Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

10 of 510 comments

  1. Press release? by grub · · Score: 5, Insightful


    If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.

    --
    Trolling is a art,
  2. SYN attacks are not bandwidth hogs by Space+cowboy · · Score: 5, Insightful

    or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)

    The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???

    Simon

    --
    Physicists get Hadrons!
  3. Speculation for Nerds. Hardly matters. by strictnein · · Score: 4, Insightful

    Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge. (Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)

    Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.

  4. Why are they faking a DDoS attack? by Ramsés+Morales · · Score: 5, Insightful

    I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.

    Some people have pointed out that they are doing it to remove self-incriminating evidence from their website. Very likely.

    Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.

    And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.

  5. Re:netcraft by tomhudson · · Score: 5, Insightful
    poster wrote:
    In fact - according to Netcraft - they are using Linux.
    If you read the comments at groklaw, you'd see that they (SCO) are now running "unknown/apache" instead of "linux/apache", and that their web site had LOTS of changes.

    The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. Rather than admit it, they claimed a DoS attack.

  6. Newspurge by eddy · · Score: 5, Insightful

    The absolutely best hypothesis is that they're doing it to purge the bad news off the news sites. There was news about the motion to compel hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to believe Boies is on a contingency (apparently that implies 'faith in the lawsuit').

    Where is that now? Gone.

    Instead we have stories about poor, poor SCO being attacked by those evil linux users.

    How many companies release Press Releases about being under attack?! On the same day, no less!

    --
    Belief is the currency of delusion.
  7. The Press Sucks! by big-giant-head · · Score: 5, Insightful

    Most members of the press are as interested in the truth as Darl McBride is, and they are equally competent in technology matters.

    Face it, a bunch of angry hackers attacking SCO makes a better story than the truth. Especially using the 10 word headline format that is so prevalent in the US.

    --

    So Long and Thanks for all the Fish.
  8. Fund Groklaw by blunte · · Score: 5, Insightful

    I think we should have an informal fund raiser for groklaw.

    They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").

    So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.

    --
    .sigs are for post^Hers.
  9. You are incorrect. by mindstrm · · Score: 4, Insightful

    I've dealt with huge synflood attacks, in the wild.
    Most of the things you say you think you know here are simply not true, I'm sorry.

    Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.

    First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. If you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.

    Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.

    Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.

    Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. Only as long as it can keep up with the flood.. which when we are talking about gigabit speeds, is tough.

    In short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but that's far more engineering and resources than many even very large companies throw at their stuff.

    It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing SCO is getting trashed. Well, except that everything they say is generally bullshit, but that's a different matter entirely.

    Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..

    And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
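
Added example, not part of the comment above or of the original page: a simplified SYN-cookie scheme in Python, illustrating the comment's point that syncookies remove per-SYN state on the server but not the per-SYN work. The cookie layout, secret, addresses and function names are constructed for illustration and are not any real TCP stack's algorithm.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # constructed; a real stack uses a random secret
MSS_TABLE = (536, 1300, 1440, 1460)   # illustrative MSS values the cookie can encode
SERVER = ("192.0.2.10", 80)           # documentation-range address, constructed

def _mac24(src, sport, client_isn, mss_idx, counter):
    msg = f"{src}:{sport}>{SERVER[0]}:{SERVER[1]}|{client_isn}|{mss_idx}|{counter}"
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()[:3]

def make_cookie(src, sport, client_isn, mss_idx, counter):
    """Server ISN for the SYN-ACK: 5 bits of time, 3 bits of MSS index, 24-bit MAC."""
    mac = int.from_bytes(_mac24(src, sport, client_isn, mss_idx, counter), "big")
    return ((counter % 32) << 27) | (mss_idx << 24) | mac

def check_cookie(src, sport, client_isn, ack_num, now):
    """Validate the final ACK; return the negotiated MSS, or None if the cookie is bad."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t, mss_idx = cookie >> 27, (cookie >> 24) & 7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if mss_idx >= len(MSS_TABLE):
        return None
    for counter in (now, now - 1):    # accept the current and the previous time slot
        expected = _mac24(src, sport, client_isn, mss_idx, counter)
        if counter % 32 == t and hmac.compare_digest(mac, expected):
            return MSS_TABLE[mss_idx]
    return None

def simulate(n_spoofed=10000, now=1000):
    established = {}                  # state is created only after a valid ACK
    syn_acks = 0
    for i in range(n_spoofed):        # constructed spoofed SYNs that are never ACKed
        make_cookie(f"198.51.100.{i % 250}", 1024 + i, i, 3, now)
        syn_acks += 1                 # each one still costs a MAC and a SYN-ACK
    cli = ("203.0.113.7", 40000, 123456)   # constructed legitimate client
    isn = make_cookie(*cli, 3, now)
    syn_acks += 1
    ack = (isn + 1) & 0xFFFFFFFF
    mss = check_cookie(*cli, ack, now + 1)
    if mss is not None:
        established[cli[:2]] = mss
    # the same ACK number presented from another source address must fail
    replayed = check_cookie("198.51.100.9", 40000, 123456, ack, now + 1)
    return {"state_entries": len(established), "client_mss": mss,
            "replayed_ack_accepted": replayed is not None,
            "syn_acks_computed": syn_acks}
```

The connection table holds one entry after 10,000 unanswered SYNs, yet the server still computed and sent a reply for every one of them, which is the load and bandwidth cost the comment says syncookies do not remove.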

  10. SCO's defense by Unnngh! · · Score: 4, Insightful

    It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.