Slashdot Mirror
SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
poor little darl..... :)
. . . that's just the slashdot effect. . .
Great! now they get headlines simply by *not* lying
We all know that SCO paid this security expert to say SCO was attacked...they are trying to make the OSS community look bad!
.... where did the synflood come from?
Jaysyn
There is a war going on for your mind.
Ha-ha!
Quick! Someone start knitting Satan a sweater!
libertarianswag.com
whether they're inept enough to leave themselves open to this sort of thing or if they're welcoming DDOS attacks with open arms for one reason or another...
Oops, oh well. SCO still sucks.
What if SCO orchastrated this themselves? It wouldn't be hard for them to attack themselves and then play sick.
puts ("Python r0cks\n");
The only result of this kind of attack will be tarnishing of the image of Open source developers. But, there is nothing much anyone can do about it.
New year Resolution: Don't change sig this year
SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?
I'd rather see these two sites get taken down more than SCO.
Well hell, I could have sworn that said T1 when I read it; but it's still more like half a DS-3 than all of it.
What?
If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
WWJD?
JWRTFM!
Well I guess the lying or incompetent question has been settled.
You say
this isnt suprising in the slightest
It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".
Stay tuned for new sig...
Or to put it another way, they weren't lying, they're just stupid?
Serve Gonk.
...SCO Must Prove Existence Of Santa Claus in Thirty Days
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Everyone gets DoS'd, they should be happy it stopped.
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncter, i don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.
Attack or No attack is a trivial question compared to what we really know about SCO and there business practices.
SCO freaking what!
Are they sure it wasn't a SIN flood?
Last I checked a T1 was 1.544 mbps up and down; this would be more like the equivalent of half of a T3.
for all you dummies like me who thought, "T3? they never mentioned a T3"....DS3 = T3
Drill baby drill - on Mars
CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.
Why on earth did SCO respond to 700 million syn packets? if there was even a moderate level of syn protection turned on they would have just droped the majority of those packets. and the bandwith usage would be half.
Is there any site that you can go to to see what traffic loads are currently like on the major backbones and ISPs? My connection has been really slow for a couple of days, and I'm wondering if it's just my connection or if there's some huge DDoS going on right now....
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villans.
I'd buy that one.
so, all of that speculation about an attack -necessarily- also taking out the ftp server at the same time ... what was up with that? 20mbps isn't enough to fill up a simple 100mbps local network. if the ds3 was their entire pipe, and the ftp server was in there too, you shouldn't have been able to get to the ftp server.
there's some pipe sizes i wouldn't mind having explained. nice diagram of how one side filled up and the other didn't? completely separate, and people are just dolts?
it's an honest question, i swear.
They should claim ownership of all IP stacks and charge threaten to sue for damages of $0.99 for each and every packet sent from an unlicensed stack.
-- Fighting mediocrity one bad post at a time.
SCO was hit with a 50,000 packet-per-second SYN flood peak
...
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there are another aspect to consider : whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno for you, but I know where my money would go if I had to bet
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I said yesterday, Groklaw (a *LAW* site) was not an authority on computer attacks.
I was mod'ed troll.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
The attack was just short of half a DS3 Line.
DS3 Line = 44.736Mbps for those of you who need a definition
-Certified TechnoWeinie
Then please kindly explain why the website was still available at http://216.250.128.20/ ?
Maybe we deserve this world ?
No.
DS1 is the circuit either a T1 or E1 rides on. E1's are the european equivelent to at T1. DS1 is the raw circuit.
If you need web hosting, you could do worse than here
For the mathematically challenged:
20mbit up + 20mbit down = 40mbit
Or 20mbit x 2 = 40mbit
20mbit comes into to SCO web server a second
20mbit goes out of SCO web server a second
Now, how much traffic was there in that second?
I'm not sure I can make it any clearer.
That just means they're incompetent. They should have had the company's internal network separated from their "outside" network (ftp, web servers, etc). They knew they were going to be the targets of these attacks, why didn't they purchase more bandwidth? They're swimming in $50 million dollars from that Canadian bank, why not spend a million on their network? After all, they are SUPPOSED to be a software company, and you would think a software company with half a collective brain would be able to ride out a DDOS.
Oh well, SCO will be gone in less than a month, so we won't have to bother with this anymore...
Not :ZZ...just ZZ :)
...and by consuming all of the bandwidth of the network connecting the servers to the Internet. The current attack successfully blocked access to SCO web and ftp servers.
Actually, there seems to be something wrong here. During the attack, while I could not get to their web server, I found that their FTP server was much more responsive than most ftp servers I use. This means that they has some (lots?) bandwidth available.
Opus: the Swiss army knife of audio codec
eems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main arguement that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
No, I don't this this is an American vs Europe thing. There is some subtle difference in aspect between using DS-X instead of T-X; I've never found a telco engineer who could explain it to me, but it's probably my own ignorance.
