Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

30 of 510 comments

  1. Very strange is this; reported BEFORE it happened? by Anonymous Coward · · Score: 5, Interesting

    stolen from: http://www.newsforge.com/business/03/12/11/1315246.shtml?tid=85

    Very strange is this; reported BEFORE it happened?
    by Anonymous Reader on 2003.12.11 12:54 (#81456)
    I see they have been playing this DDoS attack in the press. In fact, as near as I can tell, the stories about this DDoS attack started appearing very early on. Most companies take some time to discover they have a DDoS attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.

    The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question: is it possible they contacted any press BEFORE this alleged attack even took place?!

  2. ftp.sco.com by Hug+Life · · Score: 5, Interesting

    What's even weirder is that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
    But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
    Just more ham handed FUD from Darl and friends.

  3. Poll already up. by eddy · · Score: 4, Interesting

    There's a poll here.

    --
    Belief is the currency of delusion.
  4. Re:Press release? by Unfallen · · Score: 5, Interesting

    Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.

    Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"

  5. Does anyone here care about SCO's troubles? by randall_burns · · Score: 2, Interesting
    I suspect that SCO is going to get about as much sympathy from the technical community as someone that wanders into Harlem at 2AM and runs down the street shouting racial insults at the residents. Sure there are some folks that would think such a misguided individual deserves the protection of the law, but their ability to actually provide them protection is limited. There are quite simply limits to what a major corporation can do and get away with.


    The emergence of Linux has helped the careers/livelihood of a lot of people here. I don't see SCO making any kind of similar contribution, which limits the degree to which they can expect the good Samaritan type behavior which enforcement of the law realistically requires.

  6. Letter to Netcraft by TWX · · Score: 5, Interesting

    Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:

    To: webmaster@netcraft.com
    Subject: News on your front page

    You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.

    groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:

    http://www.groklaw.net/article.php?story=20031210163721614

    Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.

    Thank you for your time,
    TWX


    Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.

    --
    Do not look into laser with remaining eye.
  7. Re:Let's do a Slashdot insta-poll by DataPath · · Score: 2, Interesting

    except that SCO claims it's a DDOS. Which is part of the reason they find SCO's claims lacking merit.

    --
    Inconceivable!
  8. How convenient by Dunark · · Score: 5, Interesting

    SCO was taking a publicity beating on several fronts:
    - They got an unfavorable ruling WRT discovery on Friday
    - The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
    - Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
    - SCO has to delay their earning announcement by two weeks to screw around with the numbers.

    Needless to say, SCOX stock price dives, and lo and behold, an attack on SCO's website suddenly becomes the top SCO news item and buries all the other bad news. How fortunate!

  9. No. by schon · · Score: 3, Interesting

    lack of technical knowledge.

    If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.

    it is total and absolute speculation at this point

    No, it most certainly is not.

    It is a logical conclusion, drawn from deductive reasoning.

    From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduce that at least some of SCO's claims (such as the bandwidth usage) are false.

    This does not preclude the possibility of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetent.

    1. Re:No. by schon · · Score: 2, Interesting

      when I read it much of the information that was there was shaky at best

      I read the article this morning at 8AM (eastern) - when I did, the information was not shaky at all. There was very clear, concise information as to why the fact that being able to connect to FTP was an indication that there was no bandwidth saturation.

      Maybe now someone has posted a little bit better info and looked into it in a little more depth

      If you looked at it earlier, then perhaps you're vindicated (I can't say, because I don't know what was posted before I looked at it.) But if it was after I read the article, then you need to brush up on either your reading comprehension, or your technical knowledge.

    2. Re:No. by Anonymous Coward · · Score: 1, Interesting

      One is always free to take a stand, and even to look stupid in so doing.

      The Groklaw article is, in fact, substantially useful and technically reasoned. But, feel free to stand up and look the fool for all you're worth.

      You can even call it "disagreement", if you like.

      Anyway traceroute showed/shows/always has shown both www and ftp enter SCO through the same router from their ISP. That a single wire enters SCO, and a common subnet exists for these various machines, is demonstrated.

      Given that fact regarding subnets, the remainder of the analysis holds. Quite firmly.
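
The deduction made in this comment and its parent (www and ftp share a /24 and the same upstream router, so a responsive ftp rules out link saturation) written out as a small triage script. This is an added example, not code from the thread or from SCO; the host names and addresses are the ones quoted in the thread, and the probe results used to exercise it are constructed.

```python
"""Triage an unreachable host by probing its neighbours on the same link.

Added example, not code from the Slashdot thread or from SCO. It encodes the
deduction made in the comments above: www.sco.com (216.250.128.12) and
ftp.sco.com (216.250.128.13) sit in the same /24 behind the same upstream
router, so if ftp answers a TCP handshake promptly while www does not, the
shared link is not saturated and the outage must be local to the www host
(a SYN flood against that one listener, a misconfiguration, or an unplugged
box), not a bandwidth-exhausting DDoS. Host names and addresses are the ones
quoted in the thread; the probe results used in the test are constructed.
"""
import ipaddress
import socket
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Probe:
    host: str
    ip: str
    port: int
    connected: bool           # did the three-way handshake complete?
    rtt_ms: Optional[float]   # handshake time, None when it never completed


def tcp_probe(host: str, ip: str, port: int, timeout: float = 3.0) -> Probe:
    """Real probe: one timed TCP connect.  Needs network access."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return Probe(host, ip, port, True, (time.monotonic() - t0) * 1000.0)
    except OSError:
        return Probe(host, ip, port, False, None)


def same_subnet(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def classify(target: Probe, neighbours: Iterable[Probe],
             slow_ms: float = 1000.0, prefix: int = 24) -> str:
    """Classify an outage of `target` from probes of hosts on the same link.

    'up'             target answered, nothing to explain
    'inconclusive'   no probed neighbour shares the target's subnet
    'link-saturated' no neighbour answered either (consistent with volumetric DDoS)
    'degraded-link'  neighbours answer but every one is slow (partial saturation)
    'host-local'     a neighbour answers at normal speed: the link is fine and
                     the fault is on the target host itself
    """
    if target.connected:
        return "up"
    peers = [n for n in neighbours if same_subnet(target.ip, n.ip, prefix)]
    if not peers:
        return "inconclusive"
    alive = [n for n in peers if n.connected and n.rtt_ms is not None]
    if not alive:
        return "link-saturated"
    if all(n.rtt_ms > slow_ms for n in alive):
        return "degraded-link"
    return "host-local"


# Hosts quoted in the thread; ports are the services the thread says they ran.
TARGET = ("www.sco.com", "216.250.128.12", 80)
NEIGHBOURS = [
    ("ftp.sco.com", "216.250.128.13", 21),
    ("ftp2.sco.com", "216.250.128.17", 21),
]


def triage(probe_fn: Callable[..., Probe] = tcp_probe) -> str:
    """Probe the target and its neighbours with `probe_fn` and classify."""
    target = probe_fn(*TARGET)
    peers = [probe_fn(*n) for n in NEIGHBOURS]
    return classify(target, peers)


if __name__ == "__main__":
    print(triage())
```

The `probe_fn` parameter exists so the classification can be exercised on recorded results without touching the network; the thresholds (a /24, one second as "slow") are assumptions for the example, not values from the thread.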

  10. SCO tries to divert analysts from their court loss by Animats · · Score: 4, Interesting
    SCO issued three press releases about their "denial of service attack", perhaps in hope that this news story, "SCO Group Hit by Double Whammy" will scroll off.
    • Shares of SCO Group, the company challenging the popular Linux movement, fell sharply Monday after the company lost a court motion Friday and postponed its earnings report.

      After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.

      Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...

      Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...

    It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.

  11. You fail it. by FreeLinux · · Score: 3, Interesting

    I think that it is you that missed the networking class. Different IP addresses on the same subnet do NOT have to use the same gateway at all. It is in fact possible for a class C subnet (254 addresses) to have 127 hosts (workstations) and 127 routers on the same subnet. In this bizarre and highly unlikely scenario, each of the 127 hosts could have its own unique, personal gateway.

    It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol (HSRP) or Virtual Redundant Routing Protocol (VRRP) and you have very reliable gateways indeed.

  12. A couple of points not covered above by kroyd · · Score: 4, Interesting

    1: The day before the alleged attack it was revealed that the "contingency agreement" with Boies (a very high profile lawyer) isn't really a contingency agreement at all, but a bonus on top of already very expensive fees.

    The claims of Boies taking the case on contingency is one of the major reasons for the SCOX market capitalization to increase by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)

    2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.

    Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).

  13. Re:Speculation for Nerds. Hardly matters. by Trepalium · · Score: 5, Interesting
    Well how about this, someone DoS's you, and your Intranet and support desk goes down? That's pretty damn peculiar. I see three options. Either they're lying, they're incompetent, or it's an inside job. Their ISP is treating the attack like a standard DDoS attack, by blocking it far upstream, and BS comes to the press and tries to be technical and call it a "SYN attack". SCO claims their mail system was knocked down, but their webserver doesn't even act as a mail server (it's mail.ut.caldera.com [216.250.130.2], not www.sco.com [216.250.128.12]). They don't even have a secondary MX in this case.

    SCO's victim story doesn't add up, and it doesn't make sense.

    --
    I used up all my sick days, so I'm calling in dead.
  14. Re:Let's do a Slashdot insta-poll by Rick+the+Red · · Score: 4, Interesting

    Apparently, SCO doesn't use a firewall. Or they claim they don't. Or something.

    --
    If all this should have a reason, we would be the last to know.
  15. Re:SCO just doesn't quit by IM6100 · · Score: 2, Interesting

    The irony is that Caldera never would have been able to afford DR-DOS, at the price they could afford to pay for it, if Microsoft hadn't stomped it as an OS by various means. So they bought something cheap and used it as a vehicle to attack Microsoft. Kind of the corporate equivalent of buying a cheap used Ford Pinto in order to attack the Ford Motor Company.

    --
    A Good Intro to NetBS
  16. For those with too much time on their hands! by hydertech · · Score: 3, Interesting

    If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!

    216.250.128.7 ftp-rsync.sco.com
    216.250.128.9 lists.caldera.com
    216.250.128.12 www.sco.com
    216.250.128.13 ftp.sco.com
    216.250.128.14 ftp.dev.caldera.com
    216.250.128.15 ftp.beta.caldera.com
    216.250.128.16 ftp.iso.caldera.com
    216.250.128.17 ftp2.sco.com
    216.250.128.32 colonet.caldera.com
    216.250.128.33 artemis.caldera.com
    216.250.128.35 apollo.sco.com
    216.250.128.37 stage.caldera.com
    216.250.128.44 colofailover1.caldera.com
    216.250.128.45 colofailover2.caldera.com
    216.250.128.46 cologw.caldera.com
    216.250.128.47 colobcast.caldera.com
    216.250.128.64 vultusnet.ut.sco.com
    216.250.128.65 medusa.ut.sco.com
    216.250.128.66 minotaur.ut.sco.com
    216.250.128.67 sphinx.ut.sco.com
    216.250.128.69 pegasus.ut.sco.com
    216.250.128.70 cyclops.ut.sco.com
    216.250.128.71 griffon.ut.sco.com
    216.250.128.72 chimaera.ut.sco.com
    216.250.128.194 public.sco.com
    216.250.128.197 register.sco.com
    216.250.128.198 authentica.caldera.com
    216.250.128.199 sonic.ut.caldera.com
    216.250.128.200 vupdate.sco.com
    216.250.128.210 bosshog.j2.net
    216.250.128.215 openwbem.caldera.com
    216.250.128.220 scoxweb.sco.com
    216.250.128.221 scoxdb.sco.com
    216.250.128.222 scoxdemo.sco.com
    216.250.128.225 zeus.ut.sco.com
    216.250.128.235 www.vultus.com
    216.250.128.236 data.vultus.com
    216.250.128.237 bugzilla.vultus.com
    216.250.128.238 mardon.ut.sco.com
    216.250.128.241 linuxupdate.sco.com
    216.250.128.245 uw713doc.caldera.com
    216.250.128.246 ou800doc.caldera.com
    216.250.128.247 docsrv.caldera.com
    216.250.128.248 locutus3.calderasystems.com
    216.250.128.251 ntop.ut.caldera.com
    216.250.128.253 fgw.calderasystems.com
    216.250.128.254 c7-gw.calderasystems.com

  17. Re:Full text: in case of slashdotting by WinterpegCanuck · · Score: 3, Interesting

    Let's say, for argument's sake, they really were attacked. Here is an account of a small company being attacked, and how, even being a small fish to their ISP, it was able to detect, solve, and prevent further attacks. Admittedly, the attack is a UDP flood, but applying a filter to an upstream router cannot be much less time consuming than applying a patch. With the army that SCO employs, this should have been no more than a day of downtime and quietly filed away.

  18. Re:Speculation for Nerds. Hardly matters. by Serveert · · Score: 2, Interesting

    Read many of the posts here and you'll see that a) groklaw article appears showing ftp.sco.com down b) ftp.sco.com suddenly disappears hours afterwards.

    It's pretty obvious that SCO's claim is shady at best.

    --
    2 years and no mod points. Join reddit. Because openness is good.
  19. Re:Full text: in case of slashdotting by bpd1069 · · Score: 4, Interesting

    There will be more information to come, I have no doubt. But this is enough to raise questions in any reasonable person's mind. If there is an attack, where is the proof? Did SCO SYN attack itself? A single attacker can mount a SYN flood, I'm told. They are claiming the attack affected their intranet. I am hearing that is unlikely in the extreme. Here is how Jason Fordham explained it to me:

    "An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.


    Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...

    Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....

  20. It's better for SCO than bankruptcy speculation by hamjudo · · Score: 2, Interesting
    Before the DDoS announcement the Yahoo Message Board was talking about Bankrupt Before the Trial Starts.

    Now they're talking about the state of the SCO website and how Groklaw is slashdotted.

    If you were running a stock scam, which type of story would you prefer?

  21. They may be DoSed, but... by Svartalf · · Score: 2, Interesting

    ...what they're claiming is happening isn't or shouldn't be. They're claiming it is a SYN flood attack. Linux has SYN flood protection built in and has had this support since the middle-to-late 2.0.X kernels. Their website would be accessible, but slow to respond if it were an attempted SYN flood.

    I believe that a page request attack would saturate the links so you couldn't hit the FTP server, as would Fraggles and other DoS attacks. Most of them rely on the link being saturated or the IP stack being so overwhelmed by bandwidth that it just quits responding or the packets never get to the machine.

    If the FTP server is accessible, it's a low-bandwidth attack, and unless there's something new it's not a DoS- and if it's something new, the idiots at SCO can't tell their *sses from a hole in the ground because it's not a SYN flood.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
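
The distinction this comment draws (a SYN flood fills the listener's half-open queue and, with SYN cookies enabled, the host keeps answering slowly, whereas a bandwidth-saturating flood leaves nothing on the link answering) can be checked on the victim host from the socket table and two sysctls. The script below is an added example, not code from the thread or from SCO: it parses `ss -tan` style output and `sysctl` output, with a weak and a hardened sysctl set side by side. The socket-table lines and peer addresses are constructed; the local address is the www.sco.com IP quoted in the thread.

```python
"""SYN-flood indicators from the kernel's socket table.

Added example, not code from the thread. A SYN flood shows up as many
SYN-RECV (half-open) sockets on one local port, typically one per spoofed
peer address, approaching net.ipv4.tcp_max_syn_backlog. With
net.ipv4.tcp_syncookies=1 the kernel keeps completing handshakes once the
queue overflows, so the service stays reachable (slower); with it off, new
connections are dropped while neighbouring hosts on the same link are fine.
All socket-table lines here are constructed; the local address is the
www.sco.com IP quoted in the thread.
"""
import subprocess
from collections import defaultdict
from typing import Dict, Tuple

SYSCTL_WEAK = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
"""
SYSCTL_HARDENED = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
"""


def make_ss_sample(half_open: int, local: str = "216.250.128.12", port: int = 80) -> str:
    """Constructed `ss -tan` output: one LISTEN socket, one real session and
    `half_open` SYN-RECV entries, each from a different (spoofed-looking) peer
    in the 203.0.113.0/24 documentation range."""
    lines = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
             f"LISTEN     0      128    0.0.0.0:{port}        0.0.0.0:*",
             f"ESTAB      0      0      {local}:{port}   192.0.2.44:33001"]
    for i in range(half_open):
        peer = f"203.0.{113 + i // 254}.{i % 254 + 1}"
        lines.append(f"SYN-RECV   0      0      {local}:{port}   {peer}:{40000 + i}")
    return "\n".join(lines) + "\n"


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse `sysctl key` output lines of the form `key = value`."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            out[k] = int(v)
    return out


def half_open_by_port(ss_text: str) -> Dict[int, Tuple[int, int]]:
    """Map local port -> (SYN-RECV count, number of distinct peer addresses)."""
    counts: Dict[int, int] = defaultdict(int)
    peers: Dict[int, set] = defaultdict(set)
    for line in ss_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 5 or f[0] != "SYN-RECV":
            continue
        port = int(f[3].rsplit(":", 1)[1])          # rsplit keeps IPv6 literals intact
        counts[port] += 1
        peers[port].add(f[4].rsplit(":", 1)[0])
    return {p: (counts[p], len(peers[p])) for p in counts}


def assess(ss_text: str, sysctl_text: str, port: int = 80,
           fill_ratio: float = 0.5) -> Dict[str, object]:
    """Flag a SYN flood when the half-open queue for `port` is at least
    `fill_ratio` of tcp_max_syn_backlog (threshold is an assumption for the
    example), and say whether SYN cookies will keep the listener answering."""
    s = parse_sysctl(sysctl_text)
    backlog = s.get("net.ipv4.tcp_max_syn_backlog", 128)
    cookies = s.get("net.ipv4.tcp_syncookies", 0) == 1
    count, distinct = half_open_by_port(ss_text).get(port, (0, 0))
    flooded = count >= fill_ratio * backlog
    return {
        "half_open": count,
        "distinct_peers": distinct,
        "backlog": backlog,
        "syn_flood": flooded,
        # one half-open socket per peer is the signature of spoofed source SYNs
        "spoofed_like": flooded and distinct >= 0.9 * count,
        "syncookies": cookies,
        "will_stay_reachable": (not flooded) or cookies,
    }


def live(port: int = 80) -> Dict[str, object]:
    """Run against the local kernel (Linux with iproute2; not used by the test)."""
    ss = subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True).stdout
    sc = subprocess.run(["sysctl", "net.ipv4.tcp_syncookies",
                         "net.ipv4.tcp_max_syn_backlog"],
                        capture_output=True, text=True, check=True).stdout
    return assess(ss, sc, port)


if __name__ == "__main__":
    print(assess(make_ss_sample(100), SYSCTL_WEAK))
    print(assess(make_ss_sample(100), SYSCTL_HARDENED))
```

Run it with `live()` on a Linux box to get the same report from the real socket table. The key point it makes concrete: a host whose half-open table is full but whose link is otherwise idle is a SYN-flood victim with cookies off (or a misconfiguration), not a bandwidth-exhausted one.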
  22. Re:SYN attacks are not bandwidth hogs by herrvinny · · Score: 2, Interesting

    Since so many people sue IBM, I wonder why nobody bothered to take the ibmlawsuit.com domain up to now? As you can see here, I regged it just recently. (Annoying CAPTCHA response required) Oh well, at least it's going to a good cause ;-). I just hope IBM doesn't get unhappy about me owning the domain name....

  23. Re:You are incorrect. by Silvers · · Score: 4, Interesting

    In the article it states ftp.sco.com was responsive.

    That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.

    What options does that leave? An unprotected www server being syn attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way it's just poor network engineering.

  24. How long before archive.org is DMCA'ed? by ONU+CS+Geek · · Score: 2, Interesting

    Now, I don't want to speculate into the cause of the SCO outage, however, my guess is that SCO's taking the time to weed out some of the information that they've distributed.

    They've realized that they're totally fuxored, and they're abandoning ship, right?

    *wishful thinking*

    --

    I disable sigs...do you?
  25. Interesting.. by r13 · · Score: 2, Interesting

    when combined with the fact that the last time they changed IP's (according to Netcraft) was around the end of August, which was the last time they experienced a "DDoS".....

    r13

  26. Re:Backscatter by Roxy · · Score: 3, Interesting
    Some people even keep statistics of that noise.

    If you have any evidence, please feel free to submit it, as the comment as it stands is proof of nothing.

    Again, if you have evidence, submit it or submit a link to a place where evidence may be collected (and don't tell me SCO), and we'll look into it (you may even submit it directly to me if you like).

    Roland Buresund

    --
    -- Roland Buresund MBA, MCMI, CISSP
  27. Other press releases by logicnazi · · Score: 2, Interesting

    So how often have you guys seen other companies' press releases that get the technical facts disastrously wrong? Why would SCO be any different? More than likely the message got screwed up by the time it made it to the press release.

    Think about it, first of all SCO has no motive to engage in any kind of DoS attack against themselves. Even if this attack would reflect badly on the open source community (instead of making them look like robin hood) SCO's fate rests entirely at trial. Moreover IF SCO had decided to lie about an attack they wouldn't have made it a *successful* attack. They would have just issued a press release saying they were the target of a DDoS but their software/whatever prevented any damage. Even disregarding this, if this was a hoax of their own making why would it last so long?

    At the end of the day SCO still wants the software it is running to seem technically good. After all if no one is using linux who pays royalties? Faking this kind of attack is simply against their interest.

    Could it have been an ordinary fuck-up that they claim was a DDoS? Well certainly, however given the fact that other systems on their net were working fine I find it tough to swallow the sysadmins couldn't just switch to another server (unless they were protesting SCOs legal attacks).

    So while it is a *possibility* that SCO just had a network glitch we have no more reason to believe they are lying about the DDoS than when any other company claims to be such a victim. In fact as SCO is more likely to be such a victim (given the anger it has stirred up) their claim of a DDoS is even more reasonable than that of a generic company.

    Is it not eminently more reasonable that some non-tech PR person screwed up on the technical details rather than some sort of convoluted conspiracy? It's far more believable that Johnson killed Kennedy than this crap.

    --

    If you liked this thought maybe you would find my blog nice too: