Slashdot Mirror


SCO Not Lying About DoS Attack

Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."

32 of 615 comments

  1. In other news... by kirun · · Score: 5, Informative
    --
    I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
  2. Correct URL by DavidMoore · · Score: 5, Informative

    CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.

  3. ftp? by Unordained · · Score: 2, Informative

    so, all of that speculation about an attack -necessarily- also taking out the ftp server at the same time ... what was up with that? 20mbps isn't enough to fill up a simple 100mbps local network. if the ds3 was their entire pipe, and the ftp server was in there too, you shouldn't have been able to get to the ftp server.

    there's some pipe sizes i wouldn't mind having explained. nice diagram of how one side filled up and the other didn't? completely separate, and people are just dolts?

    it's an honest question, i swear.

    1. Re:ftp? by Mentorix · · Score: 4, Informative

      This claim from Netcraft bugged me since the first time I read it when it was linked to the last SCO story. Let's spend some time debunking it.

      Let us assume that Netcraft's measurements have a resolution of 1 minute, hell, make it 10 seconds. How long do you think it takes for an average zombie machine to start churning out syn packets at full speed? I'd say after maybe a second or two, and I'm being generous. There's a >90% chance the zombies are all receiving commands through IRC or a similar set-up; this adds maybe 2 to 3 seconds to the response time. All in all it's fair to assume that within 5 seconds of the attacker's push of the button all zombies will be spewing syn packets at their maximum rate.

      So in conclusion: any attacker with a sufficient amount of zombies can push an amount of traffic into any network enough to saturate its bandwidth constraints within a mere *5* seconds. There is no reason *at all* why an attack like this should always look like a slow (1 - 10 minute) degradation of network performance; it can be done close to instantaneous.

      Of course depending on your relation with your backbone provider you can always try to block it higher-up. Although, don't be surprised when some attackers actually saturate gigabit links...

      -- Witty saying #52; 404: file not found

  4. DS3 Line stats by Lipongo · · Score: 5, Informative

    The attack was just short of half a DS3 Line.

    DS3 Line = 44.736Mbps for those of you who need a definition

    --
    -Certified TechnoWeinie
  5. Re:T1? by man_of_mr_e · · Score: 5, Informative

    No.

    DS1 is the circuit either a T1 or E1 rides on. E1's are the European equivalent to a T1. DS1 is the raw circuit.

  6. Re:If they know all of this.... by jqh1 · · Score: 4, Informative

    it's said to be a D[istributed]DOS attack -- that means it came from all over, no?

    --
    who's moderating the meta-moderators?
  7. Re:T1? by Anonymous Coward · · Score: 4, Informative

    For the mathematically challenged:
    20mbit up + 20mbit down = 40mbit

    Or 20mbit x 2 = 40mbit

    20mbit comes into the SCO web server a second
    20mbit goes out of SCO web server a second
    Now, how much traffic was there in that second?

    I'm not sure I can make it any clearer.

  8. Re:T1? by duffbeer703 · · Score: 4, Informative

    Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels.

    DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangeably in most conversations.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  9. Re:Then please explain by Zocalo · · Score: 5, Informative
    Because only in el cheapo hosting can you make the assumption that two adjacent IPs are on the same switch. It's quite common for high capacity corporate sites to have a load balancer of some kind in front of them that redirects to other IPs that you never see. Some of the more sophisticated devices even fiddle the TTL and other settings so they are totally invisible and what appears to be a single IP could easily be a distributed cluster of servers in every continent of the globe.

    Provided that the bandwidth to the load balancer did not get saturated in the DDoS, and the attack was targeted at a specific IP, then it is perfectly possible for adjacent IPs to be fine. I and several others pointed this out as a possibility in the original story and either got modded to oblivion or called idiots for it. C'est la vie.

    --
    UNIX? They're not even circumcised! Savages!
  10. Re:T1? by SpyderVR4 · · Score: 4, Informative

    Ummm. No. A DS3 (or T3, or T1 for that matter) is full-duplex. A DS3 supports up to 45 megabits/second in BOTH directions. Read your own link a little more closely... "A DS3 is capable of moving over 5.5 Megabytes per second (45Mbps) in one direction - ***twice that when upload and download performance are combined***."

  11. Re:Slightly OT by Anonymous Coward · · Score: 2, Informative

    Check out: http://www.internettrafficreport.com/main.htm

    It's helpful sometimes.

  12. Re:If they know all of this.... by hypnagogue · · Score: 4, Informative

    .... where did the synflood come from?
    Maybe nowhere. The analysis methodology used could be spoofed by SCO by them running a program on their respective servers that sends out SYN-ACK and SYN-RST to random IP addresses.

    CAIDA would just assume it's a real DDOS attack. Remember "backscatter analysis" analyzes the response from the "target" site. They don't see and cannot prove the existence of the actual SYN flood.
    --
    Liberty you never use is liberty you lose.
  13. Re:Proving my point... by Maserati · · Score: 2, Informative

    That sounds like my reminder to metamoderate. Groklaw is, of course, now carrying an article covering the CAIDA announcement.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  14. denial is the most predictable of human emotions by fw3 · · Score: 5, Informative
    First, by all means mod me down, it's only /.

    Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.

    If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.

    And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.

    Both syn and bandwidth attacks use forged addresses, children (which is why there is backscatter); each incoming syn is from a random IP, the ack goes to the forged addr, not the originator.

    The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed.

    Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
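The two comments above (hypnagogue's and fw3's) describe the CAIDA method only in words: a flood with forged source addresses makes the victim answer SYN-ACKs (or RSTs) to addresses that never asked, and a monitor owning a large unused block sees a sample of those replies. The following is an added illustration, not CAIDA's code or anything from the linked analysis. The log format, the victim address 192.0.2.10, the telescope block 10.0.0.0/8 and every packet in SAMPLE_LOG are constructed for the example. The scaling step assumes the forged sources are spread uniformly over IPv4; an attacker who forges from a narrow range, or who avoids the telescope's block, makes the estimate wrong, and, as hypnagogue notes, the monitor sees only the replies, so this cannot by itself tell a real flood from a host that emits reply-shaped packets on its own.

```python
"""Backscatter inference over a constructed telescope log (added example, not CAIDA's code)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed log lines (not a real capture): "epoch src:sport > dst:dport flags".
# 192.0.2.10 plays the flooded web server; 10.0.0.0/8 plays the unused
# telescope block whose addresses the attacker's forged sources happen to hit.
SAMPLE_LOG = """\
1000.00 192.0.2.10:80 > 10.17.4.9:33001 SA
1000.01 192.0.2.10:80 > 10.200.3.1:41002 SA
1000.02 192.0.2.10:80 > 10.9.9.9:5003 SA
1000.50 192.0.2.10:80 > 10.1.2.3:8804 SA
1001.00 192.0.2.10:80 > 10.33.1.4:20005 SA
1001.10 192.0.2.10:22 > 10.5.5.5:1026 R
1001.90 198.51.100.7:443 > 10.8.1.1:7000 SA
1002.00 10.0.0.1:40000 > 10.2.2.2:80 S
"""

# Only replies count: a SYN-ACK from an open port or a RST from a closed one.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), sip, int(sport), dip, int(dport), flags)


def is_backscatter(pkt, telescope):
    """A reply-type segment addressed into the unused block can only be a
    response to a forged source: nobody in that block sent a SYN."""
    return pkt.flags in BACKSCATTER_FLAGS and ipaddress.ip_address(pkt.dst) in telescope


def infer_attacks(log_text, telescope_cidr="10.0.0.0/8", min_packets=3):
    """Group backscatter by (victim, port) and scale the observed rate up by
    the share of IPv4 the telescope covers: a /8 sees 1 in 256 forged sources
    if they are chosen uniformly, so the victim answers ~256x what we see."""
    telescope = ipaddress.ip_network(telescope_cidr)
    scale = 2 ** telescope.prefixlen          # 2**8 == 256 for a /8
    per_victim = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if is_backscatter(pkt, telescope):
            per_victim[(pkt.src, pkt.sport)].append(pkt.ts)

    report = {}
    for key, stamps in per_victim.items():
        if len(stamps) < min_packets:       # a lone RST is noise, not an attack
            continue
        span = max(stamps) - min(stamps)
        observed_pps = len(stamps) / span if span > 0 else float(len(stamps))
        report[key] = {
            "observed_packets": len(stamps),
            "observed_pps": observed_pps,
            "estimated_victim_pps": observed_pps * scale,
        }
    return report


if __name__ == "__main__":
    for (victim, port), stats in infer_attacks(SAMPLE_LOG).items():
        print(f"{victim}:{port} -> {stats}")
```

On the constructed log the web server's five SYN-ACKs over one second extrapolate to about 1,280 replies per second from the victim; the single RST from port 22 and the stray SYN-ACK from another host fall under min_packets and are ignored. The same filter is what a snort, pf or netfilter log on any idle address block is showing when fw3 says the backscatter of this attack was visible everywhere.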
  15. Actually, it goes deeper than that by klasikahl · · Score: 5, Informative

    In fact... a lot of SYN attacks don't use compromised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P

    So you can use even a secure (but not 100% properly configured) server to launch an attack with... Interesting stuff.

    1. Re:Actually, it goes deeper than that by anthony_dipierro · · Score: 5, Informative

      They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline.

      That wouldn't really be a SYN attack, as the response packets would have SYN and ACK set. It would also be much easier to protect against, as these bogus SYN/ACK packets could be dropped. But most importantly, there wouldn't be any backscatter, and certainly not the backscatter that CAIDA was seeing.

      So you can use even a secure (but not 100% properly configured) server to launch an attack with...

      Improperly configured so as to be able to launch an attack isn't secure. But, I'm really not sure how you could configure a machine not to respond to HTTP requests, anyway. Fortunately, as I mentioned above, this type of attack is much easier to ignore than a true SYN attack.
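anthony_dipierro's point that reflected SYN/ACKs "could be dropped" comes down to one piece of bookkeeping: the victim knows which SYNs it sent, so an inbound SYN-ACK that matches none of them is unsolicited. The following is an added illustration, not code from either poster and not a production firewall (it ignores sequence numbers, timeouts and RSTs); the Segment type, the SynAckFilter class and all traffic in REFLECTION and DIRECT_FLOOD are constructed for the example. It also shows the other half of the argument: the same check gives no handle on a direct SYN flood, because each forged SYN is the first packet of what looks like a new client.

```python
"""Victim-side filter: unsolicited SYN-ACKs vs. a direct SYN flood (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    direction: str  # "out" or "in", relative to the protected host
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S", "SA", "A", ...


class SynAckFilter:
    """Remembers the host's own outbound SYNs; passes a SYN-ACK only if one matches."""

    def __init__(self):
        # (local_ip, local_port, remote_ip, remote_port) still waiting for a SYN-ACK
        self.pending = set()

    def handle(self, seg):
        """Return 'pass' or 'drop'. Outbound SYNs are recorded, never dropped."""
        if seg.direction == "out":
            if seg.flags == "S":
                self.pending.add((seg.src, seg.sport, seg.dst, seg.dport))
            return "pass"
        if seg.flags == "SA":
            key = (seg.dst, seg.dport, seg.src, seg.sport)
            if key in self.pending:
                self.pending.discard(key)
                return "pass"          # reply to a connection we really opened
            return "drop"              # reflected or backscatter: nobody here asked
        return "pass"                  # plain SYNs and data: no prior state to compare against


def classify(stream):
    f = SynAckFilter()
    return [f.handle(s) for s in stream]


# Constructed traffic, not a capture. 192.0.2.10 is the protected host.
REFLECTION = [
    Segment("out", "192.0.2.10", 51000, "198.51.100.5", 443, "S"),  # our own connection attempt
    Segment("in", "198.51.100.5", 443, "192.0.2.10", 51000, "SA"),  # its legitimate reply
    Segment("in", "203.0.113.8", 80, "192.0.2.10", 33801, "SA"),    # reflected: we never sent a SYN there
    Segment("in", "203.0.113.9", 80, "192.0.2.10", 33802, "SA"),
]
DIRECT_FLOOD = [
    Segment("in", "203.0.113.77", 4011, "192.0.2.10", 80, "S"),  # forged-source SYNs look like new clients
    Segment("in", "203.0.113.78", 4012, "192.0.2.10", 80, "S"),
]

if __name__ == "__main__":
    print("reflection:", classify(REFLECTION))    # ['pass', 'pass', 'drop', 'drop']
    print("direct flood:", classify(DIRECT_FLOOD))  # ['pass', 'pass']
```

The reflected SYN-ACKs are dropped while the host's real handshake completes; the two forged SYNs sail through, which is why the direct case needs SYN cookies or a SYN proxy rather than this kind of matching.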

  16. T3 20mbps?? by SQLz · · Score: 2, Informative

    Isn't a T3 bi-directional 45mbps yielding an aggregate of 90mbps?

  17. Re:So they're just incompetent then? by Anonymous Coward · · Score: 3, Informative

    With syncookies.

  18. Re:Something is missing... by Cheeze · · Score: 2, Informative

    probably because the server was flooded, and not their bandwidth. I didn't read the article though, so this could be spelled out better.

    either way, who cares? 20Mbps isn't all that much bandwidth. There's just about no reason that they couldn't have their routers just drop the offending packets.

    i can't believe they didn't have some sort of load balancer or a cluster for their website. I am sure it gets slammed with people after each press release.

    --
    Why read the article when I can just make up a snap judgement?
  19. Re:T1? by fiber_halo · · Score: 2, Informative
    > 20mbit comes into the SCO web server a second
    > 20mbit goes out of SCO web server a second
    > Now, how much traffic was there in that second?

    Half a DS-3. A DS-3 is a full-duplex circuit with a clock speed of 44.736 Mb/s in each direction. On a DS-3 you can use this full 45 Mb/s (minus overhead) in each direction simultaneously. This is unlike a half-duplex ethernet that most non-telecom people are more familiar with -- where it makes sense to add transmit and receive to see how much of the 10 or 100 Mb/s channel is being used.

  20. Re:Bandwidth by anthony_dipierro · · Score: 4, Informative

    Wastes bandwidth sending the replies back, and wastes resources on the host making and sending the replies. Once you've determined a DoS is underway, drop the offending packets and be done with them.

    The whole point of a DDOS is that you can't recognize which packets are the offending ones. Sure, at some point a human is going to look at the situation and say, OK, we're going to shut down this machine until the DDOS has subsided, but it would be stupid to shut down a machine automatically whenever you're getting attacked.

    Wasting bandwidth is irrelevant if you're going to shut down the machine anyway.

  21. 20MBit/sec is not a DS3 line by strobert · · Score: 4, Informative

    DS3 is ~45Mbit/sec bi-directional
    (so 20 is about 44% utilized)

  22. Re:SCO Not lying... by Zocalo · · Score: 4, Informative

    Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server, which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours, so the originator can't have been too smart. A bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?

    --
    UNIX? They're not even circumcised! Savages!
  23. Re:So they're just incompetent then? by Anonymous Coward · · Score: 1, Informative

    Syncookies aren't going to do shit against a 50,000 packet per second attack.

  24. Preventing SYN attacks using a Cisco router by WolfTattoo · · Score: 5, Informative

    I have no idea if SCO is using Cisco routers on their perimeter, but I guess it's not too unreasonable to assume this is a possibility. With a Cisco on the perimeter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.

    Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
    (config)#access-list 151 permit tcp any host
    (config)#ip tcp intercept list 151
    (config)#ip tcp intercept mode intercept

    With Intercept mode enabled, all incoming SYNs are held by the router, which proxy-answers w/syn-ack. Won't forward to server if Ack not received.

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html

  25. A tribute to the integrity of both /. and Groklaw by psykocrime · · Score: 4, Informative

    That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."

    Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."

    To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.

    Good job, guys.

    --
    // TODO: Insert Cool Sig
  26. Re:T1? by mcmaddog · · Score: 4, Informative

    T1 stands for Trunk Level 1 and is a digital transmission link with a total signaling speed of 1.544Mbps. T-1 is a standard for digital transmission in North America (USA & Canada). T-1 is part of a progression of digital transmission pipes - a hierarchy known generically as the DS (Digital Signal Level) hierarchy.
    T1 was originally supplied on two pairs of copper wire (transmit and receive pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but are still digital signals between the PBX and the ILEC/CLEC's phone switch.

    The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.

    **most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.

  27. DS3 capacity correction. by Anonymous Coward · · Score: 1, Informative
    If the contributor had actually RTFA, they would have seen this line in the original article: "A 50,000 packet-per-second SYN flood yields approximately 20 Mbits/second of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 MBits/second). " (emphasis mine)

    In fact, a DS3 has 44.736 Mbits/s capacity each way, though by the time you eat through the framing overhead for ATM, IP, TCP, etc. it's entirely possible to wind up with only 32 Mbits/s usable payload. Sooooo... based on the CAIDA estimates, I'd say SCO had about 2/3 of their available bandwidth tied up by the attack.

    I wasn't actually going anywhere with this. You can leave now.

  28. 50k / second? by StewedSquirrel · · Score: 2, Informative

    Unfortunately, I don't believe even the most robust enterprise class router could handle TCP-Intercept duties on a 50k/second SYN flood.

    Prove me wrong.

    Stewey

    --
    There are 10 kinds of people in the world. Those who understand binary and those who don't.
    1. Re:50k / second? by WolfTattoo · · Score: 2, Informative

      Well, I'm not sure if I can 'prove' it since I've never been unfortunate enough to suffer a serious SYN flood attack on any of the networks I'm responsible for. However, just looking at the literature for the high-end Cisco 12000, it can handle from 2.5Gbps to 40Gbps per slot with a maximum aggregate 750 Mpps (Million packets per second) forwarding capacity. Considering the processor power required for these kinds of loads, I don't think the router itself would have a problem using TCP Intercept to protect against this level of attack. Of course, upstream bandwidth may then become the bottleneck. http://www.cisco.com/en/US/products/hw/routers/ps167/index.html Again, I can't "prove" it one way or the other, but I am fairly certain that today's more industrial strength routers shouldn't have too much difficulty keeping up with these kinds of loads when properly configured. SYN Floods are relatively easy to protect against these days, and there isn't too much processing overhead to determine if SYN packets are unsolicited.
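Comments 17, 23, 24 and this thread argue about syncookies and Cisco's TCP Intercept; both rest on the same trick, so one worked example covers them. Rather than allocating a half-open connection for every SYN, the responder (the host, or a proxying router) packs a coarse timestamp, an MSS choice and a keyed hash of the 4-tuple into the initial sequence number of its SYN-ACK. A client that really exists answers with ACK = cookie + 1; only then is the hash rechecked and state created, so a forged SYN costs nothing but the outgoing SYN-ACK. The following is an added illustration, not Linux's or Cisco's code: it follows the widely used 5/3/24-bit cookie layout, but the secret, MSS table, 64-second tick, and the CookieListener class are constructed for the example.

```python
"""Stateless SYN handling with SYN cookies (added example, not the Linux or Cisco implementation)."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = [536, 1300, 1440, 1460]          # index fits in 3 bits; constructed table
COOKIE_SECRET = b"constructed-example-secret"  # real systems rotate this periodically
COOKIE_WINDOW = 2                             # ticks (of 64 s) for which an ACK stays valid


def _tick(now):
    return int(now // 64) & 0x1F              # 5-bit coarse timestamp


def _mac(saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = struct.pack("!4sH4sHB",
                      ipaddress.IPv4Address(saddr).packed, sport,
                      ipaddress.IPv4Address(daddr).packed, dport, tick)
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def mss_index(client_mss):
    """Largest table entry not exceeding what the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """ISN for the SYN-ACK: [5 bits tick][3 bits MSS index][24 bits MAC]."""
    tick = _tick(now)
    return (tick << 27) | (mss_index(client_mss) << 24) | _mac(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the third handshake packet. Returns the MSS to use, or None if bogus or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((_tick(now) - tick) & 0x1F) > COOKIE_WINDOW:
        return None                            # too old: replayed or very late
    if (cookie & 0xFFFFFF) != _mac(saddr, sport, daddr, dport, tick):
        return None                            # not something we issued for this 4-tuple
    return MSS_TABLE[idx]


class CookieListener:
    """Toy responder: nothing is stored per SYN; a connection exists only after a valid ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}                  # (client_ip, client_port) -> negotiated MSS

    def on_syn(self, saddr, sport, client_mss, now):
        # The returned ISN goes into the SYN-ACK; no half-open entry is created.
        return make_cookie(saddr, sport, self.addr, self.port, client_mss, now)

    def on_ack(self, saddr, sport, ack, now):
        mss = check_cookie(saddr, sport, self.addr, self.port, ack, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


if __name__ == "__main__":
    srv = CookieListener("192.0.2.10", 80)
    isn = srv.on_syn("203.0.113.5", 40000, 1460, now=100000.0)   # constructed client
    print("state after SYN:", srv.established)                   # {}
    print("valid ACK accepted:", srv.on_ack("203.0.113.5", 40000, isn + 1, now=100001.0))
    print("forged ACK accepted:", srv.on_ack("203.0.113.5", 40001, isn + 1, now=100001.0))
```

What this does and does not buy is exactly the split between comments 17 and 23: the listener's table stays empty however many forged SYNs arrive, so the half-open queue cannot be exhausted, but every SYN still provokes a SYN-ACK on the wire. At 50,000 SYNs per second that is the ~20 Mb/s each way in the story, and cookies (or an intercepting router) do nothing about the bandwidth half of the problem; that is where upstream filtering comes in.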

  29. Re:Shoes by krappie · · Score: 2, Informative

    why the hell does everyone keep saying "if their internal network went down, that means their internal network was exposed!"

    that bandwidth has to come from somewhere.. if their network equipment goes down do you expect their internal network to stay online? of course after the attack was blocked by sco's upstream providers the internal network was surely up