired by the bit where Bob fakes being paralyzed by an assassin's bullet in order to get sympathy and 'martyr' status (he reveals himself as a fake by tapping his foot while sitting in a wheelchair performing a song). Darl decided to play the wounded puppy to get some press time and pump up SCOX for some Christmas time insider selling.
www.sco.com resolves to 216.250.128.10, just two hosts away from the IP address in parent.
http://216.250.128.10
Why do you think sco hopped IP addresses?
HMMMMMM?
Buford "Maddog" Tannen is fighting mad! And I hate that name too, so now I'm even madder!
Buford "Mad Dog" Tannen
Oh for Christ's sake, mods!
That was a good joke and I can't believe nobody got it.
Could we institute a literacy test for moderators here?
All's true that is mistrusted
Oops. Preview, preview, preview :(
Buford "Mad Dog" Tannen
At the risk of stating the obvious, who can believe anything that SCO says? They've already proved that they are willing to do anything to inflate the value of their stock.
Here is what Groklaw`s site is returning right now
"The GrokLaw site has been DDoS'ed by the Slashdot crowd. We're waiting till the database server is back up from the hit(s)."
And you are just half a day late in reporting that. Heise.de was running a story on this before /. had even the first one up and had details as to why it can't have been a DoS attack. /. reporting news - just... late.
Misread this and thought SCO were going to sue DOS developers.
--This isn't a man who is leaving with his head between his legs.
Yes, it seems like they just changed the IP-adress if their webserver to 216.250.128.10 (or is this perhaps a backup site?)
If you had put some effort into reading the article you talk about, you would have understood that it talks about three kinds of Linux users -- the "pros", the "priests" and the "zealots". These classes of users do exist. Of course the zealots are a great minority, but I have met one of them recently, and let me tell you he definitely does more damage than good, even if he doesn't realize it. If you look up "zealot", you may find it defined as "a fervent and even militant proponent of something", which is what zealot really means in this context.
Now, when you post with the subject line "Linux users are terrorists!!!!WTF!", that's not what the article you linked to argued at all. It claims there are pros and there are priests, and that's all good, but then there are zealots, and those are often extremist and some of them may apply "terrorist" strategies online, believing it helps "our" "cause". Some of them may launch DDoS attacks, and it doesn't help our cause at all.
The article may be unfair to Linux users in general, but blatantly misunderstanding it and crying foul doesn't help either.
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I guess the inability to understand what is happening comes from firing all the technical staff and replacing them with lawyers.
Engineering is the art of compromise.
I just got a responce from our admin, the worm is Gaobot. That's all I know at this time.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
(or is this perhaps a backup site?)
Doubtful. We are beginning to know SCO well enough to anticipate some of their moves... as insane as they may be. (But this predicting ability comes at the risk of becoming as insane as they are)
Buford "Mad Dog" Tannen
Seriously, why would the linux crowd be stupid enough to DDoS them when it's just going to paint us in a bad light and help SCO's stock price go up?
You've got to be shitting me:
:)
"Dealing with an DDoS atack when your bandwidth is NOT eaten up is fairly simple. A quick and dirty script to read your firewall log(s) for incoming addresses that are trying the SYN attacks is fairly easy. Adding those IP addresses to a quick block list is also easy.
"Problem just goes away."
When you're talking about a simple SYN flood, these addresses can all be random spoofs anyway. There's no dependence on connection-setup or anything. All you need to do is get that first packet through and you can do that with spoofed IPs, so a block list is worthless- unless you just block everyone-
Yeah- block everyone, then the "problem just goes away"-
Stick to law, Groklaw
I browse at +5 Flamebait- moderation for all or moderation for none.
It means that the attack was targetted at a webserver, and not the ftp server... leaving the ftp server working just fine.
I agree about bandwidth.. if it's all over the same link, it's not just a bandwidth issue if some things arrive.
Please note I'm not defending SCO here... or arguing their case... I'm just debunking some obviously wrong stuff in the parent post.
The explanation is quite simple, and doesn't involve any crazy conspiracies:
1. SCO's webserver is flooded by a DDOS targeted at that single IP, causing lots of associated damage to their bandwith / etc.
2. As a stopgap, SCO's upstream ISP blocks all incoming trafic to the webserver's IP address.
3. This is reasonably effective in getting their network up again, except of course for the IP being attacked. Thus, the nearby computers on the network are visible but the webserver itself is unreachable.
4. DDosers realize what's going on, shift IPs -- pow, now the FTP site is unavailable!
5. Rinse, lather, repeat.
Does everything always have to be so sinister?
