Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Caldera

Security Experts Doubt SCO's Claims of DoS 510

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
This discussion has been archived. No new comments can be posted.

Security Experts Doubt SCO's Claims of DoS

Comments Filter:
  • by Anonymous Coward on Thursday December 11, 2003 @01:13PM (#7691484)
    It wouldn't be an over-exaggeration to say that a bulk of SCO-related talks happen here on Slashdot. Even NY Times and other mainstream media frequently refer to Slashdot, when they need a quote from "open-source community", "Linux users" and other group that is mentioned in the article. Thus any DDOS attack organization wouldn't probably go unnoticed on this site.

    So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
  • Press release? (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday December 11, 2003 @01:13PM (#7691487) Homepage Journal

    If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.
    • by Blahbbs ( 587167 ) on Thursday December 11, 2003 @01:21PM (#7691598)
      SCO probably submitted this story to Slashdot in order to DDoS GrokLaw's web site.... It's working, isn't it?
      • by blunte ( 183182 ) on Thursday December 11, 2003 @02:08PM (#7692073)
        Groklaw has seemed to do fine in the past against /., so the current problems surprise me.

        On a different note, perhaps we should all (all /. readers) visit the SCO [sco.com] site each day, maybe even multiple times a day, to make sure we don't miss out on some important information.

        And remember, you'll want to disable your cache to do this. Oh, and if you have a browser that allows you to set it to auto refresh, that would be a good idea too. It would really be a shame to miss an important press release just because you forgot to hit Refresh often enough...

        Unfortunately, SCO's unknown (linux) [netcraft.com] server is having some difficulty right now.

        What (obviously) amuses me is that this frequent refreshing of their news page would be justified, given their proclivity for using press releases to disseminate important information.

        • Good idea, but just to make sure you get it all, you should mirror the contents. "wget -m" should do the trick, and when the site does get hosed, you'll already have a mirror to share with /. readers!
    • This would hardly be likely to impact their stock. Currently anyone doing any research into SCOX would know their IP claims are BS. The stock pumping is based on the hope of finding stupid greedy people, not rational people.
    • Re:Press release? (Score:5, Interesting)

      by Unfallen ( 114859 ) on Thursday December 11, 2003 @01:25PM (#7691640) Homepage
      Interestingly, and somewhat depressingly, the first thing I knew about it was about 3 e-mails from Google News Alert, each telling me of about 3 different news sites reporting the story. Some of the sites weren't even that techie (CXO Today [cxotoday.com] seems a good example of the people SCO were intending to reach with their statement). The fact that SCO got their press release out so far, and so quickly might not say anything about the true nature of their server(s) downtime, but it does indicate where their operational motives lie.

      Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"
    • The Press Sucks! (Score:5, Insightful)

      by big-giant-head ( 148077 ) on Thursday December 11, 2003 @01:56PM (#7691942)
      Most members of the press are as interested in the truth as Darl McBride is, and they are equally compentent in technology matters.

      Face it a bunch of angry hackers attacking SCO makes a better story than the truth. Especailly using the 10 word headline format that is so prevelant in the US.
    • Before the DDoS announcement the Yahoo Message Board was talking about Bankrupt Before the Trial Starts [yahoo.com].

      Now they're talking about the state of the SCO website and how Groklaw is slashdotted.

      If you were running a stock scam, which type of story would you prefer?

  • Soon... (Score:5, Funny)

    by Anonymous Coward on Thursday December 11, 2003 @01:15PM (#7691496)
    SCO will sue Groklaw for illegal use of the term "DDoS", which of course SCO lays claim to.
  • by BigDork1001 ( 683341 ) on Thursday December 11, 2003 @01:15PM (#7691507) Homepage
    Oh, I'm so shocked. SCO might have lied about something. Is nothing held sacred anymore? Oh what is this world coming to???

  • by Space cowboy ( 13680 ) on Thursday December 11, 2003 @01:15PM (#7691508) Journal
    or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)

    The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???

    Simon
  • by Anonymous Coward on Thursday December 11, 2003 @01:15PM (#7691510)
    Wednesday, December 10 2003 @ 04:37 PM EST

    SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.

    The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.

    First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?

    I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.

    Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:

    "SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.

    "Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.

    'A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.

    "In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.

    "As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.

    Why hasn't SCO applied them?

    Further SCO States:

    "'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'

    "Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).

    "Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.

    "The evidence then, is that their bandwidth is fine.

    "So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.

