SCO Not Lying About DoS Attack

Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."

awwww...

poor little darl..... :)

Oh come on

[puppetluva]

. . . that's just the slashdot effect. . .

Re:Oh come on

[twoslice]

Uhm, go here --> sco.com

...and JPriest starts another round of DDOS at SCO

Re:Oh come on

[00420]

it's only in Windows Media Video!

That doesn't mean you need Windows Media Player to watch it. I just watched it on MPlayer. It's pretty funny in some spots. I like when McBride says "We can look forward to a world that is not free." I think they should make that there company slogan :)

just another PR trick

[kpharmer]

Great! now they get headlines simply by *not* lying

Re:just another PR trick

[DaveAtFraud]

Well, for SCO that is remarkable and worthy of a headline.

Re:just another PR trick

[Andy+Smith]

Great! now they get headlines simply by *not* lying

No, they get headlines when people accuse them of lying and it turns out (apparently) that they weren't.

Re:just another PR trick

[hbo]

The headline was SCO Group Web Site Attacked Again Which, it turns out was correct. Lots of folks read Groklaw, or posted to both Slashdot and Groklaw, doubting that the attack was real. As I said over there:

I haven;t (sic) seen an explanation for the fact the earlier traceroutes stopped at multiple points in xo.net. Thos (sic) seem to indicate that there was filtering going on upstrean from SCO. This is a reasonable response to a DDOS by a backbone provider. That would also explain why there was now (sic) bandwidth problem on other systems close to www.sco.com. The putative attack traffic was never reaching SCO's colo.

We should resist the temptation to believe that everything SCO says is a lie, just because most things are. This could blind us to real threats from SCO, if they exist.

Re:just another PR trick

[madprof]

The Slashdot headline was "Security Experts Doubt SCO's Claims of DoS"...well there are lots of "experts" around here it seems, and they all thought it was a PR stunt.

How anyone could see PR value in this is beyond me.
The opinions that matter to SCO are those of the people who control the purse strings at companies who use Linux heavily. They are not about to jack in Linux/pay up because some script kiddies were playing games.
It just doesn't make sense that a company would fake a DDoS attack.

Re:just another PR trick

[hbo]

I believe It's a knee-jerk reaction to the threat that SCO is posing to Linux and the GPL, combined with its public record of lying. The history of Unix is a tangle that Gordius of Phyrigia would be satisfied with. Interpreting IBM's rights amid the confusing welter of licenses and side agreements will not be easy, and the outcome is not so tidily in the bag as some seem to hope. PJ at Groklaw has provided lots of useful and interesting research. I read Groklaw daily. But it's obvious that Groklaw is also an advocacy site, among other things, much as Slashdot is. I worry that PJ's biases might lead her to miss important information from time to time. Since I'd like to see SCOG fail and be ground into the earth by IBM, I'd prefer she had the clearest vision possible.

I have no evidence that Groklaw is missing tricks due to bias. It's just a worry of mine. The "SCO must be lying" bias at Groklaw and here is unmistakeable, however.

Re:just another PR trick

[Trepalium]

Maybe because the timing of it all was just too damn convenient. It happened couple days after RBC deciding there's something fishy about the contingency agreement, losing against IBM's motion to compel discovery, their stock prices have been dropping, and everyone's expectations that they will not be able to get anywhere near profitable this quarter without some very creative accounting. Of course little of this made it into the same press that prints SCO's outrageous accusations and 'open letters'.

All this happens, and then SCO suddenly becomes 'victimized by all these EVIL Open Source people', virtually guaranteeing the press won't report on SCO's other misfortune because it's 'unimportant' compared to this. Morover, they get to make Open Source people look like terrorists and bad people, and try to make it look like people should not be using software developed by these 'evil people'.

Re:just another PR trick

[Trepalium]

Not exactly. I merely believe that SCO will stoop to any low in order to exploit a situation. I believe SCO's managment are opportunists in the worst sense of the word. I believe that lies are just as valuable to these people as truth is, and they will use whichever suits their purpose best.

I know there are "Open Source people" who could and/or would stoop so low as to mount a DDoS attack on SCO. However, the fact that SCO's site isn't getting DDoSed all the time is a fairly good indicator that this 'undesirable element' is in the minority. There's a few of these kinds of jackasses in any crowd, and I wouldn't be surprised if SCO unknowningly had one or two in their midst.

