SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
... where did the SYN flood come from?
Jaysyn
There is a war going on for your mind.
The only result of this kind of attack will be tarnishing of the image of Open source developers. But, there is nothing much anyone can do about it.
New year Resolution: Don't change sig this year
SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?
I'd rather see these two sites get taken down more than SCO.
Or to put it another way, they weren't lying, they're just stupid?
Serve Gonk.
Everyone gets DoS'd, they should be happy it stopped.
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncture, I don't think it really matters because of the simple fact we don't know what SCO is up to, and with everything going on we have lost faith in SCO.
Attack or no attack is a trivial question compared to what we really know about SCO and their business practices.
SCO freaking what!
Why on earth did SCO respond to 700 million SYN packets? If there was even a moderate level of SYN protection turned on they would have just dropped the majority of those packets, and the bandwidth usage would be half.
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villains.
I'd buy that one.
I said yesterday, Groklaw (a *LAW* site) was not an authority on computer attacks.
I was mod'ed troll.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Except for the fact they said it was 20 each way, making it a total of around 40.
Since a DS3 would be 45 Mb each way, it is still less than half.
This still doesn't add up. If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack? Here's what I get:
ftp.sco.com has address 216.250.128.13
www.sco.com has address 216.250.128.12
They have neighboring IP addresses. There isn't enough room for a broadcast address between them so they have to be on the same subnet. If they're not on the same subnet then this must be some newfangled magical technology that allows them to break up subnets in a new way without sacrificing an address for the broadcast. Translation: they're still lying. On the other hand, why should I care? This company is abusing the US legal system and costing me money through the waste of my tax dollars. I'm not saying this is the proper way to respond, but hell, I still don't believe that the situation was the way SCO described it anyway.
My Slashdot account is old enough to drink...
I don't see anything in your logic that says it couldn't be a combination of one from column 'A' and one from column 'B'.
I would personally go with 1 particularly stupid monkey and 1 sucker paid by SCO.
www.lucernesys.com Horizon: Calendar-based personal finance
Why is this rated interesting? That's a childish argument...
So what you're saying is, if law enforcement fails to perform their duties in one case, then as a result they should just quit, and not do anything at all?
Because Hitler killed millions in the '30s and '40s, and nobody did anything to stop him, we should therefore do nothing to prevent the massacres occurring in Nigeria and elsewhere at the present moment?
Do you see how what you've said is utterly ridiculous?
They are also going to say that it was caused by Open Source software... and how they are a threat to national security.
Life is not for the lazy.
Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.
"Sufferin' succotash."
One other possibility for your second list: The vandal determined that the SCO server is vulnerable to a SYN flood and made use of that knowledge. I have no direct knowledge on these matters, but I suspect it's easier to set up a SYN flood attack than something more subtle.
Why spend time jimmying the back window if the door is open?
The United States of America: We mean well.
And just what do these childish OS hackers expect to gain from this? It is not like it is going to change anything. Yes, they are suing people using Linux. But that's one of the problems with open source. If there is a legal issue with the code then it's your problem. That is one of the great things about Microsoft. At least when you are using their software, you know that you will have Microsoft's army of lawyers to defend any legal issues there may be with the code. Which is cheaper, buying Windows, or spending months in trial?
My ass they will. If I can prove without a shadow of a doubt that Microsoft has included my patented and copyrighted code in Office 2003, and I start suing end users (you) directly for it, do you honestly believe that Microsoft is going to come defend you?
The only thing Microsoft will defend is themselves and their revenue stream.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Actually, what bothers me is:
They tracked that SCO was sending OUT X million responses to the DoS attack. They should track the packets that go IN too. Or... were they originating from inside and faking outside, which is not hard to do???
Please somebody start a site with HOWTO - SYN PROTECTION FOR SCO or HOWTO MAKE A SIMPLE FIREWALL
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
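The "moderate level of SYN protection" asked about a few posts up, and the HOWTO this post asks for, both come down to the same technique: SYN cookies (Bernstein and Eriksen, 1996; on Linux it is the net.ipv4.tcp_syncookies sysctl). Instead of allocating a half-open connection entry for every SYN, the server encodes a keyed hash of the 4-tuple, a coarse time counter and the client's MSS into the SYN-ACK's initial sequence number, keeps nothing, and reconstructs the connection only when a real client echoes that number back in its ACK. The example below is added here as an illustration and is not code from the thread, from CAIDA or from any TCP stack; the bit layout, the MSS table, the secret and the addresses (RFC 5737 documentation ranges) are all constructed for the demonstration. One caveat the post's "bandwidth usage would be half" glosses over: cookies remove the state exhaustion, but the server still answers every SYN with a SYN-ACK, so the reply traffic only goes away if SYNs are dropped or filtered upstream.

```python
import hashlib
import hmac
import os

# Constructed per-process secret; a real stack rotates it periodically.
SECRET = os.urandom(32)
# Constructed MSS table: the ISN has room for only a 2-bit index, so the
# client's MSS is rounded down to one of these values.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_BITS, MSS_BITS, HASH_BITS = 6, 2, 24
MAX_COOKIE_AGE = 1  # accept cookies minted in the current or previous counter slot


def _mac(src, dst, sport, dport, counter):
    """Keyed hash over the 4-tuple and time slot, truncated to HASH_BITS."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def _mss_index(mss):
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(src, dst, sport, dport, mss, counter):
    """ISN to send in the SYN-ACK. Nothing is stored per connection."""
    counter_field = (counter & ((1 << COUNTER_BITS) - 1)) << (MSS_BITS + HASH_BITS)
    mss_field = _mss_index(mss) << HASH_BITS
    return counter_field | mss_field | _mac(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, counter_now):
    """Validate the client's final ACK. Returns the MSS to use, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> (MSS_BITS + HASH_BITS)
    idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    tag = cookie & ((1 << HASH_BITS) - 1)
    age = (counter_now - counter) & ((1 << COUNTER_BITS) - 1)
    if age > MAX_COOKIE_AGE:          # stale, or a counter value from the future
        return None
    expected = _mac(src, dst, sport, dport, counter)
    if not hmac.compare_digest(tag.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


class NaiveBacklog:
    """Classic half-open queue: every SYN holds a slot until its ACK or a timeout."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}

    def on_syn(self, key):
        if len(self.half_open) >= self.capacity:
            return False  # queue full: the SYN is dropped and legitimate clients stall
        self.half_open[key] = True
        return True


def simulate_flood(n_syns, capacity=256):
    """Spoofed SYNs that never complete. Returns (SYNs the naive queue could take, cookies issued)."""
    backlog = NaiveBacklog(capacity)
    accepted = issued = 0
    for i in range(n_syns):
        src, sport = f"203.0.113.{i % 250}", 1024 + i   # constructed spoofed sources
        if backlog.on_syn((src, sport)):
            accepted += 1
        make_cookie(src, "192.0.2.10", sport, 80, 1460, counter=7)
        issued += 1                                     # cost: one hash, zero state
    return accepted, issued


def legit_handshake(counter_at_syn, counter_at_ack):
    """A client that really saw the SYN-ACK echoes cookie+1 and is let through."""
    c, s = "198.51.100.23", "192.0.2.10"
    isn = make_cookie(c, s, 40000, 80, 1460, counter_at_syn)
    return check_cookie(c, s, 40000, 80, (isn + 1) & 0xFFFFFFFF, counter_at_ack)


if __name__ == "__main__":
    print("flood of 10000 SYNs:", simulate_flood(10000))
    print("honest client, same slot:", legit_handshake(7, 7))
    print("honest client, two slots late:", legit_handshake(7, 9))
```

The counter slot is whatever coarse clock the stack uses (the model passes it in explicitly so the behaviour is reproducible); an ACK whose cookie is more than one slot old, or whose hash does not match the 4-tuple, is dropped without any lookup, which is why a spoofed flood costs the server a hash per packet and nothing else.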
How does a backscatter analysis prove that the site was attacked from the outside? The first thing a "wanna be victim" would do when faking an attack is to make sure that the effect can indeed be measured from the outside.
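To make concrete what a backscatter analysis like CAIDA's does and does not see: a SYN sent with a spoofed source draws the victim's SYN-ACK (or RST) back to that spoofed address, and if the spoofed sources are spread uniformly over the IPv4 space, a passively monitored block of unused addresses (a "network telescope") receives a fixed fraction of those replies, 1/256 of them for a /8. Counting the replies and scaling up estimates the victim's response rate; at the 50,000 pps quoted in the story a /8 telescope would see about 195 reply packets per second. The example below is an added illustration, not CAIDA's code or data: the telescope prefix, the window and the packets are all constructed. It also shows the limit this post is pointing at: the telescope only sees the victim's replies, so it measures that the victim was answering SYNs it did not solicit, not where those SYNs came from.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed: pretend this /8 is unused, passively recorded address space.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
WINDOW_SECONDS = 60
# Replies to unsolicited SYNs: SYN-ACK for an open port, RST for a closed one.
# Bare SYNs arriving at the telescope are scans, not backscatter.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def is_backscatter(p):
    return p.flags in BACKSCATTER_FLAGS and ipaddress.ip_address(p.dst) in TELESCOPE


def estimate_victims(packets, window=WINDOW_SECONDS):
    """Group backscatter by sender (the flood victim) and scale the observed rate
    by 2^32 / telescope size, i.e. assume uniformly spoofed sources."""
    per_victim = defaultdict(lambda: {"packets": 0, "dsts": set(), "ports": Counter()})
    for p in packets:
        if not is_backscatter(p):
            continue
        v = per_victim[p.src]
        v["packets"] += 1
        v["dsts"].add(p.dst)
        v["ports"][p.sport] += 1      # the victim's port is the attacked service
    scale = 2 ** 32 / TELESCOPE.num_addresses
    report = {}
    for victim, v in per_victim.items():
        observed_pps = v["packets"] / window
        report[victim] = {
            "observed_pps": observed_pps,
            "estimated_victim_pps": observed_pps * scale,
            "distinct_dsts": len(v["dsts"]),
            "attacked_port": v["ports"].most_common(1)[0][0],
        }
    return report


def constructed_capture():
    """Constructed sample: 30 SYN-ACKs from a victim web server to scattered
    telescope addresses, plus two packets that must not be counted."""
    pkts = []
    for i in range(30):
        # spread the replies over the /8 the way uniformly spoofed sources would
        dst = str(TELESCOPE[(i * 2654435761) % TELESCOPE.num_addresses])
        pkts.append(Packet("192.0.2.10", dst, 80, 1024 + i, "SA"))
    pkts.append(Packet("198.51.100.7", "10.1.2.3", 40000, 22, "S"))     # a port scanner
    pkts.append(Packet("192.0.2.10", "203.0.113.5", 80, 50000, "SA"))   # a real reply, outside the telescope
    return pkts


if __name__ == "__main__":
    for victim, r in estimate_victims(constructed_capture()).items():
        print(victim, r)
```

The distinct-destination count is the sanity check a practitioner adds: genuine backscatter lands on many unrelated telescope addresses, while a misconfigured host retrying one peer produces a high packet count against a single destination. Neither figure tells you whether the SYNs originated outside the victim's network, which is exactly the gap this post raises.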
The Slashdot headline was "Security Experts Doubt SCO's Claims of DoS"...well there are lots of "experts" around here it seems, and they all thought it was a PR stunt.
How anyone could see PR value in this is beyond me.
The opinions that matter to SCO are those of the people who control the purse strings at companies who use Linux heavily. They are not about to jack in Linux/pay up because some script kiddies were playing games.
It just doesn't make sense that a company would fake a DDoS attack.
Missed this headline which is identical to the title of the story on Groklaw. Still, it was the "SCO is completely screwed and can never win" dittoheads that ran away with the idea that the DDOS was a hoax, not the Slashdot editors. (However I'm sure there's some overlap between the groups. 8)
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
"Do you see how what you've said is utterly ridiculous?"
Why? What he says is perfectly reasonable. Law enforcement has, time and time again, failed to go after DoS attackers. Even where there's clear and unambiguous evidence, right down to the very names and addresses of the people running the attack.
Should they give up and go home? Well from all appearances, they already have. As far as everyone else is concerned, the FBI computer crime division is completely fictional. If they don't even lift a finger to investigate when the very electronic infrastructure of the United States is under serious and prolonged and deliberate attack, then of what use are they?
Email is becoming unusable. I got 355 emails advertising wire fraud and illegal drugs yesterday alone. Millions of computers are infected, and attacking critical infrastructure. Spammers are writing viruses and stealing credit cards and hijacking IP ranges and domains every day, and we expect the FBI to suddenly wake up and respond to an easily prevented attack on SCO?
I believe it's a knee-jerk reaction to the threat that SCO is posing to Linux and the GPL, combined with its public record of lying. The history of Unix is a tangle that Gordius of Phrygia would be satisfied with. Interpreting IBM's rights amid the confusing welter of licenses and side agreements will not be easy, and the outcome is not so tidily in the bag as some seem to hope. PJ at Groklaw has provided lots of useful and interesting research. I read Groklaw daily. But it's obvious that Groklaw is also an advocacy site, among other things, much as Slashdot is. I worry that PJ's biases might lead her to miss important information from time to time. Since I'd like to see SCOG fail and be ground into the earth by IBM, I'd prefer she had the clearest vision possible.
I have no evidence that Groklaw is missing tricks due to bias. It's just a worry of mine. The "SCO must be lying" bias at Groklaw and here is unmistakable, however.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
All this happens, and then SCO suddenly becomes 'victimized by all these EVIL Open Source people', virtually guaranteeing the press won't report on SCO's other misfortune because it's 'unimportant' compared to this. Moreover, they get to make Open Source people look like terrorists and bad people, and try to make it look like people should not be using software developed by these 'evil people'.
I used up all my sick days, so I'm calling in dead.
Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
This will probably be marked as Troll/Flamebait for whatever reason, but in all honesty they deserve it and brought it upon themselves.
SCO is flat out jerking the US legal system with these far out LIES and no one's doing anything about it... so DDoS away!
Hopefully they'll soon learn the error of their ways... or worse things shall happen! Only time will tell.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
You know, I hate SCO as much as the next guy, but what I hate more are the fools pulling off these attacks. They give me, and the linux side a bad name. A few silly individuals who are nothing more than vandals can create a widescale negative view that "those crazy linux zealot hackers are a bunch of immature brats who DOS people they don't like". Sure, intelligent people don't make this association, but since when has the general idiot consensus not been a large force to be reckoned with?
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
This is so obvious it's not even funny.
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I know there are "Open Source people" who could and/or would stoop so low as to mount a DDoS attack on SCO. However, the fact that SCO's site isn't getting DDoSed all the time is a fairly good indicator that this 'undesirable element' is in the minority. There are a few of these kinds of jackasses in any crowd, and I wouldn't be surprised if SCO unknowingly had one or two in their midst.
I used up all my sick days, so I'm calling in dead.
Even though DDoS attacks are a misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too: claiming ownership of chunks of a kernel without showing any proof, and not waiting for the outcome of a court case.
:)
The damage they have caused companies involved in Linux far outweighs a bit of network outage, unless they suffer a major loss, since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope.
Link to 80% statistic
How much more glory can you get than bitch slapping a huge headliner corporate in such a devious way that the security experts are fooled into believing the subject of the attack is making it all up!!
The SYN flood attack was so large that it brought down much of SCO's network by maxing out its network equipment. Yes, at first this would take down many machines. But SCO's first course of action would be to block all SYNs to that IP at their upstream providers.
Afterwards, their entire network is back online except for that one IP. They can change the site's IP to any other IP and it should be fine.
make sense?
Now, to be fair, it is POSSIBLE that SCO was attacked, but---
1: The web server and ftp server are on the same subnet. ftp.sco.com is at 216.250.128.13, while the web server is at 216.250.128.12. For these to be on different networks would require subnets with 1 host per subnet (not very practical). Since the ftp server was not down for most or all of the alleged attack, it is clear that this was not the result of bandwidth saturation.
2: SCO has stated that their email servers were down but no credible third party corroboration has occurred.
IF (That is a big IF) SCO was attacked, it would have had to be a narrower time frame than they are stating, because such an attack would have taken everything down in their network.
It is also possible that they could have remedied the problem upstream quickly enough that nobody noticed, but decided to play up the story for sympathy reasons.
Either way, SCO is lying about something or is utterly incompetent.
LedgerSMB: Open source Accounting/ERP
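The adjacent-address argument made twice in this thread (the "no room for a broadcast address" post and point 1 of the post above) can be checked mechanically, and doing so also shows what it does and does not prove. The two addresses quoted, 216.250.128.12 and 216.250.128.13, share a /31; under the classic rule that a block spends its first address on the network and its last on broadcast, the smallest block in which both are usable hosts is a /29, while RFC 3021 allows a /31 to carry exactly those two hosts on a point-to-point link. Either way they are on one subnet, as both posters conclude. The caveat is the one the "block all SYNs to that IP upstream" post supplies: an upstream null-route of the flooded /32 leaves the neighbouring address reachable, so reaching ftp.sco.com during the attack is consistent with both a saturated link that was later filtered and with no saturation at all. This is an added example and not code from the thread; only the two addresses come from the page.

```python
import ipaddress

# The two addresses quoted in the thread.
WWW = "216.250.128.12"
FTP = "216.250.128.13"


def smallest_common_network(a, b):
    """Longest prefix whose block contains both addresses."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return net


def is_usable_host(ip, net, rfc3021=False):
    """Classic rules reserve the network and broadcast addresses;
    RFC 3021 lets a /31 use both of its addresses as hosts."""
    ip = ipaddress.ip_address(ip)
    if net.prefixlen == 32:
        return ip == net.network_address
    if net.prefixlen == 31:
        return rfc3021 and ip in net
    return ip in net and ip not in (net.network_address, net.broadcast_address)


def usable_hosts(cidr, rfc3021=False):
    """Host addresses of a (small) block, as strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net if is_usable_host(h, net, rfc3021)]


def smallest_subnet_with_both_hosts(a, b, rfc3021=False):
    """Widen from the longest common prefix until both addresses are usable hosts.
    Membership tests only, so very large blocks are never materialised."""
    net = smallest_common_network(a, b)
    while net.prefixlen > 0:
        if is_usable_host(a, net, rfc3021) and is_usable_host(b, net, rfc3021):
            return net
        net = net.supernet()
    return net


def reachable(addr, blackholed_cidrs):
    """True unless the address falls inside a prefix the upstream is dropping."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in ipaddress.ip_network(c) for c in blackholed_cidrs)


if __name__ == "__main__":
    print("longest common prefix:", smallest_common_network(WWW, FTP))
    print("classic smallest subnet:", smallest_subnet_with_both_hosts(WWW, FTP))
    print("with RFC 3021 /31s:", smallest_subnet_with_both_hosts(WWW, FTP, rfc3021=True))
    print("hosts of the classic block:", usable_hosts("216.250.128.8/29"))
    # Hypothetical upstream null-route of only the flooded address.
    print("www reachable:", reachable(WWW, [WWW + "/32"]))
    print("ftp reachable:", reachable(FTP, [WWW + "/32"]))
```

Run against real targets, the same two checks (longest common prefix, then whether one address is individually blackholed) are how you would tell "the whole DS3 was saturated" apart from "one /32 was dropped upstream" from the outside: a traceroute that dies at the same upstream hop for the one address but not its neighbour points at the filter, not the link.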