Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

137 of 510 comments

  1. Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 5, Funny

    It wouldn't be an over-exaggeration to say that the bulk of SCO-related talk happens here on Slashdot. Even the NY Times and other mainstream media frequently refer to Slashdot when they need a quote from the "open-source community", "Linux users" or whatever other group is mentioned in the article. Thus any DDoS attack organization probably wouldn't go unnoticed on this site.

    So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.

    1. Re:Let's do a Slashdot insta-poll by lactose_incarnate · · Score: 5, Funny

      Yeah, I've been illegally attacking servers. Heh, who is going to answer that question?

    2. Re:Let's do a Slashdot insta-poll by grub · · Score: 5, Informative


      have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.

      That's specious logic.

      A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.

      --
      Trolling is a art,
    3. Re:Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 5, Funny
      have you or any friends of yours taken part in SCO DDOS attack?

      Well I tried to view their website after this was mentioned on Slashdot. Does that count?

      Disclaimer : many of the others participating in the Slashdotting are not my friends

    4. Re:Let's do a Slashdot insta-poll by jjares · · Score: 2, Informative

      The issue is there are two Ds in DDoS. Also, with syncookies and stuff, flooding a machine from a DSL is not as trivial as it used to be.
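
The SYN flood grub describes above and the syncookies point jjares raises, as an added example that is not code from the page, from SCO or from Groklaw: a small Python triage script that reads an ss(8)-style socket table and a Linux sysctl snapshot, reports whether the half-open connections look like a spoofed-source flood or a single noisy source, and flags weak kernel settings. The socket table, the sysctl values and the hardened targets in EXPECTED are all constructed or assumed here.

```python
"""Triage a suspected SYN flood from a socket-table snapshot and Linux sysctls.

Added example, not from the page, SCO or Groklaw.  All input is constructed:
the ss(8)-style table and the sysctl snapshot below are made up for the demo.
"""
from collections import Counter

# Constructed: 40 half-open connections to port 80, every one from a different
# source in the 203.0.113.0/24 documentation range (what a forged-source flood
# looks like).  On a real host this would be the output of `ss -tan`.
_HALF_OPEN = "\n".join(
    f"SYN-RECV   0      0      216.250.128.12:80    203.0.113.{i}:4{i:04d}"
    for i in range(1, 41)
)
SAMPLE_SS = (
    "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port\n"
    + _HALF_OPEN + "\n"
    + "ESTAB      0      0      216.250.128.12:80    192.0.2.44:33012\n"
    + "ESTAB      0      0      216.250.128.12:21    192.0.2.45:33013\n"
    + "LISTEN     0      128    *:80                 *:*\n"
)

# Constructed sysctl snapshot showing the weak settings, as `sysctl` prints them.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
"""


def parse_ss(text):
    """Return (state, local, peer) tuples from ss-style output; skip the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            rows.append((parts[0], parts[3], parts[4]))
    return rows


def summarize_half_open(rows):
    """Count SYN-RECV sockets and how concentrated their source addresses are."""
    peers = Counter(peer.rsplit(":", 1)[0]
                    for state, _, peer in rows if state == "SYN-RECV")
    total = sum(peers.values())
    top = peers.most_common(1)[0][1] if peers else 0
    return {"syn_recv": total,
            "distinct_peers": len(peers),
            "top_source_share": (top / total) if total else 0.0}


def classify(summary, threshold=20):
    """Decide whether the half-open count looks like an attack and of what kind."""
    if summary["syn_recv"] < threshold:
        return "normal"
    if summary["top_source_share"] >= 0.5:
        return "single-source"   # one real address dominates: rate-limit or block it
    return "spoofed"             # every source seen once: forged addresses, so
                                 # blocking is useless; use syncookies / upstream filter


# Hardened values are assumptions for this example; tune them to the host.
EXPECTED = {"net.ipv4.tcp_syncookies": 1,
            "net.ipv4.tcp_max_syn_backlog": 4096,
            "net.ipv4.tcp_synack_retries": 2}


def check_sysctls(snapshot):
    """Report Linux SYN-handling sysctls that are weaker than EXPECTED."""
    current = {}
    for line in snapshot.splitlines():
        key, _, value = line.partition("=")
        if value.strip():
            current[key.strip()] = int(value)
    findings = []
    for key, want in EXPECTED.items():
        have = current.get(key)
        # synack_retries is "lower is better" (half-open entries expire sooner);
        # the other two are "higher is better".
        if key == "net.ipv4.tcp_synack_retries":
            weak = have is None or have > want
        else:
            weak = have is None or have < want
        if weak:
            findings.append(f"{key} = {have} (recommend {want})")
    return findings


if __name__ == "__main__":
    summary = summarize_half_open(parse_ss(SAMPLE_SS))
    print(summary, "->", classify(summary))
    for finding in check_sysctls(SAMPLE_SYSCTL):
        print("weak:", finding)
```

Run it as-is to see the verdict on the constructed data; on a real host feed it the output of `ss -tan` and of `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries`. The split between "spoofed" and "single-source" is the practical point: a forged-source flood cannot be stopped by blocking an address, which is why syncookies or filtering upstream at the ISP is the fix, and why, as several posts note, the attacker needs very little bandwidth to mount it.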

    5. Re:Let's do a Slashdot insta-poll by pyros · · Score: 5, Funny

      have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.


      That's specious logic.


      A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.



      I'm intrigued by your ideas, and would like to subscribe to your newsletter.

    6. Re:Let's do a Slashdot insta-poll by Boing · · Score: 5, Funny
      So here's a question - have you or any friends of yours taken part in SCO DDOS attack?

      Nice try, Darl.

    7. Re:Let's do a Slashdot insta-poll by DataPath · · Score: 2, Interesting

      except that SCO claims it's a DDOS. Which is part of the reason they find SCO's claims lacking merit.

      --
      Inconceivable!
    8. Re:Let's do a Slashdot insta-poll by Rick the Red · · Score: 4, Interesting

      Apparently, SCO doesn't use a firewall. Or they claim they don't. Or something.

      --
      If all this should have a reason, we would be the last to know.
    9. Re:Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 2, Insightful

      SYN floods are so 1990s. Most modern OSes have some measures to prevent this sort of crap.

    10. Re:Let's do a Slashdot insta-poll by Brandybuck · · Score: 3, Insightful

      But try telling the press that. They believe everything Darl says without question. One single person could do this. In fact, the probability of it being one single person is enormous. Yet it's reported as an attack by the Linux *community*.

      How come the press never similarly reports that "the Windows community unleashed a virus today..."?

      --
      Don't blame me, I didn't vote for either of them!
    11. Re:Let's do a Slashdot insta-poll by geoffspear · · Score: 5, Funny
      Sure, it may seem simple to you, but if you were running a business you'd probably think it made sense to sell a product instead of spending millions of dollars on flimsy lawsuits against corporations with virtually limitless resources to throw at legal defense and countersuits.

      Anyway, my point was that it's not fair to assume they're lying just because a smart person could circumvent the attack. It's equally probable that they're stupid and telling the truth.

      --
      Don't blame me; I'm never given mod points.
    12. Re:Let's do a Slashdot insta-poll by TobiasSodergren · · Score: 2, Funny

      SCO Distributed Disk-Operating System..

      Is this what I'll get if I pay the license fee?

    13. Re:Let's do a Slashdot insta-poll by MSZ · · Score: 2, Funny

      They will soon be!

      Just a little while more, until they get all these derived works like Linux, AIX or Solaris. You know, SMP derived from their rock-solid uniprocessor technology, journaling FS derived from their UFS or state-of-the-art TCP/IP stack derived from their BSD technology.

      --
      The moon is not fully subjugated. I demand a second assault wave preceded by a massive nuclear bombardment.
  2. Press release? by grub · · Score: 5, Insightful


    If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.

    --
    Trolling is a art,
    1. Re:Press release? by Blahbbs · · Score: 5, Funny

      SCO probably submitted this story to Slashdot in order to DDoS GrokLaw's web site.... It's working, isn't it?

    2. Re:Press release? by EmbeddedJanitor · · Score: 2, Insightful

      This would hardly be likely to impact their stock. Currently anyone doing any research into SCOX would know their IP claims are BS. The stock pumping is based on the hope of finding stupid greedy people, not rational people.

      --
      Engineering is the art of compromise.
    3. Re:Press release? by Unfallen · · Score: 5, Interesting

      Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.

      Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"

    4. Re:Press release? by crawling_chaos · · Score: 2, Funny
      Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"

      I more or less see him in a highchair screaming "Mommy!"

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
  3. Soon... by Anonymous Coward · · Score: 5, Funny

    SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.

    1. Re:Soon... by KilobyteKnight · · Score: 5, Funny

      SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.

      Clearly, the letters "D", "o", and "S" are part of SCO IP.

      "S" is the first letter in their company name. "D", being the letter after "C", is obviously a derivative work of the second letter. "o" is simply an attempt to hide the misuse of the third letter "O".

      Unquestionably, SCO owns DDoS.

      --
      When will Windows be ready for the desktop?
    2. Re:Soon... by Hektor_Troy · · Score: 4, Funny

      Funny ... I thought this was about SCO being owned by DDoS ...

      --
      We do not live in the 21st century. We live in the 20 second century.
    3. Re:Soon... by mgg4 · · Score: 5, Funny

      Clearly, the letters "D", "o", and "S" are part of SCO IP.

      Actually, I thought the letters were "P", "o", and "S".

      --
      -- This space for rent.
    4. Re:Soon... by metlin · · Score: 2, Funny

      I think the original poster missed the "In Soviet Russia reference"!

      In Soviet Russia, SCO 0wnZ DDoS!

      Bwaahahahahaaah!

  4. I'm shocked... by BigDork1001 · · Score: 4, Funny
    Oh, I'm so shocked. SCO might have lied about something. Is nothing held sacred anymore? Oh what is this world coming to???

    --
    "Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
  5. SYN attacks are not bandwidth hogs by Space cowboy · · Score: 5, Insightful

    or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)

    The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???

    Simon

    --
    Physicists get Hadrons!
    1. Re:SYN attacks are not bandwidth hogs by mrpuffypants · · Score: 5, Funny

      who in their right mind merges the public internet server and internal intranet server ???

      who in their right mind sues IBM???

    2. Re:SYN attacks are not bandwidth hogs by herrvinny · · Score: 2, Interesting

      Since so many people sue IBM, I wonder why nobody bothered to take the ibmlawsuit.com domain up to now? As you can see here, I regged it just recently. (Annoying CAPTCHA response required) Oh well, at least it's going to a good cause ;-). I just hope IBM doesn't get unhappy about me owning the domain name....

  6. Full text: in case of slashdotting by Anonymous Coward · · Score: 5, Informative

    Wednesday, December 10 2003 @ 04:37 PM EST

    SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.

    The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.

    First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?

    I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.

    Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:

    "SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.

    "Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.

    "A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.

    "In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.

    "As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.

    Why hasn't SCO applied them?

    Further SCO States:

    "'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'

    "Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).

    "Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.

    "The evidence then, is that their bandwidth is fine.

    "So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.

    "I feel quite

    1. Re:Full text: in case of slashdotting by musikit · · Score: 3, Funny

      I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks.

      All forms of Linux. Too bad they are using UNIX.

    2. Re:Full text: in case of slashdotting by WWWWolf · · Score: 2, Funny
      All forms of Linux. Too bad they are using UNIX.

      Heh. Coming up in 2006 release of openserver: SYN flood protection...

    3. Re:Full text: in case of slashdotting by grub · · Score: 3, Funny


      Coming up in 2006 release of openserver: SYN flood protection...

      What's that, a pair of SCO branded scissors to cut the CAT5?

      --
      Trolling is a art,
    4. Re:Full text: in case of slashdotting by CAIMLAS · · Score: 4, Funny

      It makes sense to me that they would claim it's a "SYN flood" simply because SYN has a similar sound to "sin" - it sounds evil! A "ping" flood sounds about as threatening to the average person as a pair of daffy duck children's socks.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    5. Re:Full text: in case of slashdotting by Virtex · · Score: 2, Funny

      Dear Mr. BS: . . .

      Calling Blake Stowell "Mr. BS" just seems fitting somehow.

      --
      For every post, there is an equal and opposite re-post.
    6. Re:Full text: in case of slashdotting by WinterpegCanuck · · Score: 3, Interesting

      Let's say, for argument's sake, they really were attacked. Here is an account of a small company being attacked, and how, even being a small fish to their ISP, it was able to detect, solve, and prevent further attacks. Admittedly, the attack is a UDP flood, but applying a filter to an upstream router cannot be much less time consuming than applying a patch. With the army that SCO employs, this should have been no more than a day of downtime and quietly filed away.

    7. Re:Full text: in case of slashdotting by drakaan · · Score: 2, Funny

      And makes me wish that someone's name was "Barl McBride"...

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    8. Re:Full text: in case of slashdotting by bpd1069 · · Score: 4, Interesting

      There will be more information to come, I have no doubt. But this is enough to raise questions in any reasonable person's mind. If there is an attack, where is the proof? Did SCO SYN attack itself? A single attacker can mount a SYN flood, I'm told. They are claiming the attack affected their intranet. I am hearing that is unlikely in the extreme. Here is how Jason Fordham explained it to me:

      "An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.


      Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...

      Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....

      --
  7. I dont know if SCO was DOS'd by Anonymous Coward · · Score: 3, Funny

    But I sure know that groklaw is DOS'd.

    Connection refused.

  8. Remember, do not go to www.sco.com/216.250.128.12 by Anonymous Coward · · Score: 3, Funny

    That just causes more problems for their servers.

  9. DDOS..... by Vengie · · Score: 5, Funny
    Blake Stowell was quoted as saying, "From preliminary research, we appear to be under some form of 'Slashdot Effect' -- involving both duplicate stories and annoying links."
    --
    When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
    1. Re:DDOS..... by Grizzlysmit · · Score: 3, Funny
      Blake Stowell was quoted as saying, "From preliminary research, we appear to be under some form of 'Slashdot Effect' -- involving both duplicate stories and annoying links."

      Slightly off topic but it's gotta be said, who else finds it appropriate that this man's initials are BS :-D.
      --
      in my life God comes first.... but Linux is pretty high after that :-D
      Francis Smit
  10. slashdotted already. by RobertTaylor · · Score: 5, Funny

    "SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really?"

    Groklaw certainly has just been ;)

    Cheers,
    rob.

  11. Very strange is this; reported BEFORE it happened? by Anonymous Coward · · Score: 5, Interesting

    stolen from: http://www.newsforge.com/business/03/12/11/1315246.shtml?tid=85

    Very strange is this; reported BEFORE it happened?
    by Anonymous Reader on 2003.12.11 12:54 (#81456)
    I see they have been playing this DDoS attack in the press. In fact, as near as I can tell, the stories about this DDoS attack started appearing very early on. Most companies take some time to discover they have a DDoS attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.

    The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question: is it possible they contacted any press BEFORE this alleged attack even took place?!

  12. Groklaw, security expert? by cryptor3 · · Score: 3, Insightful

    I thought Groklaw was more of an expert in law.

    1. Re:Groklaw, security expert? by Dav3K · · Score: 5, Informative

      Your thoughts would be correct. However, had you read the article, you would have noted that multiple COMPUTER SECURITY EXPERTS were consulted for feedback on the issue.

      Silly grasshopper.

    2. Re:Groklaw, security expert? by milamber.net · · Score: 2, Funny

      "Warning: mysql_connect(): Too many connections in /public/private/groklaw/system/databases/mysql.class.php on line 108
      Cannnot connect to DB server


      .. from most people's point of view its quite a short article with very few people referenced...

  13. Security experts? by Lord_Dweomer · · Score: 3, Funny
    Security experts eh?

    Security Expert: "Oh, so um, you claim malicious linux users who you wanted to sue are DDoSing your servers Mr. McBride? Well, let me get out my laptop and check it out."

    *boots up linux distro of choice*

    "Nope, doesn't look like it was that at all, sorry!"

    *evil snicker*

    --
    Buy Steampunk Clothing Online!
  14. SCO just doesn't quit by sulli · · Score: 4, Funny

    First they claim they own Linux, and now DOS! What's next, CP/M?

    --

    sulli
    RTFJ.
    1. Re:SCO just doesn't quit by z4ce · · Score: 3, Informative

      Actually, they do own a lot of DOS and sued microsoft over it not that long ago...

      http://www.winntmag.com/Articles/Index.cfm?ArticleID=8045

    2. Re:SCO just doesn't quit by OpenSourced · · Score: 2, Funny

      In fact, under an old contract with IBM, they own exclusive rights to CICS/MVS.

      --
      Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
    3. Re:SCO just doesn't quit by IM6100 · · Score: 2, Interesting

      The irony is that Caldera never would have been able to afford DR-DOS, at the price they could afford to pay for it, if Microsoft hadn't stomped it as an OS by various means. So they bought something cheap and used it as a vehicle to attack Microsoft. Kind of the corporate equivalent of buying a cheap used Ford Pinto in order to attack the Ford Motor Company.

      --
      A Good Intro to NetBS
  15. ftp.sco.com by Hug Life · · Score: 5, Interesting

    What's even weirder is that, before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
    But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
    Just more ham handed FUD from Darl and friends.

    1. Re:ftp.sco.com by Anonymous Coward · · Score: 2, Informative

      the adjacent IP addresses may or may not be in the same place. They could be on opposite sides of the planet.

      However, tracing to those IPs reveals them both to go through a link they claim is saturated.

      A link, curiously, that serves many other companies. Companies who have noted on groklaw that their internet access is just fine thanks.

    2. Re:ftp.sco.com by delta407 · · Score: 5, Informative
      What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
      Right now, www.sco.com (216.250.128.12) and ftp.sco.com (216.250.128.13) -- both mentioned in the Groklaw post -- are down. I can second your observation that ftp.sco.com was up prior to this hitting the press, implying that something fishy is happening.

      Even more fishy: ftp.dev.caldera.com (216.250.128.14) was not mentioned in the post, but is on the same subnet as www and ftp.sco.com. Guess what? It's quite responsive at refusing anonymous logins. Plus, ftp.beta.caldera.com (.15), ftp.iso.caldera.com (.16) work just fine:
      $ time wget ftp://ftp.iso.caldera.com/MIRRORS -O /dev/null
      --12:58:08-- ftp://ftp.iso.caldera.com/MIRRORS
      => `/dev/null'
      Resolving ftp.iso.caldera.com... done.
      Connecting to ftp.iso.caldera.com[216.250.128.16]:21... connected.
      Logging in as anonymous ... Logged in!
      [lameness filter]
      ==> PORT ... done. ==> RETR MIRRORS ... done.
      Length: 792 (unauthoritative)

      12:58:09 (773.44 KB/s) - `/dev/null' saved [792]

      real 0m0.893s
      user 0m0.005s
      sys 0m0.006s
      That's a 0.9-second FTP session. Guess what else? Despite .15 and .16 being up, ftp2.sco.com (.17) is down, presumably from the same DDoS.

      Something doesn't add up.
  16. Speculation for Nerds. Hardly matters. by strictnein · · Score: 4, Insightful

    Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge. (Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)

    Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.

    1. Re:Speculation for Nerds. Hardly matters. by Valar · · Score: 4, Informative

      It doesn't actually have much to do with the IPs being one off. It has to do with them being on the same subnet. Behind the same router. If www.sco.com was being DDOSed, then there would have at least been a) a hiccup, DDOSed servers don't go straight offline b) effects on hosts on the same subnet. Of course, SCO also claimed it hit their corporate intranet. I wonder how that happened?

    2. Re:Speculation for Nerds. Hardly matters. by Trepalium · · Score: 5, Interesting
      Well how about this, someone DoSes you, and your Intranet and support desk goes down? That's pretty damn peculiar. I see three options. Either they're lying, they're incompetent, or it's an inside job. Their ISP is treating the attack like a standard DDoS attack, by blocking it far upstream, and BS comes to the press and tries to be technical and call it a "SYN attack". SCO claims their mail system was knocked down, but their webserver doesn't even act as a mail server (it's mail.ut.caldera.com [216.250.130.2], not www.sco.com [216.250.128.12]). They don't even have a secondary MX in this case.

      SCO's victim story doesn't add up, and it doesn't make sense.

      --
      I used up all my sick days, so I'm calling in dead.
    3. Re:Speculation for Nerds. Hardly matters. by Serveert · · Score: 2, Interesting

      Read many of the posts here and you'll see that a) groklaw article appears showing ftp.sco.com down b) ftp.sco.com suddenly disappears hours afterwards.

      It's pretty obvious that SCO's claim is shady at best.

      --
      2 years and no mod points. Join reddit. Because openness is good.
    4. Re:Speculation for Nerds. Hardly matters. by Serveert · · Score: 2, Informative

      err meant to say groklaw showed that ftp.sco.com was up then somehow it goes out of service afterwards.

      --
      2 years and no mod points. Join reddit. Because openness is good.
  17. What really happened by Virtex · · Score: 5, Funny

    SCO's web site was only designed to handle one person at a time. Until recently, it worked well enough, but recently two people tried to access the web site simultaneously. This, of course, brought down their server. And since the two people were located at different locations, it was distributed; hence, we have a distributed denial of service (DDoS) attack.

    And now you know the real story.

    --
    For every post, there is an equal and opposite re-post.
  18. Can't see the FTP server by Ridgelift · · Score: 2, Funny

    If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch.

    The ftp server seems inaccessible now. Maybe someone at SCO clued in "Joe! You forgot to unplug the FTP server! Quick, grab that cable..."

    Maybe Valerie from The Princess Bride says it best: "Liar! Liar! Liiiiaaaaaar!"

  19. Poll already up. by eddy · · Score: 4, Interesting

    There's a poll here.

    --
    Belief is the currency of delusion.
    1. Re:Poll already up. by nacturation · · Score: 2, Funny

      There's a poll here.

      It's missing the CowboyNeal option!

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:Poll already up. by mccrew · · Score: 2, Funny
      It's missing the CowboyNeal option!

      That's an exclusive Slashdot value-add.

      --
      Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  20. A great spin on SCO'isms if true. by cybrthng · · Score: 2, Insightful

    Like others have stated, this would be a twist of fate pushing for the end of SCO. If they have to lie that the community, or Linux community as they put it, is DDoS'ing their network then this could very well be the most damning story against SCO yet. It would be amazing to prove the lack and misunderstanding of IT, Linux and intellectual property SCO has by getting a headline on national news "SCO lies about networking attacks".

    A simple title like that would take the competency out of any IP lawsuit around simply on the grounds you couldn't tell what the company was telling the truth on or not. (Well, to geeks it's easy to say they're lying, but this brings it to the forefront that any CTO/CIO or CEO would understand for that matter).

    Has anyone been able to get any further comments from upstream providers or ISP's around them?

    I wonder if i will ever see the code to smurf.c as "a special F**K you to SCO".. I always laughed when i saw the code and recognized old Fnet admins being the brunt, would be funny to see sco action (although, i'm with RMS - don't do anything illegal.. just keep on emailing them and expressing your opinions!)

  21. DOS = easy excuse #1 by mabu · · Score: 2, Insightful

    In the Internet industry, all sorts of companies use DOS/DDOS or claims that worm-related traffic is to blame for a plethora of problems that are often internal blunders. This shouldn't come as a surprise to anyone who has ever managed a server online.

  22. Does anyone here care about SCO's troubles? by randall_burns · · Score: 2, Interesting
    I suspect that SCO is going to get about as much sympathy from the technical community as someone that wanders into Harlem at 2AM and runs down the street shouting racial insults at the residents. Sure there are some folks that would think such a misguided individual deserves the protection of the law, but their ability to actually provide them protection is limited. There are quite simply limits to what a major corporation can do and get away with it.


    The emergence of Linux has helped the careers/livelihood of a lot of people here. I don't see SCO making any kind of similar contribution, which limits the degree to which they can expect the good Samaritan type behavior which enforcement of the law realistically requires.

  23. Why are they faking a DDoS attack? by Ramsés Morales · · Score: 5, Insightful

    I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.

    Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.

    Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.

    And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.

  24. Letter to Netcraft by TWX · · Score: 5, Interesting

    Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:

    To: webmaster@netcraft.com
    Subject: News on your front page

    You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.

    groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:

    http://www.groklaw.net/article.php?story=20031210163721614

    Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.

    Thank you for your time,
    TWX


    Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.

    --
    Do not look into laser with remaining eye.
  25. I know how to DoS SCO.... by SpaceRook · · Score: 2, Funny

    Hey guys, the trailer for the next Star Wars movie is RIGHT HERE!!!!.

  26. Maybe all just a DNS problem? by PB8 · · Score: 5, Informative
    So, this was not the real truth?


    SCO Experiences Distributed Denial of Service Attack


    It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?


    SCO Grows Your Business http://216.250.128.20 vs the old address of 216.250.128.13?


    Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws

  27. Step 1 by gspeare · · Score: 5, Funny

    I'm sure this is just an overture to...

    Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!

  28. Here's how to test their claim by IshanCaspian · · Score: 4, Funny

    Why don't we SYN flood their FTP server? If their claims are correct, it should go offline, right?

    --

    But there is another kind of evil that we must fear most... and that is the indifference of good men.
  29. My theories: by CAIMLAS · · Score: 4, Funny

    -SCO sold all their servers to increase revenue.

    -They took everything down to install MS Windows Advanced Server 2004

    - The guy that took over for the sysadmin, after they fired him, tripped and spilled coffee all over the cisco rack. They're waiting for replacements, shipped Express.

    - Daryl opened an attachment

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    1. Re:My theories: by Anonymous Coward · · Score: 2, Funny

      -SCO sold their servers to buy crack

  30. Re:netcraft by tomhudson · · Score: 5, Insightful
    poster wrote:
    In fact - according to Netcraft - they are using Linux.
    If you read the comments at groklaw, you'd see that they (SCO) are now running "unknown/apache" instead of "linux/apache", and that their web site had LOTS of changes.

    The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. Rather than admit it, they claimed a DoS attack.

  31. Re:HMMM Verry interesting by thoolihan · · Score: 2, Insightful

    Yesterday I noticed that SCO stock was down to 14$, today it's at 15$. I wonder what would happen if you plotted a function of SCO stock prices to their press releases.

    That, or the Dow went down yesterday and is up today through about 1pm.

    -t

    --
    http://unmoldable.com W:"No one of consequence" I:"I must know" W:"Get used to disappointment"
  32. Like I said before.. it wasnt a DOS by ufpdom · · Score: 3, Informative

    bye.edu was down, uvsc.edu was down.. iomega was down.. What do they all have in common.. They are in the Salt Lake City valley area. I was bored and decided to visit sco and it was down.. traceroutes to all locations revealed that an OC-12 connection between level3.net and x0.net was down somewhere in chicago.. thus causing me not to get into the SLC area.

    --
    There's no Freedom like UFP-dom
  33. Re:Did this really need a seperate story? by attobyte · · Score: 4, Informative

    Well the only point I can make is that not a lot of people read the comments. The proof I have is groklaw was fine until this story was posted and now it is slashdotted. I am sure the slashdot crew could tell us the % of people that go and read the comments but I would guess less than 20%.

    --
    I didn't use the preview button, so get over it!!!!

    Mike

  34. Re:Very strange is this; reported BEFORE it happen by ianc7 · · Score: 5, Funny

    Later SCO will claim that this is the same server that held the only copy of their mountain of evidence and all of their source code too.

  35. How convenient by Dunark · · Score: 5, Interesting

    SCO was taking a publicity beating on several fronts:
    - They got an unfavorable ruling WRT discovery on Friday
    - The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
    - Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
    - SCO has to delay their earning announcement by two weeks to screw around with the numbers.

    Needless to say, SCOX stock price dives, and lo and behold, an attack on SCO's website suddenly becomes the top SCO news item and buries all the other bad news. How fortunate!

  36. There may be some truth. Our network may be a part by adamfranco · · Score: 5, Informative

    This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using students' computers to participate in a DDOS attack. The compromised computers were spoofing random ip addresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.

    I don't have confirmation that they were trying to hit SCO, but this headline jibes.

    --
    "When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
  37. No. by schon · · Score: 3, Interesting

    lack of technical knowledge.

    If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.

    it is total and absolute speculation at this point

    No, it most certainly is not.

    It is a logical conclusion, drawn from deductive reasoning.

    From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.

    This does not preclude the possibility of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetent.

    1. Re:No. by schon · · Score: 2, Interesting

      when I read it much of the information that was there was shaky at best

      I read the article this morning at 8AM (eastern) - when I did, the information was not shaky at all. There was very clear, concise information as to why the fact that being able to connect to FTP was an indication that there was no bandwidth saturation.

      Maybe now someone has posted a little bit better info and looked into it in a little more depth

      If you looked at it earlier, then perhaps you're vindicated (I can't say, because I don't know what was posted before I looked at it.) But if it was after I read the article, then you need to brush up on either your reading comprehension, or your technical knowledge.

  38. Newspurge by eddy · · Score: 5, Insightful

    The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compel hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to believe Boies is on a contingency (apparently that implies 'faith in the lawsuit').

    Where is that now? Gone.

    Instead we have stories about poor, poor SCO being attacked by those evil linux users.

    How many companies release Press Releases about being under attack?! On the same day, no less!

    --
    Belief is the currency of delusion.
  39. Dictionary lookup for SCO by MURD3R3R · · Score: 2, Funny
    SCO - Pronunciation es'si'o

    1. A revel involving unrestraining FUD.
    2. Uncontrollable or moderate FUD.
    3. A secret rite involving Microsoft executives, involving frenzied FUD producing sessions, and FUD producing activity.

    Word Usage- Lets SCO all night long. He is SCO right now, he needs help!

  40. SCO tries to divert analysts from their court loss by Animats · · Score: 4, Interesting
    SCO issued three press releases about their "denial of service attack", perhaps in hope that this news story, "SCO Group Hit by Double Whammy" will scroll off.
    • Shares of SCO Group, the company challenging the popular Linux movement, fell sharply Monday after the company lost a court motion Friday and postponed its earnings report.

      After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.

      Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...

      Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...

    It worked, too. See SCO's chart. The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.

  41. Up And Down Again? by leonscape · · Score: 3, Informative

    The interesting thing here is that it came back up for what looked like an hour according to netcraft. Look at the New York graph, it was even responding normally, how strange.

    http://uptime.netcraft.com/perf/graph?site=www.sco.com

    --


    If a first you don't succeed, your a programmer...
  42. It wasn't a DDOS by AndroidCat · · Score: 5, Funny

    It was all their remaining technical people sending out floods of job applications.

    --
    One line blog. I hear that they're called Twitters now.
  43. Re:There may be some truth. Our network may be a p by adamfranco · · Score: 3, Informative

    I have confirmation. SCO ips (and Google's) were being attempted by the virus/worm our users have.

    From the sysadmin: "Its's gotta be some 15 yo - he also tried going after google and anyone who knows anything knows that that'd be futile"

    SCO isn't [completely] lying for once. ;-)

    --
    "When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
  44. Next by frodo from middle ea · · Score: 2, Funny

    Darl :- linux turned me into a newt
    Everyone looks at him,
    Darl :- Well , I got better

    --
    for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
  45. The Press Sucks! by big-giant-head · · Score: 5, Insightful

    Most members of the press are as interested in the truth as Darl McBride is, and they are equally competent in technology matters.

    Face it, a bunch of angry hackers attacking SCO makes a better story than the truth. Especially using the 10 word headline format that is so prevalent in the US.

    --

    So Long and Thanks for all the Fish.
  46. Ha ha! by macdaddy · · Score: 2, Insightful
    That's like a teenager lying to their parents about what *really* happened to their parents' car they borrowed last night. Did I forget to mention the father was a mechanic? Ha!

    Honest Dad, I didn't forget to put oil in it (as the father drains the pristinely-clean golden-colored oil from the locked up engine)...

    Honest Dad, I had a blow-out (as the father examines the tire with a 4 inch puncture wound that shows the core pushed inside the tire)...

    Can you say busted?

  47. You fail it. by FreeLinux · · Score: 3, Interesting

    I think that it is you that missed the networking class. Different IP addresses on the same subnet do NOT have to use the same gateway at all. It is in fact possible for a class C subnet (254 addresses) to have 127 hosts(workstations) and 127 routers on the same subnet. In this bizarre and highly unlikely scenario, each of the 127 hosts could have its own unique, personal gateway.

    It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol(HSRP) or Virtual Redundant Routing Protocol(VRRP) and you have very reliable gateways indeed.

  48. SCO's next press release: by LuxFX · · Score: 3, Funny

    Dear Mr. Judge,

    I am sorry but we are unable to provide the source code examples you have requested. These examples were stored on our web server and were lost in a recent DDoS attack on these servers.

    By my reckoning, that means we win. Tell IBM to pay up.

    -D. McBride
    CEO, SCO Group

    --
    Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
  49. Groklaw contradicts itself by rritterson · · Score: 4, Informative

    Near the top of the article, a security expert from Australia says:

    "So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information."
    He also claims that ftp.sco.com should be unavailable if the DoS attack were real.

    However, near the bottom of the article, another user writes in:

    "There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.

    "Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of volunteer expertise that is ready to help any user of a Linux system."


    This suggests to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'.

    However, I make no statements whether the DoS attack is real or fabricated- I see either as likely.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
  50. A couple of points not covered above by kroyd · · Score: 4, Interesting

    1: The day before the alleged attack it was revealed that the "contingency agreement" with Boies (a very high profile lawyer) isn't really a contingency agreement at all, but a bonus on top of already very expensive fees.

    The claims of Boies taking the case on contingency is one of the major reasons for the SCOX market capitalization to increase by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)

    2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.

    Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).

  51. Linux users are terrorists!!!!WTF! by steveit_is · · Score: 4, Informative

    Did anyone else see this article linked from SCO's main page? It starts off saying 'I have a hard time seeing the Linux Zealots as any different from terrorists because of the nature of their threats.'. I knew Darl and Co. were a bunch of asshats, but this is ridiculous.

  52. Re:netcraft by kosmosik · · Score: 5, Informative

    they recompiled apache so it doesn't reveal the host OS
    You don't have to recompile Apache to make it not reveal OS. ServerTokens (AFAIR) Directive is for setting this. Rather you need to recompile kernels to spoof TCP/IP fingerprints that are used to reveal OS running on host.
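    As an added illustration of the directive kosmosik mentions (not the poster's configuration, and not SCO's): in Apache httpd 2.x the weak and the tightened settings look like this. The file path and the pairing of the two directives are assumptions for the example.

```apache
# --- before: default-style setting, Server header reads e.g. "Apache/2.0.48 (Unix) ..."
# and error pages carry a footer naming the server version and host
ServerTokens Full
ServerSignature On

# --- after: Server header is reduced to "Apache", no footer on generated pages
# (only one of each directive should be active; the block above is shown for contrast)
ServerTokens Prod
ServerSignature Off
```

    As the post says, this changes only what the HTTP layer announces; a site survey that guesses the OS from TCP/IP stack behaviour is unaffected by it.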

  53. Groklaw; sco.com by blunte · · Score: 4, Funny
    Groklaw has seemed to do fine in the past against /., so the current problems surprise me.

    On a different note, perhaps we should all (all /. readers) visit the SCO site each day, maybe even multiple times a day, to make sure we don't miss out on some important information.

    And remember, you'll want to disable your cache to do this. Oh, and if you have a browser that allows you to set it to auto refresh, that would be a good idea too. It would really be a shame to miss an important press release just because you forgot to hit Refresh often enough...

    Unfortunately, SCO's unknown (linux) server is having some difficulty right now.

    What (obviously) amuses me is that this frequent refreshing of their news page would be justified, given their proclivity for using press releases to disseminate important information.

    --
    .sigs are for post^Hers.
    1. Re:Groklaw; sco.com by NecroBones · · Score: 2, Informative

      Interestingly, after Groklaw posted this and it was pointed out that their FTP server was still accessible, which clearly counters their claim of a DDoS attack, it now appears that the FTP server has been knocked down as well.

      I can see it now at SCO:

      Darl: Dammit, you forgot to take down the FTP server too!
      Admin: Yeah, uhh, forgot...
      Darl: Fix it now, before anyone reads Groklaw!

      --
      I have not lost my mind... it's backed up on disk somewhere!
  54. Perhaps by hackhound · · Score: 4, Funny

    They forgot to buy a license from themselves, and were forced to shut their server down to keep from getting sued by themselves?

  55. Fund Groklaw by blunte · · Score: 5, Insightful

    I think we should have an informal fund raiser for groklaw.

    They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").

    So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.

    --
    .sigs are for post^Hers.
    1. Re:Fund Groklaw by turambar386 · · Score: 5, Informative

      Her.

      Groklaw is run by a chixx0r.

    2. Re:Fund Groklaw by CvD · · Score: 2, Informative

      I donated $10 the other day, and she even wrote a nice thank you note back to me. Great lady!

  56. SCO does own CPM and a version of DOS by dfinney · · Score: 2, Informative

    Actually SCO, formerly Caldera, does own CPM. They also own DR DOS (Digital Research DOS). They've used the rights to these products to sue Microsoft for unfair business practices.

    This is not my site, but it is succinct and accurate:

    http://www.maxframe.com/CPM.HTM

    SCO/Caldera seems to be in the business of obscure rights to extract money, through the legal process, from companies that are actually in the business of developing technology products.

  57. For those with too much time on their hands! by hydertech · · Score: 3, Interesting

    If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!

    216.250.128.7 ftp-rsync.sco.com
    216.250.128.9 lists.caldera.com
    216.250.128.12 www.sco.com
    216.250.128.13 ftp.sco.com
    216.250.128.14 ftp.dev.caldera.com
    216.250.128.15 ftp.beta.caldera.com
    216.250.128.16 ftp.iso.caldera.com
    216.250.128.17 ftp2.sco.com
    216.250.128.32 colonet.caldera.com
    216.250.128.33 artemis.caldera.com
    216.250.128.35 apollo.sco.com
    216.250.128.37 stage.caldera.com
    216.250.128.44 colofailover1.caldera.com
    216.250.128.45 colofailover2.caldera.com
    216.250.128.46 cologw.caldera.com
    216.250.128.47 colobcast.caldera.com
    216.250.128.64 vultusnet.ut.sco.com
    216.250.128.65 medusa.ut.sco.com
    216.250.128.66 minotaur.ut.sco.com
    216.250.128.67 sphinx.ut.sco.com
    216.250.128.69 pegasus.ut.sco.com
    216.250.128.70 cyclops.ut.sco.com
    216.250.128.71 griffon.ut.sco.com
    216.250.128.72 chimaera.ut.sco.com
    216.250.128.194 public.sco.com
    216.250.128.197 register.sco.com
    216.250.128.198 authentica.caldera.com
    216.250.128.199 sonic.ut.caldera.com
    216.250.128.200 vupdate.sco.com
    216.250.128.210 bosshog.j2.net
    216.250.128.215 openwbem.caldera.com
    216.250.128.220 scoxweb.sco.com
    216.250.128.221 scoxdb.sco.com
    216.250.128.222 scoxdemo.sco.com
    216.250.128.225 zeus.ut.sco.com
    216.250.128.235 www.vultus.com
    216.250.128.236 data.vultus.com
    216.250.128.237 bugzilla.vultus.com
    216.250.128.238 mardon.ut.sco.com
    216.250.128.241 linuxupdate.sco.com
    216.250.128.245 uw713doc.caldera.com
    216.250.128.246 ou800doc.caldera.com
    216.250.128.247 docsrv.caldera.com
    216.250.128.248 locutus3.calderasystems.com
    216.250.128.251 ntop.ut.caldera.com
    216.250.128.253 fgw.calderasystems.com
    216.250.128.254 c7-gw.calderasystems.com

  58. It's better for SCO than bankruptcy speculation by hamjudo · · Score: 2, Interesting
    Before the DDoS announcement the Yahoo Message Board was talking about Bankrupt Before the Trial Starts.

    Now they're talking about the state of the SCO website and how Groklaw is slashdotted.

    If you were running a stock scam, which type of story would you prefer?

  59. A single machine on cable or DSL? by Svartalf · · Score: 2, Insightful

    Hmph... A frigging 28.8k modem could SYN flood a machine.

    You don't NEED to distribute the attack, per se, it'd be done that way to completely cover their tracks...

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  60. This is Caldera... by cant_get_a_good_nick · · Score: 2, Funny

    ... so shouldn't it be a DR-DOS attack?

    Hello, is this mike on.. hello....

  61. Backscatter by Florian Weimer · · Score: 5, Informative

    It's astonishing that rumors spread like wildfire if the facts are so easy to check.

    If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter (sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.

    And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
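    The backscatter check described in the post above, written out as an added example (this is not the poster's tooling and not any real telescope's data): a small parser over tcpdump-style lines that flags reply-type segments (SYN-ACK or RST) arriving at an unused address block and groups them by the service that sent them. The darknet range, the log lines and the threshold are all constructed; the addresses come from the RFC 5737 documentation ranges rather than from any real network.

```python
"""Spot DoS victims from backscatter seen on an unused ("dark") IPv4 range.

Added example; the range, log lines and threshold below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed: the unused block we watch. Nothing legitimate ever sends here.
DARKNET = ipaddress.ip_network("192.0.2.0/24")  # TEST-NET-1 (documentation range)

# Constructed tcpdump-style lines. 198.51.100.10:80 plays the flooded web server,
# 198.51.100.11:21 a service that sent one stray reply, 203.0.113.8 a port scanner.
SAMPLE_LOG = """\
10:49:01.000100 IP 198.51.100.10.80 > 192.0.2.17.44120: Flags [S.], seq 1, ack 1, win 5840
10:49:01.000300 IP 198.51.100.10.80 > 192.0.2.201.3022: Flags [S.], seq 2, ack 1, win 5840
10:49:01.000700 IP 198.51.100.10.80 > 192.0.2.9.51111: Flags [S.], seq 3, ack 1, win 5840
10:49:01.001000 IP 198.51.100.10.80 > 192.0.2.77.1025: Flags [R.], seq 0, ack 9, win 0
10:49:01.002000 IP 198.51.100.11.21 > 192.0.2.130.4000: Flags [S.], seq 4, ack 1, win 5840
10:49:01.003000 IP 203.0.113.5.22 > 192.0.2.5.55555: Flags [S.], seq 5, ack 1, win 1000
10:49:01.004000 IP 203.0.113.8.53 > 192.0.2.42.33333: Flags [S], seq 9, win 1000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the TCP 4-tuple and flag string of one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
        "flags": m["flags"],
    }


def is_backscatter(pkt, darknet):
    """A SYN-ACK or RST addressed to an unused address can only be a victim
    answering a request whose source was forged into our range. A bare SYN
    aimed at the darknet is a scan, not backscatter, and is ignored."""
    if pkt["dst"] not in darknet:
        return False
    return pkt["flags"] == "S." or "R" in pkt["flags"]


def analyze_backscatter(log_text, darknet=DARKNET, min_targets=3):
    """Map (victim ip, port) -> packet and distinct-target counts for services
    whose replies hit at least `min_targets` different dark addresses. Spread
    across many targets is the signature of randomly spoofed sources; a single
    hit is more likely a stray reply or a misconfiguration."""
    targets = defaultdict(set)
    packets = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt and is_backscatter(pkt, darknet):
            key = (str(pkt["src"]), pkt["sport"])
            targets[key].add(pkt["dst"])
            packets[key] += 1
    return {
        key: {"packets": packets[key], "distinct_targets": len(seen)}
        for key, seen in targets.items()
        if len(seen) >= min_targets
    }


if __name__ == "__main__":
    for (ip, port), stats in analyze_backscatter(SAMPLE_LOG).items():
        print(f"{ip}:{port} answered forged requests: {stats}")
```

    With a real telescope the threshold would be far higher and the window would be measured in minutes, but the decision rule is the same: many reply segments from one service, fanned out over addresses that never sent anything, is the victim answering a spoofed flood.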

    1. Re:Backscatter by Roxy · · Score: 3, Interesting
      Some people even keep statistics of that noise.

      If you have any evidence, please feel free to submit it, as the comment as it stands is proof of nothing.

      Again, if you have evidence, submit it or submit a link to a place where evidence may be collected (and don't tell me SCO), and we'll look into it (you may even submit it directly to me if you like).

      Roland Buresund

      --
      -- Roland Buresund MBA, MCMI, CISSP
    2. Re:Backscatter by DavidMoore · · Score: 2, Informative
  62. sco.com - visit often! by Tool Man · · Score: 3, Funny

    Good idea, but just to make sure you get it all, you should mirror the contents. "wget -m" should do the trick, and when the site does get hosed, you'll already have a mirror to share with /. readers!

  63. Reality Series by lcde · · Score: 2, Funny

    I think /. should partake in a new reality series call "Just your average SCO". Where through a series of forums we can vote on what McBride does next. He will have to do whatever gets the most votes or is the coolest conspiracy.

    --
    :%s/teh/the/g
  64. They may be DoSed, but... by Svartalf · · Score: 2, Interesting

    ...what they're claiming is happening isn't or shouldn't be. They're claiming it is a SYN flood attack. Linux has SYN flood protection built in and has had this support since the middle-to-late 2.0.X kernels. Their website would be accessible, but slow to respond if it were an attempted SYN flood.

    I believe that a page request attack would saturate the links so you couldn't hit the FTP server, as would Fraggles and other DoS attacks. Most of them rely on the link being saturated or the IP stack being so overwhelmed by bandwidth that it just quits responding or the packets never get to the machine.

    If the FTP server is accessible, it's a low-bandwidth attack, and unless there's something new it's not a DoS- and if it's something new, the idiots at SCO can't tell their *sses from a hole in the ground because it's not a SYN flood.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  65. You are incorrect. by mindstrm · · Score: 4, Insightful

    I've dealt with huge synflood attacks, in the wild.
    Most of the things you say you think you know here are simply not true, I'm sorry.

    Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.

    First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. if you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.

    Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.

    Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.

    Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. only as long as it can keep up with the flood.. which when we are talking about gigabit speeds, is tough.

    In short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but that's far more engineering and resources than many even very large companies throw at their stuff.

    It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.

    Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..

    And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
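    The two posts above disagree about what the kernel's SYN flood protection buys you (Svartalf: the site should stay reachable; mindstrm: syncookies only lighten the load). As an added example that belongs to neither poster and is not the Linux implementation, here is a toy model of the classic SYN cookie scheme: the server answers every SYN with a sequence number that encodes a keyed hash of the 4-tuple plus a coarse time counter, stores nothing, and recreates the connection only when an ACK comes back carrying that cookie plus one. The listener also counts what a spoofed flood still costs it on the wire. All addresses, ports, the secret and the timestamps are constructed.

```python
"""Stateless SYN cookies: the backlog stays empty, but every SYN still costs a reply.

Added toy model of the Bernstein-style scheme (5 bits time counter, 3 bits MSS
index, 24 bits keyed hash). Not the Linux kernel's code; all values constructed.
"""
import hashlib
import hmac
import ipaddress
import random
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # MSS values the 3-bit index can encode
COUNTER_PERIOD = 64                   # seconds per time-counter step (classic scheme)


def _hash24(secret, src, sport, dst, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(src).packed, sport,
                      ipaddress.ip_address(dst).packed, dport, counter & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, sport, dst, dport, client_mss, counter):
    """Initial sequence number for the SYN-ACK: t(5) | mss_idx(3) | hash(24)."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above client's MSS
        if mss <= client_mss:
            mss_idx = i
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _hash24(secret, src, sport, dst, dport, counter)


def check_syn_cookie(secret, src, sport, dst, dport, ack_number, counter, max_age=1):
    """Validate the ACK of a handshake whose SYN was never stored; return MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (counter - t) & 0x1F            # counter steps since the cookie was minted
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None
    expected = _hash24(secret, src, sport, dst, dport, counter - age)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """A listening port that answers SYNs statelessly and counts what that costs."""

    def __init__(self, ip, port, secret):
        self.ip, self.port, self.secret = ip, port, secret
        self.synacks_sent = 0      # each SYN still consumes CPU and outbound bandwidth
        self.established = set()   # state appears only after a valid ACK

    def on_syn(self, src, sport, client_mss, now):
        """Reply with a SYN-ACK whose seq is the cookie; nothing is queued."""
        self.synacks_sent += 1
        return make_syn_cookie(self.secret, src, sport, self.ip, self.port,
                               client_mss, now // COUNTER_PERIOD)

    def on_ack(self, src, sport, ack_number, now):
        mss = check_syn_cookie(self.secret, src, sport, self.ip, self.port,
                               ack_number, now // COUNTER_PERIOD)
        if mss is None:
            return False
        self.established.add((src, sport, mss))
        return True


def legitimate_handshake(listener, src, sport, now):
    """A real client finishes the handshake: its ACK carries cookie + 1."""
    isn = listener.on_syn(src, sport, 1460, now)
    return listener.on_ack(src, sport, (isn + 1) & 0xFFFFFFFF, now)


def spoofed_syn_flood(listener, count, now, seed=1):
    """Forged-source SYNs: the replies go to hosts that never ACK (backscatter).
    Returns (SYN-ACKs the server had to emit, connections actually established)."""
    rng = random.Random(seed)
    for _ in range(count):
        src = str(ipaddress.ip_address(rng.getrandbits(32)))  # constructed forged source
        listener.on_syn(src, rng.randrange(1024, 65536), 1460, now)
    return listener.synacks_sent, len(listener.established)


if __name__ == "__main__":
    srv = SynCookieListener("203.0.113.10", 80, b"constructed-secret")
    print("real client accepted:", legitimate_handshake(srv, "198.51.100.7", 40000, 1000))
    print("flood (synacks_sent, established):", spoofed_syn_flood(srv, 5000, 1000))
```

    The flood leaves `established` untouched, which is the Svartalf side of the argument: no half-open queue fills up, so a real client's ACK still gets through. But `synacks_sent` climbs by one per forged SYN, which is mindstrm's side: the server still receives and answers every packet, and once the flood is measured in megabits rather than kilobits the cookie does nothing for the saturated link. Those SYN-ACKs to forged addresses are also exactly the backscatter the Florian Weimer post describes.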

    1. Re:You are incorrect. by Silvers · · Score: 4, Interesting

      In the article it states ftp.sco.com was responsive.

      That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.

      What options does that leave? An unprotected www server being SYN attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way it's just poor network engineering.

  66. Ok, let me think this one through... by iCoach · · Score: 3, Insightful

    I realize this is offtopic, but something just struck me... Let's look at the possible outcomes of the lawsuit

    A) SCO wins, Linux does in fact contain code that was copyrighted.
    - So now the Linux community is in shock. However if SCO wants to release ANY Linux software they will have to GPL the code or remove it - thus revealing it to the rest of the community allowing them to remove the offending code and making the lawsuit a moot point.

    B) SCO loses, the code doesn't exist, or was previously GPL'd by SCO.
    - SCO loses its entire customer base (never trust a traitor, not even one you create). And closes its doors or is sold on the cheap.

    C) Someone bails SCO out, buys everything before the lawsuit ends.
    - SCO doesn't sell cheaply, Daryl gets out with millions in "severance pay", Linux community moves on.


    You tell me where the lawsuit is going.

    -Coach

    --
    "Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
  67. Con job or cron job? by Roadkills-R-Us · · Score: 4, Funny

    Looks like both to me. Someone at SCO has a cron job running that starts a DDoS (SYN) attack against www.sco.com from their internal network, and sends out a press release at the same time.

    That way Darl doesn't even have to climb out of his lawyers' lap, where he spends the day happily napping and dreaming of Linus as his shoe shine boy.

  68. Traceroute by pfifltrigg · · Score: 2, Informative

    For what it's worth, yesterday I tried to access www.sco.com, and when I found that I couldn't I attempted a traceroute to the site. The traceroute died in the innards of alter.net. For what it's worth.

  69. SCO's defense by Unnngh! · · Score: 4, Insightful

    It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.

  70. This tactic shouldn't be too unexpected by Garwulf · · Score: 3, Insightful

    Well assuming that it is a hoax (and, being the cautious type, I do have to concede the possibility that it may be legitimate - stranger things have happened), I honestly don't find myself terribly surprised that they have taken this route.

    If you really look at it, SCO has been trying to create an atmosphere of fear - all of which was brought to an abrupt end when the judge commanded them to put up or shut up, essentially. I don't know if they could issue another press release about how their IP is in Linux without irritating the judge, which would destroy any chance they have of actually winning the case.

    So, how do you continue to remain active and relevant?

    Well, if they can demonstrate that this attack came from the open source community, they can gain some public support, which puts pressure on IBM (as they are representing open source), all without even mentioning the oft-repeated "SCO IP is in Linux" line.

    It could even be elegant, if SCO hadn't blown the case out of proportion with their press blitz and threats earlier.

    --
    Robert B. Marks
    Author, Demonsbane in Diablo Archive
  71. How long before archive.org is DMCA'ed? by ONU+CS+Geek · · Score: 2, Interesting

    Now, I don't want to speculate into the cause of the SCO outage, however, my guess is that SCO's taking the time to weed out some of the information that they've distributed.

    They've realized that they're totally fuxored, and they're abandoning ship, right?

    *wishful thinking*

    --

    I disable sigs...do you?
  72. /public/private by anderiv · · Score: 2, Funny
    Warning: mysql_connect(): Can't connect to MySQL server on 'mysql2.ibiblio.org' (110) in /public/private/groklaw/system/databases/mysql.class.php on line 108 Cannnot connect to DB server
    Anyone else see a contradiction in the path of groklaw's mysql db?
  73. Interesting.. by r13 · · Score: 2, Interesting

    when combined with the fact that the last time they changed IP's (according to Netcraft) was around the end of August, which was the last time they experienced a "DDoS".....

    r13

  74. A working SCO website by Dr_Swizz · · Score: 3, Informative
    I found a perfectly working SCO website at http://216.250.128.10/

    enjoy

  75. MOD PARENT UP! TREASON UNCLOAKED! by buford_tannen · · Score: 3, Informative

    www.sco.com resolves to 216.250.128.10, just two hosts away from the IP address in parent.

    http://216.250.128.10

    Why do you think sco hopped IP addresses?
    HMMMMMM?

    Buford "Maddog" Tannen is fighting mad! And I hate that name too, so now I'm even madder!

    --
    Buford "Mad Dog" Tannen
  76. Oops by mummers · · Score: 2, Funny

    Misread this and thought SCO were going to sue DOS developers.

    --
    --This isn't a man who is leaving with his head between his legs.
  77. No more techs by EmbeddedJanitor · · Score: 2, Funny

    I guess the inability to understand what is happening comes from firing all the technical staff and replacing them with lawyers.

    --
    Engineering is the art of compromise.
  78. Re:There may be some truth. Our network may be a p by adamfranco · · Score: 2, Informative

    I just got a response from our admin, the worm is Gaobot. That's all I know at this time.

    --
    "When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
  79. *This* guy did IT for AUS's DOD?!?!?! by scosol · · Score: 2

    You've got to be shitting me:

    "Dealing with a DDoS attack when your bandwidth is NOT eaten up is fairly simple. A quick and dirty script to read your firewall log(s) for incoming addresses that are trying the SYN attacks is fairly easy. Adding those IP addresses to a quick block list is also easy.

    "Problem just goes away."


    When you're talking about a simple SYN flood, these addresses can all be random spoofs anyway. There's no dependence on connection-setup or anything. All you need to do is get that first packet through and you can do that with spoofed IPs, so a block list is worthless- unless you just block everyone-

    Yeah- block everyone, then the "problem just goes away"-
    Stick to law, Groklaw :)

    --
    I browse at +5 Flamebait- moderation for all or moderation for none.
  80. Other press releases by logicnazi · · Score: 2, Interesting

    So how often have you guys seen other companies' press releases that get the technical facts disastrously wrong? Why would SCO be any different? More than likely the message got screwed up by the time it made it to the press release.

    Think about it: first of all, SCO has no motive to engage in any kind of DoS attack against themselves. Even if this attack would reflect badly on the open source community (instead of making them look like Robin Hood), SCO's fate rests entirely at trial. Moreover, IF SCO had decided to lie about an attack, they wouldn't have made it a *successful* attack. They would have just issued a press release saying they were the target of a DDoS but their software/whatever prevented any damage. Even disregarding this, if this was a hoax of their own making, why would it last so long?

    At the end of the day SCO still wants the software it is running to seem technically good. After all if no one is using linux who pays royalties? Faking this kind of attack is simply against their interest.

    Could it have been an ordinary fuck-up that they claim was a DDoS? Well certainly, however given the fact that other systems on their net were working fine I find it tough to swallow that the sysadmins couldn't just switch to another server (unless they were protesting SCO's legal attacks).

    So while it is a *possibility* that SCO just had a network glitch we have no more reason to believe they are lying about the DDoS than when any other company claims to be such a victim. In fact as SCO is more likely to be such a victim (given the anger it has stirred up) their claim of a DDoS is even more reasonable than that of a generic company.

    Is it not eminently more reasonable that some non-tech PR person screwed up on the technical details rather than some sort of convoluted conspiracy? It's far more believable that Johnson killed Kennedy than this crap.

    --

    If you liked this thought maybe you would find my blog nice too:

  81. Possible reason by freakmn · · Score: 2, Funny

    The IT Department couldn't afford to pay the sales department $699 for each server, so they took one down. They figured nobody would notice, as they haven't come up with anything new recently.

    --
    warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
  82. CAIDA Analysis of SCO DoS Attack by DavidMoore · · Score: 2, Informative
    At 3:20 AM PST on Wednesday, December 10, 2003, the CAIDA Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second. Around 2:50 AM PST Thursday morning, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning (Thursday December 11, 9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second.

    For more information (and graph of attack), see CAIDA's writeup.
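
An added example, not from the CAIDA writeup or from any poster here, showing how a network telescope infers a SYN flood from backscatter (comment 82) and why that same backscatter proves the flood's source addresses were forged, which is the point of comment 79. The telescope prefix, the record format and the sample packets are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed stand-in for the telescope prefix (CAIDA's real one is not on the page).
# A /8 is 1/256 of IPv4, so each reply seen here stands for ~256 the victim sent.
TELESCOPE = ip_network("10.0.0.0/8")
SCALE = 2 ** TELESCOPE.prefixlen  # 256 for a /8
# What a victim sends back to a forged SYN source: SYN-ACK, or RST if the port is closed.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}

def is_backscatter(dst, flags):
    # The telescope never sends SYNs, so any reply landing in it is unsolicited.
    return ip_address(dst) in TELESCOPE and flags in BACKSCATTER_FLAGS

def analyze(lines):
    """lines: constructed 't src sport dst flags' records captured at the telescope."""
    per_victim = defaultdict(lambda: {"n": 0, "t": set(), "dst": set()})
    for line in lines:
        if not line.strip():
            continue
        t, src, sport, dst, flags = line.split()
        if not is_backscatter(dst, flags):
            continue  # e.g. someone scanning the telescope with plain SYNs
        rec = per_victim[(src, int(sport))]
        rec["n"] += 1
        rec["t"].add(int(t))
        rec["dst"].add(dst)
    out = {}
    for key, rec in per_victim.items():
        window = max(rec["t"]) - min(rec["t"]) + 1
        out[key] = {
            "observed": rec["n"],
            "est_pps": rec["n"] / window * SCALE,
            # every distinct telescope address that got a reply is a source the
            # attacker forged; that is why a per-IP block list cannot keep up
            "spoofed_sources": len(rec["dst"]),
        }
    return out

# Constructed sample: a web-server flood in seconds 1-2, one ftp reply, two non-backscatter packets.
SAMPLE = """\
1 192.0.2.10 80 10.1.2.3 SA
1 192.0.2.10 80 10.44.5.6 SA
1 192.0.2.10 80 10.7.8.9 SA
2 192.0.2.10 80 10.16.17.18 SA
2 192.0.2.10 80 10.19.20.21 SA
2 192.0.2.20 21 10.31.32.33 RA
3 198.51.100.5 80 10.34.35.36 S
2 192.0.2.10 80 203.0.113.9 SA
""".splitlines()
```

Running `analyze(SAMPLE)` attributes five replies over two seconds to 192.0.2.10:80, an estimated 640 SYNs per second behind the /8 sample, and shows five distinct forged sources for five packets.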

  83. Judge's ruling on discovery by Animats · · Score: 2, Insightful
    Here's a key excerpt of how things are going against SCO.
      MR. MCBRIDE:

      Thank you, Your Honor.

      Frankly, we can appreciate the intention of the Court based on the submissions and understand the basis for it. We think, Your Honor, however, that in a few minutes this morning we can convince you that the more appropriate path is to follow a rule or an outline of the rule in Rule 3 3 that basically says that because the issues involved in this discovery involve a complex interplay between facts and law, that instead of granting the motion, what the Court should simply do is put the motion on hold until very specific discovery has been identified and produced and then make a ruling. And before I address this -- [judge interrupts] yes, Your Honor?

      THE COURT:

      No.

      What I was going to say, Mr. McBride, is that in reviewing all the submissions and reviewing the pertinent case law, it appears to me that what is happening is somewhat circular in that defendant indicates that it cannot answer plaintiff's interrogatories until plaintiff has identified the source codes, et cetera, but the manner in which those have been submitted make it, I believe, unduly burdensome on the defendants and so we go 'round and 'round.

      And I find also that it appears to me that if there's any argument to be made on the failure to confer under Rule 37 that -- that there has been a good faith effort to comply, but that because we can't get off the ground because of this circular problem, that I would not find that a sufficient basis for, you know, further postponing.

    There are hours of argument you can read through, in which SCO proposes novel legal theories under which they don't have to specifically identify infringing material. The judge doesn't buy this at all.

    I suspect that SCO will not produce specific infringing material in thirty days. That will lead to an appeal from the magistrate judge to the district judge. Then it gets complicated. SCO may try to litigate their concept of discovery at the appeals court level before proceeding to trial. That's usually not allowed, but there are exceptions to that rule and some of what SCO's lawyers are saying hint that they may try to go in that direction.

    Fundamentally, once SCO's novel theory of vague infringement gets knocked down, it's all over for them. So we'll see all sorts of maneuvering to keep it alive. But so far, they lost the first round.