Wil
wiki
Information on how to stop SYN attacks has been available for ages.
Yeah, right.
Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels.
DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangably in most conversations.
Conformity is the jailer of freedom and enemy of growth. -JFK
No, it's more like the full capacity because the traffic was 20Mb/s in each direction. The DS3/T3 bandwidth is 45Mb/s, in one direction.
Complexity is Easy. Simplicity is Hard.
A T-1 has a capacity of 1.544 Mbps. An E-1 has a capacity of 2.048 Mbps. Why are they different? Who knows.
There have been more attacks on SCO
DVD Ripping, Divx, VCD, SVCD under Linux
Excellent!
My question is this: What are all those lines and numbers for?
What?
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
SCO still sucks.
Short yet inspired.
I blame the French.
My home server is tighter than that!
P.S. - But please don't try to prove me wrong!
This still doesn't add up. If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack? Here's what I get:
ftp.sco.com has address 216.250.128.13
www.sco.com has address 216.250.128.12
They have neighboring IP addresses. There isn't enough room for a broadcast address between them so they have to be on the same subnet. If they're not on the same subnet then this must be some newfangled magical technology that allows them to break up subnets in a new way without sacrificing an address for the broadcast. Translation: they're still lying. On the other hand, why should I care? This company is abusing the US legal system and costing me money through the waste of my tax dollars. I'm not saying this is the proper way to respond, but hell, I still don't believe that the situation was the way SCO described it anyway.
My Slashdot account is old enough to drink...
Hey Mods, the link in the grandparent is real information and actualy is "informative". Don't listen to this coward.
US Democracy:The best person for the job (among These pre-selected choices...)
But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack ? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.
Maybe we deserve this world ?
Interresting information in the Backscatter movie. I'd always wondered how DoS and DDoS attacks occur. It still leaves me with questions, though.
I assume that since the backscatter is so broad that it doesn't affect the presumed sender MUCH, but it does do damage to the them, no? After all, they now have to pay for, and attempt to distribute, responses to false information, correct? If so, DDoS attacks are much more of a bitch move than I'd originally thought.
My other question was wether or not DDoS attacks can physically damage the victim's machine. I'd assumed it couldn't and that the 'their servers must be in a melted, smoking mound by now!' jokes were just that, but I always wanted to ask anyway. Would someone be kind enough as to enlighten me a bit more?
Thanks
fs
Is it me or these articles do not offer any explanation for "why www.sco.com (216.250.128.12) server is down and ftp.sco.com (216.250.128.13) is still working without any slowdown, even though they are on the same network?"
If they state that all the available bandwith was consumed by attacks, then all the servers on the network would be unresponsive. So that could not have been a bandwidth issue. Therefore it leaves us with "SCO is a bunch on incompitent morons" version of the events.
Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.
"Sufferin' succotash."
Ummm. No. A DS3 (or T3, or T1 for that matter) is full-duplex. A DS3 supports up to 45 megabits/second in BOTH directions. Read your own link a little more closely... "A DS3 is capable of moving over 5.5 Megabytes per second (45Mbps) in one direction - ***twice that when upload and download performance are combined***."
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there two things which makes me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is no indeed no distinction to be drawn between the two servers, and so should have gone down simultaneously.
"Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second," CAIDA said. "Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets-per-second early Thursday morning."
Whoa...both ftp and www experienced this? Their www server must be really badly configured compared to their ftp server (or their www server received -a lot- more flooding). During the SYN flood, www.sco.com was unavailable, but ftp.sco.com was easily reached. I checked several times.
And just what do these childish OS hackers expect to gain from this? It is not like it is going to change anything. Yes they are suing people using Linux. But thats one of the problems with open source. If there is a legal issue with the code then its your problem. That is one of the great things about microsoft. At least when you are using their software, you know that you will have microsofts army of lawers to defend any legal issues there may be with the code. Which is cheaper, buying windows, or spending months in trial?
My ass they will. If I can prove with out a shadow of a doubt that Microsoft has included my patented and copyrighted code in Office 2003, and I start suing end users (you) directly for it, do you honestly believe that Microsoft is going to come defend you?
The only thing Microsoft will defend is themselves and their revenue stream.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
And where does that revenue stream come from? The end users. Which are being sued. Therefore, Microsoft will protect the end users, because they are it's one and only revenue stream.
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.
And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.
Both syn and bandwidth attacks use forged addresses children (which is why there is backscatter), each incoming syn is from a random IP, the ack goes to the forged addr, not the originator.
The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed
Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Its those 100 lines of stolen code in the Linux kernel. Now SCO can sue more people. SCO, will you sue me soon, I hate being last, it gives me an inferiority complex.
404
How does a backscatter analysis prove that the site was attacked from the outside? The first thing a "wanna be victim" would do when faking an attack is to make sure that the effect can indeed be measured from the outside.
That's like reading MSN for unbiased news about M$....
