
SCO Group Web Site Attacked Again 564

Posted by simoniker
from the bad-boy-come-again dept.
FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."

  • And groklaw... (Score:5, Informative)

    by gnuadam (612852) on Wednesday December 10, 2003 @11:31PM (#7686601) Journal
    ...and the happy folks at Groklaw [groklaw.net] already have a statement up with arguments to effect that SCO is fibbing. They think the attack could be a hoax.
  • Or not. (Score:5, Informative)

    by Meowing (241289) on Wednesday December 10, 2003 @11:32PM (#7686610) Homepage
    There's been a ton of discussion of this on Groklaw [groklaw.net] today -- consensus is that either this is no attack, or their network is run by doofuses.
  • Re:And groklaw... (Score:5, Informative)

    by Anonymous Coward on Wednesday December 10, 2003 @11:33PM (#7686617)
    SCO's ISP has also been contacted by zdnet. Although SCO claim to have contacted them and to be working with them on the attack with law enforcement officials, it's the first they'd heard of it.

    And a DDoS doesn't have a timeframe. SCO claimed they will be able to get up and going again within 12 hours. So they know it's a DDoS, and don't know who's doing it, but know when it'll stop?

    Good one SCO. Makes us chuckle.
  • More SCO FUD (Score:5, Informative)

    by RobGarth (75504) <<rgarth> <at> <gmail.com>> on Wednesday December 10, 2003 @11:35PM (#7686650) Homepage
    http://www.groklaw.net/article.php?story=20031210163721614

    If it is a DDoS attack, SCO are incompetent for not blocking it. Or it is just more FUD.
  • Self Inflicted (Score:5, Informative)

    by bstadil (7110) on Wednesday December 10, 2003 @11:36PM (#7686652) Homepage
    Head over to Netcraft News [netcraft.com] and see how this server "died". If this is a DDOS attack I am Queen of Spain.
  • FUD (Score:5, Informative)

    by SkArcher (676201) on Wednesday December 10, 2003 @11:36PM (#7686657) Journal
    This is a load of rubbish. See Groklaw [groklaw.net] for a much deeper and more insightful look at what really happened, including a full explanation of the technicalities of the DDOS attack (claimed as a SYN attack that took up all the bandwidth and flattened their e-mail - and yet you can still get to ftp.sco.com (on the same subnet), smtp.sco.com and all other XO.net-fed servers). Groklaw also noticed that the machine was down well before the press release claims and that it went straight down - no hiccups or other indications of a DDOS attack, just straight gone - switched off or unplugged, most likely.

    See the netcraft stats for that little bit. If SCO make any claim that this is a DDOS, they are lying through their teeth and the evidence was collected as it happened - see the members zone at Groklaw for the raw Traceroute returns.
  • Re:Come on guys... (Score:5, Informative)

    by rebeka thomas (673264) on Wednesday December 10, 2003 @11:36PM (#7686663)
    > Grow up. Settle it by the law.

    Yes. SCO should do that instead of lying about their downtime [groklaw.net]
  • by gaijin99 (143693) on Wednesday December 10, 2003 @11:40PM (#7686698) Journal
    Launching a DDoS does not require the slightest bit of hacking. Unless downloading and using a simple program counts as hacking. The proper term to use would have been "criminal", or perhaps "script-kiddie" (though I've always preferred "script-monkey" myself).

    I expect the blatant misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.

  • by iabervon (1971) on Wednesday December 10, 2003 @11:42PM (#7686719) Homepage Journal
    According to Groklaw [groklaw.net], not only is it implausible that this is a real attack, it's not even competently done. SCO blames a SYN flood, which is trivial to ignore. Their ISP hasn't had anything to do about it. While they say their email server was down, it actually wasn't. Their FTP server on the next IP over (and on the same block of addresses) had no problems. Their internal network almost certainly isn't anywhere near their Web server, network wise, and, if it was, it would almost certainly have a firewall that's not the web server.

    It's clear that SCO's run out of technical people; not only are they faking technical problems, they can't even make up a technically sound attack on their own systems.
  • by hookedup (630460) on Wednesday December 10, 2003 @11:44PM (#7686742)
    > Unless downloading and using a simple program counts as hacking

    It's not like you can just download a program and have control over a pile of zombie machines. You do have to do a little bit of work. Scanning subnets, logging into machines, uploading tools, etc.. to make an 'effective' ddos net. Not just download, run, click, dead server.
  • Re:And groklaw... (Score:5, Informative)

    by SkArcher (676201) on Wednesday December 10, 2003 @11:46PM (#7686755) Journal
    I submitted a version of this story with links to Groklaw and various technical resources and got rejected. Wish the /. editors team would pick decent story writers.

    Anyhow folks, the consensus at Groklaw is that either SCO are lying through their teeth and this is all FUD, or their network admin staff are a bunch of incompetents.

    There are no prizes for guessing what the /. theory will be.

    In specific, the outage at www.sco.com started before the reported time by several hours, was already under analysis by Groklaw before the claimed time, the pattern of the servers shutoff is NOT consistent with a SYN DDOS (the claimed attack), but it is consistent with either a planned shutdown, or a network cable being unplugged.

    There was no slowdown of service - see netcraft for the stats. SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are not therefore vulnerable to this attack (when on different servers, which they are - see Groklaw for a list). ftp.sco.com remained up, despite being on the same subnet, and smtp.sco.com would respond throughout the duration of the supposed 'attack'.

    The above is a synopsis of Work presented for analysis at Groklaw, any mistakes are my own, any credit is due to the authors on Groklaw and to PJ.
  • by weston (16146) <{westonsd} {at} {canncentral.org}> on Wednesday December 10, 2003 @11:47PM (#7686764) Homepage
    I work in the Canopy Group office buildings at another (non-evil) company. We're all serviced by Center7 [center7.com] and the last time there was the confirmed/acknowledged DDOS attack we felt it hard. Getting to hosts outside of the building was very difficult all day.

    No hiccups today. Center7 did promise last time that they could and would isolate everyone else from SCO, so there is another explanation, but...
  • Re:Come on guys... (Score:3, Informative)

    by croddy (659025) on Wednesday December 10, 2003 @11:48PM (#7686773)
    ain't no synflood at *.sco.com ... click me [sco.com].
  • Bogus (Score:1, Informative)

    by StupaflyD (729788) on Thursday December 11, 2003 @12:11AM (#7686902) Journal
    If you check:
    http://www.sco.com/
    is down, whereas the investor site:
    http://ir.sco.com/
    is still available. If this is not a foolish attempt to prop up their stock price - I am not sure what is.
  • Re:Come on guys... (Score:5, Informative)

    by Frater 219 (1455) on Thursday December 11, 2003 @12:14AM (#7686916) Journal
    Some data:

    ftp.sco.com is 216.250.128.13. www.sco.com is 216.250.128.12. They are on the same network segment. However, the first is completely and normally responsive, while the second is entirely unresponsive. This is not in any way characteristic of any sort of modern flood-type denial-of-service attack -- that is, a DDoS aimed at flooding the network itself. Whatever is disturbing SCO, it is not a DoS of the sort they evidently believe it to be.

    Unfortunately, SCO has taken the "cargo cult security" measure of blocking pings, so it is not possible to gather any information about their disturbance in that fashion. I suspect that the best method to gather information about SCO's disturbance is, in fact, for SCO to fully and legally respond to IBM's discovery requirements.

    ("SYN flood" is obviously wrong. Although some firewalls and IDS still report TCP-based DoS floods as "SYN floods", the condition that used to be associated with SYN floods has been fixed in current operating systems. Unless they are running a system old enough to be called grossly negligent, they aren't susceptible to TCB starvation. The current unavailability of www.sco.com looks more like someone tripped over the Ethernet cable.)

  • Re:Bogus (Score:2, Informative)

    by Anonymous Coward on Thursday December 11, 2003 @12:44AM (#7687085)
    ir.sco.com = 170.224.5.43

    www.sco.com = 216.250.128.12

    Your posting is NOT very informative, go back to MCSE school please.
  • > I expect the blatant misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.

    And once again it must be pointed out that the original sense of Hacker included the breaking into of computer systems. It was only in the late 80s and early 90s that certain people (like ESR, who unilaterally "deprecated" the original meaning in the Jargon File) decided to change the definition, and tried to introduce the ridiculous "cracker" word.

    For once, the mainstream press has it right, and most younger engineers with no sense of history have it wrong.

    One of the meanings of hacking is cracking security. Get over it.

  • by Trepalium (109107) on Thursday December 11, 2003 @01:07AM (#7687208)
    Actually SCO said this was a syn flood, which means it IS as simple as download and run. However, I don't believe them because asking your ISP to filter your webserver's IP over a SYN flood is pointless and stupid. You either implement anti-syn-flood measures (syncookies or some firewall based option), or you wait it out. When the flood stops, your server works again. Asking your ISP to filter just prolongs the outage.
  • Re:Come on guys... (Score:3, Informative)

    by eraser.cpp (711313) * on Thursday December 11, 2003 @01:39AM (#7687365) Homepage
    Just because a system administrator has taken steps (SYN Cookies, kernel tweaking, etc.) to severely limit the SYN flood's access to a network service doesn't mean the box is impervious to this type of attack. The traffic alone when coming from many different hosts, likely including hundreds of university/cable drones, can overpower their bandwidth capabilities. Also let's not forget that they are trying to keep http open to legitimate connecting clients.
  • Re:Come on guys... (Score:2, Informative)

    by mkettler (6309) on Thursday December 11, 2003 @02:11AM (#7687510)
    The DNS blacklists hosted at Osirusoft and monkeys.com were both shut down this year by DDoS attacks. Osirusoft was the most widely reported and probably the one you are thinking of.

    There may be other shutdowns I'm unaware of. Many other DNSBLs are being subject to attacks, but several are handling them very well.
  • lies (Score:5, Informative)

    by Permission Denied (551645) on Thursday December 11, 2003 @02:16AM (#7687536) Journal
    www.sco.com is on 216.250.128.12

    The following machines are running currently-reachable FTP servers:

    216.250.128.7
    216.250.128.13
    216.250.128.14
    216.250.128.15
    216.250.128.16
    216.250.128.17

    I was able to download /pub/ls-lR from ftp.sco.com (216.250.128.13) 74.91 KB/s (600 Kb/s). My broadband is rated at 640 Kb/s, so the bottleneck was likely at my end. These machines are almost certainly on the same subnet and are likely connected to the same gear (SCO's subnetting is their choice, but if ftp.sco.com and www.sco.com are on different subnets, their subnet masks are 255.255.255.254 and they must have only two IPs per subnet - I don't believe this is even possible as you need a network and a broadcast IP for each subnet).

    The fact that all of these machines are reachable and that at least one of them can saturate a broadband link indicates that SCO is not having any bandwidth problems. I also performed some ICMP tests and the machine is not sending out port-unreachables, timestamp-replies or netmask-replies - these seem blocked upstream. I'm getting a little nervous sending out these funny packets as I don't want anyone to accuse me of anything, but everything indicates that the machine is completely offline. If they allowed some ICMP replies through upstream, receiving a reply would show that the machine is actually online, but somehow cannot handle TCP requests (and the problem is not bandwidth as shown, so it would have to be something wrong with the host, such as a firewall rule); if they allowed through ICMP replies and the machine did not respond whereas others on the subnet did respond, it would show that the machine is almost definitely offline unless it has a more restrictive firewall than the other machines (very unlikely given that this, as-claimed, could have been prevented with syncookies). As it stands, one can only say that the machine is very likely offline (unplugged or turned off).

    SCO's incoming mail server seems to be working fine. They only have one MX record for sco.com and it resolves to 216.250.130.2 for me at the moment. I only connected to it and saw a banner, but an easy way to test this further is to send a message to an invalid address @sco.com and see if a bounce gets back. I don't want to give them an email address.

    All of this is current as of 2003-12-10 21:57, Mountain time (SCO is in Utah). Further investigation led nowhere; thus the delay in the post.
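The subnet reasoning in the post above can be checked mechanically. The helper below is an added example (not the poster's code) built on Python's standard `ipaddress` module: it finds the smallest prefix that still contains two addresses, the usable-host count under the classic "reserve network and broadcast" rule the post applies, and whether two addresses share a network under a given mask. The addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress

# Added helper, not from any poster: checks the "same subnet" reasoning in
# the post above using the standard library's ipaddress module.

def smallest_common_network(a: str, b: str) -> ipaddress.IPv4Network:
    """Longest prefix (smallest network) that still contains both addresses."""
    x, y = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    prefix = 32
    # Shorten the prefix until the high bits of both addresses agree.
    while prefix > 0 and (x >> (32 - prefix)) != (y >> (32 - prefix)):
        prefix -= 1
    shift = 32 - prefix
    return ipaddress.IPv4Network(((x >> shift) << shift, prefix))

def classic_usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host count after reserving the network and broadcast addresses.

    This is the rule the post applies. RFC 3021 permits /31 on point-to-point
    links, where both addresses are usable, so treat 0 here as "classic" only."""
    return max(net.num_addresses - 2, 0)

def same_subnet(a: str, b: str, mask: str) -> bool:
    """True if both addresses fall in the same network under the given mask."""
    return (ipaddress.ip_interface(f"{a}/{mask}").network
            == ipaddress.ip_interface(f"{b}/{mask}").network)

if __name__ == "__main__":
    web, ftp = "216.250.128.12", "216.250.128.13"
    net = smallest_common_network(web, ftp)
    print(net, "classic usable hosts:", classic_usable_hosts(net))   # 216.250.128.12/31 classic usable hosts: 0
    wide = smallest_common_network("216.250.128.7", "216.250.128.17")
    print(wide, "classic usable hosts:", classic_usable_hosts(wide))  # 216.250.128.0/27 classic usable hosts: 30
    print(same_subnet(web, ftp, "255.255.255.0"))                     # True
```

The /31 result is the post's 255.255.255.254 mask: the only prefix that still separates .12 from .13 is /32, and under the classic rule a /31 has no usable hosts at all, which is why the post concludes the two hosts share a subnet under any ordinary mask. The /27 covering the whole .7 to .17 range the poster found reachable is the same check applied to the widest pair.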

  • by iocat (572367) on Thursday December 11, 2003 @02:22AM (#7687551) Homepage Journal
    Bullshit. Read HACKERS by Steven Levy, or OUT OF THE INNER CIRCLE by Bill Landreth, and you'll see that "hacker" only developed its criminal connotations in the mid-1980s, prior to that it was a word that meant only "someone who worked obsessively on systems" -- not necessarily even computers. The term "cracker" has been around since the early 1980s as well (again, see OUT OF THE INNER CIRCLE).
  • by hsoom (680862) on Thursday December 11, 2003 @03:15AM (#7687717)
    The Sydney Morning Herald is also reporting the same story [smh.com.au]. What I found most interesting though was this comment by a person attached to the story at the Groklaw site:
    "Now, about 2 hours ago they were just copy stories of the others, mentioning that sco was hit by a denial of service attack - no link to SCO, and no hint that SCO may not be entirely above board. I emailed the reporter at the link, and very soon after the story had the extra info added."
    I think this is significant because The Age and The Sydney Morning Herald are probably the two biggest news sites in Australia. It also just goes to show that if you provide these news sources with extra information it can get through and make a difference.
  • Is it real? (Score:3, Informative)

    by aug24 (38229) on Thursday December 11, 2003 @05:53AM (#7688226) Homepage
    Check out the report on Groklaw [groklaw.net] - this could be PR fakery...

    Justin.

  • by Zocalo (252965) on Thursday December 11, 2003 @06:05AM (#7688267) Homepage
    The FTP server being up proves nothing. SCO is claiming that they are under a SYN attack, which has a relatively low bandwidth cost, and if targeted purely at their webserver and not exceeding the total bandwidth will leave the FTP site up. Basically, for those that don't know, a SYN attack works by flooding a server with requests for a new session, usually with a spoofed source IP. The server *has* to allocate some resources to this request, respond with a SYN-ACK and wait for the ACK (which never arrives). Enough SYNs (the packets are only a few dozen bytes) and the server will fall over.

    So, on those grounds, I'd be prepared to accept that SCO is telling the truth and they are indeed under a DDoS SYN attack against their webserver. However, as normal for SCO, they then go and overcook the situation and claim that their internal network and Intranet has been hit as well. The only possible way this could be the case is if they are using the same server(s) for their public web as their Intranet which is one of the dumbest possible things you could do.

    That leaves us with three possibilities:

    1. SCO is simply lying and there is no DDoS at all.
    2. They are telling the truth about the DDoS, but have exaggerated the effects in a sympathy ploy, making themselves *look* clueless.
    3. They are telling the truth about the DDoS and the Intranet, meaning they *are* clueless.
    Take your pick!
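Several posts in this thread (Trepalium on syncookies, eraser.cpp on bandwidth, Zocalo on the half-open queue) argue about what a SYN flood actually exhausts. The following added example, which is not code from any poster, models only the handshake bookkeeping of a listener: a bounded half-open queue that a flood of never-acknowledged SYNs fills, versus SYN cookies, where the server keeps no state and instead recomputes a keyed hash from the final ACK. The backlog size, the 24-bit cookie and the flood addresses are constructed assumptions; the real kernel construction also folds in a time counter and the MSS, which is omitted here. Link saturation, the other failure mode raised above, is outside this model.

```python
import hashlib
import hmac
import random
import secrets

# Constructed toy model of a TCP listener's handshake bookkeeping, added to
# illustrate the thread's SYN-flood discussion (no real sockets involved).
BACKLOG = 8          # assumed size of the half-open (SYN_RECV) queue
MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit

class Listener:
    def __init__(self, syncookies, secret=None):
        self.syncookies = syncookies
        self.secret = secret or secrets.token_bytes(16)   # per-listener cookie key
        self.half_open = {}      # (src_ip, src_port) -> server ISN; unused with cookies
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip, src_port, client_isn):
        # 24-bit keyed hash of the connection tuple; stands in for the real
        # SYN-cookie construction (which also encodes a time slot and MSS).
        msg = f"{src_ip}:{src_port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syncookies:
            return self._cookie(src_ip, src_port, client_isn)   # nothing stored
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1          # queue full: legitimate SYNs die here
            return None
        server_isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = server_isn
        return server_isn

    def on_ack(self, src_ip, src_port, client_isn, ack_num):
        """Handle the handshake's final ACK (ack_num must equal server ISN + 1)."""
        key = (src_ip, src_port)
        if self.syncookies:
            # State is reconstructed from the ACK itself: recompute the cookie
            # and compare it with what the peer acknowledges.
            ok = ((ack_num - 1) & MASK32) == self._cookie(src_ip, src_port, client_isn)
        else:
            ok = key in self.half_open and ((self.half_open.pop(key) + 1) & MASK32) == ack_num
        if ok:
            self.established.add(key)
        return ok

def simulate(syncookies, flood_syns=1000, seed=1):
    """Spoofed-source SYNs that are never ACKed, then one legitimate handshake.

    Returns True if the legitimate client reaches ESTABLISHED."""
    srv = Listener(syncookies)
    rng = random.Random(seed)                    # constructed, deterministic flood
    for _ in range(flood_syns):
        ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        srv.on_syn(ip, rng.randrange(1024, 65536), rng.getrandbits(32))
    isn = srv.on_syn("192.0.2.10", 40000, 12345)   # legitimate client (TEST-NET-1)
    if isn is None:
        return False
    return srv.on_ack("192.0.2.10", 40000, 12345, (isn + 1) & MASK32)

if __name__ == "__main__":
    print("without SYN cookies, legit client connects:", simulate(False))  # False
    print("with SYN cookies, legit client connects:   ", simulate(True))   # True
```

Without cookies the eighth spoofed SYN fills the queue and every later SYN, the legitimate one included, is dropped, which is the "TCB starvation" Frater 219 refers to. With cookies the queue stays empty however many SYNs arrive, and a forged final ACK that does not carry the right cookie is rejected, so the listener spends no memory per unanswered SYN; what it still spends is bandwidth and CPU on each SYN-ACK, which is the cost eraser.cpp points at.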
  • by decoder (628982) on Thursday December 11, 2003 @08:19AM (#7688658)

    iptables -A OUTPUT -p tcp -d www.sco.com -j DROP
    iptables -A OUTPUT -p udp -d www.sco.com -j DROP

    OR

    ipfw add 1 deny ip from me to www.sco.com

  • Re:Come on guys... (Score:3, Informative)

    by arivanov (12034) on Thursday December 11, 2003 @10:04AM (#7689168) Homepage
    The analysis is written by yet another clueless fuck claiming to be a security or a network professional.

    You get .12 and .13 adjacent on cheap low end bozo hosting.

    In real life they may be in different corners of the globe, because in real high end network installations people use loopback addresses and you never ever see the actual physicals. They may even be on martian networks (and usually are) that are uplinks to a firewall or load balancer which quite often does forwarding with no increment of TTL so that people do not know that it is there.

    So the fact that ftp.sco.com is accessible while www is not does not mean a thing.

    Same goes for SYN cookies and SYN floods. The part of the attack that brings the target machine down is now well mitigated and most systems are not vulnerable to it. This still leaves the service part. The bad thing about SYN floods is that in order not to go down the target site has to discard SYNs. This is usually done by rate limiting them. Once SYNs have been rate limited, a sufficiently thick flood of SYNs from random addresses will render the site unresponsive and inaccessible, no matter what patches have been applied, because for every legit SYN you will have up to hundreds of non-legit ones.

    Note that I am not defending SCO.

    I am simply sick of "security" and "network reliability" cretinoids that continue to make claims based solely on IP addressing. These claims are invalid, void and outright stupid.
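The post above makes a point that is easy to confirm numerically: once a site rate-limits incoming SYNs to survive, legitimate SYNs compete for the same token budget as the flood, so acceptance falls to roughly limit / (legit + flood) regardless of how well patched the host is. The simulation below is an added example (not arivanov's code, and not a measurement of any real network) using a token-bucket limiter. It goes one step beyond the post by also running a per-source-address limiter, which shows why a flood from randomly spoofed sources is not slowed by per-source limits at all; that is what pushes operators to the global limit that causes the collateral damage. All rates and addresses are constructed.

```python
import random

# Constructed simulation, added to illustrate the rate-limiting argument
# above; rates and addresses are assumptions, not measurements.

class TokenBucket:
    """Allow up to `rate` events per second with a burst of `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def simulate(legit_rate, flood_rate, limit_rate, per_source, seed=7):
    """One second of SYN arrivals: `legit_rate` SYNs from a small pool of real
    clients and `flood_rate` SYNs from random spoofed sources, fed through
    either one global limiter or one limiter per source address.

    Returns (fraction of legit SYNs accepted, fraction of flood SYNs accepted)."""
    rng = random.Random(seed)   # deterministic constructed traffic
    events = [(rng.random(), True, "192.0.2.%d" % (i % 250 + 1)) for i in range(legit_rate)]
    events += [(rng.random(), False, str(rng.getrandbits(32))) for _ in range(flood_rate)]
    events.sort()               # arrival order by timestamp
    buckets = {}

    def limiter(src):
        key = src if per_source else None
        if key not in buckets:
            buckets[key] = TokenBucket(limit_rate, burst=max(1, limit_rate // 10))
        return buckets[key]

    accepted = {True: 0, False: 0}
    for t, legit, src in events:
        if limiter(src).allow(t):
            accepted[legit] += 1
    return (accepted[True] / legit_rate if legit_rate else 1.0,
            accepted[False] / flood_rate if flood_rate else 0.0)

if __name__ == "__main__":
    print("no flood, global limit:      legit %.2f flood %.2f" % simulate(50, 0, 200, False))
    print("flood 100:1, global limit:   legit %.2f flood %.2f" % simulate(50, 5000, 200, False))
    print("flood 100:1, per-source:     legit %.2f flood %.2f" % simulate(50, 5000, 200, True))
```

With no flood the 50 legitimate SYNs all pass. With a 100:1 flood behind a global 200/s limit only a few percent of either class gets through, which is the "unresponsive and inaccessible" state the post describes. With per-source limiting every spoofed source is new and starts with a full bucket, so the flood passes untouched and the limiter protects nothing; the choice is between a global limit that drops legitimate clients and no limit at all, which is exactly why patching the half-open queue does not end the problem.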
