Security Experts Doubt SCO's Claims of DoS
devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
Wednesday, December 10 2003 @ 04:37 PM EST
SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.
The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.
First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?
I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.
Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:
"SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.
"Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.
"A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.
"In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.
"As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.
Why hasn't SCO applied them?
Further SCO States:
"'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'
"Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is, www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13, so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).
"Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.
"The evidence then, is that their bandwidth is fine.
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
"I feel quite
Have you or any friends of yours taken part in the SCO DDoS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
That's specious logic.
A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.
Trolling is a art,
Yes, this is a dupe. This "news" was submitted as a comment in the previous SCO item. Do we really need to keep rehashing the SCO thing?
Your thoughts would be correct. However, had you read the article, you would have noted that multiple COMPUTER SECURITY EXPERTS were consulted for feedback on the issue.
Silly grasshopper.
Actually, they do own a lot of DOS and sued microsoft over it not that long ago...
http://www.winntmag.com/Articles/Index.cfm?ArticleID=8045
The issue is there are two Ds in DDoS. Also, with syncookies and stuff, flooding a machine from a DSL is not as trivial as it used to be.
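The two comments above describe the mechanism (spoofed SYNs leave the victim holding half-open connections that will never complete, at almost no cost in attacker bandwidth) and the standard counter (syncookies). The following is an added example written for this page, not code from the thread or from SCO: a toy backlog listener and a toy SYN-cookie listener, each hit with a constructed flood of spoofed SYNs while a handful of real clients try to connect. The constants (60-byte SYN, 75-second half-open timeout, 1024-slot backlog, 64-second cookie time slot, 20 spoofed SYNs per second) are assumptions chosen for the illustration, the client and spoofed addresses are constructed from documentation ranges, and the cookie layout is a simplification of the real Linux encoding.

```python
import hashlib
import hmac
import random

# Assumed constants, not figures from the page: a minimal SYN on the wire and
# how long a listener keeps a half-open entry before giving up on it.
SYN_BYTES = 60
SYN_RECV_TIMEOUT_MS = 75_000
MASK32 = 0xFFFFFFFF


class BacklogListener:
    """Classic TCP listener: every SYN occupies a backlog slot until the
    handshake completes or the half-open entry times out."""

    def __init__(self, backlog, timeout_ms=SYN_RECV_TIMEOUT_MS):
        self.backlog = backlog
        self.timeout_ms = timeout_ms
        self.half_open = {}  # (src, sport) -> (expiry_ms, server_isn)
        self.dropped = 0

    def _expire(self, now_ms):
        for key, (expiry, _) in list(self.half_open.items()):
            if expiry <= now_ms:
                del self.half_open[key]

    def on_syn(self, src, sport, now_ms):
        self._expire(now_ms)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # silently dropped; a real client just sees no answer
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = (now_ms + self.timeout_ms, isn)
        return isn  # SYN-ACK goes to src; a spoofed src never completes the handshake

    def on_ack(self, src, sport, ack, now_ms):
        self._expire(now_ms)
        entry = self.half_open.pop((src, sport), None)
        return entry is not None and ack == (entry[1] + 1) & MASK32


class CookieListener:
    """SYN-cookie listener: keeps no per-SYN state. The server ISN is a MAC over
    the client address/port and a coarse time counter; the final ACK is verified
    by recomputing it. Simplified relative to the Linux encoding (no MSS bits)."""

    def __init__(self, secret, slot_ms=64_000):
        self.secret = secret
        self.slot_ms = slot_ms

    def _cookie(self, src, sport, counter):
        mac = hmac.new(self.secret, f"{src}:{sport}:{counter}".encode(), hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

    def on_syn(self, src, sport, now_ms):
        return self._cookie(src, sport, now_ms // self.slot_ms)  # nothing stored

    def on_ack(self, src, sport, ack, now_ms):
        cookie = (ack - 1) & MASK32
        now_ctr = now_ms // self.slot_ms
        for ctr in (now_ctr, now_ctr - 1):  # tolerate crossing a slot boundary
            if (cookie & 0xFF) == (ctr & 0xFF) and cookie == self._cookie(src, sport, ctr):
                return True
        return False


def simulate(listener, flood_pps, duration_ms, legit_at_ms, legit_clients, seed=1):
    """Send spoofed SYNs at flood_pps for duration_ms; at legit_at_ms, legit_clients
    real hosts each attempt one complete handshake. Returns how many connected."""
    rng = random.Random(seed)
    step_ms = 1000 // flood_pps
    connected, legit_done = 0, False
    for now_ms in range(0, duration_ms, step_ms):
        if not legit_done and now_ms >= legit_at_ms:
            for i in range(legit_clients):
                src, sport = f"198.51.100.{i + 1}", 40000 + i  # constructed real clients
                isn = listener.on_syn(src, sport, legit_at_ms)
                if isn is not None and listener.on_ack(src, sport, (isn + 1) & MASK32, legit_at_ms + 40):
                    connected += 1
            legit_done = True
        spoofed = f"203.0.113.{rng.randrange(1, 255)}"  # constructed spoofed sources
        listener.on_syn(spoofed, rng.randrange(1024, 65536), now_ms)
    return connected


def attacker_bandwidth_bps(flood_pps, syn_bytes=SYN_BYTES):
    """Wire rate the flood costs the attacker: tiny compared with a bandwidth flood."""
    return flood_pps * syn_bytes * 8


if __name__ == "__main__":
    classic = BacklogListener(backlog=1024)
    got = simulate(classic, 20, 200_000, 100_030, 5)
    print(f"backlog listener: {got}/5 real clients connected, {classic.dropped} SYNs dropped")
    cookies = CookieListener(b"constructed-secret")
    got = simulate(cookies, 20, 200_000, 100_030, 5)
    print(f"syncookie listener: {got}/5 real clients connected")
    print(f"attacker spent {attacker_bandwidth_bps(20)} bit/s to do it")
```

With these assumed numbers the backlog fills after about 51 seconds of a 9.6 kbit/s flood and stays full, so every real client arriving afterwards is dropped, while the cookie listener completes all five handshakes because a spoofed SYN costs it nothing but one HMAC. The flood rate needed is roughly backlog divided by half-open timeout, which is why the thread's "1 Kbps or less" figure is the right order of magnitude for a single target.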
It doesn't actually have much to do with the IPs being one off. It has to do with them being on the same subnet. Behind the same router. If www.sco.com was being DDOSed, then there would have at least been a) a hiccup, DDOSed servers don't go straight offline b) effects on hosts on the same subnet. Of course, SCO also claimed it hit their corporate intranet. I wonder how that happened?
====
Crudely Drawn Games
the adjacent IP addresses may or may not be in the same place. They could be on opposite sides of the planet.
However, tracing to those IPs reveals them both to go through a link they claim is saturated.
A link, curiously, that serves many other companies. Companies who have noted on groklaw that their internet access is just fine thanks.
SCO Experiences Distributed Denial of Service Attack
It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?
SCO Grows Your Business http://216.250.128.20 vs the old address of 216.250.128.13?
Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws
bye.edu was down, uvsc.edu was down.. iomega was down.. What do they all have in common.. They are in the Salt Lake City valley area. I was bored and decided to visit sco and it was down.. traceroutes to all locations revealed that an OC-12 connection between level3.net and x0.net was down somewhere in chicago.. thus causing me not to get into the SLC area.
There's no Freedom like UFP-dom
Well the only point I can make is that not a lot of people read the comments. The proof I have is groklaw was fine until this story was posted and now it is slashdotted. I am sure the slashdot crew could tell us the % of people that go and read the comments but I would guess less the 20%.
I didn't use the preview button, so get over it!!!!
Mike
This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using students' computers to participate in a DDOS attack. The compromised computers were spoofing random ip addresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.
I don't have confirmation that they were trying to hit SCO, but this headline jibes.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
I've noticed going to http://216.250.128.20/ I can reach their site, but going to www.sco.com, I cannot.
Very strange, indeed.
The interesting thing here is that it came back up for what looked like an hour according to netcraft. Look at the New York graph it was even responding normally, how strange.
http://uptime.netcraft.com/perf/graph?site=www.sco.com
If at first you don't succeed, you're a programmer...
I have confirmation. SCO IPs (and Google's) were being attempted by the virus/worm our users have.
;-)
From the sysadmin: "It's gotta be some 15 yo - he also tried going after google and anyone who knows anything knows that that'd be futile"
SCO isn't [completely] lying for once.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
Even more fishy: ftp.dev.caldera.com (216.250.128.14) was not mentioned in the post, but is on the same subnet as www and ftp.sco.com. Guess what? It's quite responsive at refusing anonymous logins. Plus, ftp.beta.caldera.com (.15), ftp.iso.caldera.com (.16) work just fine: That's a 0.9-second FTP session. Guess what else? Despite
Something doesn't add up.
Near the top of the article, a security expert from Australia says:
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
He also claims that ftp.sco.com should be unavailable if the DoS attack were real.
However, near the bottom of the article, another user writes in:
"There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.
"Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of volunteer expertise that is ready to help any user of a Linux system.
This suggests to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'.
However, I make no statements whether the DoS attack is real or fabricated. I see either as likely.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
Did anyone else see this article linked from SCO's main page? It starts off saying 'I have a hard time seeing the Linux Zealots as any different from terrorists because of the nature of their threats.'. I knew Darl and Co. were a bunch of asshats, but this is ridiculous.
they recompiled apache so it doesn't reveal the host OS
You don't have to recompile Apache to make it not reveal the OS. The ServerTokens directive (AFAIR) is for setting this. Rather, you need to recompile kernels to spoof the TCP/IP fingerprints that are used to reveal the OS running on a host.
Actually SCO, formerly Caldera, does own CPM. They also own DR DOS (Digital Research DOS). They've used the rights to these products to sue Microsoft for unfair business practices.
This is not my site, but it is succinct and accurate:
http://www.maxframe.com/CPM.HTM
SCO/Caldera seems to be in the business of obscure rights to extract money, through the legal process, from companies that are actually in the business of developing technology products.
err meant to say groklaw showed that ftp.sco.com was up then somehow it goes out of service afterwards.
2 years and no mod points. Join reddit. Because openness is good.
Her.
Groklaw is run by a chixx0r.
This is a website for CS geeks and scientists, do you really expect them to recognise a joke like that?
Besides, it's still off-topic. The topic is SCO's claim that they've been DDOS'd, not As I Lay Dying.
It's astonishing that rumors spread like wildfire if the facts are so easy to check.
If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter (sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.
And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
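The backscatter method the comment above relies on, as an added example that is not part of the original thread: a small analyzer over constructed capture lines from an assumed unused /16 (198.18.0.0/16, picked because it is non-routable benchmarking space). It keeps only replies (SYN-ACK, RST, RST-ACK) addressed into the monitored block, discards inbound SYN probes that are scans rather than backscatter, groups the replies by the host that sent them, and scales the observed trickle up to the victim's total reply rate under the assumption that the attacker spoofed sources uniformly over IPv4. The capture line format, the timestamps and the telescope addresses are invented for the example; the SCO addresses are the ones named in the comment, but the packets attributed to them here are constructed, not real captured data.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed for this example: an unused /16 we only listen on. Nothing in it
# ever sends, so any SYN-ACK or RST arriving is a reply to a packet that someone
# spoofed with a source address from our space.
TELESCOPE = ipaddress.ip_network("198.18.0.0/16")
TELESCOPE_FRACTION = TELESCOPE.num_addresses / 2**32  # share of IPv4 we see
BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies (SYN-ACK, RST, RST-ACK), never initiations
MIN_TARGETS = 3  # distinct monitored addresses hit before we call it an attack


@dataclass
class Packet:
    ts: datetime
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_line(line: str) -> Packet:
    """Parse 'TS SRC:SPORT > DST:DPORT FLAGS' (a capture format invented for this example)."""
    ts, src, _, dst, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Packet(when, ipaddress.ip_address(s_ip), int(s_port),
                  ipaddress.ip_address(d_ip), int(d_port), flags)


@dataclass
class Victim:
    packets: int = 0
    targets: set = field(default_factory=set)  # distinct telescope addresses replied to
    ports: set = field(default_factory=set)    # service ports under attack on the victim
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    def estimated_rate_pps(self) -> float:
        """Scale the trickle we saw up to the victim's total reply rate, assuming the
        attacker picked spoofed sources uniformly over IPv4 (the CAIDA backscatter
        assumption); a few packets in a /16 imply thousands per second at the victim."""
        seconds = max((self.last - self.first).total_seconds(), 1.0)
        return self.packets / seconds / TELESCOPE_FRACTION


def analyze(lines):
    """Return (all replying hosts, hosts meeting the attack threshold, probe count)."""
    victims = defaultdict(Victim)
    probes = 0
    for line in lines:
        p = parse_line(line)
        if p.dst not in TELESCOPE:
            continue
        if p.flags not in BACKSCATTER_FLAGS:
            probes += 1  # a SYN aimed at us is a scan, not a reply to spoofed traffic
            continue
        v = victims[str(p.src)]
        v.packets += 1
        v.targets.add(p.dst)
        v.ports.add(p.sport)
        v.first = p.ts if v.first is None else min(v.first, p.ts)
        v.last = p.ts if v.last is None else max(v.last, p.ts)
    attacks = {src: v for src, v in victims.items() if len(v.targets) >= MIN_TARGETS}
    return dict(victims), attacks, probes


# Constructed sample capture, not real data.
SAMPLE_LINES = [
    # web server answering SYNs that carried our addresses as forged sources
    "2003-12-11T09:00:00Z 216.250.128.12:80 > 198.18.17.4:31337 SA",
    "2003-12-11T09:00:10Z 216.250.128.12:80 > 198.18.200.9:1025 SA",
    "2003-12-11T09:00:20Z 216.250.128.12:80 > 198.18.3.77:40021 SA",
    "2003-12-11T09:00:30Z 216.250.128.12:80 > 198.18.91.2:2048 SA",
    "2003-12-11T09:00:45Z 216.250.128.12:80 > 198.18.55.140:60000 SA",
    "2003-12-11T09:01:00Z 216.250.128.12:80 > 198.18.12.12:1234 SA",
    # ftp server starts showing the same pattern later in the morning
    "2003-12-11T10:49:03Z 216.250.128.13:21 > 198.18.64.1:5555 SA",
    "2003-12-11T10:49:21Z 216.250.128.13:21 > 198.18.7.250:23456 SA",
    "2003-12-11T10:49:44Z 216.250.128.13:21 > 198.18.130.66:1111 SA",
    # noise: a scanner probing us (an initiation, not a reply) and one stray RST
    "2003-12-11T10:50:00Z 198.51.100.5:44321 > 198.18.3.4:22 S",
    "2003-12-11T10:50:30Z 203.0.113.7:25 > 198.18.9.9:50000 RA",
    # traffic not addressed to the telescope is ignored
    "2003-12-11T10:51:00Z 216.250.128.12:80 > 203.0.113.1:4000 SA",
]

if __name__ == "__main__":
    victims, attacks, probes = analyze(SAMPLE_LINES)
    print(f"{probes} inbound probe(s) ignored; {len(victims)} host(s) replied into the telescope")
    for src, v in attacks.items():
        print(f"{src} ports {sorted(v.ports)}: {v.packets} replies to {len(v.targets)} addresses, "
              f"{v.first:%Y-%m-%d %H:%M}Z..{v.last:%H:%M}Z, est. {v.estimated_rate_pps():,.0f} pkt/s at victim")
```

The scaling step is the point of the technique: a /16 sees one in 65536 of the victim's replies, so six SYN-ACKs in a minute correspond to roughly 6,500 replies per second at the victim, while a single stray RST from some other host stays below the distinct-target threshold and is not called an attack. It also explains why the comment can date the ftp server's trouble to 10:49 UTC: backscatter appears the moment the victim starts answering forged SYNs, independent of whether anyone can reach it.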
For what it's worth, yesterday I tried to access www.sco.com, and when I found that I couldn't I attempted a traceroute to the site. The traceroute died in the innards of alter.net. For what it's worth.
enjoy
www.sco.com resolves to 216.250.128.10, just two hosts away from the IP address in parent.
http://216.250.128.10
Why do you think sco hopped IP addresses?
HMMMMMM?
Buford "Maddog" Tannen is fighting mad! And I hate that name too, so now I'm even madder!
Buford "Mad Dog" Tannen
Interestingly, after Groklaw posted this and it was pointed out that their FTP server was still accessible, which clearly counters their claim of a DDoS attack, it now appears that the FTP server has been knocked down as well.
I can see it now at SCO:
Darl: Dammit, you forgot to take down the FTP server too!
Admin: Yeah, uhh, forgot...
Darl: Fix it now, before anyone reads Groklaw!
I have not lost my mind... it's backed up on disk somewhere!
I just got a response from our admin, the worm is Gaobot. That's all I know at this time.
"When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
I donated $10 the other day, and she even wrote a nice thank you note back to me. Great lady!
The Official Steve Ballmer Webpage
For more information (and graph of attack), see CAIDA's writeup.