If they know all of this....

[Jaysyn]

.... where did the synflood come from?

Jaysyn

Re:If they know all of this....

[jqh1]

it's said to be a D[istributed]DOS attack -- that means it came from all over, no?

Re:If they know all of this....

[hypnagogue]

.... where did the synflood come from?

Maybe nowhere. The analysis methodology used could be spoofed by SCO by them running a program on their respective servers that sends out SYN-ACK and SYN-RST to random IP addresses.

CAIDA would just assume it's a real DDOS attack. Remember "backscatter analysis" analyzes the response from the "target" site. They don't see and cannot prove the existance of the actual SYN flood.

Nelson said it best.

[xenoweeno]

Ha-ha!

SCO Not Lying?

[bc90021]

Quick! Someone start knitting Satan a sweater!

Re:SCO Not Lying?

[gizmonic]

Great idea, and to save postage we can just send it with Darl when he goes...

Who cares?

[Dragonshed]

SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?

Re:Who cares?

[llamalover]

In the orginal fairy tale, I believe the boy gets eaten. Tragic, but at least the wolf is happy. McBride burger anyone?

Why Nothing Should be Done...

[gizmonic]

If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.

Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?

It's funny, laugh.

[gnuadam]

Well I guess the lying or incompetent question has been settled.

It's tough out there ya know

[IamGarageGuy+2]

It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".

Re:It's tough out there ya know

[i_r_sensitive]

The problem is that some Open Source people are teenage kids that want to take on "The Man".

For proof, look around /., they aren't that hard to find.

Responsible FOSS people are not responsible because they support FOSS, that was very likely a pre-existing condition.

And FOSS does have allure to children, or the child-like. The underdog, oppressed group, challenging traditional and accepted practice.

If they are not sophisticated enough to understand the reasons behind FOSS, why should we be surprised if they are unsophisicated enough to engage in irresponsible behaviour.

Too often the FOSS movement seems to highlight those aspects of itself which attract this element. We too rarely emphasize the responsibility inherent in FOSS. The responsibility to contribute, the responsibility to report bugs, the responsibility to respect other's choices as we wish them to respect ours.

Do we really want these people identifying themslves with our movement? I suspect not, but until we stop accentuating the us against big corporations et. al., and start accentuating some of the more mature aspects of what we stand for (which are at least as compelling as the other reasons...) we will continue to attract these people, and they will continue to make us look like children.

I don't know any more about this specific incident than any of you, and I hope none of you reading this know any more than I do... There is no reason to believe that some FOSS advocate perpetrated this, but it is apparent from some of the sentiments expressed that people are considering the possibility and lamenting it, if it turns out to be true. If it does, we need to consider what we can do to make our movement less appealing to the irresponsible.

So they're just incompetent then?

[JonMartin]

So have they just admitted that they don't bother protecting themselves from what is, in my understanding, a old and mitigatable form of attack?

Or to put it another way, they weren't lying, they're just stupid?

In other news...

[kirun]

...SCO Must Prove Existence Of Santa Claus in Thirty Days

SCO What..

[cybrthng]

Everyone gets DoS'd, they should be happy it stopped.

With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.

At this juncter, i don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.

Attack or No attack is a trivial question compared to what we really know about SCO and there business practices.

SCO freaking what!

"SCO Not Lying "

[fiannaFailMan]

SCO Not Lying

Now that is news.

Correct URL

[DavidMoore]

CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.

still doesn't explain everything.

[xsecrets]

Why on earth did SCO respond to 700 million syn packets? if there was even a moderate level of syn protection turned on they would have just droped the majority of those packets. and the bandwith usage would be half.

If they are actually telling the truth, ...

[burgburgburg]

which is an extraordinarily large leap of faith considering that lying for Darl, David et. al. is like breathing for you and I, then it means that the nicest thing one could say is that they have incredibly bad sysadmins. As Groklaw pointed out, there are lots of tools out there to protect against Syn flood attacks.

The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villans.

I'd buy that one.

Yes but one fact remains

[Rosco+P.+Coltrane]

SCO was hit with a 50,000 packet-per-second SYN flood peak

If their servers died from a synflood attack, there are 3 possible reasons:

- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)

- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods

- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.

Also, I might add, there are another aspect to consider : whoever hit SCO with a synflood attack has either:

- the brain of a monkey

- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS

- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.

