SCO Not Lying About DoS Attack
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
poor little darl..... :)
. . . that's just the slashdot effect. . .
Great! Now they get headlines simply by *not* lying
We all know that SCO paid this security expert to say SCO was attacked...they are trying to make the OSS community look bad!
.... where did the synflood come from?
Jaysyn
There is a war going on for your mind.
Ha-ha!
Quick! Someone start knitting Satan a sweater!
libertarianswag.com
whether they're inept enough to leave themselves open to this sort of thing or if they're welcoming DDOS attacks with open arms for one reason or another...
Oops, oh well. SCO still sucks.
The only result of this kind of attack will be tarnishing of the image of Open source developers. But, there is nothing much anyone can do about it.
New year Resolution: Don't change sig this year
SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?
If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
WWJD?
JWRTFM!
Well I guess the lying or incompetent question has been settled.
You say
It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".
Stay tuned for new sig...
Or to put it another way, they weren't lying, they're just stupid?
Serve Gonk.
...SCO Must Prove Existence Of Santa Claus in Thirty Days
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Everyone gets DoS'd, they should be happy it stopped.
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncture, I don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.
Attack or no attack is a trivial question compared to what we really know about SCO and their business practices.
SCO freaking what!
Drill baby drill - on Mars
CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.
Why on earth did SCO respond to 700 million SYN packets? If there was even a moderate level of SYN protection turned on they would have just dropped the majority of those packets, and the bandwidth usage would be half.
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villains.
I'd buy that one.
So, all of that speculation about an attack -necessarily- also taking out the FTP server at the same time ... what was up with that? 20 Mbps isn't enough to fill up a simple 100 Mbps local network. If the DS3 was their entire pipe, and the FTP server was in there too, you shouldn't have been able to get to the FTP server.
There are some pipe sizes I wouldn't mind having explained. Nice diagram of how one side filled up and the other didn't? Completely separate, and people are just dolts?
It's an honest question, I swear.
SCO was hit with a 50,000 packet-per-second SYN flood peak
...
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there is another aspect to consider: whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno for you, but I know where my money would go if I had to bet
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
The attack was just short of half a DS3 Line.
DS3 Line = 44.736Mbps for those of you who need a definition
-Certified TechnoWeinie
What's so "illegitimate" about the goatse guy (or tubgirl, for that matter)? Apart from what you want to see taken down?
sic transit gloria mundi
Then please kindly explain why the website was still available at http://216.250.128.20/ ?
Maybe we deserve this world ?
No.
DS1 is the circuit either a T1 or E1 rides on. E1s are the European equivalent to a T1. DS1 is the raw circuit.
If you need web hosting, you could do worse than here
For the mathematically challenged:
20mbit up + 20mbit down = 40mbit
Or 20mbit x 2 = 40mbit
20mbit comes into SCO web server a second
20mbit goes out of SCO web server a second
Now, how much traffic was there in that second?
I'm not sure I can make it any clearer.
The sites you mention provide a public service. How else can a whole community effectively make new comers go "DUDE! What in the fuck did you send me to that?!?!" and all laugh together? Most people only get hit once by those sites.
I'd liken it to a practical joke compared to a bully... You don't retaliate against the joke, but you sure as shit would love to kick the shit out of the bully
That's scary.
"Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main argument that the FTP was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
Did you just call SCO a legitimate business? *Backs away very slowly*
Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels.
DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangeably in most conversations.
Conformity is the jailer of freedom and enemy of growth. -JFK
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
I blame the French.
This still doesn't add up. If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack? Here's what I get:
ftp.sco.com has address 216.250.128.13
www.sco.com has address 216.250.128.12
They have neighboring IP addresses. There isn't enough room for a broadcast address between them so they have to be on the same subnet. If they're not on the same subnet then this must be some newfangled magical technology that allows them to break up subnets in a new way without sacrificing an address for the broadcast. Translation: they're still lying. On the other hand, why should I care? This company is abusing the US legal system and costing me money through the waste of my tax dollars. I'm not saying this is the proper way to respond, but hell, I still don't believe that the situation was the way SCO described it anyway.
My Slashdot account is old enough to drink...
But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack ? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.
Maybe we deserve this world ?
Is it me, or do these articles not offer any explanation for "why is the www.sco.com (216.250.128.12) server down while ftp.sco.com (216.250.128.13) is still working without any slowdown, even though they are on the same network?"
If they state that all the available bandwidth was consumed by attacks, then all the servers on the network would be unresponsive. So that could not have been a bandwidth issue. Therefore it leaves us with the "SCO is a bunch of incompetent morons" version of the events.
Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.
"Sufferin' succotash."
Ummm. No. A DS3 (or T3, or T1 for that matter) is full-duplex. A DS3 supports up to 45 megabits/second in BOTH directions. Read your own link a little more closely... "A DS3 is capable of moving over 5.5 Megabytes per second (45Mbps) in one direction - ***twice that when upload and download performance are combined***."
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there are two things which make me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is indeed no distinction to be drawn between the two servers, and so they should have gone down simultaneously.
Check out: http://www.internettrafficreport.com/main.htm
It's helpful sometimes.
And just what do these childish OS hackers expect to gain from this? It is not like it is going to change anything. Yes, they are suing people using Linux. But that's one of the problems with open source. If there is a legal issue with the code then it's your problem. That is one of the great things about Microsoft. At least when you are using their software, you know that you will have Microsoft's army of lawyers to defend any legal issues there may be with the code. Which is cheaper, buying Windows, or spending months in trial?
My ass they will. If I can prove without a shadow of a doubt that Microsoft has included my patented and copyrighted code in Office 2003, and I start suing end users (you) directly for it, do you honestly believe that Microsoft is going to come defend you?
The only thing Microsoft will defend is themselves and their revenue stream.
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
That sounds like my reminder to metamoderate. Groklaw is, of course, now carrying an article covering the CAIDA announcement.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.
And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.
Both SYN and bandwidth attacks use forged addresses, children (which is why there is backscatter): each incoming SYN is from a random IP, and the ACK goes to the forged address, not the originator.
The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed.
Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.
Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
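The backscatter measurement described in the comment above (replies to spoofed SYNs landing on networks that never sent them), as an added example that is not part of the thread or of CAIDA's analysis. The log lines are constructed in netfilter LOG style with documentation and private addresses; 198.51.100.7 stands in for a flooded server, and the rate estimate assumes the attacker spoofs sources uniformly over IPv4, which is the standard backscatter assumption, not something the thread states. It also handles RST/ACK replies from closed ports, which the comment does not mention.

```python
import re
from collections import defaultdict

# Constructed sample in netfilter LOG style (not real SCO or CAIDA data).
# Line 1/2: a connection this network really opened and its legitimate SYN/ACK.
# Lines 3-6: SYN/ACKs from 198.51.100.7:80 to four local hosts that sent nothing.
# Line 7: a lone RST/ACK (closed port) from the same host, below the threshold.
# Line 8: a UDP line the TCP parser must ignore.
SAMPLE_LOG = """\
Jan 1 03:00:01 sensor kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 1 03:00:01 sensor kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=51022 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jan 1 03:00:02 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.20 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=40213 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 1 03:00:02 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.21 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=1731 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 1 03:00:03 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.22 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=60002 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 1 03:00:03 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.23 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=2048 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jan 1 03:00:04 sensor kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.30 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=21 DPT=3333 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 1 03:00:05 sensor kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.20 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=7 PROTO=UDP SPT=53 DPT=33001 LEN=56
"""

LINE_RE = re.compile(
    r"IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?RES=\S+ (?P<flags>.*?)URGP="
)


def parse_line(line):
    """Return the TCP fields of one LOG line as a dict, or None for non-TCP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = frozenset(pkt.pop("flags").split())
    pkt["inbound"] = bool(pkt["iface_in"])  # IN= set means the packet came from outside
    return pkt


def find_backscatter(lines, min_targets=3):
    """Map 'victim_ip:port' -> sorted local addresses that received unsolicited
    SYN/ACK or RST/ACK from it, i.e. answers to SYNs this network never sent.
    A host answering many of our addresses at once is being flooded with SYNs
    whose forged sources happen to fall in our block."""
    pkts = [p for p in map(parse_line, lines) if p]
    # Peers this network really contacted, so their handshake replies are expected.
    solicited = {(p["dst"], p["dpt"]) for p in pkts
                 if not p["inbound"] and p["flags"] == {"SYN"}}
    hits = defaultdict(set)
    for p in pkts:
        if not p["inbound"] or "ACK" not in p["flags"]:
            continue
        if not ({"SYN", "RST"} & p["flags"]):
            continue  # plain ACK or data segment, not a handshake reply
        if (p["src"], p["spt"]) in solicited:
            continue  # a reply we actually asked for
        hits[(p["src"], p["spt"])].add(p["dst"])
    return {f"{ip}:{port}": sorted(dsts)
            for (ip, port), dsts in hits.items() if len(dsts) >= min_targets}


def estimate_attack_rate(backscatter_pps, prefix_len):
    """Scale the reply rate seen inside one /prefix_len block up to the victim's
    total reply rate, assuming forged sources are spread uniformly over all 2**32
    IPv4 addresses (so the block sees a 2**-prefix_len share of the replies)."""
    return backscatter_pps * 2 ** prefix_len


if __name__ == "__main__":
    for victim, targets in find_backscatter(SAMPLE_LOG.splitlines()).items():
        print(f"backscatter from {victim}: {len(targets)} local hosts hit: {targets}")
    seen = 50000 / 2 ** 16  # what a /16 sensor would see of a 50,000 pps flood
    print(f"/16 sensor seeing {seen:.2f} pps implies ~{estimate_attack_rate(seen, 16):.0f} pps at the victim")
```

A single /16 sensor would see under one packet per second of a 50,000 pps flood, which is why several vantage points are needed before the estimate means anything.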
How does a backscatter analysis prove that the site was attacked from the outside? The first thing a "wanna be victim" would do when faking an attack is to make sure that the effect can indeed be measured from the outside.
In fact... a lot of SYN attacks don't use compromised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P
So you can use even a secure (but not 100% properly configured) server to launch an attack with... Interesting stuff.
Isn't a T3 bi-directional 45mbps yielding an aggregate of 90mbps?
The peaks are large, but the majority of the time the load is much lower. 4,000 pps syn flood is under 1.5 Mbit/sec. So plenty of room for other traffic. SCO had both bandwidth problems from having a relatively small pipe and server load from the syn flood.
I saw a lot more in-depth analysis on Groklaw yesterday. I was especially interested in a VERY CLEVER analysis where connections were instant even on their main webserver until the packets reached level 3 of their TCP/IP stack. Until SCO woke up to the fact that they were busted and had their ISP block all traffic. /. and Groklaw effect of people analysing their b*llshit claims.
Funnily enough I have just been studying the stack for my CS Degree so I followed this line of enquiry with interest. As far as their ftp server stats, I just put this down to the
Maybe this magic telescope of theirs can find their stolen IP for them. I would love them to try and use this as an excuse to avoid discovery. (Sorry your honour but those GNU/Linux Commies destroyed all our proof).
Red eyes at night, hackers' delight. Red eyes in the morning, professors' warning.
> 20mbit goes out of SCO web server a second
> Now, how much traffic was there in that second?
Half a DS-3. A DS-3 is a full-duplex circuit with a clock speed of 44.736 Mb/s in each direction. On a DS-3 you can use this full 45 Mb/s (minus overhead) in each direction simultaneously. This is unlike a half-duplex ethernet that most non-telecom people are more familiar with -- where it makes sense to add transmit and receive to see how much of the 10 or 100 Mb/s channel is being used.
Oh never fear I have a mirror up whats the big deal
MoFscker
DS3 is ~45Mbit/sec bi-directional
(so 20 is about 44% utilized)
Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours, so the originator can't have been too smart. A bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?
UNIX? They're not even circumcised! Savages!
"I didn't do it.. nobody saw me do it.. can't prove anything" /me ducks
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
This will probably be marked as Troll/Flamebait for whatever reason, but in all honesty they deserve it and brought it upon themselves.
SCO is flat out jerking the US legal system with these far out LIES and no one's doing anything about it... so DDoS away!
Hopefully they'll soon learn the error of their ways.. or worse things shall happen! Time will only tell.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
That is what one gets when one keeps crying wolf!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
All data is speech. All speech is Free.
I have no idea if SCO is using Cisco routers on their perimeter, but I guess it's not too unreasonable to assume this is a possibility. With a Cisco on the perimeter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html
Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept
With intercept mode enabled, all incoming SYNs are held by the router, which proxy-answers with a SYN-ACK. It won't forward to the server if the ACK is not received.
That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."
Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."
To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.
Good job, guys.
// TODO: Insert Cool Sig
You know, I hate SCO as much as the next guy, but what I hate more are the fools pulling off these attacks. They give me, and the linux side a bad name. A few silly individuals who are nothing more than vandals can create a widescale negative view that "those crazy linux zealot hackers are a bunch of immature brats who DOS people they don't like". Sure, intelligent people don't make this association, but since when has the general idiot consensus not been a large force to be reckoned with?
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
T1 stands for Trunk Level 1 and is a digital transmission link with a total signaling speed of 1.544Mbps. T-1 is a standard for digital transmission in North America (USA & Canada). T-1 is part of a progression of digital transmission pipes - a hierarchy known generically as the DS (Digital Signal Level) hierarchy.
T1 was originally supplied on two pairs of copper wire (transmit and receive pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but these are still digital signals between the PBX and the ILEC/CLEC's phone switch.
The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.
**most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.
That it wasn't customers rushing to pay their Linux license fees because the court case is going so well?
and Daryl wouldn't lie either.
Professional Politicians are not the solution, they ARE the problem.
The "attack" did not come from any open-source sympathizers.
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutely disgusting that SCO can get positive publicity for this nasty little stunt.
This is so obvious it's not even funny.
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Waiting for enlightenment...
Sites get attacked every day. Yahoo.com had its share of attacks back in the day and so did any number of sites.
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discourage this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflect the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the world for everything because, in his mind, they have "won" and that is their "reward".
So you see... I believe that, while it's unfortunate that SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure their site better.
GJC
Gregory Casamento
## Chief Maintainer for GNUstep
" Perhaps SCO should use some of their millions of recent investments and get an OC48."
Are you kidding? Do you know what one of those costs? That would seriously affect the Crack budget. No way is that going to happen.
Even though DDOS attacks are misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too. Claiming ownership of chunks of a kernel without showing any proof and not waiting for the outcome of a court case.
:)
The damage they have caused companies involved in Linux far outweighs a bit of network outage, unless they suffer a major loss, since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope.
Link to 80% statistic
Maybe what it really means is Denial of Settlement.
Unfortunately, I don't believe even the most robust enterprise class router could handle TCP-Intercept duties on a 50k/second SYN flood.
Prove me wrong.
Stewey
There are 10 kinds of people in the world. Those who understand binary and those who don't.
Maybe they should outsource their hosting..to, oh, say...the admins at Lindows.com?
I do find it amusing (and quite possibly ironic), though, that you host an IRC server, and yet don't mention the fact that IRC is the main channel for zombie attacks.
You mention the router as the 'suffer'ing entity. Well, the router is designed to route packets. That's what it does, and it does it well.
It's layer 8 that causes the problems...and those problems are augmented by layer 8 making calls into layer 7.
Now, to be fair, it is POSSIBLE that SCO was attacked, but---
1: The web server and ftp server are on the same subnet. Ftp.sco.com is at 216.250.128.13, while the web server is at 216.250.128.12. For these to be on different networks would require subnets with 1 host per subnet (not very practical). Since the ftp server was not down for most or all of the alleged attack, it is clear that this was not the result of bandwidth saturation.
2: SCO has stated that their email servers were down but no credible third party corroboration has occurred.
IF (That is a big IF) SCO was attacked, it would have had to be a narrower time frame than they are stating, because such an attack would have taken everything down in their network.
It is also possible that they could have remedied the problem upstream quickly enough that nobody noticed, but decided to play up the story for sympathy reasons.
Either way, SCO is lying about something or is utterly incompetent.
LedgerSMB: Open source Accounting/ERP