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
No, no, we are doing nothing to prevent those for entirely different reasons...
"Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
In fact... a lot of SYN attacks don't use comprimised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P
So you can use even a secure (but not 100% properly configured) server to launch an attack with... Intersting stuff.
They differ because they use the metric system in Europe.
What if it was the same people? I believe anumber of spammers do use linux, and they have had enough experience causing DDOS attacks against antispammers to attack SCO. Very suspicious.
Well.. maybe. Or Maybe not. But Definitely not sort of.
Isn't a T3 bi-directional 45mbps yielding an aggregate of 90mbps?
The peaks are large, but the majority of the time the load is much lower. 4,000 pps syn flood is under 1.5 Mbit/sec. So plenty of room for other traffic. SCO had both bandwidth problems from having a relatively small pipe and server load from the syn flood.
DS3's are full duplex. They have seperate upload and download channels, so its 45Mb in each direction.
I saw a lot more indepth analisis on Groklaw yesterday. I was especially interested in a VERY CLEVER Analisis where connections were instant even on there main webserver untill the packets reached level 3 of their tcp/ip stack.Untill SCO woke up to the fact that they were busted and had their ISP block all traffic. /. and Groklaw effect of people analising their b*llshit claims.
Funnily enough I have just been studying the stack for my CS Degree so I followed this line of enquirery with interest. As far as their ftp server stats, I just put this down to the
Maybe this magic telescope of theirs can find their stolon IP for them. I would love them to try and use this as an excuse to avoid discovery. ( Sorry your honour but those GNU/Linux Commie's destroyed all our proof).
Red eye's at night, hackers delight. Red eye's in the morning, proffessors warning.
Red eye's at night, Hackers delight. Red eye's in the morning, Professors Warning.
... UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours.
Is the backscatter they observed their only evidence that the DDOS actually took place? If so, I would hardly call that proof that "SCO Not Lying About DoS Attack." Just an observation.Take'em Down NOW!! Slashdot Forever!! Take Down will happen on Dec 24th. All Slashdotter should attend. *Not to be taken seriously*
Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels. DS1 is the digital version with the same capacity.
It actually goes farther than that. A T1 is a physical representation of a DS1 line. DS1 is the description of the overall protocol and requirement. T1 is the description of a DS1, carried over twisted-pair, copper (or other conductive metal) lines.
-- This space for rent.
> 20mbit goes out of SCO web server a second
> Now, how much traffic was there in that second?
Half a DS-3. A DS-3 is a full-duplex circuit with a clock speed of 44.736 Mb/s in each direction. On a DS-3 you can use this full 45 Mb/s (minus overhead) in each direction simultaneously. This is unlike a half-duplex ethernet that most non-telecom people are more familiar with -- where it makes sense to add transmit and receive to see how much of the 10 or 100 Mb/s channel is being used.
Perhaps SCO should use some of their millions of recent investments and get an OC48.
... of Security export from Australia?
No?
I thought so.
IANAL but write like a drunk one.
Oh never fear I have a mirror up whats the big deal
MoFscker
Please explain how it comes in a sturated pipe the ftp server, just one IP address away, was still available, as several other machines is same subnet.
Expectingly awaiting answer.
Robin.
IANAL but write like a drunk one.
Quoting the article in CAIDA report...
Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST.
To the best of my recollection, I connected to the SCO ftp servers some time in the late afternoon (~4pm Mountain time). The www2.sco.com server also was up all the time. You would have a hard time checking this with netcraft though - SCO Unix does not provide uptime information.
...you left out hot-grits and Natalie Portman.
"If you put the federal government in charge of the Sahara Desert, in 5 years there'd be a shortage of sand". -Milton F.
Would port fowarding not get around your broadcast address requirement?
A pointless point to make anyway, I think, since CAIDA also claimed SCO's FTP servers were attacked. It wouldn't matter how you reached it, you did reach it. As I understand it, some folks were getting very snappy FTP connections. Hmmmm.
DS3 is ~45Mbit/sec bi-directional
(so 20 is about 44% utilized)
Of course, switched Ethernet is full duplex, too.
Old-style shared/half-duplex Ethernet is mostly historical.
Why would SCO have two seperate load-balancers, with one being entirely _unused_ in the first place ? If the attack was targeted at one IP, why didn't they pull the back-up online (assuming it is a back-up) ?
Any way I look at it, it's still glaring of incompetence...
Maybe we deserve this world ?
if it was a DDOS, who did it?...Maybe somebody with a DS3 or two available
a. Kiddies (self-labeled elite hackers) break into machines (perhaps machines rooted by viri/worms they had nothing to do with).
b. These 'owned' machines have a control channel either to the worm author(s) or whatever lowlife manages to wrest control, usually irc.
c. Upload ddos agent and switch it on.
Of course the system owners will often notice *something* has gone wrong and either shut the attack slaves down or if they're a bit sharper realize they're owned and fix it but I imagine most of 'em come back up still infected, ready for next time.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours so the originator can't have been too smart. Bit bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?