Conclusion: The cause of this DoS was either:

- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO

Dunno for you, but I know where my money would go if I had to bet ...

Re:Yes but one fact remains

Monkeys! Always bet on the monkeys!

Re:Yes but one fact remains

[gl4ss]

you forgot one:

-the it guys had left the building few months ago.

---

Re:Yes but one fact remains

[Smitedogg]

I was leaning more towards a time-traveling monkey overlord, personally.

Then again, it's not nice to always blame Darl.

Dogg

Re:Yes but one fact remains

[Silvers]

While a single source DoS stream is 'really stupid', a DDoS using hacked machines is notoriously hard to stop and trace.

Anyway, this is my analysis. When only the WWW server was targetted, the flow was not enough to saturate the link, but there was no syn protection in front of the www server. (or poorly configured, or something along those lines) Mainly because the FTP site was still up and running on the same subnet. But from the report, later on the FTP server was also attacked, bringing up total bandwidth up even higher, possibly killing the link.

So quite obviously the www server was not protected from syn's nor was the link fully eaten up by these packets. Since the ftp server was responsive until it became a target, as well as the fact that these reports mention that the amount of traffic significantly increased when the ftp attack was launched.

There's very little to be done about a DDoS if it can saturate your link, but in this case it wasn't completely utilized (atleast until the ftp attack started), and the www server just wasn't getting adequate protection (many firewalls have syn attack thresholds where they will age out syn connections extremely fast and only pass on ones that complete to the server)

Anyway, just the analysis of a college kid.

Re:Yes but one fact remains

[Xenographic]

Pity SCO never bothered to use TCP cookies, which are old news. Live and learn.

What no one else has mentioned, however, is how SCO came up with those fake signs when the protesters came--you know, the ones assosciating Linux and communism, which you can find photos of on Groklaw--I mean, I have no proof of anything, nor do I accuse them without proof, but I cannot put self-sabotage beyond them any more. It's not like they haven't done things of this nature before.

Their willingness to use it as PR is also troubling. How ironic, though, that we'd criticize someone for coming clean about an attack when so many who study security wish that companies were more forthcoming about them. On the other hand, this is a DoS attack--no confidential information is at stake--so this is just the sort of attack they probably need not mention...

My guess is that they plan to use this to (attempt) to discredit IBM in the courtroom. First, presume that someone in the OS community did it (proof not required?), associate IBM and OS, then claim that IBM is part of a conspiracy against them (they already have, actually, in their breifs--I could be mistaken, but I thought that it was one IBM moved to strike since they didn't even state it with particularity [e.g. didn't say who IBM had conspired with])

Even so, I'm reasonably sure that SCO cannot prevail in the courtroom, especially given how McBride claimed to be expecting the outcome of the last hearing over discovery. So we're pretty sure that SCO won't prevail in the lawsuit--indeed, the counterclaims from IBM may well be the end of them--and we can be pretty sure that IBM won't just buy them out (bad precident). It could be a Pump & Dump--I've seen others who think that someone is painting the tape (trying to keep SCOX share prices up)--but the SEC, at least so far, doesn't appear to think so.

I just wonder if there's some other "win" scenario wherein SCO doesn't actually win the lawsuit or much of anything else.

Here's a thought--albeit one terrible, completely, utterly and totally speculative unsupported by any solid evidence--what if SCO's entire purpose here is to discredit Open Source? In that scenario, they don't have to "win" anything--just make sure that we suffer as much as possible while they go down...

Oh well, I'm not sure how much Darl can hold on. They postponed the earnings report, which the Motley Fool lists as a textbook showing of internal strife. The lawyers and the banks are jockeying for position over the remains of SCO should it lose, according to their agreements which you can find on Groklaw. The court has gone soundly against them thus far in the discovery hearing. It's practically game over if the share price drops low enough, for any reason, according to more agreements with RBC.

I wonder if Darl can keep it together long enough that SCO even exists for the remainder of the lawsuit, given that it'll take some time?

Only time will tell.

DS3 Line stats

[Lipongo]

The attack was just short of half a DS3 Line.

DS3 Line = 44.736Mbps for those of you who need a definition

Re:T1?

[man_of_mr_e]

No.

DS1 is the circuit either a T1 or E1 rides on. E1's are the european equivelent to at T1. DS1 is the raw circuit.

Re:T1?

