SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
poor little darl..... :)
. . . that's just the slashdot effect. . .
So? WTF would anyone here care?
I told you so.
-dk
Great! now they get headlines simply by *not* lying
We all know that SCO paid this security expert to say SCO was attacked...they are trying to make the OSS community look bad!
.... where did the synflood come from?
Jaysyn
There is a war going on for your mind.
Ha-ha!
Last I checked a T1 was 1.544 mbps up and down; this would be more like the equivalent of half of a T3.
What?
Thank you for telling nothing, we knew this already. Is Slashdot making news for the sake of it?
Quick! Someone start knitting Satan a sweater!
libertarianswag.com
You first Michael! Go tell Darl how sorry you really are.
whether they're inept enough to leave themselves open to this sort of thing or if they're welcoming DDOS attacks with open arms for one reason or another...
Then maybe they are telling the truth about the other stuff too.
Oops, oh well. SCO still sucks.
What if SCO orchestrated this themselves? It wouldn't be hard for them to attack themselves and then play sick.
puts ("Python r0cks\n");
The only result of this kind of attack will be tarnishing of the image of Open source developers. But, there is nothing much anyone can do about it.
New year Resolution: Don't change sig this year
SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?
I'd rather see these two sites get taken down more than SCO.
If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
WWJD?
JWRTFM!
Well I guess the lying or incompetent question has been settled.
You say
this isn't surprising in the slightest
It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".
Stay tuned for new sig...
or third post. idiot
Or to put it another way, they weren't lying, they're just stupid?
Serve Gonk.
...SCO Must Prove Existence Of Santa Claus in Thirty Days
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Everyone gets DoS'd, they should be happy it stopped.
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncture, I don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.
Attack or no attack is a trivial question compared to what we really know about SCO and their business practices.
SCO freaking what!
Are they sure it wasn't a SIN flood?
paied. Does it hurt to take an english class while you're in school?
...we're sorry, SCO.
We were wrong. Oops. Shame on us. You still suck, we still hate you, and you're still going to corporate hell on the first bus we can arrange to ship your sorry asses there. But we jumped the gun on this one (the boy who cried wolf, SCO -- you cry and you cry and then it really happens, someone really does attack you), and for second-guessing your apparently legitimate claim of a DoS, we're sorry.
Posting anonymously because I haven't commented on SCO yet, and I don't plan to again.
I think that's the way SCO articles should be posted. Normally, we should assume they are lying, but if we find that they tell the truth about something, then the headline should read,
"SCO not lying, again." Assuming they tell the truth about something again in the future, and that's a big assumption.
Drill baby drill - on Mars
You Fail it!!
u fale et!!!
Yuo phail it!
You fail it!!
!!ti liaf uoy
Or do like the other trolls and hide your inability in 1337 sp34k.
CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.
20Mbps is less than half a DS3.
You fail it so miserably I'm not even going to waste time making fun of you. Actually, I feel sorry for you. It is doubtful whether anyone has ever been a bigger failure than you just became. Truly a failure icon.
Why on earth did SCO respond to 700 million SYN packets? If there was even a moderate level of SYN protection turned on they would have just dropped the majority of those packets, and the bandwidth usage would be half.
Is there any site that you can go to to see what traffic loads are currently like on the major backbones and ISPs? My connection has been really slow for a couple of days, and I'm wondering if it's just my connection or if there's some huge DDoS going on right now....
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villains.
I'd buy that one.
so, all of that speculation about an attack -necessarily- also taking out the ftp server at the same time ... what was up with that? 20mbps isn't enough to fill up a simple 100mbps local network. if the ds3 was their entire pipe, and the ftp server was in there too, you shouldn't have been able to get to the ftp server.
there are some pipe sizes i wouldn't mind having explained. nice diagram of how one side filled up and the other didn't? completely separate, and people are just dolts?
it's an honest question, i swear.
The 'T3' as you call it is also generally known as a DS3, that's what was referenced. The bandwidth was 20/mbit *each* way. Meaning it was 40mbit/sec of bandwidth, or for all practical purposes, a complete DS3 since under real world conditions and a SYN attack you probably won't actually get 40mbit/sec...
They should claim ownership of all IP stacks and charge threaten to sue for damages of $0.99 for each and every packet sent from an unlicensed stack.
-- Fighting mediocrity one bad post at a time.
paid. Didn't you take English?
SCO was hit with a 50,000 packet-per-second SYN flood peak
...
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there are another aspect to consider : whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno for you, but I know where my money would go if I had to bet
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I said yesterday, Groklaw (a *LAW* site) was not an authority on computer attacks.
I was mod'ed troll.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
The attack was just short of half a DS3 Line.
DS3 Line = 44.736Mbps for those of you who need a definition
-Certified TechnoWeinie
Not an editor command: ZZ
And just what do these childish OS hackers expect to gain from this? It is not like it is going to change anything. Yes they are suing people using Linux. But that's one of the problems with open source. If there is a legal issue with the code then it's your problem. That is one of the great things about Microsoft. At least when you are using their software, you know that you will have Microsoft's army of lawyers to defend any legal issues there may be with the code.
Which is cheaper, buying windows, or spending months in trial?
Then please kindly explain why the website was still available at http://216.250.128.20/?
Maybe we deserve this world ?
After all, SCO does own DR-DOS, and sued M$ for millions as part of a settlement. If there is any DOS attack, who else will be more qualified?
dear Twink,
The CLiT has sent me, as AC, to inform you that you are not:
a.) first
b.) properly logged in
c.)allowed to cunt roast
thank you for your time,
Cabal of Logged in Trolls
that still doesn't mean they did not initiate the attack themselves.
That just means they're incompetent. They should have had the company's internal network separated from their "outside" network (ftp, web servers, etc). They knew they were going to be the targets of these attacks, why didn't they purchase more bandwidth? They're swimming in $50 million dollars from that Canadian bank, why not spend a million on their network? After all, they are SUPPOSED to be a software company, and you would think a software company with half a collective brain would be able to ride out a DDOS.
Oh well, SCO will be gone in less than a month, so we won't have to bother with this anymore...
...and by consuming all of the bandwidth of the network connecting the servers to the Internet. The current attack successfully blocked access to SCO web and ftp servers.
Actually, there seems to be something wrong here. During the attack, while I could not get to their web server, I found that their FTP server was much more responsive than most ftp servers I use. This means that they had some (lots?) bandwidth available.
Opus: the Swiss army knife of audio codec
I bet you "Holier-than-thou" uber-nerds feel stupid now! I hope you get hit by a truck.
SCO IS ON TEH SPOKE!!!!11oneone!!11
Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth of other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it.
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main argument that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
More non-news on SCO. Slashdot is just giving them free publicity by publishing articles about them EVERY DAY.
boyah! nailed it!
Even though they could have fixed this vulnerability (see this at linuxsecurity.com http://tinyurl.com/z0kal) they'll still blame it on the devil Linux...
Information on how to stop SYN attacks has been available for ages.
Yeah, right.
...how much SCO is paying the CAIDA?
There have been more attacks on SCO
DVD Ripping, Divx, VCD, SVCD under Linux
;-)
Excellent!
My question is this: What are all those lines and numbers for?
What?
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
sorry.. I was incoherent once again with my posts... meant to ask if there was any credibility with the sites backing SCO up on this....?
SCO still sucks.
Short yet inspired.
I hope those half-assed security "experts" who decided to shoot their mouths off with insufficient information submit humble retractions now. Somehow I doubt it.
I just used my last Mod point in the last article. Damn that Taco - Damn him to hell !!
Stay tuned for new sig...
My home server is tighter than that!
P.S. - But please don't try to prove me wrong!
This still doesn't add up. If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack? Here's what I get:
ftp.sco.com has address 216.250.128.13
www.sco.com has address 216.250.128.12
They have neighboring IP addresses. There isn't enough room for a broadcast address between them so they have to be on the same subnet. If they're not on the same subnet then this must be some newfangled magical technology that allows them to break up subnets in a new way without sacrificing an address for the broadcast. Translation: they're still lying. On the other hand, why should I care? This company is abusing the US legal system and costing me money through the waste of my tax dollars. I'm not saying this is the proper way to respond, but hell, I still don't believe that the situation was the way SCO described it anyway.
My Slashdot account is old enough to drink...
This is the best FUCKING post every.... MOD PARENT UP....
Fucking learn how to spell dip shit.....
Hey Mods, the link in the grandparent is real information and actually is "informative". Don't listen to this coward.
US Democracy:The best person for the job (among These pre-selected choices...)
But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.
Maybe we deserve this world ?
Interesting information in the Backscatter movie. I'd always wondered how DoS and DDoS attacks occur. It still leaves me with questions, though.
I assume that since the backscatter is so broad that it doesn't affect the presumed sender MUCH, but it does do damage to them, no? After all, they now have to pay for, and attempt to distribute, responses to false information, correct? If so, DDoS attacks are much more of a bitch move than I'd originally thought.
My other question was whether or not DDoS attacks can physically damage the victim's machine. I'd assumed it couldn't and that the 'their servers must be in a melted, smoking mound by now!' jokes were just that, but I always wanted to ask anyway. Would someone be kind enough as to enlighten me a bit more?
Thanks
fs
I don't know if that person is brave or stupid? But SCO had it coming.....
First, you people rant and rave about how this must be a hoax, even going so far as to "analyze" the situation, posting long, drawn out posts on how it was impossible, they are lying, yada yada.
Then, it turns out that you are WRONG.. egg *all* over your face, and instead of saying, "oops, I guess we were wrong about that one," you rant and rave AGAIN!
You people are funny. Stupid, groupthinking witch-hunters, but funny (in a terribly pathetic way).
Gooooooooooo looonix! HAHAHAHA.
Is it me, or do these articles not offer any explanation for "why www.sco.com (216.250.128.12) server is down and ftp.sco.com (216.250.128.13) is still working without any slowdown, even though they are on the same network?"
If they state that all the available bandwidth was consumed by attacks, then all the servers on the network would be unresponsive. So that could not have been a bandwidth issue. Therefore it leaves us with the "SCO is a bunch of incompetent morons" version of the events.
Dear SCO / Darl McDumbass,
SCO, Meet RIAA. RIAA, meet SCO.
RIAA, please explain to SCO and Darl McDumbass what happens when an entity pisses off a bunch of nerds who a) have no life; b) are prone to taking breaks from self-pleasuring while viewing pictures of Linus Torvalds and/or Llamas long enough to launch a MDDoS (massively-distributed DoS) attack; and c) like using words like 'pw0nzerd' and uttering phrases like 'all your servers are belong to us'
Thank you. Please drive through.
Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.
"Sufferin' succotash."
ah the internet, from the perspective of law, the equivalent of late 1700s America
Man someone must not like you.. It doesn't even look like you got moderated... Is your karma bad or something....? I hate this slashcrap moderation system... There must be some people in there who just fuck others over..... But your name probably doesn't help you......
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there are two things which make me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is indeed no distinction to be drawn between the two servers, and so they should have gone down simultaneously.
After 30 seconds it redirects to goatse.cx
"Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second," CAIDA said. "Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets-per-second early Thursday morning."
Whoa...both ftp and www experienced this? Their www server must be really badly configured compared to their ftp server (or their www server received -a lot- more flooding). During the SYN flood, www.sco.com was unavailable, but ftp.sco.com was easily reached. I checked several times.
It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
To put this quote in the proper context:
What was Abraham Lincoln's religion? He was never heard to say that he was a Christian. When he and his wife Mary lost their little boy Eddie in the early 1850's, Mary joined the Presbyterian church, but Lincoln never joined any. Someone once asked him what his religion was, and he replied that his religion was just like that of an old man he knew, who said, "When I do good, I feel good, and when I do bad, I feel bad, and that's my religion."
Lincoln said that he had never denied the truth of Scripture, and that he didn't believe he could ever vote for a man who scoffed at it. A Congressman once asked him why he didn't join a church, and he said this: "When any church will inscribe over its altars, as its sole qualification for membership, the Savior's condensed statement for the substance of both law and gospel, 'Thou shalt love the Lord thy God with all thy heart, and with all thy soul, and with all thy mind, and thy neighbor as thyself,' that church will I join with all my heart and soul."
Lincoln's beautiful prose bears the unmistakable stamp of Biblical style. Some of his most memorable speeches and letters are full of phrases right out of the Gospels and the Psalms. People used to see him reading a little pocket-size devotional book that somebody had given him. His ability to quote the Bible was often noticed, and people lost count of the times he replied to someone the way he replied to a Senator who wanted him to hang Jeff Davis: he said, "Judge not, that ye be not judged." His law partner told this of him: A friend attended a rally for a political candidate, at which about 400 people showed up. When he told this to Lincoln, Lincoln picked up an office Bible and turned directly to a verse that read: "Everyone that was in distress, and everyone that was discontented, gathered themselves unto him, and he became captain over them, and there were with him about four hundred men." That's pretty good.
A minister named William Barton gathered a few quotations and statements from Lincoln's writings and speeches, put them into paragraphs, and then added at the front only the words "I believe." It reads like this:
I believe in penitential and pious sentiments, in devotional designs and purposes, in homages and confessions, in supplications to the Almighty, solemnly, earnestly, reverently. I believe in blessings and comfort from the Father of Mercies to the sick, the wounded, the prisoners, and the orphans and widows. I believe it pleases Almighty God to prolong our national life, defending us with his guardian care. I believe in His eternal truth and justice. I believe the will of God prevails; without Him all human reliance is vain; without the assistance of that Divine Being I cannot succeed; with that assistance I cannot fail. I believe I am a humble instrument in the hands of our Heavenly Father; I desire that all my works and acts may be according to His will; and that it may be so, I give thanks to the Almighty and seek His aid. I believe in praise to Almighty God, the beneficent Creator and Ruler of the Universe.
Lincoln was talking about the Bible to his friend Joshua Speed in 1864, the year before he died, and he said, "Take all of this book that you can upon reason, and the rest on faith, and you will live and die a better man."
(Carl Sandberg - Introduction to Lincoln's Devotional, Channel Press, Greatneck, NY, 1957
Posted anonymously so as not to wreck my perilously teetering karma with a -1 OT score.
I wish they would have been hit with a bat instead. I prefer wooden though metal does make a nice sound.
Even a broken clock is right twice a day
but then again they probably promised them some SCO stock for the counterfeit report.
I need to put my aluminum hat on now,
Now if we can just get a l33t haxxor to send an electric shock that causes ole DARL to EXPLODE i would like that even better.
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.
And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.
Both SYN and bandwidth attacks use forged addresses, children (which is why there is backscatter); each incoming SYN is from a random IP, and the ACK goes to the forged address, not the originator.
The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed.
Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
It's those 100 lines of stolen code in the Linux kernel. Now SCO can sue more people. SCO, will you sue me soon? I hate being last, it gives me an inferiority complex.
404
How does a backscatter analysis prove that the site was attacked from the outside? The first thing a "wanna be victim" would do when faking an attack is to make sure that the effect can indeed be measured from the outside.
That's like reading MSN for unbiased news about M$....
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
No, no, we are doing nothing to prevent those for entirely different reasons...
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
In fact... a lot of SYN attacks don't use compromised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the source IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P
So you can use even a secure (but not 100% properly configured) server to launch an attack with... Interesting stuff.
Dear SCO,
We were wrong and apologize.
Okay there, it's out. Now it's your turn.
-Slashdot readers
What if it was the same people? I believe a number of spammers do use Linux, and they have had enough experience causing DDOS attacks against antispammers to attack SCO. Very suspicious.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Isn't a T3 bi-directional 45mbps yielding an aggregate of 90mbps?
The peaks are large, but the majority of the time the load is much lower. 4,000 pps syn flood is under 1.5 Mbit/sec. So plenty of room for other traffic. SCO had both bandwidth problems from having a relatively small pipe and server load from the syn flood.
I saw a lot more in-depth analysis on Groklaw yesterday. I was especially interested in a VERY CLEVER analysis where connections were instant even on their main webserver until the packets reached level 3 of their TCP/IP stack. Until SCO woke up to the fact that they were busted and had their ISP block all traffic. /. and Groklaw effect of people analysing their b*llshit claims.
Funnily enough I have just been studying the stack for my CS degree so I followed this line of enquiry with interest. As far as their ftp server stats, I just put this down to the
Maybe this magic telescope of theirs can find their stolen IP for them. I would love them to try and use this as an excuse to avoid discovery. (Sorry your honour but those GNU/Linux Commies destroyed all our proof).
Red eyes at night, hackers delight. Red eyes in the morning, professors warning.
Red eye's at night, Hackers delight. Red eye's in the morning, Professors Warning.
... UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours.
Is the backscatter they observed their only evidence that the DDOS actually took place? If so, I would hardly call that proof that "SCO Not Lying About DoS Attack." Just an observation.j/k
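The backscatter mechanism an earlier comment describes (each SYN carries a forged source, so the victim's SYN/ACKs and RSTs land on addresses that never sent anything) and the CAIDA extrapolation quoted above, as an added Python example that is not part of the original thread or of CAIDA's tooling. Assumptions: the netfilter-style LOG lines are constructed with documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the monitor is taken to cover a /8, i.e. 1/256 of the address space.

```python
import re
from collections import defaultdict

# Constructed netfilter LOG lines (not real SCO traffic).  Our hosts in
# 198.51.100.0/24 never opened a connection to 192.0.2.12, yet SYN/ACKs and
# RSTs from it arrive: someone is sending 192.0.2.12 SYNs with our addresses
# forged as the source.  The 203.0.113.10 exchange is a connection we opened.
SAMPLE_LOG = """\
Dec 11 04:12:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.7 LEN=44 PROTO=TCP SPT=80 DPT=41233 ACK SYN URGP=0
Dec 11 04:12:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.9 LEN=40 PROTO=TCP SPT=80 DPT=51002 ACK RST URGP=0
Dec 11 04:12:02 gw kernel: IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=37001 DPT=443 SYN URGP=0
Dec 11 04:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=443 DPT=37001 ACK SYN URGP=0
Dec 11 04:12:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.20 LEN=44 PROTO=TCP SPT=80 DPT=33222 ACK SYN URGP=0
Dec 11 04:12:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.21 LEN=44 PROTO=TCP SPT=21 DPT=44111 ACK SYN URGP=0
Dec 11 04:12:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51515 DPT=22 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Split a netfilter LOG line into its key=value fields plus the set of
    bare TCP flag tokens; returns None for non-TCP lines."""
    if "PROTO=TCP" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    rec["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return rec


def find_backscatter(log_text):
    """Inbound SYN/ACK or RST packets that answer no SYN we sent are
    backscatter.  Group them by source: that source is the flood victim."""
    outbound_syns = set()
    hits = defaultdict(lambda: {"packets": 0, "targets": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = rec["flags"]
        if rec.get("OUT") and "SYN" in flags and "ACK" not in flags:
            # Remember our own connection attempts so their replies are not
            # mistaken for backscatter.
            outbound_syns.add((rec["DST"], rec["DPT"], rec["SRC"], rec["SPT"]))
            continue
        if not rec.get("IN"):
            continue
        is_reply = ("SYN" in flags and "ACK" in flags) or "RST" in flags
        if not is_reply:
            continue  # a plain inbound SYN is a scan or a client, not backscatter
        if (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"]) in outbound_syns:
            continue  # legitimate answer to a connection we opened
        victim = hits[rec["SRC"]]
        victim["packets"] += 1
        victim["targets"].add(rec["DST"])   # forged sources that landed on us
        victim["ports"].add(rec["SPT"])     # services being flooded
    return dict(hits)


def estimate_attack_packets(observed_replies, monitored_prefix_len):
    """If forged sources are uniform over IPv4, a /N monitor receives 1/2**N
    of every reply the victim sends; scale up to the SYNs it answered."""
    return observed_replies * (2 ** monitored_prefix_len)


if __name__ == "__main__":
    for victim, info in find_backscatter(SAMPLE_LOG).items():
        print(victim, info["packets"], sorted(info["ports"]), sorted(info["targets"]))
    print(estimate_attack_packets(2_800_000, 8))  # /8 monitor: 716,800,000
```

Under the /8 assumption the 2.8 million replies quoted above scale to roughly 717 million answered SYNs, which is consistent with the "more than 700 million" figure.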
From the Groklaw article:
If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).
Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive.
Mod the parent down. There's nothing "insightful" here-- it's just a rephrasing of the Groklaw article.
Somebody mod this up....
Take'em Down NOW!! Slashdot Forever!! Take Down will happen on Dec 24th. All Slashdotter should attend. *Not to be taken seriously*
It's not the implication that open source people are involved, it's that all kinds of dipshits who don't know networking from the crust on their asshole started calling SCO liars. Believe it or not, non-technical people think that slashdot dwellers are representative of technically inclined people, and the open source movement. So when everyone on slashdot starts yammering about how they are lying without having any clue what they are talking about, it makes the open source movement as a whole look bad.
You thinking the open source movement should be considered innocent until proven guilty doesn't mean jack, everyone else will draw conclusions based on the actions of masses of idiots.
So is it so impossible to imagine that SCO attacked themselves just to point the blame stick at the Open Source (et al) community?
I smell rats. Big, hairy rats. (Darl, I'm looking your way...)
Perhaps SCO should use some of their millions of recent investments and get an OC48.
... of Security expert from Australia?
No?
I thought so.
IANAL but write like a drunk one.
Oh never fear I have a mirror up whats the big deal
MoFscker
When a company's image is so bad that significant numbers of (formerly) potential clients think they're staging their own "attack"....
I'm so sick of reading about these a$$clowns. When is slashdot going to return to reporting on items of actual interest?
Please explain how it comes that in a saturated pipe the ftp server, just one IP address away, was still available, as were several other machines in the same subnet.
Expectantly awaiting an answer.
Robin.
IANAL but write like a drunk one.
Quoting the article in CAIDA report...
Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST.
To the best of my recollection, I connected to the SCO ftp servers some time in the late afternoon (~4pm Mountain time). The www2.sco.com server also was up all the time. You would have a hard time checking this with netcraft though - SCO Unix does not provide uptime information.
Would port forwarding not get around your broadcast address requirement?
A pointless point to make anyway, I think, since CAIDA also claimed SCO's FTP servers were attacked. It wouldn't matter how you reached it, you did reach it. As I understand it, some folks were getting very snappy FTP connections. Hmmmm.
DS3 is ~45Mbit/sec bi-directional
(so 20 is about 44% utilized)
...SCO's web server is dying.
Why would SCO have two separate load-balancers, with one being entirely _unused_ in the first place? If the attack was targeted at one IP, why didn't they pull the back-up online (assuming it is a back-up)?
Any way I look at it, it's still glaring of incompetence...
Maybe we deserve this world ?
if it was a DDOS, who did it?...Maybe somebody with a DS3 or two available
a. Kiddies (self-labeled elite hackers) break into machines (perhaps machines rooted by viri/worms they had nothing to do with).
b. These 'owned' machines have a control channel either to the worm author(s) or whatever lowlife manages to wrest control, usually irc.
c. Upload ddos agent and switch it on.
Of course the system owners will often notice *something* has gone wrong and either shut the attack slaves down or if they're a bit sharper realize they're owned and fix it but I imagine most of 'em come back up still infected, ready for next time.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours so the originator can't have been too smart. A bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?
UNIX? They're not even circumcised! Savages!
Have you guys never heard of VLANs?
Host the same subnet in different places using vlans!
Therefore different switches and segregated traffic for servers in the same subnet.
Remember the IP layer is only 1 of 7 (broadly speaking)
How hard was that?
"I didn't do it... nobody saw me do it... can't prove anything" /me ducks
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
A synflood is an attack on CPU resources, not bandwidth.
TCP is a stateful protocol. This means that the kernel of the target machine needs to allocate memory for each connection (about a K @ if memory serves)
Even with countermeasures in place (e.g. syncookies) the target needs to devote some resources (exercise left to the reader) to each incoming SYN.
Thus, yes it is quite possible to effectively shutdown a target without cutting off bandwidth. See also the CAIDA graph where they show the FTP server coming under an identical attack later.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
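The countermeasure the comment above mentions, as an added illustration (this is not code from the thread, and its bit layout is a simplification of the Linux scheme, which is an assumption): the server encodes the per-SYN state it would otherwise have to store into the sequence number of its SYN-ACK, so a spoofed SYN that never completes the handshake costs it nothing but one keyed hash.

```python
"""Toy SYN-cookie encoder and checker (added illustration, not from the thread).

Without cookies the kernel keeps a half-open entry per SYN (the "about a K"
mentioned above), so a spoofed SYN flood exhausts the backlog or memory.
With cookies the server packs what it needs into the 32-bit initial sequence
number of its SYN-ACK and stores nothing; a spoofed source never sends the
final ACK, and a real client's ACK is verified with one keyed hash.

Layout (assumption, 32 bits):
    counter:6 | mss_idx:2 | (keyed hash + client ISN) mod 2^24
"""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1024, 1440, 1460)   # the four MSS values two bits can carry
COUNTER_BITS = 6                      # coarse time counter, e.g. minutes mod 64
SECRET = os.urandom(16)               # per-boot server secret (constructed)


def _keyed_hash(saddr, sport, daddr, dport, counter):
    """24-bit MAC over the connection 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, counter):
    """Sequence number for the SYN-ACK; no per-connection state is kept."""
    h = _keyed_hash(saddr, sport, daddr, dport, counter)
    low24 = (h + client_isn) & 0xFFFFFF
    # The MSS index is not covered by the hash in this toy; the real Linux
    # scheme folds it into the hashed part.  The hash bits stop forgery.
    return ((counter & 0x3F) << 26) | (encode_mss(mss) << 24) | low24


def check_cookie(saddr, sport, daddr, dport, client_seq, ack_seq, now_counter):
    """Validate the final ACK of the handshake.  Returns the MSS, or None.

    client_seq (client ISN + 1) and ack_seq (our cookie + 1) come straight
    from the ACK segment, so nothing had to be remembered from the SYN.
    """
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    counter = cookie >> 26
    # Accept only the current or previous counter value: cookies expire.
    if (now_counter - counter) % (1 << COUNTER_BITS) not in (0, 1):
        return None
    h = _keyed_hash(saddr, sport, daddr, dport, counter)
    if ((h + client_isn) & 0xFFFFFF) != (cookie & 0xFFFFFF):
        return None                   # forged, or replayed against another tuple
    return MSS_TABLE[(cookie >> 24) & 0x3]


if __name__ == "__main__":
    # Constructed handshake: client 10.0.0.1:40000 -> server 198.51.100.5:80
    c = make_cookie("10.0.0.1", 40000, "198.51.100.5", 80, 0x12345678, 1460, 7)
    print(hex(c), check_cookie("10.0.0.1", 40000, "198.51.100.5", 80,
                                0x12345679, c + 1, 7))
```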
Cowboy Neal of course
What I want to know is who are the guys running SCO's IT shop? I mean either they are just totally out of luck for work or don't care that they are working for litigious bastards. In the big world of slashdot readers somebody must know one of these guys (gals?). What's the story? If we can pin down who they are maybe we can answer the question of: are the folks running the network/machines dumb or are they deliberately trying to get hit by DDOS and other bad stuff.
I'm no expert at this, but wouldn't it be possible to just send out a few million false responses to get picked up? I mean, if their FTP server was running just fine and the whole thing is a question of this being valid then why say they were ever attacked at all? Just write a small deal that randomly generates an IP (maybe with some guidelines so if people find out where you're replying to it doesn't turn out to be a site that would ruin the whole story such as www.microsoft.com or www.dod.gov) and have it send out responses to them. If it turns out that they attacked themselves then who's to say they were attacked and didn't just fake the actual attack having ever even been real? Please don't flame this, it really is a question out of curiosity.
...could I get your opinion on something else we heard when the attacks were first being reported?
I heard that SCO's ISP was contacted for information regarding the attack, and that this contact was the first they had heard of any DoS happening to SCO that day.
What do you think?
What if the sysadmin of SCO saw this SYN flood coming in, launched by an honest to goodness skript kiddie who has nothing better to do. The sysadmin calls Darl up, and he says to turn off SYN blocking for www.sco.com, so they get eaten alive by the packets, taking down their webserver. Sysadmin flips the "rape us" switch on his desk, lets in those SYN packets, and BAM!, there goes the web server. There isn't a slow buildup time, because the SYN flood is already in full swing. If I were Darl *shudder*, I think this would be a chance to turn an attack that would have been easily shrugged off into some positive publicity. Sure, the webserver is down for some time, but the ftp, etc. servers are still up. Anyone think this is possible?
Whoever launched these attacks has made everybody look bad. Annoying SCO isn't going to make them say "Hey! Let's be nice now!". Their business model is now suing people. It's not as if their software was selling much.
Wrong, Wrong, Wrong, WRONG. I can shout louder. You win arguments by being right and silencing your opponent..it's called the art of war..remember. Grow up you tree hugger and leave this fight to the big boys. 8P
Great! Give SCO a reason to sue Microsoft.
The ______ Agenda
I mean really, would you put it past SCO at this point?
troll
Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
This will probably be marked as Troll/Flamebait for whatever reason, but in all honesty they deserve it and brought it upon themselves.
SCO is flat out jerking the US legal system with these far out LIES and no one's doing anything about it... so DDoS away!
Hopefully they'll soon learn the err of their ways.. or worse things shall happen! Time will only tell.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
That is what one gets when one keeps crying wolf!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
All data is speech. All speech is Free.
I have no idea if SCO is using Cisco routers on their perimeter, but I guess it's not too unreasonable to assume this is a possibility. With a Cisco on the perimeter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.
Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host <web-server-ip>
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept
With Intercept mode enabled, all incoming SYNs are held by the router, which proxy-answers w/ SYN-ACK. Won't forward to server if ACK not received.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html
when we have our own experts at slashdot?
ISTM that some things *CAN* be done about it. The upstream dudes can monitor very closely to determine the nature of the beast.
Possibly, preventing the attack, and/or discovering the attacker.
FOSS can actually play a positive role here.
Use the tools Luke.
You are being MICROattacked, from various angles, in a SOFT manner.
It was a Gnu/DDos damnit!
Even my web servers use 100mbps connections and can handle 30 Terabytes per month.
What's wrong with SCO, don't these bozos know anything about the Internet?
Since we were just told [slashdot.org]that they lied
Am I the only one that sees that a full DS3 line goes BOTH WAYS at 45mb/sec, which would mean that 20mb/sec both ways would be around HALF of a DS3??
It is pitch black. You are likely to be eaten by a grue.
That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."
Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."
To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.
Good job, guys.
// TODO: Insert Cool Sig
That should be "funny" not "informative".
The only people I know of with this kind of bandwidth at their finger tips are spammers using the SoBig worms. Then again anyone can take advantage of the same open proxies themselves for whatever purpose.
I'm gonna go out on a limb here.
What if the attack was an inside job, designed to create publicity?
That could explain why their LAN was affected during the "attack".
However, that having been said, I still haven't seen an explanation as to why ftp.sco was ok and responsive during the attack.
The bandwidth gobbled up by this attack would have killed everything on the same subnet, including the ftp.
-- This sig for rent.
You know, I hate SCO as much as the next guy, but what I hate more are the fools pulling off these attacks. They give me, and the linux side a bad name. A few silly individuals who are nothing more than vandals can create a widescale negative view that "those crazy linux zealot hackers are a bunch of immature brats who DOS people they don't like". Sure, intelligent people don't make this association, but since when has the general idiot consensus not been a large force to be reckoned with?
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
What? Do I need to say more?
Go read the comments in the older slashdot stories if by some chance you don't know what I'm talking about.
That it wasn't customers rushing to pay their linux license fees because the court case is going so well?
and Daryl wouldn't lie either.
Professional Politicians are not the solution, they ARE the problem.
http://www.sco.com/company/feedback/index.html
But my routers won't route packets with random destinations. They'd all have to be destined to the system, even if the sequence numbers are off.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The current attack successfully blocked access to SCO web and ftp servers. A 50,000 packet-per-second SYN flood yields approximately 20 Mbits/second of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 MBits/second). The use of load balancers or proxies, SYN cookies, and Content Delivery Networks (CDNs) can help distribute the load of a denial-of-service attack, making it more difficult to saturate the available network and server resources.
Translation: even without special measures, there was plenty of capacity left. Furthermore, SCO could have taken trivial steps to protect themselves but they didn't. In fact, the fact that CAIDA's backscatter technique for detecting the attack worked is in itself an indication that SCO wasn't protecting themselves properly.
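The backscatter technique this comment refers to, as an added illustration (this is not CAIDA's code): a flood with randomly spoofed sources makes the victim answer each spoofed address, and a monitor owning a block of unused address space sees the slice of those replies that land in its block. Assumptions: uniform spoofing over the IPv4 space, a constructed /8 telescope, and about 50 bytes per SYN on the wire, which is the ratio the 50,000 pps and 20 Mb/s figures quoted above imply.

```python
"""Backscatter analysis in the style of the CAIDA technique discussed above
(added illustration, not CAIDA's code).

A SYN flood whose source addresses are spoofed at random makes the victim
answer every spoofed address with a SYN-ACK (open port) or RST (closed
port).  A monitor owning a block of otherwise unused address space (a
"network telescope") receives the fraction of those replies that fall into
its block, so it can name the victim and scale up to the attack rate without
any cooperation from the victim.
"""
import random
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELESCOPE = ip_network("10.0.0.0/8")   # constructed telescope block
IPV4_SPACE = 1 << 32
BYTES_PER_SYN = 50                     # inferred from 50,000 pps ~ 20 Mb/s
BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies a host sends to unsolicited SYNs


def build_sample_packets(seed=7):
    """Constructed one-second capture at the telescope: (t, src, dst, flags)."""
    rng = random.Random(seed)
    base = int(TELESCOPE.network_address)

    def rand_dst():
        return str(ip_address(base + rng.randrange(TELESCOPE.num_addresses)))

    pkts = []
    # a SYN-flood victim answering spoofed sources inside our block
    for i in range(200):
        pkts.append((i / 200, "192.0.2.10", rand_dst(), "SA"))
    # an ordinary scanner probing our block: its SYNs are not backscatter
    for i in range(20):
        pkts.append((i / 20, "198.51.100.7", rand_dst(), "S"))
    # a host resetting a handful of stray packets: too few to be a flood
    for i in range(5):
        pkts.append((i / 5, "192.0.2.99", rand_dst(), "RA"))
    return sorted(pkts)


def estimate_attack_pps(observed, window_seconds, telescope=TELESCOPE):
    """Scale replies seen in our block up to the whole address space."""
    return observed / window_seconds * IPV4_SPACE / telescope.num_addresses


def syn_flood_mbps(pps, bytes_per_packet=BYTES_PER_SYN):
    """Bandwidth a SYN flood of the given packet rate occupies, in Mbit/s."""
    return pps * bytes_per_packet * 8 / 1e6


def analyze(packets, window_seconds, telescope=TELESCOPE, min_replies=50):
    """Return {victim_ip: (replies seen, estimated attack pps, Mbit/s)}."""
    seen = defaultdict(int)
    for _t, src, dst, flags in packets:
        if flags in BACKSCATTER_FLAGS and ip_address(dst) in telescope:
            seen[src] += 1
    report = {}
    for src, n in seen.items():
        if n < min_replies:
            continue                  # a few RSTs are normal noise, not a flood
        pps = estimate_attack_pps(n, window_seconds, telescope)
        report[src] = (n, pps, syn_flood_mbps(pps))
    return report


PACKETS = build_sample_packets()

if __name__ == "__main__":
    for victim, (n, pps, mbps) in analyze(PACKETS, 1.0).items():
        print(f"{victim}: {n} replies seen -> ~{pps:,.0f} SYN/s, ~{mbps:.2f} Mb/s")
```

Note that the telescope only sees replies, so it cannot tell a remote flood from one launched inside the victim's own network, which is exactly the gap the "inside job" comments in this thread point at.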
Since January 2003, tension between SCO and the open source community has increased as SCO has asserted that other operating systems have misused their intellectual property.
And what the hell does that have to do with anything? The open source community didn't launch a DDoS on SCO.
The "attack" did not come from any open-source sympathizers.
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutely disgusting that SCO can get positive publicity for this nasty little stunt.
Too bad the patrons of both, who affect the reputation of the site more than anything the site could ever do, don't have the same maturity level.
Can't keep a gay man down, sucka!
Er.
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
Actually, it was based mainly on SCO's three press releases. Even if they were attacked, they should have been able to head off a syn flood attack. Second, it doesn't make sense that their intranet went down, too.
See, even if they were telling the truth about the attack, it's odd how they had three press releases ready, they already know it was those nasty open source people, and there are false statements that were made by them surrounding the issue.
It's only natural that people thought the whole thing was made up.
Do you have ESP?
This is so obvious it's not even funny.
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
In fact, a DS3 has 44.736 Mbits/s capacity each way, though by the time you eat through the framing overhead for ATM, IP, TCP, etc. it's entirely possible to wind up with only 32 Mbits/s usable payload. Sooooo... based on the CAIDA estimates, I'd say SCO had about 2/3 of their available bandwidth tied up by the attack.
I wasn't actually going anywhere with this. You can leave now.
Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Waiting for enlightenment...
Seriously, fuck them.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
sco> boot
wouldn't you rather play a nice game of chess?
sco> boot -s
wouldn't you rather play a nice game of chess?
--
"It is now safe to switch off your computer."
Ah come on, jeez people, you fall for crap hook line and sinker. You guys are so gullible its funny (if it weren't so sad)...
One individual source claiming something like this, does not make it true. That's besides the fact if you even scratch at the facts (don't even need to dig really), you'll see some contradictions.
Not only contradictions in the time of the so-called attack, but what was supposedly being attacked at the time.
If you look at CADIA or CAIDA or whatever they are, their claims, you'll see they talk about the sco ftp server being hit, but the ftp server WASN'T hit during this time period. The FTP server experienced no increase in average latency, I know, I tested it.
Ok, so one big hole in their theory. Want to try for two? no problem...
The logs are inconclusive. If you handed that over to any decent ISP and claimed it was proof of being attacked, they'd laugh at you.
There's simply NOT enough shown there to be evidence of an attack, or proof of anything. In fact, the data is so SPARSE (light, and weak), the data provided looks more like normal network traffic than anything else.
I've seen customers call up ISPs saying "Hey! Your DNS server is attacking me!", uh, no, mr. pinhead, it's not, it's just that every time you type in a url in your browser, dns has to resolve it, thereby doing lookups, what you're seeing mr. stupid customer is the dns resolver responses.
sometimes clients even claim to want to sue the ISP because the ISPs mail server is attacking them! Which we usually tell the customer "ok, sure, call your lawyer, and uh, when hell freezes over, I'm sure you'll let us know, thank you, bye now (click)"
the data the CADIA (CAIDA?) place provided is almost identical to the logs provided by these customers. It shows an equal amount of "evidence" (cough).
Are there sniffer traces (data captures) of raw packets during this time period? Nooo.... Just these stupid log files that mean NOTHING!
come on people, one source with such pathetic information, and not only is Slashdot and Groklaw ready to be convinced, so is the press and the stockmarket.
Now we'll have SCO posting MORE press bullshit (FUD) saying "see, we told you so!". get over it!
This proves *NOTHING* !
caveat1: could SCO have been attacked? Oh yes.
caveat2: am I saying they were NOT hit at all? NO!
If they were hit, it certainly wasn't as reported, and it certainly wasn't with as much severity as claimed, and it certainly wasn't for as long as claimed, etc etc etc...
I would be inclined to believe some "script kiddies" took advantage of the situation, but nothing extreme.
I am more inclined to believe that SCO manufactured this themselves. Would they LIE about contacting the secret service? Oh hell yes, they lied about contacting the FBI last time. Come on now... sheesh
You people give SCO far too much credit.
Why shouldn't I do it again? SCO paid me tons of money to do it the first time...
===Note: this IS written humorously... If you want to sue me, a better reason would be my use of Linux.===
Who thinks that it's possible that SCO really was the victim of a DDOS attack?
I hate SCO as much as everyone else, but it seems like everyone here is saying that this is a conspiracy because it makes the open source movement look bad. Not because there is any compelling evidence that SCO did it.
Sites get attacked every day. Yahoo.com had its share of attacks back in the day and so did any number of sites.
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discourage this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflect the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the world for everything because, in his mind, they have "won" and that is their "reward".
So you see... I believe that, while it's unfortunate the SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure their site better.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
...my line is 20Mb/sec!!!
Ummm...nevermind.
--"It's Bradford Company, slash your last name, dot your first name"
"50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way"
packets alone do not a ds3 make
a ds3 line can easily handle this amount of load which is miniscule
if their ds3 can't handle the load they probably paid for a ds3 but got something far less
Even though DDOS attacks are misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too. Claiming ownership of chunks of a kernel without showing any proof and not waiting for the outcome of a court case.
:)
The damage they have caused companies involved in Linux far outweighs a bit of network outage, unless they suffer a major loss, since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope
Link to 80% statistic
I bet they find a reason to blame Slashdot and sue them over the SYN flood.
This is the first I've heard of this because I've been real busy. But what I want to know is why SCO is doing this. Why do they hate open sourcers so much that they would pay for a DS-3 just to clog thousands of poor linux users meager bandwidth? Oh, Darl! What profiteth you from this nefarious scheme?
Liberals call everyone Nazis yet they are the closest thing to it.
It's costing them money and bringing them on our turf instead of their preferred battleground (the media). Next we target their sources of funding, like Microsoft, HP, and the Royal Bank of Canada. Make it so nobody wants to associate with them and the money will dry up (since their media shenanigans apparently aren't enough for some investors). The benefits of a DDoS on their web site also include pissing off their ISP. I'm sure they're already considered high risk by any prospective ISP.
Keep fighting the good fight...
I'm going to be flat out with it. I couldn't care less if SCO is being flooded or not. Bad things happen to bad people. By all accounts (other than Darl's) SCO has been disingenuous with everyone. Karma is a bitch but ya know it happens
Maybe what it really means is Denial of Settlement.
you know, my router on my cable modem kept locking up for no reason, maybe a smurf attack from my ip (among others?). ~~newbie hacker...www.whataboutbob.org
Show me packet captures and log entries, or it never happened.
He said that it was interesting to read about the DDoS attack in the press, when it was he that was managing and re-directing the traffic from the DDoS attack.
So yes, according to my sources, which I deem to be reliable, the DDoS attack did happen. For the record though, every single other claim SCO has made I believe to be complete BS.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
What does this say about SCO's network admins? Unless I am missing something, syncookies would have taken care of this easily.
It's all fun and games until someone gets their company bought out.
Only 'flamers' flame!
Does slashdot hate my posts?
Pretty funny when Bart says, "Hey Darl!" Check out this
screen capture.
Usurper_ii
Ron Paul
It's easy to assume SCO is lying, just because they have previously raised FUD to a not so fine art. However, in this case, it makes sense to assume they are telling the truth (at least in large part).
Are there black hats who would conduct such an attack in a misguided defense of open source? 100% yes.
Would SCO fake such an attack? Maybe, if their goal is really to discredit open source at any cost. Reporting such an attack won't make their stock go back up. If anything, it will drop further. Will it influence a judge? I won't say it's impossible, but it's unlikely at best. Will it help Darl hold on long enough to get 4 profitable quarters? It's likeliest to work against that rather than for it.
In the absence of clear and unassailable proof that someone connected to SCO is prepared to lose millions, risk spending the rest of their lives in prison, and probably end up having their family name join the ranks of names that have become common words for really bad things (tm), as have Lynch and Gerrymander, all just to harm the reputation of OSS, the only sensible assumption is the DDOS originated outside SCO.
Who is John Cabal?
I have one thing to say. If the attacker isn't SCO, then PLEASE STOP. You are not helping. In fact, the only thing you are doing is proving SCO's attacks on the Open Source community correct (that we have no regard for the law).
Please let the lawyers handle this matter and stomp SCO into the ground. Victory will be just as sweet.
"Too bad the patrons of both, who affect the reputation of the site more than anything the site could ever do, don't have the same maturity level."
Why go AC on this? I'd modify that to say SOME of the patrons, but if I did, I sure wouldn't hesitate to put a mere nym on it. Both sites have set an example worthy of emulation, not just by media outlets, but by visitors or patrons.
Who is John Cabal?
According to the following article, the average SCO employee makes over $132,000 a year. (25,000 / 300 * 40 * 50 * .8 (to account for non-salary employee expenses)).
Source
The company estimates the attack cost it about $300,000 in lost productivity alone, based on estimates that the company pays as much as $25,000 an hour to employees, who were only able to achieve less than half their usual output. SCO has about 300 employees worldwide.
DDoS attacks are a fact of life on the Internet for some people. SCO should just sit down, shut up and accept what has happened. Hell, were they even PAYING per megabyte for traffic received? Probably not.
The host of the IRC server I run, however, was. In Australia, bandwidth is pretty much per megabyte everywhere, especially in the corporate sector.
We were hit with a DDoS attack a few months ago which was considerably bigger than SCO's little attack. Try figured up around the ability to saturate an entire 100Mbit/sec Fast Ethernet port. The main effect was not the traffic, it was the router simply overloading (A 7206 with an NPE-200 I believe) from the sheer amount of traffic flows created from the DDoS. It was a synflood attack, of sorts.
This particular attack came from a network of trojan clonebots. These were distributed by exploiting the recent RPC DCOM flaws in Windows. Upon infection, the client starts and connects to an IRC server as specified by a 'free' dynamic DNS host, pointing to the IRC server of the attacker's choice. They join a pre-determined channel, where the attacker can join and issue commands to about five thousand bots at once. These include synflood, infect, send files from users' PCs etc.
We were not the only IRC server hit. Several thousand dollars of bandwidth flowed past the router before the upstream placed a block on it. Unfortunately, an ACL on the router probably wouldn't help terribly much, as the router itself was suffering, not the IRC server being attacked.
SCO, being a company with many enemies, should have anticipated such an attack and adjusted their configurations accordingly.
Unfortunately, I don't believe even the most robust enterprise class router could handle TCP-Intercept duties on a 50k/second SYN flood.
Prove me wrong.
Stewey
There are 10 kinds of people in the world. Those who understand binary and those who don't.
The netcraft stuff is crap. We all saw the site go down. Why does a graph solidify this fact any more? Still doesn't explain why a company that has been supposedly DDoS'd twice before hasn't taken basic counter measures to stop it from happening again. Doesn't explain how their intranet was affected in ANY manner. The hoax theory does still hold a lot of ground. Who's to say they didn't do it to themselves? Would explain the odd timeframes between press releases and the actual DoS. Couldn't come at a better time for SCO. This came awfully soon after the Dec. 5th decision ordering SCO to show IBM the code in question. A few sites saying "of course it was down, here's proof" doesn't prove very much at all. Even if their ISP says there was a syn flood, doesn't prove that they didn't do it themselves. SCO employees leaving their home computers to syn flood all day while at work isn't that hard to fathom. A couple of places with anecdotal evidence proves nothing to me.
Slashdot never "says" anything though. Slashdot is only a link to other websites that "say something".. am I right? The editors may say something in a comment along with the post, but doesn't the poster mainly say something?
in girum imus nocte et consumimur igni
IIRC, SCO gave a timeframe (12 hours, I believe) for fixing the problem, while the so-called attack was in progress. Doesn't this prove they are lying?
If it weren't for fog, the world would run at a really crappy framerate.
maybe they really do have a DS3 line...
Is it possible that SCOG themselves *FORGED* the "Backscatter" so they could get someone to jump to the conclusion that since there's detectable backscatter, there must have been requests?
Does anyone know in detail whether this kind of reverse DDoS is possible?
Given their track record, i'm sure it wouldn't come as a surprise to anyone if they did.
If your sig is indeed not a troll, let me remind you that copyright infringement is a civil, not a criminal offence, unlike theft which is.
It's proven there was a DDOS, by analysing the destination of SCO's reply's to the DOS.
Nobody has a trace of the origin of the spoofed packages.
It could be Darl himself who spoofed his own server from within the own network.
One fact remains: bad network and/or IT.
For a firm like SCO, they should lose stock, because being incompetent.
Why is it that the SYN flood did not take out the network at the router level, as opposed to a specific server on the Ethernet backbone?
The attack was not significant enough to have that effect. As SCO didn't enable SYN cookies, a very low-bandwidth attack was sufficient to push the server off the net.
I regularly see DoS attacks which just take out a single host and not the entire surrounding network. It's actually the second-most desired scenario (after withstanding the attack completely).
Why on Earth would the attacker(s) suddenly decide to also attack the FTP server?
Why did they decide to attack the web server in the first place?
Maybe they thought that www.sco.com was the only server SCO had on the net, and learnt about ftp.sco.com only after reading the GrokLaw article? This is not as ridiculous as it might seem because even moderately skilled people don't carry out DoS attacks for fun these days, but sell their DDoS botnets for profit. Others use them for blackmail. (As far as I know, these incidents are real and not the fabrication of "security experts", although I haven't witnessed one personally.)
Or lower.
What do IBM grid/clusters do while they are not playing chess/protein folding or gene cracking? Maybe someone accidentally told a master node to go walk through SCO's web site for evidence. I'd suspect that the node could have then found some SCO PR statements. It tried to parse these but discovered, as the rest of us have, seriously illogical statements. Then (without normal human intelligence to disregard SCO PR statements with a laugh) it decided to summon up more compute power to help solve the meaning of SCO PR statements. It then ended up in an endless loop trying to come to a conclusion, trying to find meaning, but failing spectacularly. Just joking IBM.
Why would people have thought that the claims of being DOS attacked were lies in the first place? Nobody thought so the first time around ...
Mod this up!
With the millions of people in the world I don't find it surprising that at least one of them (and that is all it takes) is pissed off enough over SCO's FUD to mount this kind of attack. And more than that I don't give a rip. Does that make me a bad person?
The race isn't always to the swift... but that's the way to bet!
if the network equipment the machine is connected to can't handle the packets per second or the bandwidth and drops, how the hell is any software change going to make a difference?
15,000 pps isn't shit
you are correct though, if the machine manages to stay online, syncookies are great.. but if your entire network goes offline.. good luck
by the way.. what NO ONE here seems to understand is this:
a simple synflood by a home user to a webserver can be easily prevented by syncookies. for anyone to even CARE about a synflood nowadays, it has to be huge. In the case of SCO, it took down their entire network because their network equipment couldn't handle it.. syncookies wouldn't do a damn thing
gah.. yes.. everyone knows what a synflood is and how to prevent it. what you are referring to are examples of how to prevent a simple synflood that only affects one machine.
for anyone to even CARE about a synflood nowadays, it has to be so large that network equipment fails. When SCO's routers went down along with their entire network, syncookies aren't going to do a damn thing
SCO took the obvious and correct course of action, they blocked all SYNs to www.sco.com in their upstream providers.. this keeps their entire network online, but their site www.sco.com will still be offline and there's nothing they can do
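The posts above argue about what SYN cookies can and cannot do: they let a host answer SYNs without keeping per-connection state, so a flood cannot exhaust the half-open backlog, but they do nothing once the upstream links or routers are saturated. The block below is an added example written for this thread, not code from SCO, the kernel, or any poster. It implements the host-side mechanism in the layout D. J. Bernstein described and Linux uses (a 5-bit time counter, a 3-bit MSS index, and a 24-bit keyed hash packed into the initial sequence number), so a SYN-ACK can be sent and later verified from the client's ACK alone. The secret key, the MSS table size and the endpoint addresses are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed secret for this example; a real implementation keeps this
# private and rotates it periodically.
SECRET = b"example-syncookie-secret-not-for-production"

# MSS values the cookie can encode; the index must fit in 3 bits.
MSS_TABLE = [536, 1300, 1440, 1460]

# Seconds per counter tick; cookies from the current and previous tick are
# accepted, everything older is rejected as stale.
COUNTER_PERIOD = 64


def _counter(now):
    return int(now // COUNTER_PERIOD)


def _hash24(saddr, daddr, sport, dport, count):
    # 24-bit keyed hash over the 4-tuple and the time counter.
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Return the 32-bit ISN to place in the SYN-ACK; no state is stored."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i  # largest table entry not exceeding the client's MSS
    t = _counter(now)
    return (((t & 0x1F) << 27)
            | (idx << 24)
            | _hash24(saddr, daddr, sport, dport, t))


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the client's ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF  # ACK acknowledges ISN + 1
    t_bits = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    cur = _counter(now)
    for t in (cur, cur - 1):
        if (t & 0x1F) == t_bits and _hash24(saddr, daddr, sport, dport, t) == h:
            return MSS_TABLE[idx]
    return None  # stale, forged, or for a different 4-tuple


def demo():
    # Constructed endpoints from the documentation address ranges.
    client = socket.inet_aton("203.0.113.5")
    server = socket.inet_aton("192.0.2.80")
    now = 1_000_000.0
    isn = make_cookie(client, server, 40000, 80, 1460, now)
    return {
        "fresh": check_cookie(client, server, 40000, 80, isn + 1, now + 10),
        "stale": check_cookie(client, server, 40000, 80, isn + 1, now + 3 * COUNTER_PERIOD),
        "forged": check_cookie(client, server, 40000, 80, isn + 2, now + 10),
        "wrong_client": check_cookie(socket.inet_aton("203.0.113.6"), server, 40000, 80, isn + 1, now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

Every SYN costs the server one hash computation and one outgoing SYN-ACK, and nothing else is remembered, which is exactly why a flood aimed at a single host is absorbed. It is also why the posters are right that cookies are irrelevant when the link itself is full: the SYN-ACKs still have to leave, and the SYNs still have to arrive through the same saturated equipment.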
A DS3 line is 44 Mb/s each way.
http://ebgp.net/ccc/
I am not sure about the SYN attack, but for sure they are lying about all their code they say they found in linux and have been telling the media about from day one. What they tell the judge is not the same as they tell the media. You can read it all at www.groklaw.net. The website has all the transcription from the courthouse and SCO is saying there that they really don't know what code it is and cannot tell until they get all the source code from IBM AIX and Dynix. But the judge told SCO to bring all the code they say is infringing within 30 days. They never expected to go to court and they are screwed. -Skuggi.
All you had to do was read the article and quote it properly. A DS3 can hold 45 Mb/s in both directions, so 20 Mb/s both ways is about half of a DS3, as you would know if you had RTFA.
Now, to be fair, it is POSSIBLE that SCO was attacked, but---
1: The web server and ftp server are on the same subnet. Ftp.sco.com is at 216.250.128.13, while the web server is at 216.250.128.12. For these to be on different networks would require subnets with 1 host per subnet (not very practical). Since the ftp server was not down for most or all of the alleged attack, it is clear that this was not the result of bandwidth saturation.
2: SCO has stated that their email servers were down but no credible third party corroboration has occurred.
IF (That is a big IF) SCO was attacked, it would have had to be a narrower time frame than they are stating, because such an attack would have taken everything down in their network.
It is also possible that they could have remedied the problem upstream quickly enough that nobody noticed, but decided to play up the story for sympathy reasons.
Either way, SCO is lying about something or is utterly incompetent.
LedgerSMB: Open source Accounting/ERP
Why is this event considered news? Who cares what script kiddies are doing in their spare time. Does news of a denial of service attack have any implication on SCO's claims of ownership of the linux source code?
HA HA
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
they have a deadline!
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=16700474
---snip---
SCO's Internet servers run on a third-party hosting company which -- ironically enough -- uses Linux. SCO claims that it owns the copyright to Linux, and that users who fail to purchase licenses from SCO are violating SCO's intellectual property. Carlon said SCO has not investigated whether its web hosting company has a clean Linux license.
"We have not had discussions with them regarding the license. They have not requested a license, nor have we really gone after them from a licensing perspective," Carlon said.
---snip---
Irony #98756 regarding SCO's Linux lawsuit.
1) Folks were able to connect to the ftp subnet address with no delays. If the bandwidth were saturated by 34,000 packets/sec there should/would have been considerable ftp access delays, if a reply would have been sent at all.
2) The uptime.netcraft chart shows no significant response time hash during the two weeks prior to the 'attack', right up to the instant sco.com was turned off. The Network Telescope graphs of examples of SYN flooding show large response time hash amplitudes during an attack.
3) "Network Telescopes" work on the assumption that the spoofed address of a syn flood packet is bogus, so the possibility exists that a portion of them will cover a range of IP addresses where little or no network traffic can be expected. The bigger the range of unused IP addresses that is monitored the bigger the 'lens' of the "Telescope". This 'back scatter' the telescope 'sees' is the victim's box responding with SYN_ACK packets to the spoofed addresses. The Network Telescope cannot distinguish between true and pseudo backscatter. Pseudo backscatter would be SYN_ACK packets that the 'victim' spews out to random IP addresses to make it look like their site is under attack. They turn off normal SYN_ACK handshaking so the site appears 'down'. While they are doing this on one box other boxes on their subnet will be able to respond to the normal handshake without any undue delay because the number of valid incoming SYN packets remains the same - hence the lack of hash on uptime.netcraft graphs. Someone at SCO monitored GrokLaw to see the effect of their PR predicting a "12 hour outage" and noticed folks mentioning the fact that the FTP site on the same subnet and, according to ARIN the same location, was not experiencing any delays that would be associated with a massive SYN flood attack, especially one at 34,000/sec. According to SCO, not only did the attack knock their site off line, it also messed up their email, internal databases, and their phones!
I believe SCO committed this 'attack' as a pretext to modify their website by removing some pages and adding others. More significant will be the claims they will make later regarding the availability of documents the court has ordered them to produce.
Running with Linux for over 20 years!
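The post above describes how a network telescope infers a SYN flood from backscatter: a victim answering spoofed SYNs sends SYN-ACKs (or RSTs) to random addresses, a fraction of which land in a large unused block that the telescope monitors, and the observed rate is scaled up by the fraction of the address space the telescope covers. The block below is an added example of that analysis, not code from CAIDA, Netcraft, or any poster. It classifies constructed packet records, attributes backscatter to the host that sent it, and extrapolates an attack rate; the telescope prefix, the addresses and the packet sample are all constructed for the example (a real telescope watches a routed but otherwise unused block).

```python
import ipaddress
from collections import defaultdict

# Constructed telescope prefix. Its size sets the scaling factor: a /8 sees
# 1/256 of the IPv4 space, so each observed reply stands for ~256 sent.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
ADDRESS_SPACE = 2 ** 32

# TCP flag combinations a host emits in response to an unsolicited SYN.
# Plain SYNs ("S") into the telescope are probes or scans, not backscatter.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


def is_backscatter(pkt):
    """True if pkt is a reply-type segment addressed into the dark block."""
    return (ipaddress.ip_address(pkt["dst"]) in TELESCOPE
            and pkt["flags"] in BACKSCATTER_FLAGS)


def analyze(packets, window_s):
    """Group backscatter by sender (the presumed victim) and extrapolate.

    Returns {victim_ip: {observed, observed_pps, estimated_attack_pps}}.
    """
    per_victim = defaultdict(int)
    for pkt in packets:
        if is_backscatter(pkt):
            per_victim[pkt["src"]] += 1
    scale = ADDRESS_SPACE / TELESCOPE.num_addresses
    results = {}
    for victim, n in per_victim.items():
        observed_pps = n / window_s
        results[victim] = {
            "observed": n,
            "observed_pps": observed_pps,
            "estimated_attack_pps": observed_pps * scale,
        }
    return results


def constructed_sample():
    """Sixty seconds of constructed telescope capture (not real data)."""
    packets = []
    # A host replying to spoofed SYNs: 600 SYN-ACKs spread across the block.
    for i in range(600):
        dst = "10.%d.%d.%d" % ((i * 37) % 256, (i * 11) % 256, i % 256)
        packets.append({"ts": i * 0.1, "src": "203.0.113.10", "sport": 80,
                        "dst": dst, "flags": "SA"})
    # Noise: a scanner sending plain SYNs into the block (must be ignored).
    for i in range(20):
        packets.append({"ts": i * 3.0, "src": "198.51.100.7", "sport": 44321,
                        "dst": "10.200.0.%d" % i, "flags": "S"})
    # Noise: SYN-ACKs from the same host to a routed address (not visible).
    for i in range(5):
        packets.append({"ts": i * 10.0, "src": "203.0.113.10", "sport": 80,
                        "dst": "192.0.2.9", "flags": "SA"})
    return packets


if __name__ == "__main__":
    for victim, r in analyze(constructed_sample(), window_s=60).items():
        print("%s: %d replies seen, ~%.0f pps observed, ~%.0f SYN/s estimated"
              % (victim, r["observed"], r["observed_pps"],
                 r["estimated_attack_pps"]))
```

The estimate rests on two assumptions the post spells out: that the spoofed source addresses are spread uniformly over the address space, and that every reply the telescope sees was provoked by a real SYN. The code cannot check either, which is the poster's point that a telescope sees only what the observed host chooses to send; corroborating evidence such as reachability of neighbouring hosts on the same subnet, as the ftp.sco.com observation in the post, is what distinguishes a saturated link from a host merely emitting replies.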
SCO's site is down again (since noon).
/.ers are trying to get
/.ers who seek a quick laugh by
Probably because 50 000
the video.
1st: Funny how it always hits them outside of business hours.
2nd: Come on SCO, 5 times a day, someone posts a link to your site on slashdot; to be able to handle this, you need a lot more than one webserver, get a few dozen and a better pipe. I know that you think: We have only one client, so one webserver should do, but you forgot the thousands of reading your site.
If you attack a community, rightly or wrongly, what moron wouldn't expect that community to fight back?
Bleeding SCO dry as quickly as possible may be the only way to end the insanity. The question will be whether this whole situation resolves as a mere survival of the fittest example, or as a true legal precedent setting case that supports the open source and free (as in both beer and libre) software models.