SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
whether they're inept enough to leave themselves open to this sort of thing or if they're welcoming DDOS attacks with open arms for one reason or another...
If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
WWJD?
JWRTFM!
It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".
Stay tuned for new sig...
SCO was hit with a 50,000 packet-per-second SYN flood peak
...
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there is another aspect to consider: whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno about you, but I know where my money would go if I had to bet.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Then please kindly explain why the website was still available at http://216.250.128.20/?
Maybe we deserve this world?
Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth of other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it.
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main argument that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
It also doesn't explain why the NetCraft stats show their connection going dead like a switch was flipped.
Even with a SYN flood, there should have been a ramp up period of increasing latency, not an "on/off" situation.
I like you, Stuart. You're not like everyone else, here, at Slashdot.
Maybe there weren't actually any syn packets... how hard would it be to make 700 million ACKs with random destinations and sequence numbers? Doing so would only claim half their bandwidth, leaving them still up but able to cry loudly about being knocked offline by a SYN flood.
But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.
Maybe we deserve this world?
Is it me or these articles do not offer any explanation for "why www.sco.com (216.250.128.12) server is down and ftp.sco.com (216.250.128.13) is still working without any slowdown, even though they are on the same network?"
If they state that all the available bandwidth was consumed by attacks, then all the servers on the network would be unresponsive. So that could not have been a bandwidth issue. Therefore it leaves us with the "SCO is a bunch of incompetent morons" version of the events.
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there are two things which make me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is indeed no distinction to be drawn between the two servers, and so they should have gone down simultaneously.
"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers
That's like reading MSN for unbiased news about M$....
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
The peaks are large, but the majority of the time the load is much lower. 4,000 pps syn flood is under 1.5 Mbit/sec. So plenty of room for other traffic. SCO had both bandwidth problems from having a relatively small pipe and server load from the syn flood.
I saw a lot more in-depth analysis on Groklaw yesterday. I was especially interested in a VERY CLEVER analysis where connections were instant even on their main webserver until the packets reached level 3 of their TCP/IP stack, until SCO woke up to the fact that they were busted and had their ISP block all traffic.
Funnily enough I have just been studying the stack for my CS degree so I followed this line of enquiry with interest. As far as their ftp server stats, I just put this down to the /. and Groklaw effect of people analysing their b*llshit claims.
Maybe this magic telescope of theirs can find their stolen IP for them. I would love them to try and use this as an excuse to avoid discovery. (Sorry your honour, but those GNU/Linux Commies destroyed all our proof.)
Red eyes at night, hackers' delight. Red eyes in the morning, professors' warning.
Okay, I'm willing to accept they were DDoSed. An upstream provider blocking it at the router level makes sense too. But I'm still not willing to accept that SCO isn't lying. What about their Intranet being brought down by this? What about the customer support services being brought down? This could be caused by gross incompetence, an inside job, or complete and utter lies. Choose one, none are flattering to any company, especially one that claims to sell an 'enterprise class' operating system.
I used up all my sick days, so I'm calling in dead.
That is what one gets when one keeps crying wolf!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
All data is speech. All speech is Free.
The "attack" did not come from any open-source sympathizers.
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutely disgusting that SCO can get positive publicity for this nasty little stunt.
You realize that netcraft runs FreeBSD, right?
Not Free(as in beer). Free(as in "I'm free to beat you over the head for being a dumbass")
There's also the fact that some HTML doctypes on sco.com changed from 4.01 to XHTML during the outage. That's the sort of thing that happens in a scheduled upgrade, not an attack. There may have been a real DDOS (after all, Microsoft presumably has its own backdoors in windows, eh?) But SCO appears to have had foreknowledge of it. Who the hell puts out slick press releases talking up the severity of the attack while the attack is on going? That's not the behaviour of a normal company.
Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Waiting for enlightenment...
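The two technical questions in this thread, how many Mb/s a given SYN rate actually costs (the 50,000 pps and 4,000 pps figures above) and whether SYN-ACK backscatter can exist when nothing is answering behind the attacked address, can both be checked against a packet log. The script below is an added example written for this page, not code from the thread, CAIDA or Netcraft; the victim address 192.0.2.10 (TEST-NET-1), the 40-byte SYN size, the `Packet` record format and the synthetic traffic are all assumptions constructed for the demonstration.

```python
"""Added example: detect a SYN flood in a packet log, convert the peak
rate to line bandwidth, and measure SYN-ACK backscatter from the victim."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as a packet logger might record it (constructed format)."""
    ts: float     # seconds since start of capture
    src: str
    dst: str
    flags: str    # "S" = SYN, "SA" = SYN-ACK
    length: int   # bytes of IP + TCP headers and payload


VICTIM = "192.0.2.10"  # assumed address from TEST-NET-1, not a real host


def bandwidth_mbps(pps, bytes_per_packet):
    """Line rate, in Mb/s, needed to carry `pps` packets of the given size."""
    return pps * bytes_per_packet * 8 / 1e6


def syn_rate_per_second(packets, victim):
    """Inbound SYNs addressed to `victim`, bucketed by whole second."""
    counts = Counter()
    for p in packets:
        if p.dst == victim and p.flags == "S":
            counts[int(p.ts)] += 1
    return counts


def detect_syn_flood(packets, victim, threshold_pps):
    """Seconds in which the inbound SYN rate reached the threshold."""
    rates = syn_rate_per_second(packets, victim)
    return sorted(sec for sec, n in rates.items() if n >= threshold_pps)


def backscatter_ratio(packets, victim):
    """SYN-ACKs sent by `victim` divided by SYNs it received.

    Close to 1.0: the host answers every (spoofed) SYN, so the flood costs
    bandwidth in both directions.  Close to 0.0: nothing behind that address
    is answering, so no backscatter from it should be observable anywhere.
    """
    syns = sum(1 for p in packets if p.dst == victim and p.flags == "S")
    synacks = sum(1 for p in packets if p.src == victim and p.flags == "SA")
    return synacks / syns if syns else 0.0


def synthetic_capture(victim, baseline_pps, flood_pps, flood_seconds, answered, seed=1):
    """Constructed sample traffic: one quiet second, then a spoofed-source flood."""
    rng = random.Random(seed)
    pkts = []
    for i in range(baseline_pps):            # second 0: a few legitimate clients
        src = f"198.51.100.{i + 1}"
        ts = i / baseline_pps
        pkts.append(Packet(ts, src, victim, "S", 40))
        pkts.append(Packet(ts + 0.001, victim, src, "SA", 40))
    for sec in range(1, flood_seconds + 1):  # flood: random spoofed sources
        for i in range(flood_pps):
            src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
            ts = sec + i / flood_pps
            pkts.append(Packet(ts, src, victim, "S", 40))
            if answered:                     # host alive: SYN-ACK backscatter
                pkts.append(Packet(ts + 0.0001, victim, src, "SA", 40))
    return pkts


def summarize(packets, victim, threshold_pps=500):
    """Peak SYN rate, flooded seconds, inbound Mb/s at peak and backscatter."""
    rates = syn_rate_per_second(packets, victim)
    peak = max(rates.values(), default=0)
    return {
        "peak_syn_pps": peak,
        "flood_seconds": detect_syn_flood(packets, victim, threshold_pps),
        "inbound_mbps_at_peak": bandwidth_mbps(peak, 40),
        "backscatter_ratio": backscatter_ratio(packets, victim),
    }


if __name__ == "__main__":
    alive = synthetic_capture(VICTIM, 5, 1000, 2, answered=True)
    gone = synthetic_capture(VICTIM, 5, 1000, 2, answered=False)
    print("host answering:", summarize(alive, VICTIM))
    print("host silent   :", summarize(gone, VICTIM))
    print("50,000 pps of ~50-byte SYNs:", bandwidth_mbps(50_000, 50), "Mb/s each way")
```

The bandwidth figure only counts the inbound SYNs; when the host is still up and replying, the same rate of SYN-ACKs flows back out, which is what "each way" means in the summary. A backscatter ratio near zero for an address that is supposedly under attack is the check a defender would run on the capture before believing that a live machine was behind it.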
Sites get attacked every day. Yahoo.com had its share of attacks back in the day and so did any number of sites.
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discourage this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflect the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the world for everything because, in his mind, they have "won" and that is their "reward".
So you see... I believe that, while it's unfortunate that SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure their site better.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
Especially one that claims law enforcement is looking into it. Generally in these cases, you don't want to spook the attacker until the authorities can track him/her down. The press release just gives the attacker forewarning so he/she can start covering up their tracks.
I used up all my sick days, so I'm calling in dead.
Maybe they should outsource their hosting..to, oh, say...the admins at Lindows.com?
I do find it amusing (and quite possibly ironic), though, that you host an IRC server, and yet don't mention the fact that IRC is the main channel for zombie attacks.
You mention the router as the 'suffer'ing entity. Well, the router is designed to route packets. That's what it does, and it does it well.
It's layer 8 that causes the problems...and those problems are augmented by layer 8 making calls into layer 7.