For the mathematically challenged:
20mbit up + 20mbit down = 40mbit

Or 20mbit x 2 = 40mbit

20mbit comes into to SCO web server a second
20mbit goes out of SCO web server a second
Now, how much traffic was there in that second?

I'm not sure I can make it any clearer.

Re:bad for open source

[kirun]

Well, we can tell people we didn't want it.

You don't win arguments by silencing your opponent (which is what DDoS is), you win them by being right. All evidence so far is the OSS community is right.

Whoever launched these attacks has made everybody look bad. Annoying SCO isn't going to make them say "Hey! Let's be nice now!". Their business model is now suing people. It's not as if their software was selling much.

If you're reading this DDoS dude, don't do it again, mmkay?

Bandwidth

[phorm]

eems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."

And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?

The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.

My question is how this is possible without killing the bandwidth other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it

The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?

Also, again with the main arguement that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??

Re:Bandwidth

[anthony_dipierro]

Wastes bandwidth sending the replies back, and wastes resources on the host making and sending the replies. Once you've determined a DoS is underway, drop the offending packets and be done with them.

The whole point of a DDOS is that you can't recognize which packets are the offending ones. Sure, at some point a human is going to look at the situation and say, OK, we're going to shut down this machine until the DDOS has subsided, but it would be stupid to shut down a machine automatically whenever you're getting attacked.

Wasting bandwidth is irrelevant if you're going to shut down the machine anyway.

Re:Bandwidth

[Avihson]

My point exactly on ftp.sco.com, I check them during the incident, and response time seemed normal.

What bothers me avout the whole incident is that we just have one confirmation that there was a 32 hour attack on SCO.
Just where are all the zombies? What OS where they running? What vulnerability on the zombies was exploited? Where are the rest of the confirmations that this was a DDOS?

Answers to the above questions were flying all over the 'net when Microsoft was DDOSed, where are they now? I know more people hate Microsoft than SCO, but the people with the tools to detect the DDoS attacks are vendor neutral.

An interesting quote from CAIDA:
"Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. At 10:40 AM PST, SCO removed their web servers from the Internet and stopped responding to the incoming attack traffic. Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST."

So not only did the ISP filter the traffic for the ftp servers, it seems to have mirrored the ftp server, since I was able to explore the ftp site and also download download an ISO: SCOX Dev CD

So the Bandwidth to the DDoSed ftp server either was not saturated, or the ftp server was not DDoSed, or maybe, just maybe, it was an inside job!

Re:bad for open source

[aheath]

"The only result of this kind of attack will be tarnishing of the image of Open source developers."

Are you making an assumption that an open source developer is responsible for the DOS attack against SCO? Should the open source community be viewed as guilty until proven innocent?

Hopefully no one in the open source community is involved in the most recent DOS attack against SCO or any other attacks against SCO's network infrastructure. Let's think of the open source community as innocent until proven guilty beyond a resonable doubt.

Re:DOS attacks...

[FuzzyBad-Mofo]

Did you just call SCO a legitimate business? *Backs away very slowly*

Re:T1?

[duffbeer703]

Once upon a time, a T1 was 24 multiplexed analog telephone circuits plus some control channels.

DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangably in most conversations.

Silver Lining?

[KnightNavro]

They may have actually been attacked, but at least they still look like the news grubbing idiots they are. As the Cadia article points out, it was a SYN attack. From earlier today, SYN attacks are very easy to defend with even the most basic systems.

Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.

Re:Then please explain

[Zocalo]

Because only in el cheapo hosting can you make the assumption that two adjacent IPs are on the same switch. It's quite common for high capacity corporate sites to have a load balancer of some kind in front of them that redirects to other IPs that you never see. Some of the more sophisticated devices even fiddle the TTL and other settings so they are totally invisible and what appears to be a single IP could easily be a distributed cluster of servers in every continent of the globe.

Provided that the bandwidth to the load balancer did not get saturated in the DDoS, and the attack was targetted at a specific IP then it is perfectly possible for adjacent IPs to be fine. I and several others pointed this out as a possibility out in the original story and either got modded to oblivion or called idiots for it. C'est la vie.

Re:ftp?

[NecroPuppy]

It also doesn't explain why the NetCraft stats show their connection going dead like a switch was flipped.

Even with a SYN flood, there should have been a ramp up period of increasing latency, not an "on/off" situation.

Still doesn't make sense ?

[Jesrad]

But if the website traffic is load-balanced across those multiple servers, wouldn't the server at 216.250.128.20 have been hit by the very same attack ? From the traceroute and DNS queries, it seemed to me that they had just changed their webserver's IP from 216.250.128.12 to 216.250.128.20, and messed up the DNS update and transition.

Shoes

[Overly+Critical+Guy]

Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.

Re:Shoes

[A+Binary+Rebel]

This is probally going to get me labled as anti-linux forever on /. but why is this modded troll? Its true.

I am as anti-sco pro-linux anti-ms as anyother /. junkie. But I also learned a long time ago to never point fingers and to never speak to soon.

This should be modded up to at least neutrel.

Re:Shoes

[Trepalium]

Okay, I'm willing to accept they were DDoSed. An upstream provider blocking it at the router level makes sense too. But I'm still not willing to accept that SCO isn't lying. What about their Intranet being brought down by this? What about the customer support services being brought down? This could be caused by gross incompetence, an inside job, or complete and utter lies. Choose one, none are flattering to any company, especially one that claims to sell an 'enterprise class' operating system.

Re:Shoes

[citog]

Because disagreeing with /. today gets you hammered by moderators...

Re:T1?

[SpyderVR4]

Ummm. No. A DS3 (or T3, or T1 for that matter) is full-duplex. A DS3 supports up to 45 megabits/second in BOTH directions. Read your own link a little more closely... "A DS3 is capable of moving over 5.5 Megabytes per second (45Mbps) in one direction - ***twice that when upload and download performance are combined***."

Re:SCO Paid Someone...!

[Unordained]

and even then, only paid them with an I.O.U. -- to be payable if they win against IBM ...

Re:SCO Not lying...

[corrie]

This statement is false.

What a nice place to say that, isn't it?

The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"

I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.

Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.

So basically there two things which makes me wonder about this whole situation:

• 1. Why is it that the SYN flood did not take out the network at the router level, as opposed to a specific server on the Ethernet backbone?

• 2. Why was there such a suspicious timing involved with the FTP server also becoming unavailable after the Groklaw article appeared? Why on Earth would the attacker(s) suddenly decided to also attack the FTP server?

If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is no indeed no distinction to be drawn between the two servers, and so should have gone down simultaneously.

Re:SCO Paid Someone...!

[justsomebody]

Actualy, what bothers me is:

They tracked SCO was sending OUT X million responses to DoS attack. They should track packages that go IN too. Or,... they were originating from inside and faking outside which is not hard to do???

Please somebody start a site with HOWTO - SYN PROTECTION FOR SCO or HOWTO MAKE A SIMPLE FIREWALL

"SCO Not Lying"

[fanatic]

It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.

denial is the most predictable of human emotions

[fw3]

First, by all means mod me down it's only /.

Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.

If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.

And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.

Both syn and bandwidth attacks use forged addresses children (which is why there is backscatter), each incoming syn is from a random IP, the ack goes to the forged addr, not the originator.

The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed

Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.

Actually, it goes deeper than that

[klasikahl]

In fact... a lot of SYN attacks don't use comprimised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P

So you can use even a secure (but not 100% properly configured) server to launch an attack with... Intersting stuff.

Re:Actually, it goes deeper than that

[anthony_dipierro]

They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline.

That wouldn't really be a SYN attack, as the response packets would have SYN and ACK set. It would also be much easier to protect against, as these bogus SYN/ACK packets could be dropped. But most importantly, there wouldn't be any backscatter, and certainly not the backscatter that CAIDA was seeing.

So you can use even a secure (but not 100% properly configured) server to launch an attack with...

Improperly configured so as to be able to launch an attack isn't secure. But, I'm really not sure how you could configure a machine not to respond to HTTP requests, anyway. Fortunately, as I mentioned above, this type of attack is much easier to ignore than a true SYN attack.

SCO MIRROR

[segment]

Oh never fear I have a mirror up whats the big deal

20MBit/sec is not a DS3 line

[strobert]

DS3 is ~45Mbit/sec bi-directional
(so 20 is about 44% utilized)

Re:SCO Not lying...

[Zocalo]

Take a look at the graph at CAIDA. The web server takes a beating for about an hour around 4am PST, and again for a bit longer around midnight. Just as the latter is leveling off, an even bigger spike hits the FTP server which lasts about an hour and then tails off over the next several. All in all a pretty poor DDoS attack if they couldn't sustain it for more than a few hours so the originator can't have been too smart. Bit bit like the victim that failed to have adequate SYN attack protection really... do you suppose there is a connection?