UNIX? They're not even circumcised! Savages!
"I didnt do it.. no body saw me do it ..can't prove anything /me ducks
.
.
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
A synflood is an attack on CPU resources, not bandwidth.
TCP is a stateful protocol. This means that the kernel of the target machine needs to allocate memory for each connection (about a K @ if memory serves)
Even with countermeasures in place (e.g. syncookies) the target needs to devote some resources (exercise left to the reader) to each incoming SYN.
Thus, yes it is quite possible to effectively shutdown a target without cutting off bandwidth. See also the CAIDA graph where they show the FTP server coming under an identical attack later.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
Know what's better than MS's legal team defending you? IBM's legal behemoth!
EvilCON - Made Famous by
What I want to know is who are the guys running SCO's IT shop? I mean either they are just totally out of luck for work or dont care that they are working for litigious bastards. In the big world of slashdot readers somebody must know one of these guys(gals?). Whats the story? If we can pin down who they are maybe we can answer the question of: are the folks running the network/machines dumb or are they deliberately trying to get hit by DDOS and othe bad stuff.
I'm no expert at this, but wouldn't it be possible to just send out a few million false responses to get picked up? I mean, if their FTP server was running just fine and the whole thing is a question of this being valid then why say they were ever attacked at all? Just write a small deal that randomly generates an IP (maybe with some guidlines so if people find out where your replying to it doesn't turn out to be a site that would ruin the whole story such as www.microsoft.com or www.dod.gov) and have it send out responses to them. If it turns out that they attacked themselves then whos to say they were attacked and didn't just fake the actual attack having ever even been real? Please don't flame this, it really is a question out of curiosity.
Thanks for the info! I'm not religious in the institutional sense, but I have a lot of respect for real spirituality. I found that quote on this page, which was from a post here on /. that I can't seem to find anymore.
US Democracy:The best person for the job (among These pre-selected choices...)
...could I get your opinion on something else we heard when the attacks were first being reported?
I heard, that SCO's ISP was contacted for information regarding the attack, and that this contact was the first they had heard of any DoS happeneing to SCO that day.
What do you think?
ZZ, :wq, :x are all valid synonyms in vim. I don't think they all work in vi, but all work in vim.
You say
What if the sysadmin of SCO saw this SYN flood coming in, launched by a honest to goodness skript kiddie who has nothing better to do. The sysadmin calls Darl up, and he says to turn off SYN blocking for www.sco.com, so they get eaten alive by the packets, taking down their webserver. Sysadmin flips the "rape us" switch on his desk, lets in those SYN packets, and BAM!, there goes the web server. There isn't a slow buildup time, because the SYN flood is already in full swing. If I were Darl *shudder*, I think this would be a chance to to turn an attack that would have been easily shrugged off into some positive publicity. Sure, the webserver is down for some time, but the ftp, etc. servers are still up. Anyone think this is possible?
Great! Give SCO a reason to sue Microsoft.
The ______ Agenda
I mean really, would you put it past SCO at this point?
Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
This will probably be marked as Troll/Flamebait for whatever reason, but in all honesty they deserve it and brought it upon themselves.
SCO is flat out jerking the US legal system with these far out LIES and no one's doing anything about it... so DDoS away!
Hopefully they'll soon learn the err of their ways.. or worse things shall happen! Time will only tell.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
That is what one gets when one keeps crying wolf!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
All data is speech. All speech is Free.
I have no idea if SCO is using Cisco routers on their permiter, but I guess its not too unreasonable to assume this is a possibility. With a Cisco on the permiter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.
p s2 120/products_configuration_guide_chapter09186a0080 0b6f0e.html
Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept
With Intercept mode enabled, all incoming SYN are held by router which proxy-answers w/syn-ack. Won't forward to server if Ack not recieved.
http://www.cisco.com/en/US/products/sw/secursw/
when we have our own experts at slashdot?
ISTM that some things *CAN* be done about it. The upstream dudes can monitor very closely to determine the nature of the beast.
Possibly, preventing the attack, and/or discovering the attacker.
FOSS can actually play a positive role here.
Use the tools Luke.
You are being MICROattacked, from various angles, in a SOFT manner.
It was a Gnu/DDos damnit!
Since we were just told [slashdot.org]that they lied
Am I the only one that sees that a full DS3 line goes BOTH WAYS at 45mb/sec, which would mean that 20mb/sec both ways would be around HALF of a DS3??
It is pitch black. You are likely to be eaten by a grue.
That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."
Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."
To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.
Good job, guys.
// TODO: Insert Cool Sig
The only people I know of with this kind of bandwidth at their finger tips are spammers using the SoBig worms. Then again anyone can take advantage of the same open proxies themselves for whatever purpose.
I'm gonna go out on a limb here.
What if the attack was an inside job, designed to create publicity?