    "I feel quite
    • I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks.

      all forms of LINUX too bad they are using UNIX
    • by CAIMLAS ( 41445 ) on Thursday December 11, 2003 @01:53PM (#7691918) Homepage
      It makes sense to me that they would claim it's a "SYN flood" simply because SYN has a similar sound to "sin" - it sounds evil! A "ping" flood sounds about as threatening to the average person as a pair of daffy duck children's socks.
    • Dear Mr. BS: . . .

      Calling Blake Stowell "Mr. BS" just seems fitting somehow.
    • Lets say, for arguments sake, they really were attacked. Here [grc.com] is an account of a small company being attacked, and how even being a small fish to their ISP, was able to detect, solve, and prevent further attacks. Admitedly, the attack is a UDP flood, but applying a filter to an upstream router cannot be much less time consuming than applying a patch. With the army that SCO employs, this should have been no more than a day of downtime and quitely filed away.
    • by bpd1069 ( 57573 ) on Thursday December 11, 2003 @02:32PM (#7692333) Homepage
      There will be more information to come, I have no doubt. But this is enough to raise questions in any reasonable person's mind. If there is an attack, where is the proof? Did SCO SYN attack itself? A single attacker can mount a SYN flood, I'm told. They are claiming the attack affected their intranet. I am hearing that is unlikely in the extreme. Here is how Jason Fordham explained it to me:

      "An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.


      Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...

      Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....
    • You are incorrect. (Score:5, Insightful)

      by mindstrm ( 20013 ) on Thursday December 11, 2003 @03:00PM (#7692620)
      I've dealt with huge synflood attacks, in the wild.
      Most of the things you say you think you know here are simply not true, I'm sorry.

      Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.

      First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. if you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.

      Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.

      Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.

      Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. only as long as it can keep up with the flood.. which when we are takling about gigabit speeds, is tough.

      IN short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but tha'ts far more engineering and resources than many even very large companies throw at their stuff.

      It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.

      Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..

      And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.

      • by Silvers ( 196372 ) on Thursday December 11, 2003 @03:30PM (#7692962)
        In the article it states ftp.sco.com was responsive.

        That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.

        What options does that leave? An unprotected www server being syn attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way its just poor network engineering.
  • by Anonymous Coward on Thursday December 11, 2003 @01:16PM (#7691515)
    But I sure know that groklaw is DOS'd.

    Connection refused.
  • by Anonymous Coward on Thursday December 11, 2003 @01:16PM (#7691517)
    That just causes more problems for their servers.
  • DDOS..... (Score:5, Funny)

    by Vengie ( 533896 ) on Thursday December 11, 2003 @01:16PM (#7691518)
    Blake Stowell was quoted as saying, "From preliminary research, we appear to be under some form of 'Slashdot Effect' -- involving both duplicate stories and annoying links."
    • Blake Stowell was quoted as saying, "From preliminary research, we appear to be under some form of 'Slashdot Effect' -- involving both duplicate stories and annoying links."

      Slightly off topic but it's gotta be said, who else finds it appropriate that this mans initials are BS :-D.
  • by RobertTaylor ( 444958 ) <roberttaylor1234 AT gmail DOT com> on Thursday December 11, 2003 @01:16PM (#7691520) Homepage Journal
    "SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really?"

    Groklaw certainly has just been ;)

    Cheers,
    rob.
  • by Anonymous Coward on Thursday December 11, 2003 @01:16PM (#7691525)
    stolen from: http://www.newsforge.com/business/03/12/11/1315246 .shtml?tid=85

    Very strange is this; reported BEFORE it happened?
    by Anonymous Reader on 2003.12.11 12:54 (#81456)
    I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.

    The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alledged attack even took place?!
  • by cryptor3 ( 572787 ) on Thursday December 11, 2003 @01:16PM (#7691532) Journal
    I thought Groklaw was more of an expert in law.
  • by Lord_Dweomer ( 648696 ) on Thursday December 11, 2003 @01:17PM (#7691549) Homepage
    Security experts eh?

    Security Expert: "Oh, so um, you claim malicious linux users who you wanted to sue are DDoSing your servers Mr. McBride? Well, let me get out my laptop and check it out."

    *boots up linux distro of choice*

    "Nope, doesn't look like it was that at all, sorry!"