From NewsForge (though likely all from /.):
The SCO Group, either on purpose or by mistake
92% 2192 votes
Richard Stallman
1% 33 votes
Linus Torvalds
0% 16 votes
Groklaw publisher Pamela Jones
1% 36 votes
Bruce Perens
0% 8 votes
Eric Raymond
0% 8 votes
IBM
0% 17 votes
Robin 'Roblimo' Miller 2% 57 votes
2367 total votes
[fill in the blanks]
IPID Sequence Generation: All zeros Nmap run completed -- 1 IP address (1 host up) scanned in 36.858 seconds
Sorry for the formatting. Im busy.
Now, if you'll excuse me, I have backups to corrupt.
So how often have you guys seen other companies press releases that get the technical facts disastorously wrong? Why would SCO be any different? More than likely the message got screwed up by the time it made it to the press release.
Think about it, first of all SCO has no motive to engage in any kind of DoS attack against themselves. Even if this attack would reflect badly on the open source community (instead of making them look like robin hood) SCOs fate rests entierly at trial. Moreover IF SCO had decided to lie about an attack they wouldn't have made it a *succesfull* attack. They would have just issued a press release saying they were the target of a DDoS but their software/whatever prevented any damage. Even disregarding this if this was a hoax of their own making why would it last so long.
At the end of the day SCO still wants the software it is running to seem technically good. After all if no one is using linux who pays royalties? Faking this kind of attack is simply against their interest.
Could it have been an ordinary fuck-up that they claim was a DDoS? Well certainly, however given the fact that other systems on their net were working fine I find it tough to swallow the sysadmins couldn't just switch to another server (unless they were protesting SCOs legal attacks).
So while it is a *possibility* that SCO just had a network glitch we have no more reason to believe they are lying about the DDoS than when any other company claims to be such a victim. In fact as SCO is more likely to be such a victim (given the anger it has stirred up) their claim of a DDoS is even more reasonable than that of a generic company.
Is it not emminently more reasonable that some non-tech PR person screwed up on the technical details rather than some sort of convoluted conspiracy. It's far more believable that Johnson killed Kennedy than this crap
If you liked this thought maybe you would find my blog nice too:
from slashdot linking the site in the blurb :)
Ave Molech Setting
But that's their problem. Who's going to bother buying a Trabant when it has an AM radio and 2 stroke side valve engine while the store down the road is giving away fuel efficient, air conditioned kit cars that are easier to assemble than it is to get the Trabbie roadworthy? Oh, and they also have an option list a mile long?
SCO sell nothing worth buying, the SCO letterhead was purchased for mischief.
Xix.
"Everything is adjustable, provided you have the right tools"
The IT Department couldn't afford to pay the sales department $699 for each server, so they took one down. They figured nobody would notice, as they haven't come up with anything new recently.
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
I thought they were passe; that was my comment to my NOC coworkers last week after seeing a brief syn flood attack against one of our virtual web servers.
I do mean to check further to see if we have syn cookies enabled on the box in question, but, yes, last week I did see what was clearly a brief syn flood. Upon loggging into the box, on which http had alarmed in our monitoring system, I did a netstat and saw a ton of syn_rcvd listed, all with an identical source IP (listed by arin as Army of Slovakia, I believe it was). Piped netstat into a grep on the ip and word count and saw there were a total of 480-some syn_rcvd from that IP. Watched as the connections all timed out over the next several minutes (was busy, so didn't pursue further). Several hours later I saw a less intense repeat against against the same box from a different (probably spoofed) IP.
Is SCO lying or Groklaw incapable of analyzing data. Given groklaw's history, probably the latter.
For more information (and graph of attack), see CAIDA's writeup.
Darth McBride: But I am your father!
Linus Skywalker: No you are not, and stop smoking crack.
Obi-wan GNU Kenobi: I sense a great disturbance in the source, as if millions of user cried out in laughter.
Carbon based humanoid in training.
There are now DDoS attacks which issue a huge number of actual port 80 connections. The connections are not spoofed, although at first it looks like a classic SYN flood because it leaves a ton of sockets hanging for timeout.
When I had to deal with such an attack a few cooperative ISPs and their unwitting zombie hosts helped isolate the trojan. It's now cleaned by most virus scanners and it's possible to eliminate it remotely. Of course, new trojans always appear. I wish SCO luck in nailing the source, if there is one. These types of attacks are brutish and counterproductive, even when waged against similarly offensive opponents.
PS
The idea that the ftp server is available because an upstream router blocked a bandwidth flood doesn't agree with the termination point of previous traceroutes. Neither SCO nor the attacker may be as incompetent as has been implied; evidently this type of low bandwidth DDoS I've described is not common knowledge to SCO or Slashdot. Even though it's an expectable combination of existing attacks.
By the way, if you want to e-mail Blake Stowell, he of the "SCO is working with law enforcement officials and gathering information.." quote in the recent DOS press release, to ask specifically with which law enforcement officials he is working, his e-mail is bstowell@sco.com.