That could explain why their LAN was affected during the "attack".
However, that having been said, I still haven't seen an explanation as to why ftp.sco was ok and responsive during the attack.
The bandwidth gobbled up by this attack would have killed everything on the same subnet, including the ftp.
-- This sig for rent.
You know, I hate SCO as much as the next guy, but what I hate more are the fools pulling off these attacks. They give me, and the linux side a bad name. A few silly individuals who are nothing more than vandals can create a widescale negative view that "those crazy linux zealot hackers are a bunch of immature brats who DOS people they don't like". Sure, intelligent people don't make this association, but since when has the general idiot consensus not been a large force to be reckoned with?
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
T1 stands for Trunk Level 1 and is a digital transmission link with a total signaling speed of 1.544Mbps. T-1 is a standard for digital transmission in North America (USA & Canada). T-1 is part of a progression of digital transmission pipes - a hierarchy known generically as the DS (Digital Signal Level) hierarchy.
T1 was originally supplied on two pairs of copper wire (transmit and recieve pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but are still digital signals between the PBX and the ILEC/CLEC's phone switch.
The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.
**most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.
That it wasn't customers rushing to pay their linux liscense fees because the court case is going so well?
and Daryl wouldn't lie either.
Professional Politicians are not the solution, they ARE the problem.
But my routers won't route packets with random destinations. They'd all have to be destined to the system, even if the sequence numbers are off.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The current attack successfully blocked access to SCO web and ftp servers. A 50,000 packet-per-second SYN flood yields approximately 20 Mbits/second of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 MBits/second). The use of load balancers or proxies, SYN cookies, and Content Delivery Networks (CDNs) can help distribute the load of a denial-of-service attack, making it more difficult to saturate the available network and server resources.
Translation: even without special measures, there was plenty of capacity left. Furthermore, SCO could have taken trivial steps to protect themselves but they didn't. In fact, the fact that CAIDA's backscatter technique for detecting the attack worked is in itself an indication that SCO wasn't protecting themselves properly.
Since January 2003, tension between SCO and the open source community has increased as SCO has asserted that other operating systems have misused their intellectual property.
And what the hell does that have to do with anything? The open source community didn't launch a DDoS on SCO.
On a non-switched network, the machines need to check to see if a packet collision/error occured and can only run at half-duplex. A solitary server/workstation/printer on a dedicated switch port can be set to full-duplex because theoretically no collision should ever occur.
at least this is how it was explained to me once
The "attack" did not come from any open-source symphasizers.
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutlely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutly disgusting that SCO can get positive publicity for this nasty little stunt.
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
Actually, it was based mainly on SCO's three press releases. Even if they were attacked, they should have been able to head off a syn flood attack. Second, it doesn't make sense that their intranet went down, too.
See, even if they were telling the truth about the attack, it's odd how they had three press releases ready, they already know it was those nasty open source people, and there are false statements that were made by them surrounding the issue.
It's only natural that people thought the whole thing was made up.
Do you have ESP?
This is so obvious it's not even funny.
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
In fact, a DS3 has 44.736 Mbits/s capacity each way, though by the time you eat through the framing overhead for ATM, IP, TCP, etc. it's entirely possible to only wind up with only 32 Mbits/s usable payload. Sooooo... based on the CAIDA estimates, I'd say SCO had about 2/3 of their available bandwidth tied up by the attack.
I wasn't actually going anywhere with this. You can leave now.
Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Wating for enlightnement...
Seriously, fuck them.
because I have been enjoined by this Holy Office to abandon the false opinion which maintains that the Sun is the centre
sco> boot
wouldn't you rather play a nice game of chess?
sco> boot -s
wouldn't you rather play a nice game of chess?
--
"It is now safe to switch off your computer."
The great thing about civil trials in the US is that you don't even need to prove without a shadow of a doubt, you only need a preponderance of evidence.
Ah come on, jeez people, you fall for crap hook line and sinker. You guys are so gullible its funny (if it weren't so sad)...
One individual source claiming something like this, does not make it true. That's besides the fact if you even scratch at the facts (don't even need to dig really), you'll see some contradictions.
Not only contradictions in the time of the so-called attack, but what was supposedly being attacked at the time.
If you look at CADIA or CAIDA or whatever they are, their claims, you'll see they talk about the sco ftp server being hit, but the ftp server WASN'T hit during this time period. The FTP server experienced no increase in average latency, I know, I tested it.
Ok, so one big hole in their theory. Want to try for two? no problem...
The logs are inconclusive. If you handed that over to any decent ISP and claimed it was proof of being attacked, they'd laugh at you.
There's simply NOT enough shown there to be evidence of an attack, or proof of anything. In fact, the data is so SPARSE (light, and weak), the data provided looks more like normal network traffic than anything else.
