SCO Group Web Site Attacked Again 564
FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that, SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."
And groklaw... (Score:5, Informative)
Or not. (Score:5, Informative)
Re:And groklaw... (Score:5, Informative)
And a DDoS doesn't have a timeframe. SCO claimed they will be able to get up and going again within 12 hours. So they know it's a DDoS, and don't know who's doing it, but know when it'll stop?
Good one SCO. Makes us chuckle.
More SCO FUD (Score:5, Informative)
If it is a DDoS attack, SCO are incompetent for not blocking it. Or it is just more FUD.
Self Inflicted (Score:5, Informative)
FUD (Score:5, Informative)
See the netcraft stats for that little bit. If SCO make any claim that this is a DDOS, they are lying through their teeth and the evidence was collected as it happened - see the members zone at Groklaw for the raw Traceroute returns.
Re:Come on guys... (Score:5, Informative)
Yes. SCO should do that instead of lying about their downtime [groklaw.net]
Improper use of "Hacker" (Score:5, Informative)
I expect the blatient misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.
It's not even a very good hoax (Score:5, Informative)
It's clear that SCO's run out of technical people; not only are they faking technical problems, they can't even make up a technically sound attack on their own systems.
Re:Improper use of "Hacker" (Score:3, Informative)
It's not like you can just download a program and have control over a pile of zombie machines. You do have to do a little bit of work. Scanning subnets, logging into machines, uploading tools, etc.. to make an 'effective' ddos net. Not just download, run, click, dead server.
Re:And groklaw... (Score:5, Informative)
Anyhow folks, the consensus at Groklaw is that either SCO are lying through their teeth and this is all FUD, or their network admin staff are a bunch of incompetents.
There are no prizes for guessing what the
In specific, the outage at www.sco.com started before the reported time by several hours, was already under analysis by Groklaw before the claimed time, the pattern of the servers shutoff is NOT consistent with a SYN DDOS (the claimed attack), but it is consistent with either a planned shutdown, or a network cable being unplugged.
There was no slowdown of service - see netcraft for the stats. SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are not therefore vulnerable to this attack (when on different servers (which they are, see groklaw for a list). ftp.sco.com remained up, despite being on the same subnet, and smtp.sco.com would respond throughout the duration of the supposed 'attack'.
The above is a synopsis of Work presented for analysis at Groklaw, any mistakes are my own, any credit is due to the authors on Groklaw and to PJ.
Perhaps Further Evidence... (Score:5, Informative)
No hiccups today. Center7 did promise last time that they could and would isolate everyone else from SCO, so there is another explanation, but...
Re:Come on guys... (Score:3, Informative)
Comment removed (Score:1, Informative)
Re:Come on guys... (Score:5, Informative)
ftp.sco.com is 216.250.128.13. www.sco.com is 216.250.128.12. They are on the same network segment. However, the first is completely and normally responsive, while the second is entirely unresponsive. This is not in any way characteristic of any sort of modern flood-type denial-of-service attack -- that is, a DDoS aimed at flooding the network itself. Whatever is disturbing SCO, it is not a DoS of the sort they evidently believe it to be.
Unfortunately, SCO has taken the "cargo cult security" measure of blocking pings, so it is not possible to gather any information about their disturbance in that fashion. I suspect that the best method to gather information about SCO's disturbance is, in fact, for SCO to fully and legally respond to IBM's discovery requirements.
("SYN flood" is obviously wrong. Although some firewalls and IDS still report TCP-based DoS floods as "SYN floods", the condition that used to be associated with SYN floods has been fixed in current operating systems. Unless they are running a system old enough to be called grossly negligent, they aren't susceptible to TCB starvation. The current unavailability of www.sco.com looks more like someone tripped over the Ethernet cable.)
Re:Bogus (Score:2, Informative)
www.sco.com = 216.250.128.12
Your posting is NOT very informative, go back to MCSE school please.
Re:Improper use of "Hacker" (Score:1, Informative)
I expect the blatient misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.
And once again it must be pointed out that the original sense of Hacker included the breaking into of computer systems. It was only in the late 80s and early 90s that certain people (like ESR, who unilaterally "deprecated" the original meaning in the Jargon File) decided to change the definition, and tried to introduce the ridiculous "cracker" word.
For once, the mainstream press has it right, and most younger engineers with no sense of history have it wrong.
