Free Republic
SCO Hit By Another DDoS Attack
siliconvalley.internet.com ^ | 10 Dec 03 | Jim Wagner

Posted on 12/12/2003 6:40:39 AM PST by Golden Eagle

By Jim Wagner

The SCO Group, which is embroiled in a legal battle over copyright claims over some code in the Linux open source operating system, confirmed Wednesday a massive distributed denial of service (DDoS) attack on its corporate Web site.

Officials at the SCO Group said a denial of service attack took down its Web site at 4:20 a.m. Wednesday, and it will remain inaccessible for at least the next 12 hours. The attack also took out its customer support and e-mail service.

Blake Stowell, SCO spokesperson, said this is the third time this year an unknown attacker has brought down its site, and suspects someone in the open source community is behind the illegal activities.

The legal authorities have been contacted, and the company's ISP is working on resolving the problem. Stowell said the two previous attacks were cleaned up in 24 hours or so, and expects the site to go live again Thursday morning.

SCO is currently embroiled in a contract dispute with IBM, which has extended to the entire Linux open source community. SCO claims Big Blue breached a contract with the company by contributing unauthorized portions of its Unix-based AIX operating system code to the open source movement. SCO claims that, as a result, Linux is an unauthorized derivative of its UNIX intellectual property.

IBM has denied the claims and countersued. A federal judge recently ruled that SCO Group has 30 days to pass along detailed information about its claims, a key ruling expected to help advance the discovery in the case, which is expected to go to trial in April of 2005.

The legal battle has inflamed many in the open source community, and the attacks have only made matters worse. Darl McBride, SCO CEO, chastised open source leaders for not policing its own after an August DoS attack brought his site down.

After the August attack, Eric Raymond, president of the Open Source Initiative, said he was contacted by the attacker and suspected the individual was an "experienced Internet engineer" in the open source community.

At the time, Raymond said, "we must never make this mistake again, whether against SCO or any other predator. When we use criminal means to fight them, no matter what the provocation is, we bring ourselves down to the level of the thieves and liars now running SCO. That is unethical and bad tactics to boot."

Stowell said there's no way, right now, of knowing who the culprit behind today's attack is, and the company has not found the person behind the first two attacks. Given the method of DoS attacks, which flood the TCP/IP stack with useless traffic from a remote computer, it's going to be difficult to find the source of the attack.

"If it's anything (like the August attack), then it would probably be someone from the Linux community, but there's no way of knowing that for 100 percent sure," he said.

The company said the attack started around 2:20 a.m. (EST) Wednesday morning and caused its Web site and corporate operational traffic to be unavailable during the morning hours including e-mail, the company intranet, and customer support operations.

The DDoS attack on SCO is called a "syn attack" and took place when several thousand servers were compromised by an unknown person; it overloaded SCO's Web site with illegitimate Web site requests.


TOPICS: Business/Economy; Crime/Corruption; News/Current Events
KEYWORDS: ibm; linux; sco
After the August attack, Eric Raymond, president of the Open Source Initiative, said he was contacted by the attacker and suspected the individual was an "experienced Internet engineer" in the open source community.

Despite being the likely (and even previously admitted) ones responsible for these hack attacks on a US Business from no telling what part of the world, it's amazing to watch the linux "community" attempt to escape all blame, and actually try to blame SCO. And of course if it wasn't SCO, it obviously had to be Microsoft, right gang?

1 posted on 12/12/2003 6:40:39 AM PST by Golden Eagle

To: Golden Eagle
Couldn't have happened to a nicer bunch of guys, IMO.
2 posted on 12/12/2003 6:44:39 AM PST by Redbob

To: Redbob
Couldn't have happened to a nicer bunch of guys, IMO.

That's what I was thinking. I am usually of the opinion that hackers need to be tarred and feathered and horse-whipped, but when they choose targets like SCO I just can't muster any outrage.

-ccm

3 posted on 12/12/2003 6:52:09 AM PST by ccmay

To: Golden Eagle
I'm sure that the "hackers" will invade the server and "destroy" all the "evidence" that SCO was about to present proving that it "owned" a part of Linux.

SlashDot had an item noting that the FTP server for SCO was working just fine during the "attack". If the site had been under attack, it would seem that the bandwidth would be used up, and the FTP server would not be available, either - such was not the case.

Personally, I think the bandwidth is being used up by 1) lawyers filing lawsuits, and 2) employees sending out their resumes...

4 posted on 12/12/2003 6:54:23 AM PST by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)

To: Golden Eagle
Actually, it's looking more and more like SCO has totally incompetent admins, or is doing this as a stunt to pump up their own stock price.

Both Slashdot and Groklaw have de-bugged the supposed SCO DOS attack, which SCO characterizes as a "SYN Attack". Except that fixes to make a network invulnerable to such an attack were available in 1999, for not just their network, but their firewalls and routers as well.

The easiest way to see when SCO is lying is to watch when they issue a press release, instead of fixing alleged security problems. . .
5 posted on 12/12/2003 7:11:29 AM PST by Salgak (don't mind me: the orbital mind control lasers are making me write this. . .)

To: Redbob; ccmay
Couldn't have happened to a nicer bunch of guys...

So you condone it then. According to dictionary.com you do.

condone - To overlook, forgive, or disregard (an offense) without protest or censure.

6 posted on 12/12/2003 7:50:34 AM PST by Golden Eagle

To: Izzy Dunne
I'm sure that the "hackers" will invade the server and "destroy" all the "evidence" that SCO was about to present proving that it "owned" a part of Linux.

Well that certainly could be seen as the perpetrator's "motive" by anyone investigating the latest incident. Is it true the FBI is investigating now? I've only seen that posted on message boards like Slashdot that are notorious for being incorrect.

7 posted on 12/12/2003 7:53:53 AM PST by Golden Eagle

To: Salgak
it's looking more and more like SCO has totally incompetent admins...

So it's all SCO's fault, that they're being hacked. Or that they are actually faking the incident themselves, LOL. What other excuses do you have that don't include the linux worldwide "community"?

8 posted on 12/12/2003 7:56:34 AM PST by Golden Eagle

To: Golden Eagle
Who do you think is creating the majority of Windows viruses? The Linux losers, of course.
9 posted on 12/12/2003 8:02:24 AM PST by mikegi

To: mikegi
Who do you think is creating the majority of Windows viruses? The Linux losers, of course.

Only "of course" because that is what most people think. Actually most all the recently announced vulnerabilities for M$ware have originated in China, and groups like X-Focus over there, so they are probably more likely to be anti-American in nature more than anything. However that wouldn't necessarily erase one's suspicions of Linux users, either.

10 posted on 12/12/2003 8:10:38 AM PST by Golden Eagle

To: anotherview
A syn flood attack or are they just shooting in the dark?
11 posted on 12/12/2003 8:26:13 AM PST by zx2dragon (I could never again be an angel... Innocence, once lost, can never be regained.)

To: Golden Eagle
The DDoS attack on SCO is called a "syn attack" and took place when several thousand servers were compromised by an unknown person; it overloaded SCO's Web site with illegitimate Web site requests.

There are some problems with this hypothesis.

Firstly, for a distributed denial of service attack to occur many different servers with high speed connections need to have been previously compromised, as the article states. This is the second time SCO has claimed distributed denial of service attacks but I have not heard of a large number of machines being used in a coordinated attack in the news. Note that I am not saying there are no machines being compromised, just that I am questioning the distributed part of SCO's claims. They made this same claim before, that they were under a distributed attack, but it was not validated by the rest of the technical media, or major backbone carriers. True distributed attacks cause network problems at the core network level.

Secondly, denial of service attacks may be perpetrated by a very small number of host computers, even an individual computer on a high speed connection. If SCO has been attacked, it may be by one motivated individual. One thing is constant between distributed denial of service attacks and individual denial of service attacks and that is that they do not only cause the target host to stall, but the upstream connections as well. People trying to reach other machines on the same sub-network will experience connection problems. If there is a denial of service attack coming from remote hosts running robots, it will take some time to clear them all out. Often the people with the compromised computer do not even know they are flooding the network until someone informs them. With a distributed denial of service attack, this problem is much greater, but even with individual cracked machines spewing traffic, there are going to be network problems with *all* of the hosts that are on the same sub-network until all the problems are dealt with. I have noticed no problem going to ftp.caldera.com or ftp.sco.com or ftp2.sco.com or ftp.beta.caldera.com either. If www.sco.com is down because of a network denial of service attack then all the hosts on the same subnetwork should likewise be having problems.

The last and most important point that I have is the method of attack claimed by SCO, the so-called SYN attack, has been around since 1999! This style of attack was novel four years ago! Every major network router has software updates to deal with this attack. There are many points along the network path in which this problem could be completely eliminated. Furthermore, every major operating system can deal with the problem at the low-level network layer. I'll repeat this to be clear, the problems associated with SYN attacks have been solved for at the very least three years from the network to the webserver. The truth is no backbone providers allow this sort of attack to go on for very long. Ever since the major distributed denial of service attacks in September 2000, the network core has been able to deal with distributed denial of service attacks. It is still possible for an individual computer to spew packets for a little while, but it will be shut off like a spigot. If SCO is still vulnerable to SYN attacks then they and their ISP and their upstream providers are all of them incompetent!

In conclusion let me say I am highly suspicious of SCO's claims that they are suffering from a distributed denial of service attack. I am even more sceptical that they are being brought to their knees by SYN attacks. They could be the target of crack attempts by a few determined individuals, but the thought that they are being flattened by SYN attacks from Linux users all across the net (which is their implication) does not hold water. Something else is going on.

12 posted on 12/12/2003 8:27:45 AM PST by Liberal Classic (No better friend, no worse enemy.)
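The post above argues that SYN floods were solved at the operating-system level years before 2003. The mechanism it alludes to is the SYN cookie: instead of reserving a half-open connection slot for every SYN, the server encodes the handshake state into its initial sequence number and only allocates state when a valid ACK comes back. The following added example (not code from the thread, from SCO, or from any kernel) models both listeners in a simplified way, loosely following the original SYN-cookie idea rather than the Linux implementation: the 64-second time slot, the HMAC-SHA256 cookie, the `DEMO_SECRET`, the `survives_flood` harness and all addresses (10.x.y.z spoofed sources, 192.0.2.10 as the legitimate client) are constructed for the demo.

```python
import hashlib
import hmac
import random

# Constructed demo secret; a real implementation rotates this regularly.
DEMO_SECRET = b"constructed-demo-secret"
MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Classic listener: each SYN reserves a half-open slot until its ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return None  # queue exhausted: this SYN, legitimate or not, is dropped
        isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[(src_ip, src_port)]
        return True  # connection established


class CookieListener:
    """SYN-cookie listener: no per-SYN state; the ISN is a MAC over the peer and a time slot."""

    def __init__(self, secret=DEMO_SECRET):
        self.secret = secret

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 8 bits carry the slot so on_ack can recover it; low 24 bits are the MAC
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port, now):
        return self._cookie(src_ip, src_port, int(now) // 64)  # nothing is stored

    def on_ack(self, src_ip, src_port, ack, now):
        isn = (ack - 1) & MASK32
        cur = int(now) // 64
        # accept the current 64-second slot or the previous one; older cookies have expired
        for slot in (cur, cur - 1):
            if (slot & 0xFF) == (isn >> 24) and self._cookie(src_ip, src_port, slot) == isn:
                return True
        return False


def spoofed_source(i):
    """Constructed spoofed source address for flood packet number i (it never answers)."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000


def survives_flood(kind, flood_syns, backlog=128, now=1_000_000.0):
    """Send flood_syns spoofed SYNs that are never ACKed, then check whether one
    legitimate client (192.0.2.10, constructed) can still complete its handshake."""
    if kind == "stateful":
        srv = StatefulListener(backlog)
        for i in range(flood_syns):
            srv.on_syn(*spoofed_source(i))
        isn = srv.on_syn("192.0.2.10", 5555)
        return isn is not None and srv.on_ack("192.0.2.10", 5555, (isn + 1) & MASK32)
    srv = CookieListener()
    for i in range(flood_syns):
        srv.on_syn(*spoofed_source(i), now)
    isn = srv.on_syn("192.0.2.10", 5555, now)
    # the client's ACK arrives a few seconds later, inside the cookie's validity window
    return srv.on_ack("192.0.2.10", 5555, (isn + 1) & MASK32, now + 5.0)


if __name__ == "__main__":
    print("stateful listener, 10k spoofed SYNs:", survives_flood("stateful", 10_000))
    print("cookie listener,   10k spoofed SYNs:", survives_flood("cookie", 10_000))
```

The stateful listener stops accepting anyone once 128 spoofed SYNs sit in its queue, which is the whole point of the attack; the cookie listener has nothing to exhaust, and a forged or stale ACK is rejected because it cannot reproduce the MAC for the right slot. On Linux the corresponding knob is `net.ipv4.tcp_syncookies` (readable with `sysctl`); the host-side fix is only part of the story, since the flood still consumes link bandwidth upstream, which is the point the later posts in this thread turn to.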

To: Liberal Classic
I agree that SCO's 'guess' as to the nature of the attacks may be incorrect, although there is ample evidence these attacks are actually happening such as in this article from today:

"CAIDA's Moore also confirmed the attack by analyzing backscatter data showing that both SCO's Web server and FTP server had been inundated by network traffic. As many as 50,000 packets per second hit the company's servers on Wednesday night...The statistics suggest, however, that the attack is more a brute-force tactic of inundating a network with data than a simple SYN flood."

http://news.com.com/2100-7355_3-5120706.html?tag=nefd_top

How distributed the attack source is has not yet been identified in the press and is therefore all speculation, and may again be a case of poor classification of the attack by SCO. However it is impossible from the data presented so far to assume SCO's administrators are incompetent, or in any way to blame for attacks perpetrated upon them from who knows where and how on the worldwide internet. They are clearly the victim here, and as in all hacker cases it's important to keep the blame pointed at the perps themselves.
13 posted on 12/12/2003 8:51:40 AM PST by Golden Eagle
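The quoted news.com passage says CAIDA confirmed the attack from backscatter data. The technique works because a flood with spoofed source addresses makes the victim send its replies (SYN-ACKs to SYNs, RSTs to other TCP packets, ICMP unreachables to UDP) to random addresses all over the Internet; a passive monitor on a block of unused address space sees a slice of those replies, and the slice can be scaled up to estimate the whole flood and classified by reply type. The following added example is not CAIDA's code or data: the log format, the assumption that the monitor covers one unused /8 (`TELESCOPE_ADDRS`), the 0.9 classification thresholds, the "many distinct destinations" heuristic and the sample (victim 198.51.100.7, replies landing in 10.0.0.0/8) are all constructed for the demo.

```python
import random
from collections import Counter, defaultdict

IPV4_ADDRS = 2 ** 32
TELESCOPE_ADDRS = 2 ** 24  # assumption: the monitor watches one otherwise unused /8


def make_sample(victim="198.51.100.7", seconds=5, per_second=30, synack_share=0.6, seed=1):
    """Constructed monitor log ('ts src dst reply'), not real capture data.
    The victim answers spoofed packets, so its replies land on random monitored addresses."""
    rng = random.Random(seed)
    lines = []
    for sec in range(seconds):
        for _ in range(per_second):
            dst = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
            reply = "SYN-ACK" if rng.random() < synack_share else "RST"
            lines.append(f"{sec} {victim} {dst} {reply}")
    return lines


def classify(kinds):
    """Map the mix of unsolicited replies to the flood that would provoke it.
    The 0.9 thresholds are an assumption for the demo, not a published cut-off."""
    total = sum(kinds.values())
    if kinds["SYN-ACK"] / total >= 0.9:
        return "SYN flood"
    if kinds["RST"] / total >= 0.9:
        return "non-SYN TCP flood (packets to closed ports or ACK flood)"
    if kinds["ICMP-unreach"] / total >= 0.9:
        return "UDP flood"
    return "mixed flood"


def analyze(lines):
    """Group replies by source (the candidate victim), estimate the flood rate, classify it."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, reply = line.split()
        by_src[src].append((int(ts), dst, reply))
    report = {}
    for src, pkts in by_src.items():
        dests = {d for _, d, _ in pkts}
        # backscatter is spread over many unrelated addresses; a scanner or a normal
        # peer talking to one monitored host is not (heuristic chosen for the demo)
        if len(dests) < 0.5 * len(pkts):
            continue
        times = [t for t, _, _ in pkts]
        duration = max(times) - min(times) + 1
        observed_pps = len(pkts) / duration
        mix = Counter(r for _, _, r in pkts)
        report[src] = {
            "observed_pps": observed_pps,
            # each spoofed packet draws a random source, so the monitor sees the fraction
            # of replies that fall into its own address block; scale back up to the whole flood
            "estimated_attack_pps": observed_pps * IPV4_ADDRS / TELESCOPE_ADDRS,
            "reply_mix": dict(mix),
            "likely_flood": classify(mix),
        }
    return report


if __name__ == "__main__":
    for victim, info in analyze(make_sample()).items():
        print(victim, info)
```

The caveat that matters for this thread: backscatter only exists when the flood spoofs its source addresses. A flood sent from thousands of compromised machines using their real addresses provokes replies back to those machines, not to the monitor, so "no backscatter" would not disprove an attack, and "backscatter present" tells you the sources were spoofed rather than how many real machines were involved.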

To: Golden Eagle
Here's a news.com article on the same subject:

Attack on SCO's servers intensifies

As many as 50,000 packets per second hit the company's servers on Wednesday night. By Thursday morning, the attack had been reduced to some 3,000 packets per second and the company's servers were responding to one in every three requests.

A single SYN packet is the minimum TCP size, 48 bytes. So, 48 bytes is 384 bits multiplied by 50,000/s is 19.2 megabits/second. This is a non-trivial amount of traffic, greater than that of old 10 Base-T network, and respectable for internet traffic. However, there are websites which can sustain this rate, but it's not cheap. The lower value works out to 1.1 Mb/s which is sustainable by many webservers, and is not a lot by major site standards. What is one megabit sustained these days? Has it gone under $500 per month? Twenty megabits is in the $1,000 range I believe.

As I said in my previous post, I am not saying that SCO is inventing the attacks. What I am saying echoes the article:

Security experts said that previous attacks in May and August should have been adequate warning for the company to have taken steps to protect its connection to the Internet.

One to twenty megabits per second are expensive speeds, not crippling speeds. For tens of thousands of dollars per month you can afford hundreds of megabits per second sustained traffic.

These attacks are easily dealt with. I am surprised that the SYN attacks (if this is what it was) actually made it to their servers. They should have been blocked by their upstream before the hostile traffic ever made it to their servers.

It is for these reasons that I believe the Linux community is not responsible for these attacks. There is an individual, or a small group of individuals that are perpetrating them. Twenty megabits is doable from one well-connected host. Instead of crying martyr, SCO should be repairing problems and leaning on their ISP to block attacks.

14 posted on 12/12/2003 9:15:38 AM PST by Liberal Classic (No better friend, no worse enemy.)
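The post above turns a packet rate into a bandwidth figure by hand. The added example below (not code from the thread) packages that arithmetic and extends it in one direction the post does not cover: a link does not carry bare 48-byte packets but Ethernet frames with header, FCS, padding to the 64-byte minimum, preamble and inter-frame gap, so the rate the upstream link actually has to absorb is higher than the payload figure. The 48-byte packet size is taken from the post as its assumption; the Ethernet constants and the T-1/T-3 capacities are standard values.

```python
ETH_HEADER_FCS = 18     # 14-byte Ethernet header + 4-byte FCS
ETH_MIN_FRAME = 64      # frames shorter than this are padded on the wire
ETH_PREAMBLE_IFG = 20   # 8-byte preamble/SFD + 12-byte inter-frame gap, also consumed on the wire

# Nominal link capacities in Mb/s (T-carrier figures are the standard line rates)
LINKS_MBPS = {"T-1": 1.544, "10BASE-T": 10.0, "T-3": 44.736, "100BASE-TX": 100.0}


def payload_mbps(pps, ip_packet_bytes):
    """The post's arithmetic: packets per second times IP packet size, in Mb/s."""
    return pps * ip_packet_bytes * 8 / 1e6


def wire_mbps(pps, ip_packet_bytes):
    """The same flood as an Ethernet link sees it: framing, minimum frame size, gap."""
    frame = max(ip_packet_bytes + ETH_HEADER_FCS, ETH_MIN_FRAME) + ETH_PREAMBLE_IFG
    return pps * frame * 8 / 1e6


def link_utilization(pps, ip_packet_bytes=48):
    """Fraction of each link the flood would occupy; above 1.0 the link saturates
    and legitimate traffic on the same link (the FTP hosts the thread mentions) suffers."""
    rate = wire_mbps(pps, ip_packet_bytes)
    return {name: round(rate / cap, 2) for name, cap in LINKS_MBPS.items()}


if __name__ == "__main__":
    for pps in (50_000, 3_000):  # the two rates quoted from the news.com article
        print(f"{pps:>6} pps: payload {payload_mbps(pps, 48):.3f} Mb/s, "
              f"on the wire {wire_mbps(pps, 48):.3f} Mb/s, utilization {link_utilization(pps)}")
```

At 50,000 packets per second the payload figure is the post's 19.2 Mb/s, but on the wire it is about 34 Mb/s, roughly three quarters of a T-3; at 3,000 packets per second the wire rate still exceeds a T-1. Whether a given flood is "crippling" therefore depends on the link it arrives on, which is why the thread's disagreement over SCO's upstream capacity matters.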

To: Golden Eagle
I've only seen that posted on message boards like Slashdot that are notorious for being incorrect.

Don't trust the postings or articles on Slashdot, but when they link to Groklaw, read carefully. The best legal analysis of the whole SCO case, and debunking of the DoS claims, are at Groklaw.

15 posted on 12/12/2003 9:17:10 AM PST by antiRepublicrat

To: Golden Eagle
For reference the big distributed attacks against CNN, eBay and others swamped T-3s, surpassing 50 Mb/s by many times it is thought. If this is an attempt at a distributed attack, it has failed. Even as a denial of service attack, it is puny.
16 posted on 12/12/2003 9:30:14 AM PST by Liberal Classic (No better friend, no worse enemy.)

To: Liberal Classic
The article you cited was the same one I did and stated the attack appeared to be more than merely SYN, so I'm not sure your analysis would directly apply. SCO probably does need to upgrade their equipment in light of the quantity of their detractors willing to launch e-bombs at them, but that does not detract from the guilt of the incident lying clearly at the feet of the perps.

Instead of crying martyr, SCO should be repairing problems and leaning on their ISP to block attacks.

Maybe, but the Linux "community" needs to be condemning the attacks instead of condoning them, or making ridiculous claims that SCO is faking the problem, a problem that was previously admitted by open source advocate Eric Raymond the last time these attacks happened.

17 posted on 12/12/2003 9:36:09 AM PST by Golden Eagle

To: Golden Eagle
Maybe...

Not maybe, absolutely. SCO should be able to protect itself from a four year old network problem.

The community does condemn the attacks. There are cranks who will laugh at anyone's misery. Blaming the Linux community is equally wrong as saying SCO brought this on themselves.

18 posted on 12/12/2003 9:39:23 AM PST by Liberal Classic (No better friend, no worse enemy.)

To: Liberal Classic
The community does condemn the attacks...

LMAO, where?

19 posted on 12/12/2003 9:42:42 AM PST by Golden Eagle

To: Golden Eagle
Laugh all you want. I condemn it. Or do you think Slashdot speaks for everybody?
20 posted on 12/12/2003 9:43:24 AM PST by Liberal Classic (No better friend, no worse enemy.)