I've seen customers call up ISPs saying "Hey! Your DNS server is attacking me!", uh, no, mr. pinhead, it's not, it's just that every time you type in a url in your browser, dns has to resolve it, thereby doing lookups, what you're seeing mr. stupid customer is the dns resolver responses.
sometimes clients even claim to want to sue the ISP because the ISPs mail server is attacking them! Which we usually tell the customer "ok, sure, call your lawyer, and uh, when hell freezes over, I'm sure you'll let us know, thank you, bye now (click)"
the data the CADIA (CAIDA?) place provided is almost identical to the logs provided by these customers. It shows an equal amount of "evidence" (cough).
Are there sniffer traces (data captures) of raw packets during this time period? Nooo.... Just these stupid log files that mean NOTHING!
come on people, one source with such pathetic information, and not only is Slashdot and Groklaw ready to be convinced, so is the press and the stockmarket.
Now we'll have SCO posting MORE press bullshit (FUD) saying "see, we told you so!". get over it!
This proves *NOTHING* !
caveat1: could SCO have been attacked? Oh yes.
caveat2: am I saying they were NOT hit at all? NO!
If they were hit, it certainly wasn't as reported, and it certainly wasn't with as much severity as claimed, and it certainly wasn't for as long as claimed, etc etc etc...
I would be inclined to believe some "script kiddies" took advantage of the situation, but nothing extreme.
I am more inclined to believe that SCO manufactured this themselves. Would they LIE about contacting the secret service? Oh hell yes, they lied about contacting the FBI last time. Come on now... sheesh
You people give SCO far too much credit.
Who thinks that it's possible that SCO really was the victim of a DDOS attack?
I hate SCO as much as everyone else, but it seems like everyone here is saying that this is a conspiracy because it makes the open source movement look bad. Not because there is any compelling evidence that SCO did it.
Sites get attacked every day. Yahoo.com had it's share of attacks back in the day and so did any number of sites.
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discouraget this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflects the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the workd for everthing because, in his mind, they have "won" and that is thier "reward".
So you see... I believe that, while it's unfortunate the SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure thier site better.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
...my line is 20Mb/sec!!!
Ummm...nevermind.
--"It's Bradford Company, slash your last name, dot your first name"
Even though DDOS attacks are misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too. Claiming ownership of chunks of a kernel without showing any proof and not waiting for the outcome of a court case.
:)
The damage they have caused companies involved in Linux far outweight a bit of network outage, unless they suffer a major loss since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope
Link to 80% statistic
I bet they find a reason to blame Slashdot and sue them over the SYN flood.
This is the first I've heard of this because I've been real busy. But what I want to know is why SCO is doing this. Why do they hate open sourcers so much that they would pay for a DS-3 just to clog thousands of poor linux users meager bandwidth? Oh, Darl! What profiteth you from this nefarious scheme?
Liberals call everyone Nazis yet they are the closest thing to it.
Im going to be flat out with it. I couldnt care less if SCO is being flooded or not. Bad things happen to bad people. By all accounts (other than Darl's) SCO has been disingenuous with everyone. Karma is a bitch but ya know it happens
Maybe what it really means is Denial of Settlement.
you know, my router on my cable modem kept locking up for no reason, maybe a smurf attack from my ip (among others?). ~~newbie hacker...www.whataboutbob.org
Show me packet captures and log entires, or it never happened.
He said that it was interesting to read about the DDoS attack in the press, when it was he that was managing and re-directing the traffic from the DDoS attack.
So yes, according to my sources, which I deem to be reliable, the DDoS attack did happen. For the record though, every single other claim SCO has made I believe to be complete BS.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
What does this say about SCO's network admins? Unless I am missing something, syncookies would have taken care of this easily.
Pretty funny when Bart says, "Hey Darl!" Check out this
screen capture.
Usurper_ii
Ron Paul
It's easy to assume SCO is lieing, just because they have previously raised FUD to a not so fine art. However, in this case, it makes sense to assume they are telling the truth (at least in large part).
Are there black hats who would conduct such an attack in a misguided defense of open source? 100% yes.
Would SCO fake such an attack? Maybe, if their goal is really to discredit open source at any cost. Reporting such an attack won't make their stock go back up. If anything, it will drop futher. Will it influence a judge? I won't say it's impossible, but it's unlikely at best. Will it help Darl hold on long enough to get 4 profitable quarters? It's likelyest to work against that rather than for it.
In the absence of clear and unassailable proof that someone connected to SCO is prepared to lose millions, risk spending the rest of their lives in prison, and probably end up having their family name join the ranks of names that have become common words for really bad things (tm), as have Lynch and Gerrymander, all just to harm the reputation of OSS, the only sensible assumption is the DDOS originated outside SCO.
Who is John Cabal?
And where does that revenue stream come from? The end users. Which are being sued. Therefore, Microsoft will protect the end users, because they are it's one and only revenue stream.
OMG are you really that naive? What's your name and mailing address? How about I sue you, tomorrow, for infringing on my patents and copyrights. I am slow to provide evidence and when I do, it is unclear (like SCO). I could tie you up in court for months or years and you would incur tens of thousands of dollars in legal bills.
