Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

39 of 510 comments

  1. Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 5, Funny

    It wouldn't be an over-exaggeration to say that the bulk of SCO-related talk happens here on Slashdot. Even the NY Times and other mainstream media frequently refer to Slashdot when they need a quote from the "open-source community", "Linux users" or whatever other group is mentioned in the article. Thus any DDOS attack organization probably wouldn't go unnoticed on this site.

    So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.

    1. Re:Let's do a Slashdot insta-poll by lactose_incarnate · · Score: 5, Funny

      Yeah, I've been illegally attacking servers. Heh, who is going to answer that question?

    2. Re:Let's do a Slashdot insta-poll by grub · · Score: 5, Informative

      have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.

      That's specious logic.

      A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.

      --
      Trolling is a art,
    3. Re:Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 5, Funny
      have you or any friends of yours taken part in SCO DDOS attack?

      Well I tried to view their website after this was mentioned on Slashdot. Does that count?

      Disclaimer : many of the others participating in the Slashdotting are not my friends

    4. Re:Let's do a Slashdot insta-poll by pyros · · Score: 5, Funny

      have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.

      That's specious logic.

      A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.

      I'm intrigued by your ideas, and would like to subscribe to your newsletter.

    5. Re:Let's do a Slashdot insta-poll by Boing · · Score: 5, Funny
      So here's a question - have you or any friends of yours taken part in SCO DDOS attack?

      Nice try, Darl.

    6. Re:Let's do a Slashdot insta-poll by geoffspear · · Score: 5, Funny
      Sure, it may seem simple to you, but if you were running a business you'd probably think it made sense to sell a product instead of spending millions of dollars on flimsy lawsuits against corporations with virtually limitless resources to throw at legal defense and countersuits.

      Anyway, my point was that it's not fair to assume they're lying just because a smart person could circumvent the attack. It's equally probable that they're stupid and telling the truth.

      --
      Don't blame me; I'm never given mod points.
  2. Press release? by grub · · Score: 5, Insightful


    If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.

    --
    Trolling is a art,
    1. Re:Press release? by Blahbbs · · Score: 5, Funny

      SCO probably submitted this story to Slashdot in order to DDoS GrokLaw's web site.... It's working, isn't it?

    2. Re:Press release? by Unfallen · · Score: 5, Interesting

      Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.

      Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"

  3. Soon... by Anonymous Coward · · Score: 5, Funny

    SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.

    1. Re:Soon... by KilobyteKnight · · Score: 5, Funny

      SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.

      Clearly, the letters "D", "o", and "S" are part of SCO IP.

      "S" is the first letter in their company name. "D", being the letter after "C", is obviously a derivative work of the second letter. "o" is simply an attempt to hide the misuse of the third letter "O".

      Unquestionably, SCO owns DDoS.

      --
      When will Windows be ready for the desktop?
    2. Re:Soon... by mgg4 · · Score: 5, Funny

      Clearly, the letters "D", "o", and "S" are part of SCO IP.

      Actually, I thought the letters were "P", "o", and "S".

      --
      -- This space for rent.
  4. SYN attacks are not bandwidth hogs by Space cowboy · · Score: 5, Insightful

    or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)

    The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???

    Simon

    --
    Physicists get Hadrons!
    1. Re:SYN attacks are not bandwidth hogs by mrpuffypants · · Score: 5, Funny

      who in their right mind merges the public internet server and internal intranet server ???

      who in their right mind sues IBM???

  5. Full text: in case of slashdotting by Anonymous Coward · · Score: 5, Informative

    Wednesday, December 10 2003 @ 04:37 PM EST

    SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.

    The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.

    First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?

    I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.

    Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:

    "SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.

    "Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.

    "A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.

    "In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.

    "As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.

    Why hasn't SCO applied them?

    Further SCO States:

    "'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'

    "Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).

    "Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.

    "The evidence then, is that their bandwidth is fine.

    "So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.

    "I feel quite
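
The two technical points made above (grub's note that a SYN flood needs almost no bandwidth, and McInerney's point that the kernel-side fix has long existed) can be checked from the host itself. The following is an added example, not code from the thread, Groklaw or McInerney: it counts half-open connections per listening port in `ss -tan` style output (the pile-up a flood leaves when the backlog fills) and reads `net.ipv4.tcp_syncookies` from sysctl output. The `ss` lines, the addresses in them and the sysctl values are constructed for the example; the column layout follows what `ss -tan` prints.

```python
"""Spot SYN-flood symptoms in the connection table and check the kernel mitigation.

Added example, not from the Slashdot thread. The sample `ss -tan` and `sysctl`
output below is constructed; the addresses are from the documentation ranges.
"""
from collections import Counter
from typing import Dict, List

# Constructed `ss -tan` output: State Recv-Q Send-Q Local Peer (process column omitted).
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN     0      128    0.0.0.0:80            0.0.0.0:*
SYN-RECV   0      0      203.0.113.10:80       198.51.100.7:3321
SYN-RECV   0      0      203.0.113.10:80       192.0.2.44:1040
SYN-RECV   0      0      203.0.113.10:80       198.51.100.91:6000
SYN-RECV   0      0      203.0.113.10:80       192.0.2.200:2222
ESTAB      0      0      203.0.113.10:22       192.0.2.9:55000
SYN-RECV   0      0      203.0.113.10:21       192.0.2.77:4444
"""

# Constructed `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog ...` output.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
"""

HALF_OPEN_STATES = {"SYN-RECV", "SYN_RECV"}  # ss spells it with '-', netstat with '_'


def syn_recv_by_port(ss_output: str) -> Dict[int, int]:
    """Count half-open (SYN-RECV) connections per local port."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in HALF_OPEN_STATES:
            continue
        local = fields[3]                      # e.g. 203.0.113.10:80 or [::1]:80
        port = int(local.rsplit(":", 1)[1])
        counts[port] += 1
    return dict(counts)


def flooded_ports(ss_output: str, threshold: int = 3) -> List[int]:
    """Ports whose half-open count reaches the threshold (a symptom, not proof, of a flood)."""
    return sorted(p for p, n in syn_recv_by_port(ss_output).items() if n >= threshold)


def syncookies_enabled(sysctl_output: str) -> bool:
    """True when net.ipv4.tcp_syncookies is set to 1 in the given sysctl output."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.ipv4.tcp_syncookies":
            return value.strip() == "1"
    return False


if __name__ == "__main__":
    print("half-open per port:", syn_recv_by_port(SAMPLE_SS))
    print("ports over threshold:", flooded_ports(SAMPLE_SS))
    print("syncookies on:", syncookies_enabled(SAMPLE_SYSCTL))
```

One caveat when reading the output: once SYN cookies are active the kernel stops keeping state for unanswered SYNs, so a flooded host with the mitigation enabled shows few SYN-RECV entries; the pile-up is a symptom only of a host that lacks the mitigation or whose backlog has not yet overflowed.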

  6. DDOS..... by Vengie · · Score: 5, Funny
    Blake Stowell was quoted as saying, "From preliminary research, we appear to be under some form of 'Slashdot Effect' -- involving both duplicate stories and annoying links."
    --
    When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
  7. slashdotted already. by RobertTaylor · · Score: 5, Funny

    "SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really?"

    Groklaw certainly has just been ;)

    Cheers,
    rob.

  8. Very strange is this; reported BEFORE it happened? by Anonymous Coward · · Score: 5, Interesting

    stolen from: http://www.newsforge.com/business/03/12/11/1315246.shtml?tid=85

    Very strange is this; reported BEFORE it happened?
    by Anonymous Reader on 2003.12.11 12:54 (#81456)
    I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.

    The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alleged attack even took place?!

  9. ftp.sco.com by Hug Life · · Score: 5, Interesting

    What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
    But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
    Just more ham-handed FUD from Darl and friends.

    1. Re:ftp.sco.com by delta407 · · Score: 5, Informative
      What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
      Right now, www.sco.com (216.250.128.12) and ftp.sco.com (216.250.128.13) -- both mentioned in the Groklaw post -- are down. I can second your observation that ftp.sco.com was up prior to this hitting the press, implying that something fishy is happening.

      Even more fishy: ftp.dev.caldera.com (216.250.128.14) was not mentioned in the post, but is on the same subnet as www and ftp.sco.com. Guess what? It's quite responsive at refusing anonymous logins. Plus, ftp.beta.caldera.com (.15), ftp.iso.caldera.com (.16) work just fine:
      $ time wget ftp://ftp.iso.caldera.com/MIRRORS -O /dev/null
      --12:58:08-- ftp://ftp.iso.caldera.com/MIRRORS
      => `/dev/null'
      Resolving ftp.iso.caldera.com... done.
      Connecting to ftp.iso.caldera.com[216.250.128.16]:21... connected.
      Logging in as anonymous ... Logged in!
      [lameness filter]
      ==> PORT ... done. ==> RETR MIRRORS ... done.
      Length: 792 (unauthoritative)

      12:58:09 (773.44 KB/s) - `/dev/null' saved [792]

      real 0m0.893s
      user 0m0.005s
      sys 0m0.006s
      That's a 0.9-second FTP session. Guess what else? Despite .15 and .16 being up, ftp2.sco.com (.17) is down, presumably from the same DDoS.

      Something doesn't add up.
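
The check delta407 runs by hand above (does the neighbouring address on the same subnet still answer while the target does not?) is worth automating, because it separates a link saturated by traffic from a single host that is down. The following is an added example, not code from the thread: it times a plain TCP connect to each host in the list and classifies the pattern. The host names and addresses are the ones quoted in the thread; `connect` is injectable so the classification can be exercised without network access.

```python
"""Compare reachability of neighbouring hosts on one subnet.

Added example, not from the Slashdot thread. Bandwidth exhaustion on a shared
link should degrade every host behind it; a host-local problem should not.
"""
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# (name, address, port) triples; these are the hosts and addresses quoted in the thread.
NEIGHBOURS = [
    ("www.sco.com", "216.250.128.12", 80),
    ("ftp.sco.com", "216.250.128.13", 21),
    ("ftp.dev.caldera.com", "216.250.128.14", 21),
    ("ftp.beta.caldera.com", "216.250.128.15", 21),
    ("ftp.iso.caldera.com", "216.250.128.16", 21),
    ("ftp2.sco.com", "216.250.128.17", 21),
]


@dataclass
class ProbeResult:
    name: str
    address: str
    port: int
    seconds: Optional[float]  # None when the handshake did not complete (timeout or refusal)


def tcp_connect_seconds(address: str, port: int, timeout: float = 5.0) -> Optional[float]:
    """Time a TCP three-way handshake; None if it did not complete within the timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def probe_subnet(targets, connect: Callable[[str, int], Optional[float]] = tcp_connect_seconds) -> List[ProbeResult]:
    """Probe every (name, address, port) in targets with the given connect function."""
    return [ProbeResult(name, addr, port, connect(addr, port)) for name, addr, port in targets]


def assess(results: List[ProbeResult], target_name: str) -> str:
    """Classify the outage pattern seen from the probing vantage point.

    'up'   - the target itself answered;
    'host' - the target did not answer but at least one neighbour did, which argues
             against the shared link being saturated;
    'link' - nothing on the subnet answered, consistent with bandwidth exhaustion
             (or with a filter upstream of the whole block).
    """
    target = next(r for r in results if r.name == target_name)
    if target.seconds is not None:
        return "up"
    others = [r for r in results if r.name != target_name]
    return "host" if any(r.seconds is not None for r in others) else "link"


if __name__ == "__main__":
    results = probe_subnet(NEIGHBOURS)
    for r in results:
        state = "no answer" if r.seconds is None else f"{r.seconds * 1000:.0f} ms"
        print(f"{r.name:22} {r.address:16} :{r.port:<3} {state}")
    print("pattern:", assess(results, "www.sco.com"))
```

Only the TCP handshake is measured, so a host that accepts the connection and then refuses anonymous FTP logins (as .14 did in the post) still counts as reachable, which is the right reading here: the question is whether packets get through the link, not whether the service is open. A single vantage point can still be fooled by an upstream filter that drops traffic to one address only, so the 'host' verdict is evidence, not proof, that bandwidth was not the problem.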
  10. What really happened by Virtex · · Score: 5, Funny

    SCO's web site was only designed to handle one person at a time. Until recently, it worked well enough, but recently two people tried to access the web site simultaneously. This, of course, brought down their server. And since the two people were located at different locations, it was distributed; hence, we have a distributed denial of service (DDoS) attack.

    And now you know the real story.

    --
    For every post, there is an equal and opposite re-post.
  11. Re:Groklaw, security expert? by Dav3K · · Score: 5, Informative

    Your thoughts would be correct. However, had you read the article, you would have noted that multiple COMPUTER SECURITY EXPERTS were consulted for feedback on the issue.

    Silly grasshopper.

  12. Why are they faking a DDoS attack? by Ramsés Morales · · Score: 5, Insightful

    I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.

    Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.

    Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.

    And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.

  13. Letter to Netcraft by TWX · · Score: 5, Interesting

    Netcraft had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:

    To: webmaster@netcraft.com
    Subject: News on your front page

    You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.

    groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:

    http://www.groklaw.net/article.php?story=20031210163721614

    Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.

    Thank you for your time,
    TWX


    Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.

    --
    Do not look into laser with remaining eye.
  14. Maybe all just a DNS problem? by PB8 · · Score: 5, Informative
    So, this was not the real truth?


    SCO Experiences Distributed Denial of Service Attack


    It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?


    SCO Grows Your Business http://216.250.128.20 vs the old address of 216.250.128.13?


    Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws

  15. Step 1 by gspeare · · Score: 5, Funny

    I'm sure this is just an overture to...

    Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!

  16. Re:netcraft by tomhudson · · Score: 5, Insightful
    poster wrote:
    In fact - according to Netcraft - they are using Linux.
    If you read the comments at groklaw, you'd see that they (SCO) are now running "unknown/apache" instead of "linux/apache", and that their web site had LOTS of changes.

    The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. Rather than admit it, they claimed a DoS attack.

  17. Re:Very strange is this; reported BEFORE it happen by ianc7 · · Score: 5, Funny

    Later SCO will claim that this is the same server that held the only copy of their mountain of evidence and all of their source code too.

  18. How convenient by Dunark · · Score: 5, Interesting

    SCO was taking a publicity beating on several fronts:
    - They got an unfavorable ruling WRT discovery on Friday
    - The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour; he just stands to get a big bonus under certain conditions.
    - Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
    - SCO has to delay their earnings announcement by two weeks to screw around with the numbers.

    Needless to say, SCOX stock price dives, and lo and behold, an attack on SCO's website suddenly becomes the top SCO news item and buries all the other bad news. How fortunate!

  19. There may be some truth. Our network may be a part by adamfranco · · Score: 5, Informative

    This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using students' computers to participate in a DDOS attack. The compromised computers were spoofing random ip addresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.

    I don't have confirmation that they were trying to hit SCO, but this headline jibes.

    --
    "When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
  20. Newspurge by eddy · · Score: 5, Insightful

    The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compel hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to believe Boies is on a contingency (apparently that implies 'faith in the lawsuit').

    Where is that now? Gone.

    Instead we have stories about poor, poor SCO being attacked by those evil linux users.

    How many companies release Press Releases about being under attack?! On the same day, no less!

    --
    Belief is the currency of delusion.
  21. It wasn't a DDOS by AndroidCat · · Score: 5, Funny

    It was all their remaining technical people sending out floods of job applications.

    --
    One line blog. I hear that they're called Twitters now.
  22. The Press Sucks! by big-giant-head · · Score: 5, Insightful

    Most members of the press are as interested in the truth as Darl McBride is, and they are equally competent in technology matters.

    Face it, a bunch of angry hackers attacking SCO makes a better story than the truth. Especially using the 10 word headline format that is so prevalent in the US.

    --

    So Long and Thanks for all the Fish.
  23. Re:Speculation for Nerds. Hardly matters. by Trepalium · · Score: 5, Interesting
    Well how about this, someone DoS's you, and your Intranet and support desk goes down? That's pretty damn peculiar. I see three options. Either they're lying, they're incompetent, or it's an inside job. Their ISP is treating the attack like a standard DDoS attack, by blocking it far upstream, and BS comes to the press and tries to be technical and call it a "SYN attack". SCO claims their mail system was knocked down, but their webserver doesn't even act as a mail server (it's mail.ut.caldera.com [216.250.130.2], not www.sco.com [216.250.128.12]). They don't even have a secondary MX in this case.

    SCO's victim story doesn't add up, and it doesn't make sense.

    --
    I used up all my sick days, so I'm calling in dead.
  24. Re:netcraft by kosmosik · · Score: 5, Informative

    they recompiled apache so it doesn't reveal the host OS
    You don't have to recompile Apache to make it not reveal OS. ServerTokens (AFAIR) Directive is for setting this. Rather you need to recompile kernels to spoof TCP/IP fingerprints that are used to reveal OS running on host.

  25. Fund Groklaw by blunte · · Score: 5, Insightful

    I think we should have an informal fund raiser for groklaw.

    They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").

    So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.

    --
    .sigs are for post^Hers.
    1. Re:Fund Groklaw by turambar386 · · Score: 5, Informative

      Her.

      Groklaw is run by a chixx0r.

  26. Backscatter by Florian Weimer · · Score: 5, Informative

    It's astonishing that rumors spread like wildfire if the facts are so easy to check.

    If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter (sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.

    And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
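
The backscatter observation above is the one piece of evidence in this thread that can be gathered without touching SCO's hosts at all, and the detection logic behind it is short. The following is an added example, not code from the thread or from Florian Weimer: it takes packet records seen at a sensor covering an unused address block, keeps only reply-type packets (SYN-ACK or RST, which nobody in that block could have solicited), and reports the sources that are answering to many different unused addresses. The packet records are constructed; the monitored block is the 198.51.100.0/24 documentation range, and the two "victim" addresses are those quoted in the thread.

```python
"""Backscatter analysis over a darknet (unused address space).

Added example, not from the Slashdot thread. A server flooded with SYNs carrying
forged source addresses answers each one with a SYN-ACK (or a RST for a closed
port) sent to the forged address. When forged addresses fall inside a block that
nobody uses, a sensor watching that block sees replies to requests it never sent.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

DARKNET = ipaddress.ip_network("198.51.100.0/24")   # constructed: the monitored unused block

# tcpdump-style flag strings: "S" SYN, "SA" SYN-ACK, "R" RST, "RA" RST-ACK.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


@dataclass
class VictimReport:
    source: str
    packets: int
    distinct_targets: int
    first_seen: float
    last_seen: float


def constructed_sample() -> List[Packet]:
    """Constructed sensor records: two flood victims, one stray RST, one scanner."""
    pkts = []
    # Web server replying from port 80 to eight unrelated unused addresses.
    for i in range(8):
        pkts.append(Packet(100.0 + i, "216.250.128.12", 80, f"198.51.100.{10 + i}", 1024 + i, "SA"))
    # FTP server replying from port 21 to six unused addresses.
    for i in range(6):
        pkts.append(Packet(200.0 + i, "216.250.128.13", 21, f"198.51.100.{50 + i}", 2000 + i, "SA"))
    # A host resetting one stray probe: a single destination, not a flood pattern.
    pkts.append(Packet(300.0, "203.0.113.5", 22, "198.51.100.77", 3333, "RA"))
    # A scanner sending SYNs into the block: unsolicited, but not backscatter.
    for i in range(10):
        pkts.append(Packet(400.0 + i, "203.0.113.9", 40000 + i, f"198.51.100.{100 + i}", 445, "S"))
    return pkts


def analyse_backscatter(packets: Iterable[Packet], min_targets: int = 5) -> Dict[str, VictimReport]:
    """Report sources whose reply-type packets reach at least min_targets unused addresses."""
    stats: Dict[str, VictimReport] = {}
    targets = defaultdict(set)
    for p in packets:
        if ipaddress.ip_address(p.dst) not in DARKNET or p.flags not in BACKSCATTER_FLAGS:
            continue
        targets[p.src].add(p.dst)
        rep = stats.setdefault(p.src, VictimReport(p.src, 0, 0, p.ts, p.ts))
        rep.packets += 1
        rep.first_seen = min(rep.first_seen, p.ts)
        rep.last_seen = max(rep.last_seen, p.ts)
    for src, rep in stats.items():
        rep.distinct_targets = len(targets[src])
    return {src: rep for src, rep in stats.items() if rep.distinct_targets >= min_targets}


if __name__ == "__main__":
    for rep in analyse_backscatter(constructed_sample()).values():
        print(f"{rep.source}: {rep.packets} reply packets to {rep.distinct_targets} unused "
              f"addresses between t={rep.first_seen:.0f} and t={rep.last_seen:.0f}")
```

Two properties of the method follow from the code: it identifies the victim (the source of the replies) and says nothing about who sent the forged SYNs, since those addresses are fabricated; and the counts are a sample, because only the fraction of forged addresses that happen to land in the monitored block ever produce a visible reply, which is why the post above needs tens of thousands of addresses to see "most" such attacks.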