Slashdot Mirror


SCO Not Lying About DoS Attack

Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."

40 of 615 comments

  1. awwww... by Anonymous Coward · · Score: 5, Funny

    poor little darl..... :)

  2. Oh come on by puppetluva · · Score: 5, Funny

    . . . that's just the slashdot effect. . .

    1. Re:Oh come on by 00420 · · Score: 5, Funny

      it's only in Windows Media Video!

      That doesn't mean you need Windows Media Player to watch it. I just watched it on MPlayer. It's pretty funny in some spots. I like when McBride says "We can look forward to a world that is not free." I think they should make that their company slogan :)

  3. just another PR trick by kpharmer · · Score: 5, Funny

    Great! now they get headlines simply by *not* lying

    1. Re:just another PR trick by madprof · · Score: 5, Insightful

      The Slashdot headline was "Security Experts Doubt SCO's Claims of DoS"...well there are lots of "experts" around here it seems, and they all thought it was a PR stunt.

      How anyone could see PR value in this is beyond me.
      The opinions that matter to SCO are those of the people who control the purse strings at companies who use Linux heavily. They are not about to jack in Linux/pay up because some script kiddies were playing games.
      It just doesn't make sense that a company would fake a DDoS attack.

    2. Re:just another PR trick by Trepalium · · Score: 5, Insightful
      Maybe because the timing of it all was just too damn convenient. It happened a couple of days after RBC decided there's something fishy about the contingency agreement and after losing against IBM's motion to compel discovery; their stock price has been dropping, and everyone expects that they will not be able to get anywhere near profitable this quarter without some very creative accounting. Of course little of this made it into the same press that prints SCO's outrageous accusations and 'open letters'.

      All this happens, and then SCO suddenly becomes 'victimized by all these EVIL Open Source people', virtually guaranteeing the press won't report on SCO's other misfortune because it's 'unimportant' compared to this. Moreover, they get to make Open Source people look like terrorists and bad people, and try to make it look like people should not be using software developed by these 'evil people'.

      --
      I used up all my sick days, so I'm calling in dead.
    3. Re:just another PR trick by Trepalium · · Score: 5, Insightful
      Not exactly. I merely believe that SCO will stoop to any low in order to exploit a situation. I believe SCO's management are opportunists in the worst sense of the word. I believe that lies are just as valuable to these people as truth is, and they will use whichever suits their purpose best.

      I know there are "Open Source people" who could and/or would stoop so low as to mount a DDoS attack on SCO. However, the fact that SCO's site isn't getting DDoSed all the time is a fairly good indicator that this 'undesirable element' is in the minority. There's a few of these kinds of jackasses in any crowd, and I wouldn't be surprised if SCO unknowingly had one or two in their midst.

      --
      I used up all my sick days, so I'm calling in dead.
  4. If they know all of this.... by Jaysyn · · Score: 5, Insightful

    .... where did the synflood come from?

    Jaysyn

    --
    There is a war going on for your mind.
  5. Nelson said it best. by xenoweeno · · Score: 5, Funny
  6. SCO Not Lying? by bc90021 · · Score: 5, Funny

    Quick! Someone start knitting Satan a sweater!

    1. Re:SCO Not Lying? by gizmonic · · Score: 5, Funny

      Great idea, and to save postage we can just send it with Darl when he goes...

      --
      WWJD?
      JWRTFM!
  7. Who cares? by Dragonshed · · Score: 5, Insightful

    SCO's like the boy who cried wolf too much. Why should people care when he actually gets bitten?

    1. Re:Who cares? by llamalover · · Score: 5, Funny

      In the original fairy tale, I believe the boy gets eaten. Tragic, but at least the wolf is happy. McBride burger anyone?

  8. Why Nothing Should be Done... by gizmonic · · Score: 5, Interesting

    If any authorities look into this, I am gonna be pissed. I mean, if they can't bother to do anything when the anti-spam sites get attacked, then they better damn well not do anything now.

    Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?

    --
    WWJD?
    JWRTFM!
  9. It's funny, laugh. by gnuadam · · Score: 5, Funny

    Well I guess the lying or incompetent question has been settled.

    --
    You say :wq, I say ZZ. Why can't we all just get along?
  10. It's tough out there ya know by IamGarageGuy+2 · · Score: 5, Interesting

    It's hard to have much sympathy, even though this is a dirty trick played by some h@xtor D00d that has nothing better to do with his time. The only way to beat a scurrilous bunch of deadbeats like SCO is to show to the public the kind of people they really are. Attacking them in this way only makes the Open-Source people look like a bunch of teenage kids that want to take on "The Man".

    --
    Stay tuned for new sig...
  11. In other news... by kirun · · Score: 5, Informative
    --
    I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
  12. "SCO Not Lying " by fiannaFailMan · · Score: 5, Funny
    SCO Not Lying
    Now that is news.
    --
    Drill baby drill - on Mars
  13. Correct URL by DavidMoore · · Score: 5, Informative

    CAIDA Analysis of SCO DoS Please use this link, the other one goes to a slow XML server.

  14. still doesn't explain everything. by xsecrets · · Score: 5, Insightful

    Why on earth did SCO respond to 700 million SYN packets? If there was even a moderate level of SYN protection turned on they would have just dropped the majority of those packets, and the bandwidth usage would be half.

  15. If they are actually telling the truth, ... by burgburgburg · · Score: 5, Insightful
    which is an extraordinarily large leap of faith considering that lying for Darl, David et al. is like breathing for you and me, then it means that the nicest thing one could say is that they have incredibly bad sysadmins. As Groklaw pointed out, there are lots of tools out there to protect against SYN flood attacks.

    The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villains.

    I'd buy that one.

  16. Yes but one fact remains by Rosco+P.+Coltrane · · Score: 5, Interesting

    SCO was hit with a 50,000 packet-per-second SYN flood peak

    If their servers died from a synflood attack, there are 3 possible reasons:

    - The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)

    - The IT guy has time-travelled from the mid-nineties and didn't know about synfloods

    - The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.

    Also, I might add, there is another aspect to consider: whoever hit SCO with a synflood attack has either:

    - the brain of a monkey

    - time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS

    - been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.

    Conclusion: The cause of this DoS was either:

    - 2 particularly stupid monkeys
    - 2 time-travellers
    - 2 suckers paid by SCO

    Dunno for you, but I know where my money would go if I had to bet ...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Yes but one fact remains by Smitedogg · · Score: 5, Funny
      I was leaning more towards a time-traveling monkey overlord, personally.

      Then again, it's not nice to always blame Darl.

      Dogg

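    The "SYN protection" that comments 14, 15 and 16 say SCO should have had is, on Linux, SYN cookies: the server answers every SYN with a SYN/ACK whose sequence number is a keyed hash of the connection 4-tuple plus a minute counter and an encoded MSS, stores nothing, and only allocates state when a client echoes a valid cookie back in its ACK. The model below is an added example written for this page, not code from the thread, from SCO or from the Linux kernel; it follows the Linux cookie layout (24 bits of hashed data, an 8-bit minute counter, a four-entry MSS table, a two-minute lifetime) but uses fixed, constructed keys and constructed addresses, where a real stack draws random keys at boot.

```python
"""SYN-cookie handshake model (added example; Linux-style layout, constructed keys)."""
import hashlib
import hmac

# MSS values the cookie can encode in its low bits; Linux keeps four entries.
MSSTAB = (536, 1300, 1440, 1460)
MAX_AGE_MINUTES = 2          # same lifetime as Linux MAX_SYNCOOKIE_AGE
MASK24 = 0xFFFFFF
MASK32 = 0xFFFFFFFF

# Constructed, fixed keys for the example only; a real stack draws fresh
# random keys at boot so that cookies cannot be precomputed by an attacker.
_KEY1 = b"example-syncookie-key-1"
_KEY2 = b"example-syncookie-key-2"


def _h32(key, *fields):
    """Keyed 32-bit hash over the 4-tuple (and, for _KEY2, the minute counter)."""
    msg = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def _minute(now):
    return int(now // 60) & 0xFF


def mss_index(client_mss):
    """Largest MSSTAB entry not exceeding what the client advertised."""
    idx = 0
    for i, m in enumerate(MSSTAB):
        if client_mss >= m:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Server ISN for the SYN/ACK. No per-connection state is stored: the
    minute counter and the MSS index are folded into the sequence number."""
    count = _minute(now)
    h1 = _h32(_KEY1, saddr, daddr, sport, dport)
    h2 = _h32(_KEY2, saddr, daddr, sport, dport, count)
    data = (h2 + mss_index(client_mss)) & MASK24
    return (h1 + client_isn + (count << 24) + data) & MASK32


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Validate the cookie echoed in the client's final ACK (ack - 1).
    Returns the MSS to use, or None if the cookie is forged or stale."""
    h1 = _h32(_KEY1, saddr, daddr, sport, dport)
    diff = (cookie - h1 - client_isn) & MASK32
    count = diff >> 24
    if ((_minute(now) - count) & 0xFF) > MAX_AGE_MINUTES:
        return None
    h2 = _h32(_KEY2, saddr, daddr, sport, dport, count)
    idx = (diff - h2) & MASK24
    return MSSTAB[idx] if idx < len(MSSTAB) else None


class CookieListener:
    """Listening socket that keeps state only for completed handshakes."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}     # (peer, peer_port) -> negotiated MSS

    def on_syn(self, peer, peer_port, client_isn, client_mss, now):
        # Reply with a SYN/ACK whose seq is the cookie; nothing is remembered.
        return make_cookie(peer, self.addr, peer_port, self.port,
                           client_isn, client_mss, now)

    def on_ack(self, peer, peer_port, seq, ack, now):
        # In the final ACK, seq is client_isn + 1 and ack is cookie + 1.
        mss = check_cookie(peer, self.addr, peer_port, self.port,
                           (seq - 1) & MASK32, (ack - 1) & MASK32, now)
        if mss is not None:
            self.established[(peer, peer_port)] = mss
        return mss


def demo(now=1_000_000):
    srv = CookieListener("203.0.113.1", 80)            # constructed addresses
    # 50,000 spoofed SYNs (the peak rate CAIDA measured) leave no half-open state.
    for i in range(50_000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i % 60000, i, 1460, now)
    half_open = len(srv.established)
    # A real client completes the handshake within the cookie lifetime.
    cookie = srv.on_syn("192.0.2.5", 40000, 777, 1400, now)
    mss = srv.on_ack("192.0.2.5", 40000, 778, (cookie + 1) & MASK32, now + 30)
    # The same ACK replayed ten minutes later is rejected as stale.
    stale = srv.on_ack("192.0.2.5", 40000, 778, (cookie + 1) & MASK32, now + 600)
    return half_open, mss, stale


if __name__ == "__main__":
    print(demo())        # (0, 1300, None)
```

    The point the thread is arguing about is visible in `demo()`: the flood costs the server one hash per SYN and no memory, so a 50,000 pps flood cannot exhaust the listen backlog. What cookies do not do is reduce the bandwidth consumed by answering every SYN with a SYN/ACK, which is the "each way" traffic in the CAIDA numbers; a forged ACK has only a 3/256 chance of carrying an acceptable minute counter and then a 4/2^24 chance of a valid MSS index, so state is allocated essentially only for genuine clients.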
  17. DS3 Line stats by Lipongo · · Score: 5, Informative

    The attack was just short of half a DS3 Line.

    DS3 Line = 44.736Mbps for those of you who need a definition

    --
    -Certified TechnoWeinie
  18. Re:T1? by man_of_mr_e · · Score: 5, Informative

    No.

    DS1 is the circuit either a T1 or E1 rides on. E1s are the European equivalent of a T1. DS1 is the raw circuit.

  19. Re:bad for open source by kirun · · Score: 5, Insightful

    Well, we can tell people we didn't want it.

    You don't win arguments by silencing your opponent (which is what DDoS is), you win them by being right. All evidence so far is the OSS community is right.

    Whoever launched these attacks has made everybody look bad. Annoying SCO isn't going to make them say "Hey! Let's be nice now!". Their business model is now suing people. It's not as if their software was selling much.

    If you're reading this DDoS dude, don't do it again, mmkay?

    --
    I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
  20. Bandwidth by phorm · · Score: 5, Interesting

    "Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."

    And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?

    The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.

    My question is how this is possible without killing the bandwidth of other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it.

    The other question, of course, if it was a DDOS, is who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
    With the last two, one would think that the outgoing results of such an attack would be noticed?

    Also, again with the main argument that the FTP was online whilst the WWW was offline... why does the article say the FTP was down (and first to be attacked)??

  21. Re:Then please explain by Zocalo · · Score: 5, Informative
    Because only in el cheapo hosting can you make the assumption that two adjacent IPs are on the same switch. It's quite common for high capacity corporate sites to have a load balancer of some kind in front of them that redirects to other IPs that you never see. Some of the more sophisticated devices even fiddle the TTL and other settings so they are totally invisible and what appears to be a single IP could easily be a distributed cluster of servers in every continent of the globe.

    Provided that the bandwidth to the load balancer did not get saturated in the DDoS, and the attack was targeted at a specific IP, then it is perfectly possible for adjacent IPs to be fine. I and several others pointed this out as a possibility in the original story and either got modded to oblivion or called idiots for it. C'est la vie.

    --
    UNIX? They're not even circumcised! Savages!
  22. Shoes by Overly+Critical+Guy · · Score: 5, Insightful

    Man, this whole thing sure is a lot of shoes in a lot of Slashdotters' mouths.

    --
    "Sufferin' succotash."
    1. Re:Shoes by A+Binary+Rebel · · Score: 5, Insightful

      This is probably going to get me labelled as anti-Linux forever on /., but why is this modded troll? It's true.

      I am as anti-SCO, pro-Linux and anti-MS as any other /. junkie. But I also learned a long time ago to never point fingers and to never speak too soon.

      This should be modded up to at least neutral.

    2. Re:Shoes by Trepalium · · Score: 5, Interesting

      Okay, I'm willing to accept they were DDoSed. An upstream provider blocking it at the router level makes sense too. But I'm still not willing to accept that SCO isn't lying. What about their Intranet being brought down by this? What about the customer support services being brought down? This could be caused by gross incompetence, an inside job, or complete and utter lies. Choose one, none are flattering to any company, especially one that claims to sell an 'enterprise class' operating system.

      --
      I used up all my sick days, so I'm calling in dead.
  23. Re:SCO Not lying... by corrie · · Score: 5, Interesting

    This statement is false.

    What a nice place to say that, isn't it?

    The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"

    I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.

    Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.

    So basically there are two things which make me wonder about this whole situation:

    • 1. Why is it that the SYN flood did not take out the network at the router level, as opposed to a specific server on the Ethernet backbone?
    • 2. Why was there such suspicious timing involved with the FTP server also becoming unavailable after the Groklaw article appeared? Why on Earth would the attacker(s) suddenly decide to also attack the FTP server?

    If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is indeed no distinction to be drawn between the two servers, and so they should have gone down simultaneously.

  24. "SCO Not Lying" by fanatic · · Score: 5, Funny

    It was bound to happen eventually, if only by random chance - as much as they talk, sooner or later they were bound to say something true.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  25. denial is the most predictable of human emotions by fw3 · · Score: 5, Informative
    First, by all means mod me down it's only /.

    Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.

    If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.

    And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.

    Both SYN and bandwidth attacks use forged addresses, children (which is why there is backscatter): each incoming SYN is from a random IP, and the ACK goes to the forged address, not the originator.

    The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed.

    Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  26. Actually, it goes deeper than that by klasikahl · · Score: 5, Informative

    In fact... a lot of SYN attacks don't use compromised hosts at all! They actually send the request to a bunch of computers that are just running webservers, that's all. They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline. It's happened to me before. :P

    So you can use even a secure (but not 100% properly configured) server to launch an attack with... Interesting stuff.

    1. Re:Actually, it goes deeper than that by anthony_dipierro · · Score: 5, Informative

      They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline.

      That wouldn't really be a SYN attack, as the response packets would have SYN and ACK set. It would also be much easier to protect against, as these bogus SYN/ACK packets could be dropped. But most importantly, there wouldn't be any backscatter, and certainly not the backscatter that CAIDA was seeing.

      So you can use even a secure (but not 100% properly configured) server to launch an attack with...

      Improperly configured so as to be able to launch an attack isn't secure. But, I'm really not sure how you could configure a machine not to respond to HTTP requests, anyway. Fortunately, as I mentioned above, this type of attack is much easier to ignore than a true SYN attack.

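    The two mechanisms debated in comments 25 and 26, backscatter from a flood with forged source addresses and the SYN/ACK reflection variant, can be put side by side in a small traffic model. This is an added example written for this page, not code from the thread, from CAIDA or from SCO; the victim address, the two reflector addresses and the monitored 10.0.0.0/8 "telescope" are constructed, and the attack rates are chosen for the simulation rather than taken from the CAIDA report. It shows why a spoofed SYN flood is visible from unrelated networks (the victim's SYN/ACKs land on random addresses, a fraction of them in unused space that a telescope watches, so the count scales up to an attack-rate estimate) and why the reflection variant produces no such backscatter and can be dropped by a host that tracks its own outbound SYNs.

```python
"""Backscatter inference vs. SYN/ACK reflection (added example, constructed traffic)."""
import random
from collections import Counter, namedtuple

Pkt = namedtuple("Pkt", "src dst sport dport flags")   # flags: "S", "SA", "A"

VICTIM = "203.0.113.10"          # constructed victim address
TELESCOPE_FRACTION = 1 / 256     # hypothetical unused /8 being monitored


def rand_ip(rng):
    return ".".join(str(rng.randrange(256)) for _ in range(4))


def spoofed_syn_flood(n, rng, target=VICTIM):
    """Direct SYN flood: every SYN carries a random forged source address."""
    return [Pkt(rand_ip(rng), target, rng.randrange(1024, 65536), 80, "S")
            for _ in range(n)]


def reflection_flood(n, rng, reflectors, victim=VICTIM):
    """Reflected flood: SYNs forged *from* the victim to ordinary web servers,
    which then send their SYN/ACKs to the victim."""
    return [Pkt(victim, rng.choice(reflectors), rng.randrange(1024, 65536), 80, "S")
            for _ in range(n)]


def tcp_replies(packets, outbound_syns=frozenset()):
    """What a host's stack sends back. A SYN gets a SYN/ACK to the claimed
    source (this is the backscatter). A SYN/ACK is accepted only if it matches
    a SYN this host itself sent, keyed (local_ip, local_port, remote_ip,
    remote_port); an unsolicited one is dropped, which is the cheap defence
    against the reflection variant."""
    out = []
    for p in packets:
        if p.flags == "S":
            out.append(Pkt(p.dst, p.src, p.dport, p.sport, "SA"))
        elif p.flags == "SA" and (p.dst, p.dport, p.src, p.sport) in outbound_syns:
            out.append(Pkt(p.dst, p.src, p.dport, p.sport, "A"))
    return out


def telescope_capture(packets, prefix="10."):
    """Packets addressed into the monitored, otherwise unused block."""
    return [p for p in packets if p.dst.startswith(prefix)]


def infer_attacks(captured, window_s, fraction=TELESCOPE_FRACTION):
    """Backscatter inference in the style of CAIDA's telescope work: unsolicited
    SYN/ACKs landing in dark space are backscatter, their *source* is the victim,
    and scaling the count by the telescope's share of the address space and the
    observation window estimates the attack rate in packets per second."""
    hits = Counter(p.src for p in captured if p.flags == "SA")
    return {victim: n / fraction / window_s for victim, n in hits.items()}


def simulate(seed=7, pps=10_000, window_s=2):
    rng = random.Random(seed)
    # 1. Direct spoofed flood: the victim answers every SYN and the telescope
    #    sees roughly one reply in 256.
    syns = spoofed_syn_flood(pps * window_s, rng)
    backscatter = tcp_replies(syns)
    direct = infer_attacks(telescope_capture(backscatter), window_s)
    # 2. Reflection through two web servers: their replies go to the victim,
    #    not to random addresses, so the telescope sees nothing, and a victim
    #    that tracks its own outbound SYNs drops every one of them.
    reflectors = ["192.0.2.1", "192.0.2.2"]          # constructed reflectors
    reflected = tcp_replies(reflection_flood(pps * window_s, rng, reflectors))
    accepted = tcp_replies(reflected)                # victim has no matching SYNs
    reflect = infer_attacks(telescope_capture(reflected), window_s)
    return {"direct_estimate_pps": direct, "reflect_estimate_pps": reflect,
            "reflected_syn_acks": len(reflected), "victim_accepted": len(accepted)}


if __name__ == "__main__":
    print(simulate())
```

    Run stand-alone, `simulate()` estimates the direct flood at roughly its true 10,000 pps from about 78 captured SYN/ACKs, which is the kind of measurement fw3 means by backscatter in unrelated snort and netfilter logs; the reflection run yields an empty estimate and zero accepted packets, matching anthony_dipierro's two points that a reflected flood leaves no backscatter and that unsolicited SYN/ACKs are easy to discard. The estimate's error shrinks with the size of the monitored block and the observation window, and it assumes the forged sources are uniformly random, which is what makes the attack visible in the first place.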
  27. Why? by etymxris · · Score: 5, Insightful

    Is every Christian responsible for the bombing of abortion clinics? Is every Muslim responsible for honor killings? Is every Linux user responsible for these attacks?

    I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.

    But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.

  28. Preventing SYN attacks using a Cisco router by WolfTattoo · · Score: 5, Informative

    I have no idea if SCO is using Cisco routers on their perimeter, but I guess it's not too unreasonable to assume this is a possibility. With a Cisco on the perimeter, preventing a SYN attack requires all of 3 additional lines to the configuration. I'm guessing it also doesn't take too much more than this on any enterprise-class router.

    Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
    (config)#access-list 151 permit tcp any host
    (config)#ip tcp intercept list 151
    (config)#ip tcp intercept mode intercept

    With intercept mode enabled, all incoming SYNs are held by the router, which proxy-answers with a SYN-ACK. It won't forward to the server if the ACK is not received.

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a00800b6f0e.html

  29. Are you sure? by BCW2 · · Score: 5, Funny

    That it wasn't customers rushing to pay their Linux license fees because the court case is going so well?

    and Daryl wouldn't lie either.

    --
    Professional Politicians are not the solution, they ARE the problem.
  30. Backscatter from where? by ajc314159 · · Score: 5, Interesting

    Pardon my ignorance, but if they took the web server offline at 10-something am, then what was producing the backscatter of ack packets? Was the ISP doing this for them? Why on earth would they bother? And if there was no machine there to respond to the syn flood for hours, then where was the backscatter coming from?

    Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?

    Waiting for enlightenment...