Now how exactly do you propose that Microsoft would step in and provide lawyers and defend you??
I think you may have been the person who invented the 1. Do something stupid 2. ??? 3. Profit business model. Either that or you're legally retarded.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
I have one thing to say. If the attacker isn't SCO, then PLEASE STOP. You are not helping. Infact, the only thing you are doing is proving SCO's attacks on the Open Source community correct (that we have no regards for the law).
Please let the lawyers handle this matter and stomp SCO into the ground. Victory will be just as sweet.
"Too bad the patrons of both, who affect the reputation of the site more than anything the site could ever do, don't have the same maturity level."
Why go AC on this? I'd modify that to say SOME of the patrons, but if I did, I sure wouldn't hesitate to put a mere nym on it. Both sites have set an example worthy of emulation, not just by media outlets, but by visitors or patrons.
Who is John Cabal?
DDoS attacks are a fact of life on the Internet for some people. SCO should just sit down, shut up and accept what has happened. Hell, were they even PAYING per megabyte for traffic received? Probably not.
The host of the IRC server I run, however, was. In Australia, bandwidth is pretty much per megabyte everywhere, especially in the corporate sector.
We were hit with a DDoS attack a few months ago which was considerably bigger than SCO's little attack. Try figured up around the ability to saturate an entire 100Mbit/sec Fast Ethernet port. The main effect was not the traffic, it was the router simply overloading (A 7206 with an NPE-200 I believe) from the sheer amount of traffic flows created from the DDoS. It was a synflood attack, of sorts.
This particular attack came from a network of trojan clonebots. These were distributed by exploiting the recent RPC DCOM flaws in Windows. Upon infection, the client starts and connects to an IRC server as specified by a 'free' dynamic DNS host, pointing to the IRC server of the attacker's choice. They join a pre-determined channel, where the attacker can join and issue commands to about five thousand bots at once. These include synflood, infect, send files from users' PCs etc.
We were not the only IRC server hit. Several thousand dollars of bandwidth flowed past the router before the upstream placed a block on it. Unfortunately, an ACL on the router probably wouldn't help terribly much, as the router itself was suffering, not the IRC server being attacked.
SCO, being a company with many enemies, should have anticpiated such an attack and adjusted their configurations accordingly.
Unfortunately, I don't believe even the most robust enterprise class router could handle TCP-Intercept duties on a 50k/second SYN flood.
Prove me wrong.
Stewey
There are 10 kinds of people in the world. Those who understand binary and those who don't.
Slashdot never "says" anything though. Slashdot is only a link to other websites that "say something".. am I right? The editors may say something in a comment along with the post, but doesn't the poster mainly say something?
in girum imus nocte et consumimur igni
IIRC, SCO gave a timeframe (12 hours, I believe) for fixing the problem, while the so-called attack was in progress. Doesn't this prove they are lying?
If it weren't for fog, the world would run at a really crappy framerate.
If your sig is indeed not a troll, let me remind you that copyright infringement is a civil, not a criminal offence, unlike theft which is.
Why is it that the SYN flood did not take out the network at the router level, as opposed to a specific server on the Ethernet backbone?
The attack was not significant enough to have that effect. As SCO didn't enable SYN cookies, a very low-bandwidth attack was sufficient to push the server off the net.
I regularly see DoS attacks which just take out a single host and not the entire surrounding network. It's actually the second-most desired scenario (after withstanding the attack completely).
Why on Earth would the attacker(s) suddenly decided to also attack the FTP server?
Why did they decide to attack the web server in the first place?
Maybe thy thought that www.sco.com was the only server SCO had on the net, and learnt about ftp.sco.com only after reading the GrokLaw article? This is not as ridiculous as it might seem because even moderately skilled people don't carry out DoS attacks for fun these days, but sell their DDoS botnets for profit. Others use them for blackmail. (As far as I know, these incidents are real and not the fabrication of "security experts", although I haven't witnessed one personally.)
Would would people have thought that the claims of being DOS attacked were lies in the first place? Nobody thought so the first time around ...
With the millions of people in the world I don't find it surprising that at least one of them (and that is all it takes) is pissed off enough over SCO's FUD to mount this kind of attack. And more than that I don't give a rip. Does that make me a bad person?
The race isn't always to the swift... but that's the way to bet!
if the network equipment the machine is connected to cant handle the packets per second or the bandwidth and drops, how the hell is any software change going to make a difference?