Why?

[etymxris]

Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?

I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.

But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.

Cry Wolf

[LuYu]

That is what one gets when one keeps crying wolf!

Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.

I hope the wolf is IBM.

Preventing SYN attacks using a Cisco router

[WolfTattoo]

I have no idea if SCO is using Cisco routers on their permiter, but I guess its not too unreasonable to assume this is a possibility. With a Cisco on the permiter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.

Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept

With Intercept mode enabled, all incoming SYN are held by router which proxy-answers w/syn-ack. Won't forward to server if Ack not recieved.

http://www.cisco.com/en/US/products/sw/secursw/p s2 120/products_configuration_guide_chapter09186a0080 0b6f0e.html

Re:ftp?

[Mentorix]

This claim from netcraft bugged me since the first time I read it when it was linked to the last sco story. Let's spend some time debunking it.

Let us assume that the resolution of netcrafts measurements has a resolution of 1 minute, hell, make it 10 seconds. How long do you think it takes for an average zombie machine to start churning out syn packets at full speed? I'd say after maybe a second or two, and I'm being generous. There's a >90% chance the zombies are all recieving commands through IRC or a similar set-up, this adds maybe 2 to 3 seconds to the response time. All in all it's fair to assume that within 5 seconds of the attackers push of the button all zombies will be spewing syn packets at their maximum rate.

So in conclusion; Any attacker with a sufficient amount of zombies can push an amount of traffic into any network enough to saturate its bandwidth contraints within a mere *5* seconds. There is no reason *at all* why an attack like this should always look like a slow (1 - 10 minute) degradation of network performance, it can be done close to instantanious.

Of course depending on your relation with your backbone provider you can always try to block it higher-up. Although, don't be surprised when some attackers actually saturate gigabit links...

-- Witty saying #52; 404: file not found

A tribute to the integrity of both /. and Groklaw

[psykocrime]

That both sites have published this retraction, after having previously published the original stories about the DDOS being a fabrication. Many, more "mainstream" and "credible", news sites probably would not have done so, or would have published the retraction loaded with "spin."

Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."

To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.

Good job, guys.

Re:T1?

[mcmaddog]

T1 stands for Trunk Level 1 and is a digital transmission link with a total signaling speed of 1.544Mbps. T-1 is a standard for digital transmission in North America (USA & Canada). T-1 is part of a progression of digital transmission pipes - a hierarchy known generically as the DS (Digital Signal Level) hierarchy.
T1 was originally supplied on two pairs of copper wire (transmit and recieve pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but are still digital signals between the PBX and the ILEC/CLEC's phone switch.

The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.

**most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.

Are you sure?

[BCW2]

That it wasn't customers rushing to pay their linux liscense fees because the court case is going so well?

and Daryl wouldn't lie either.

This is more bullshit from SCO

[spitzak]

The "attack" did not come from any open-source symphasizers.

After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutlely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.

Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.

Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.

There is no question what the motives of the "attacker" are. And it is absolutly disgusting that SCO can get positive publicity for this nasty little stunt.

follow the ant trail

[CAIMLAS]

This is so obvious it's not even funny.

In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,

Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.

If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.

Backscatter from where?

[ajc314159]

Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?

Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?

Wating for enlightnement...

These attacks may have nothing to do with Linux...

[borgheron]

Sites get attacked every day. Yahoo.com had it's share of attacks back in the day and so did any number of sites.

The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.

There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.

Also, as a community we should discouraget this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflects the sentiment of the entire community.

I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the workd for everthing because, in his mind, they have "won" and that is thier "reward".

So you see... I believe that, while it's unfortunate the SCO is being attacked, it's not necessarily connected with Linux.

Perhaps SCO should secure thier site better.

GJC

They can't complain too much

[gilesjuk]

Even though DDOS attacks are misuse of an Internet service and illegal, some of the tactics SCO have used in this case are very dubious too. Claiming ownership of chunks of a kernel without showing any proof and not waiting for the outcome of a court case.

The damage they have caused companies involved in Linux far outweight a bit of network outage, unless they suffer a major loss since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope :)

Link to 80% statistic

maybe?

[di0s]

Maybe what it really means is Denial of Settlement.