One of the meanings of hacking is cracking security. Get over it.
Re:Improper use of "Hacker" (Score:2, Informative)
Re:Come on guys... (Score:3, Informative)
Re:Come on guys... (Score:2, Informative)
There may be other shutdowns I'm unaware of. Many other DNSBLs are being subject to attacks, but several are handling them very well.
lies (Score:5, Informative)
The following machines are running currently-reachable FTP servers:
216.250.128.7
216.250.128.13
216.250.128.14
216.250.128.15
216.250.128.16
216.250.128.17
I was able to download /pub/ls-lR from ftp.sco.com (216.250.128.13) 74.91 KB/s (600 Kb/s). My broadband is rated at 640 Kb/s, so the bottleneck was likely at my end. These machines are almost certainly on the same subnet and are likely connected to the same gear (SCO's subnetting is their choice, but if ftp.sco.com and www.sco.com are on different subnets, their subnet masks are 255.255.255.254 and they must have only two IPs per subnet - I don't believe this is even possible as you need a network and a broadcast IP for each subnet).
The fact that all of these machines are reachable and that at least one of them can saturate a broadband link indicates that SCO is not having any bandwidth problems. I also performed some ICMP tests and the machine is not sending out port-unreachables, timestamp-replies or netmask-replies - these seem blocked upstream. I'm getting a little nervous sending out these funny packets as I don't want anyone to accuse me of anything, but everything indicates that the machine is completely offline. If they allowed some ICMP replies through upstream, receiving a reply would show that the machine is actually online, but somehow cannot handle TCP requests (and the problem is not bandwidth as shown, so it would have to be something wrong with the host, such as a firewall rule); if they allowed through ICMP replies and the machine did not respond whereas others on the subnet did respond, it would show that the machine is almost definitely offline unless it has a more restrictive firewall than the other machines (very unlikely given that this, as-claimed, could have been prevented with syncookies). As it stands, one can only say that the machine is very likely offline (unplugged or turned off).
SCO's incoming mail server seems to be working fine. They only have one MX record for sco.com and it resolves to 216.250.130.2 for me at the moment. I only connected to it and saw a banner, but easy way to test this further is to send a message to an invalid address @sco.com and see if a bounce gets back. I don't want to give them an email address.
All of this is current as of 2003-12-10 21:57, Mountain time (SCO is in Utah). Further investigation lead nowhere; thus the delay in the post.
Re:Improper use of "Hacker" (Score:3, Informative)
Re:Doubts on SCO, Groklaw in the mainstream press (Score:3, Informative)
Is it real? (Score:3, Informative)
Justin.
Re:per groklaw: adjacent hosts are fine (Score:5, Informative)
So, on those grounds, I'd be prepared to accept that SCO is telling the truth and they are indeed under a DDoS SYN attack against their webserver. However, as normal for SCO, they then go and overcook the situation and claim that their internal network and Intranet has been hit as well. The only possible way this could be the case is if they are using the same server(s) for their public web as their Intranet which is one of the dumbest possible things you could do.
That leaves us with three possibilities:
Don't let anyone on your network participate (Score:2, Informative)
iptables -A OUTPUT -p tcp -d www.sco.com -j DROP
iptables -A OUTPUT -p udp -d www.sco.com -j DROP
OR
ipfw add 1 deny ip from me to www.sco.com
Re:Come on guys... (Score:3, Informative)
You get
In real life they may be in different corners of the globe, because in real high end network installations people use loopback addresses and you never ever see the actual physicals. They may even be on martian networks (and usually are) that are uplinks to a firewall or load balancer which quite often does forwarding with no increment of TTL so that people do not know that it is there.
So the fact that ftp.sco.com is accessible while www is not does not mean a thing.
Same goes for SYN cookies and SYN floods. The part of the attack that brings the target machine down is now well mitigated and most systems are not vulnerable to it. This still leaves the service part. The bad thing about SYN floods is that in order not to go down the target site has to discard SYNs. This is usually done by rate limiting them. Once SYNs have been rate limited, a sufficiently thick flood of SYNs from random addresses will render the site unresponsive and inaccessible, no matter what patches have been applied, because for every legit SYN you will have up to hundreds of non-legit ones.
Note that I am not defending SCO.
I am simply sick of "security" and "network reliability" cretinoids that continue to make claims based solely on IP addressing. This claims are invalid, void and outright stupid.