Don't hold your breath for a response....
Rich people are eccentric. Poor people are strange. Me, I'd be happy with odd.
It's not a DDoS attack, it's a cry wolf attack. If you make a living on the net, you have to be completely useless to be off for three days in August - anyone without the skills would have had plenty of time to find someone that does in that time, or plenty of time to shift things to a completely different machine even in a different country if you have to.
gah.. read the rest of my comment...
any good webserver nowadays will have protections against it. for anyone to even CARE about a synflood nowadays, it has to be huge. the majority of synfloods anyone talks about today are so huge that they bottleneck network equipment and bring down the entire machine or several machines. its pretty obvious sco is talking about the second kind of synflood, not the first. "synflood" now just describes the packets they used to flood, the fact that they were syns had nothing to do with it and any synflood protection on the box wont help.
I have it on good authority that they are very much indeed suffering from an attack (which kind I don't know for sure). We are hosting a server at Center7 (where SCO are hosted: http://www.center7.com/us/clients/), plus one of my best friends is in IT at the SCO Lindon office. I chatted him, asked if it was for real, and got an earful back :) I know that the last time they were attacked, Center7 moved their webservers to a completely dedicated line that couldn't affect the rest of their network again. I know this because we voiced our concern about another attack slowing down our own servers we planned on hosting there in the future, and the sales guy at center7 explained it to us.
SCO was hit with a DOO attack -- Denial Of Oxygen. As in the oxygen that isn't reaching their brains.
Maybe this was stated before, but lawyers are no SysAdmins.
I guess that happens if all the SysAdmins get fired and lawyers run a "Software Company".
my 2 cents
Thank you, Your Honor.
Frankly, we can appreciate the intention of the Court based on the submissions and understand the basis for it. We think, Your Honor, however, that in a few minutes this morning we can convince you that the more appropriate path is to follow a rule or an outline of the rule in Rule 3 3 that basically says that because the issues involved in this discovery involve a complex interplay between facts and law, that instead of granting the motion, what the Court should simply do is put the motion on hold until very specific discovery has been identified and produced and then make a ruling. And before I address this -- [judge interrupts] yes, Your Honor?
THE COURT:
No.
What I was going to say, Mr. McBride, is that in reviewing all the submissions and reviewing the pertinent case law, it appears to me that what is happening is somewhat circular in that defendant indicates that it cannot answer plaintiff's interrogatories until plaintiff has identified the source codes, et cetera, but the manner in which those have been submitted make it, I believe, unduly burdensome on the defendants and so we go 'round and 'round.
And I find also that it appears to me that if there's any argument to be made on the failure to confer under Rule 37 that -- that there has been a good faith effort to comply, but that because we can't get off the ground because of this circular problem, that I would not find that a sufficient basis for, you know, further postponing.
There are hours of argument you can read through, in which SCO proposes novel legal theories under which they don't have to specifically identify infringing material. The judge doesn't buy this at all.
I suspect that SCO will not produce specific infringing material in thirty days. That will lead to an appeal from the magistrate judge to the district judge. Then it gets complicated. SCO may try to litigate their concept of discovery at the appeals court level before proceeding to trial. That's usually not allowed, but there are exceptions to that rule and some of what SCO's lawyers are saying hint that they may try to go in that direction.
Fundamentally, once SCO's novel theory of vague infringement gets knocked down, it's all over for them. So we'll see all sorts of maneuvering to keep it alive. But so far, they lost the first round.
First point: a SYN attack will always use a forged 'from' address (http://216.239.59.104/search?q=cache:KRsDUV1RalkJ :cr.yp.to/syncookies.html+syn+cookies&hl=en&ie=UTF -8).
So that stuff about filtering based on firewall logs is suspicious.
Second point: the article seems to suggest that ftp. and www. are on the same pipe - perhaps, but not necessarily...
Verdict: inconclusive (but a lot less certain then Darl would like).
Some of the "explanations" to SCO's giant "DDOS conspiracy" here are ridiculous. Maybe its just simply true? http://news.netcraft.com/
Answer: Not anybody who matters. Pointy Haired Bosses just read the big media headlines. SCO have got away with this yet again.
If you were blocking sigs, you wouldn't have to read this.
That's a MAN BABY !
spankfish, please contact me. You can get my email from Ben Kuo at Troika
Scott
The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
gah! read my comment ffs!.. i'll restate it:
whenever anyone gets a huge synflood taking down a network, do you know what a good network engineer does? They attempt to block the traffic as close to the attack as possible. For example, sco most likely blocked all syns to port 80 to www.sco.com at their backbones.. or they might have had to call up their upstream providers to block it for them if it was large enough
once this is blocked, the flood is no longer affecting their network, but their site www.sco.com is effectually down
so.. my point is.. these "security experts" are morons