Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

12 of 510 comments

  1. Very strange is this; reported BEFORE it happened? by Anonymous Coward · · Score: 5, Interesting

    stolen from: http://www.newsforge.com/business/03/12/11/1315246.shtml?tid=85

    Very strange is this; reported BEFORE it happened?
    by Anonymous Reader on 2003.12.11 12:54 (#81456)
    I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.

    The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alleged attack even took place?!

  2. ftp.sco.com by Hug+Life · · Score: 5, Interesting

    What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
    But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
    Just more ham handed FUD from Darl and friends.

  3. Poll already up. by eddy · · Score: 4, Interesting

    There's a poll here.

    --
    Belief is the currency of delusion.
  4. Re:Press release? by Unfallen · · Score: 5, Interesting

    Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.

    Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"

  5. Letter to Netcraft by TWX · · Score: 5, Interesting

    Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:

    To: webmaster@netcraft.com
    Subject: News on your front page

    You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.

    groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:

    http://www.groklaw.net/article.php?story=20031210163721614

    Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.

    Thank you for your time,
    TWX


    Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.

    --
    Do not look into laser with remaining eye.
  6. How convenient by Dunark · · Score: 5, Interesting

    SCO was taking a publicity beating on several fronts:
    - They got an unfavorable ruling WRT discovery on Friday
    - The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
    - Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
    - SCO has to delay their earning announcement by two weeks to screw around with the numbers.

    Needless to say, SCOX stock price dives, and then lo and behold, an attack on SCO's website suddenly becomes the top SCO news item and buries all the other bad news. How fortunate!

  7. SCO tries to divert analysts from their court loss by Animats · · Score: 4, Interesting
    SCO issued three press releases about their "denial of service attack", perhaps in hope that this news story, "SCO Group Hit by Double Whammy" will scroll off.
    • Shares of SCO Group, the company challenging the popular Linux movement, fell sharply Monday after the company lost a court motion Friday and postponed its earnings report.

      After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.

      Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...

      Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...

    It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.

  8. A couple of points not covered above by kroyd · · Score: 4, Interesting

    1: The day before the alleged attack it was revealed that the "contingency agreement" with Boies (a very high profile lawyer) isn't really a contingency agreement at all, but a bonus on top of already very expensive fees.

    The claims of Boies taking the case on contingency is one of the major reasons for the SCOX market capitalization to increase by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)

    2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.

    Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).

  9. Re:Speculation for Nerds. Hardly matters. by Trepalium · · Score: 5, Interesting
    Well how about this, someone DoS's you, and your Intranet and support desk goes down? That's pretty damn peculiar. I see three options. Either they're lying, they're incompetent, or it's an inside job. Their ISP is treating the attack like a standard DDoS attack, by blocking it far upstream, and BS comes to the press and tries to be technical and call it a "SYN attack". SCO claims their mail system was knocked down, but their webserver doesn't even act as a mail server (it's mail.ut.caldera.com [216.250.130.2], not www.sco.com [216.250.128.12]). They don't even have a secondary MX in this case.

    SCO's victim story doesn't add up, and it doesn't make sense.

    --
    I used up all my sick days, so I'm calling in dead.
  10. Re:Let's do a Slashdot insta-poll by Rick+the+Red · · Score: 4, Interesting

    Apparently, SCO doesn't use a firewall. Or they claim they don't. Or something.

    --
    If all this should have a reason, we would be the last to know.
  11. Re:Full text: in case of slashdotting by bpd1069 · · Score: 4, Interesting

    There will be more information to come, I have no doubt. But this is enough to raise questions in any reasonable person's mind. If there is an attack, where is the proof? Did SCO SYN attack itself? A single attacker can mount a SYN flood, I'm told. They are claiming the attack affected their intranet. I am hearing that is unlikely in the extreme. Here is how Jason Fordham explained it to me:

    "An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.


    Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...

    Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....

  12. Re:You are incorrect. by Silvers · · Score: 4, Interesting

    In the article it states ftp.sco.com was responsive.

    That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.

    What options does that leave? An unprotected www server being syn attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way it's just poor network engineering.
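
An added example, not part of the Slashdot thread: several comments ask what evidence would separate a SYN flood on www from an ordinary outage while the neighbouring FTP host stays responsive. On the server side, that evidence is a pile-up of half-open connections on one listener. The sketch below counts them in `ss -tan` style output; the sample rows, documentation-range addresses, thresholds and function names are all constructed for illustration.

```python
from collections import Counter


def summarize(ss_output):
    """Map each local addr:port to a Counter of TCP states seen in `ss -tan` text."""
    stats = {}
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] == "State":   # skip header and short lines
            continue
        state, local = f[0], f[3]
        if state == "LISTEN":               # the listening socket itself is not a connection
            continue
        stats.setdefault(local, Counter())[state] += 1
    return stats


def suspected_syn_flood(ss_output, min_half_open=5, ratio=3.0):
    """Flag listeners whose half-open (SYN-RECV) count dwarfs established sessions.

    Thresholds are illustrative assumptions, not tuned values.
    """
    flagged = []
    for local, states in summarize(ss_output).items():
        half_open = states["SYN-RECV"]
        established = states["ESTAB"]
        if half_open >= min_half_open and half_open >= ratio * max(established, 1):
            flagged.append(local)
    return sorted(flagged)


def _row(state, local, peer):
    return f"{state:<10} 0      0      {local:<20} {peer}"


# Constructed sample: a web listener with many half-open connections and an
# FTP listener one address higher that is serving clients normally.
SAMPLE = "\n".join(
    ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
     _row("LISTEN", "192.0.2.12:80", "0.0.0.0:*"),
     _row("LISTEN", "192.0.2.13:21", "0.0.0.0:*")]
    + [_row("SYN-RECV", "192.0.2.12:80", f"198.51.100.{i}:4{i:04d}") for i in range(1, 9)]
    + [_row("ESTAB", "192.0.2.12:80", "203.0.113.5:51000"),
       _row("ESTAB", "192.0.2.13:21", "203.0.113.6:51001"),
       _row("ESTAB", "192.0.2.13:21", "203.0.113.7:51002")]
)

if __name__ == "__main__":
    print(suspected_syn_flood(SAMPLE))
```

A snapshot like this, taken during the incident together with link utilisation figures, is the kind of record that would let an operator back up or rule out a SYN-flood explanation.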