15,000 pps isnt shit
you are correct though, if the machine manages to stay online, syncookies are great.. but if your entire network goes offline.. good luck
by the way.. what NO ONE here seems to understand is this:
a simple synflood by a home user to a webserver can be easily prevented by syncookies. for anyone to even CARE about a synflood nowadays, it has to be huge. In the case of SCO, it took down their entire network because their network equipment couldnt handle it.. syncookies wouldnt do a damn thing
gah.. yes.. everyone knows what a synflood is and how to prevent it. what you are referring to are examples of how to prevent a simple synflood that only affects one machine.
for anyone to even CARE about a synflood nowadays, it has to be so large that network equipment fails. When sco's routers went down along with their entire network, syncookies arent going to do a damn thing
sco took the obvious and correct course of action, they blocked all syn's to www.sco.com in their upstream providers.. this keeps their entire network online, but their site www.sco.com will still be offline and theres nothing they can do
A DS3 line is 44Mb/s eatch way.
http://ebgp.net/ccc/
Duh, that'll be the incorrect spelling of "courageous" in the title, twat.
Now, to be fair, it is POSSIBLE that SCO was attacked, but---
1: The web server and ftp server are on the same subnet> Ftp.sco.com is at 216.250.128.13, while the web server is at 216.250.128.12. For these to be on differnet networks would require subnets with 1 host per subnet (not very practical). Since the ftp server was not down for most or all of the alleged attack, it is clear that this was not the result of bandwidth saturation.
2: SCO has stated that their email servers were down but no credible third party corroboration has occurred.
IF (That is a big IF) SCO was attacked, it would have had to be a narrower time frame than they are stating, because such an attack would have taken everything down in their network.
It is also possible that they could have remedied the problem upstream quickly enough that nobody noticed, but decided to play up the story for sympathy reasons.
Either way, SCO is lying about something or is utterly incompetent.
LedgerSMB: Open source Accounting/ERP
Why is this event considered news? Who cares what script kiddies are doing in their spare time. Does news of a denial of service attack have any implication on SCO's claims of ownership of the linux source code?
HA HA
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
They differ on the number of B-chan (DS0) segments in the data stream, a E1 uses 32 channels (32*64Kbps), whereas a T1 uses 24 channels (24*64Kbps, with some bits lost to framing).
T1s usually strip off 1 B-chan/DS0 for signalling, leaving 23*64Kbps usable bandwidth, E1s sometimes strip off 2 B-chans/DS0s for signalling, leaving 30*64Kbps, but the signalling is often left out if the E1 is part of an E3 or bigger trunk, so in many situations the full 2.048Mbps is usable.
1) Folks were able to connect to the ftp subnet address with no delays. If the bandwidth were saturated by 34,000 packets/sec there should/would have been considerable ftp acess delays, if a reply would have been sent at all.
2) The uptime.netcraft chart shows no significant response time hash during the two weeks prior to the 'attack', right up to the instant sco.com was turned off. The Network Telescope graphs of examples of SYN flooding show large response time hash amplitudes during an attack.
3) "Network Telescopes" work on the assumption that the spoofed address of a syn flood packet is bogus, so the possibility exists that a portion of them will cover a range of IP addresses where little or no network traffic can be expected. The bigger the range of unused IP addresses that is monitored the bigger the 'lens" of the "Telescope". This 'back scatter' the telescope 'sees' is the victim's box responding with SYN_ACK packets to the spoofed addresses. The Network Telescope cannot distinquish between true and pseudo backscatter. Pseudo backscatter would be SYN_ACK packets that the 'victim' spews out to random IP addresses to make it look like their site is under attack. They turn off normal SYN_ACK handshaking so the site appears 'down'. While they are doing this on one box other boxes on their subnet will be able to response to the normal handshake without any undue delay because the number of valid incoming SYN packets remains the same - hence the lack of hash on uptime.netcraft graphs. Someone at SCO monitored GrokLaw to see the effect of their PR predicting a "12 hour outage" and noticed folks mentioning the fact that the FTP site on the same subnet and, according to ARIN the same location, was not experiencing any delays that would be associated with a massive SYN flood attack, especially one at 34,000/sec. According to SCO, not only did the attack knock their site off line, it also messed up their email, internal databases, and their phones!
I believe SCO committed this 'attack' as a pretext to modify their website by removing some pages and adding others. More significant will be the claims they will make later regarding the availability of documents the court has ordered them to produce.
Running with Linux for over 20 years!
If you attack a community, rightly or wrongly, what moron wouldn't expect that community to fight back?
Bleeding SCO dry as quickly as possible may be the only way to end the insanity. The question will be whether this whole situation resolves as a mere survival of the fittest example, or as a true legal precedent setting case that supports the open source and free (as in both beer and libre) software models.
And just what do these childish OS hackers expect to gain from this?
Well I see no motive myself. In the endless stream of comments on SCO, here and in other news sites, i don't recall anybody proposing something as pointless (IMHO) as a DDos. If the motive is difficult to find it's time to look for a different suspect.
Which is cheaper, buying windows, or spending months in trial?
IMHO, this is a good explanation of SCO bizarre behaviour, now that i think of it. I don't see any reason why somebody should consider SCO as a viable business partner after these months, so why are they killing themselves? They work for somebody else.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol