Slashdot Mirror
Security Experts Doubt SCO's Claims of DoS
devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
← Back to Stories (view on slashdot.org)
stolen from: http://www.newsforge.com/business/03/12/11/1315246 .shtml?tid=85
Very strange is this; reported BEFORE it happened?
by Anonymous Reader on 2003.12.11 12:54 (#81456)
I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.
The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alledged attack even took place?!
What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
Just more ham handed FUD from Darl and friends.
There's a poll here.
Belief is the currency of delusion.
Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.
Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"
Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:
1 63721614
To: webmaster@netcraft.com
Subject: News on your front page
You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.
groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:
http://www.groklaw.net/article.php?story=20031210
Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.
Thank you for your time,
TWX
Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.
Do not look into laser with remaining eye.
SCO was taking a publicity beating on several fronts:
- They got an unfavorable ruling WRT discovery on Friday
- The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
- Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
- SCO has to delay their earning announcement by two weeks to screw around with the numbers.
Needless to say, SCOX stock price dives, and the lo and behold, an attack on SCO's website suddenly becomes the to SCO new item and buries all the other bad news. How fortunate!
lack of technical knowledge.
If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.
it is total and absolute speculation at this point
No, it most certainly is not.
It is a logical conclusion, drawn from deductive reasoning.
From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.
This does not preclude the possiblity of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetant.
After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.
Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...
Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...
It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.
I think that it is you that missed the networking class. Different IP addresses on the same subnet do NOT have to use the same gateway at all. It is in fact possible for a class C subnet (254 addresses) to have 127 hosts(workstations) and 127 routers on the same subnet. In this bizarre and highly unlikely scenario, each of the 127 hosts could have its own unique, personal gateway.
It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol(HSRP) or Virtual Redundant Routing Protocol(VRRP) and you have very reliable gateways indeed.
1: The day before the alleged attack it was revealed that the "contigency agreement" with Boies (a very high profile lawyer) isn't really a contigency agreement at all, but a bonus on top of already very expensive fees.
The claims of Boies taking the case on contigency is one of the major reasjons for the SCOX market capitalizion to incerease by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)
2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.
Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).
SCO's victim story doesn't add up, and it doesn't make sense.
I used up all my sick days, so I'm calling in dead.
Apparently, SCO doesn't use a firewall. Or they claim they don't. Or something.
If all this should have a reason, we would be the last to know.
If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!
216.250.128.7 ftp-rsync.sco.com
216.250.128.9 lists.caldera.com
216.250.128.12 www.sco.com
216.250.128.13 ftp.sco.com
216.250.128.14 ftp.dev.caldera.com
216.250.128.15 ftp.beta.caldera.com
216.250.128.16 ftp.iso.caldera.com
216.250.128.17 ftp2.sco.com
216.250.128.32 colonet.caldera.com
216.250.128.33 artemis.caldera.com
216.250.128.35 apollo.sco.com
216.250.128.37 stage.caldera.com
216.250.128.44 colofailover1.caldera.com
216.250.128.45 colofailover2.caldera.com
216.250.128.46 cologw.caldera.com
216.250.128.47 colobcast.caldera.com
216.250.128.64 vultusnet.ut.sco.com
216.250.128.65 medusa.ut.sco.com
216.250.128.66 minotaur.ut.sco.com
216.250.128.67 sphinx.ut.sco.com
216.250.128.69 pegasus.ut.sco.com
216.250.128.70 cyclops.ut.sco.com
216.250.128.71 griffon.ut.sco.com
216.250.128.72 chimaera.ut.sco.com
216.250.128.194 public.sco.com
216.250.128.197 register.sco.com
216.250.128.198 authentica.caldera.com
216.250.128.199 sonic.ut.caldera.com
216.250.128.200 vupdate.sco.com
216.250.128.210 bosshog.j2.net
216.250.128.215 openwbem.caldera.com
216.250.128.220 scoxweb.sco.com
216.250.128.221 scoxdb.sco.com
216.250.128.222 scoxdemo.sco.com
216.250.128.225 zeus.ut.sco.com
216.250.128.235 www.vultus.com
216.250.128.236 data.vultus.com
216.250.128.237 bugzilla.vultus.com
216.250.128.238 mardon.ut.sco.com
216.250.128.241 linuxupdate.sco.com
216.250.128.245 uw713doc.caldera.com
216.250.128.246 ou800doc.caldera.com
216.250.128.247 docsrv.caldera.com
216.250.128.248 locutus3.calderasystems.com
216.250.128.251 ntop.ut.caldera.com
216.250.128.253 fgw.calderasystems.com
216.250.128.254 c7-gw.calderasystems.com
Lets say, for arguments sake, they really were attacked. Here is an account of a small company being attacked, and how even being a small fish to their ISP, was able to detect, solve, and prevent further attacks. Admitedly, the attack is a UDP flood, but applying a filter to an upstream router cannot be much less time consuming than applying a patch. With the army that SCO employs, this should have been no more than a day of downtime and quitely filed away.
There will be more information to come, I have no doubt. But this is enough to raise questions in any reasonable person's mind. If there is an attack, where is the proof? Did SCO SYN attack itself? A single attacker can mount a SYN flood, I'm told. They are claiming the attack affected their intranet. I am hearing that is unlikely in the extreme. Here is how Jason Fordham explained it to me:
"An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.
Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...
Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....
--
In the article it states ftp.sco.com was responsive.
That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.
What options does that leave? An unprotected www server being syn attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way its just poor network engineering.
Her. Linux Universe had an interview with her recently, here's the /. discussion.
If you have any evidence, please feel free to submit it, as the comment as it stands is proof of nothing.
Again, if you have evidence, submit it or submit a link to a place where evidence may be collected (and don't tell me SCO), and we'll look into it (you may even submit it directly to me if you like).
Roland Buresund
-- Roland Buresund MBA, MCMI, CISSP