    *evil snicker*

  • by sulli ( 195030 ) * on Thursday December 11, 2003 @01:18PM (#7691554) Journal
    First they claim they own Linux, and now DOS! What's next, CP/M?
  • ftp.sco.com (Score:5, Interesting)

    by Hug Life ( 643998 ) on Thursday December 11, 2003 @01:18PM (#7691555)
    What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
    But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
    Just more ham handed FUD from Darl and friends.
    • Re:ftp.sco.com (Score:5, Informative)

      by delta407 ( 518868 ) <slashdotNO@SPAMlerfjhax.com> on Thursday December 11, 2003 @02:00PM (#7691985) Homepage
      What's even weirder is, that before the groklaw post, www.sco.com was down, but ftp.sco.com (next IP address) was just fine, which invalidated SCO's claims of a DDoS attack.
      Right now, www.sco.com (216.250.128.12) and ftp.sco.com (216.250.128.13) -- both mentioned in the Groklaw post -- are down. I can second your observation that ftp.sco.com was up prior to this hitting the press, implying that something fishy is happening.

      Even more fishy: ftp.dev.caldera.com (216.250.128.14) was not mentioned in the post, but is on the same subnet as www and ftp.sco.com. Guess what? It's quite responsive at refusing anonymous logins. Plus, ftp.beta.caldera.com (.15), ftp.iso.caldera.com (.16) work just fine:
      $ time wget ftp://ftp.iso.caldera.com/MIRRORS -O /dev/null
      --12:58:08-- ftp://ftp.iso.caldera.com/MIRRORS
      => `/dev/null'
      Resolving ftp.iso.caldera.com... done.
      Connecting to ftp.iso.caldera.com[216.250.128.16]:21... connected.
      Logging in as anonymous ... Logged in!
      [lameness filter]
      ==> PORT ... done. ==> RETR MIRRORS ... done.
      Length: 792 (unauthoritative)

      12:58:09 (773.44 KB/s) - `/dev/null' saved [792]

      real 0m0.893s
      user 0m0.005s
      sys 0m0.006s
      That's a 0.9-second FTP session. Guess what else? Despite .15 and .16 being up, ftp2.sco.com (.17) is down, presumably from the same DDoS.

      Something doesn't add up.
  • Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge.(Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)

    Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.
    • by Valar ( 167606 ) on Thursday December 11, 2003 @01:26PM (#7691651)
      It doesn't actually have much to do with the IPs being one off. It has to do with them being on the same subnet. Behind the same router. If www.sco.com was being DDOSed, then there would have at least been a) a hiccup, DDOSed servers don't go straight offline b) effects on hosts on the same subnet. Of course, SCO also claimed it hit their corporate intranet. I wonder how that happened?
    • No. (Score:4, Interesting)

      by schon ( 31600 ) on Thursday December 11, 2003 @01:49PM (#7691881)
      lack of technical knowledge.

      If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.

      it is total and absolute speculation at this point

      No, it most certainly is not.

      It is a logical conclusion, drawn from deductive reasoning.

      From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.

      This does not preclude the possiblity of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetant.
    • by Trepalium ( 109107 ) on Thursday December 11, 2003 @02:04PM (#7692026)
      Well how about this, someone DoS's you, and your Intranet and support desk goes down? That's pretty damn peculiar. I see three options. Either they're lying, they're incompetent, or it's an inside job. Their ISP is treating the attack like a standard DDoS attack, by blocking it far upstream, and BS comes to the press and tries to be technical and call it a "SYN attack". SCO claims their mail system was knocked down, but their webserver doesn't even act as a mail server (it's mail.ut.caldera.com [216.250.130.2], not www.sco.com [216.250.128.12]). They dont' even have a secondary MX in this case.

      SCO's victim story doesn't add up, and it doesn't make sense.

    • Read many of the posts here and you'll see that a) groklaw article appears showing ftp.sco.com down b) ftp.sco.com suddenly disappears hours aftwerwards.

      It's pretty obvious that SCO's claim is shady at best.
  • by Virtex ( 2914 ) on Thursday December 11, 2003 @01:21PM (#7691592) Homepage
    SCO's web site was only designed to handle one person at a time. Until recently, it worked well enough, but recently two people tried to access the web site simultaneoulsy. This, of course, brought down their server. And since the two people were located at different locations, it was distributed; hence, we have a distributed denial of service (DDoS) attack.

    And now you know the real story.
  • by Ridgelift ( 228977 ) on Thursday December 11, 2003 @01:21PM (#7691595)
    If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch.

    The ftp server seems inaccessible now. Maybe someone at SCO clued in "Joe! You forgot to unplug the FTP server! Quick, grab that cable..."

    Maybe Valerie from The Princess Bride sais it best: "Liar! Liar! Liiiiaaaaaar!"
  • by cybrthng ( 22291 ) on Thursday December 11, 2003 @01:24PM (#7691627) Journal
    Like others have stated, this would be a twist of fate pushing for the end of SCO. If they have to lie that the community or linux community as they put it is DDoS'ing there network then this could very well be the most damning story against SCO yet. It would be amazing to prove the lack and misunderstanding of IT, Linux and Intellectual property SCO has by getting a headline on national news "SCO lies about networking attacks".

    A Simple title like that would take the competency out of any IP lawsuite around simply on the grounds you couldn't tell what the company was telling the truth on or not. (Well, to geeks its easy to say they're lying, but this brings it to the forefront that any CTO/CIO or CEO would understand for that matter).

    Has anyone been able to get any further comments from upstream providers or ISP's around them?

    I wonder if i will ever see the code to smurf.c as "a special F**K you to SCO".. I always laughed when i saw the code and recognized old Fnet admins being the brunt, would be funny to see sco action (although, i'm with RMS - don't do anything illegal.. just keep on emailing them and expressing your opinions!)
  • by mabu ( 178417 ) * on Thursday December 11, 2003 @01:25PM (#7691638)
    In the Internet industry, all sorts of companies use DOS/DDOS or claims that worm-related traffic is to blame for a plethora of problems that are often internal blunders. This shouldn't come as a surprise to anyone who has ever managed a server online.
  • by randall_burns ( 108052 ) <randall_burns AT hotmail DOT com> on Thursday December 11, 2003 @01:28PM (#7691674)
    I suspect that SCO is going to get about as much sypathy from the technical community as someone that wanders into Harlem at 2AM and runs down the street shouting racial insults at the residents. Sure there are some folks that would think such a misguided individual deserves the protection of the law-but there ability to actually provide them protection is limited. There are quite simply limits to what a major corporation can do and get away with it.


    The emergence of Linux has helped the careers/livelyhood of a lot of people here. I don't see SCO making any kind of similar contribution-which limits the degree to which they can expect the good Samaritan type behavior which enforcement of the law realistically requires.

  • by RamsÚs Morales ( 13327 ) on Thursday December 11, 2003 @01:29PM (#7691689)
    I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.

    Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.

    Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.

    And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.
    • Newspurge (Score:5, Insightful)

      by eddy ( 18759 ) on Thursday December 11, 2003 @01:50PM (#7691891) Homepage Journal

      The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compell hearing (which wasn't SCO's finest hour. Read the transcript here [tuxrocks.com]. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to belive Boies is on a continguency (apparently that implies 'faith in the lawsuit').

      Where is that now? Gone.

      Instead we have stories about poor, poor SCO being attacked by those evil linux users.

      How many companies release Press Releases about being under attack?! On the same day, no less!

  • Letter to Netcraft (Score:5, Interesting)

    by TWX ( 665546 ) on Thursday December 11, 2003 @01:31PM (#7691710)
    Netcraft [netcraft.com] had a posting about the supposed attack, but didn't doubt the actual situation. I've sent them the following letter:

    To: webmaster@netcraft.com
    Subject: News on your front page

    You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.

    groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:

    http://www.groklaw.net/article.php?story=200312101 63721614 [groklaw.net]

    Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.

    Thank you for your time,
    TWX


    Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.
  • by SpaceRook ( 630389 ) on Thursday December 11, 2003 @01:34PM (#7691737)
    Hey guys, the trailer for the next Star Wars movie is RIGHT HERE!!!! [sco.com].
  • by PB8 ( 84009 ) on Thursday December 11, 2003 @01:35PM (#7691749)
    So, this was not the real truth?


    SCO Experiences Distributed Denial of Service Attack [sco.com]


    It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?


    SCO Grows Your Business [216.250.128.20] http.://216.250.128.20 vs the old address of 216.250.128.13?


    Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws

  • Step 1 (Score:5, Funny)

    by gspeare ( 470147 ) <{geoff} {at} {shalott.com}> on Thursday December 11, 2003 @01:36PM (#7691763) Journal
    I'm sure this is just an overture to...

    Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!
  • by IshanCaspian ( 625325 ) on Thursday December 11, 2003 @01:36PM (#7691764) Homepage
    Why don't we SYN flood their FTP server? If their claims are correct, it should go offline, right?
  • by CAIMLAS ( 41445 ) on Thursday December 11, 2003 @01:38PM (#7691785) Homepage
    -SCO sold all their servers to increase revenue.

    -They took everything down to install MS Windows Advanced Server 2004

    - The guy that took over for the sysadmin, after they fired him, tripped and spilled coffee all over the cisco rack. They're waiting for replacements, shipped Express.

    - Daryl opened an attachment
  • by ufpdom ( 556704 ) <ncc1701p@hot m a i l . com> on Thursday December 11, 2003 @01:42PM (#7691818)
    bye.edu was down, uvsc.edu was down.. iomega was down.. What do they all have in common.. They are in the Salt Lake City valley area. I was bored and decided to visit sco and it was down.. traceroutes to all locations revealed that a OC-12 connection between level3.net and x0.net was down somewhere in chicago.. thus causing me not to get into the SLC area.
  • How conventient (Score:5, Interesting)

    by Dunark ( 621237 ) on Thursday December 11, 2003 @01:43PM (#7691834)
    SCO was taking a publicity beating on several fronts:
    - They got an unfavorable ruling WRT discovery on Friday
    - The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
    - Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
    - SCO has to delay their earning announcement by two weeks to screw around with the numbers.

    Needless to say, SCOX stock price dives, and the lo and behold, an attack on SCO's website suddenly becomes the to SCO new item and buries all the other bad news. How fortunate!
  • This past week the university that I work for has been the victim of an internal denial of service attack that may be related. From what I can gather, our sysadmins have traced the problem to some sort of irc virus/worm that is using student's computers to participate in a DDOS attack. The compromised computers were spoofing random ip adresses and (from what I heard) trying to hit SCO. These have all been stopped by our firewall, but they had been causing trouble with said firewall all week.

    I don't have conformation that they were trying to hit SCO, but this headline jibes.
  • by Animats ( 122034 ) on Thursday December 11, 2003 @01:51PM (#7691898) Homepage
    SCO issued three press releases [yahoo.com] about their "denial of service attack", perhaps in hope that this news story, "SCO Group Hit by Double Whammy" [thestreet.com] will scroll off.
    • Shares of SCO Group, the company challenging the popular Linux movement, fell sharply Monday after the company lost a court motion Friday and postponed its earnings report.

      After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.

      Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...

      Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...

    It worked, too. See SCO's chart. [yahoo.com] The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.

  • Up And Down Again? (Score:3, Informative)

    by leonscape ( 692944 ) on Thursday December 11, 2003 @01:52PM (#7691909)
    The interesting thing here is that it came back up for what looked like an house according to netcraft. Look at the New York graph it was even responding normally, how strange.

    http://uptime.netcraft.com/perf/graph?site=www.sco .com
  • by AndroidCat ( 229562 ) on Thursday December 11, 2003 @01:54PM (#7691928) Homepage
    It was all their remaining technical people sending out floods of job applications.
  • Ha ha! (Score:3, Insightful)

    by macdaddy ( 38372 ) on Thursday December 11, 2003 @01:56PM (#7691945) Homepage Journal
    That's like a teenager lieing to their parents about what *really* happened to their parents car they borrowed last night. Did I forget to mention the father was a mechanic? Ha!

    Honest Dad, I didn't forget to put oil in it (as the father drains the pristinely-clean golden-colored oil from the locked up engine)...

    Honest Dad, I had a blow-out (as the father examines the tire with a 4 inch puncture would that shows the core pushed inside the tire)...

    Can you say busted?

  • by LuxFX ( 220822 ) on Thursday December 11, 2003 @02:00PM (#7691981) Homepage Journal
    Dear Mr. Judge,

    I am sorry but we are unable to provide the source code examples you have requested. These examples were stored on our web server and were lost in a recent DDoS attack on these servers.

    By my reckoning, that means we win. Tell IBM to pay up.

    -D. McBride
    CEO, SCO Group
  • by rritterson ( 588983 ) * on Thursday December 11, 2003 @02:02PM (#7692003)
    Near the top of the article, a security expert from Australia says:

    "So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
    He also claims that ftp.sco.com should be unavailable if the DoS attack were real.

    However, near the bottom of the article, another user writes in:

    "There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.

    "Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of of volunteer expertise that is ready to help any user of a Linux system.


    This suggest to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'

    However, I make no statements whether the DoS attack is real or fabricated- I see either as likely.
  • by kroyd ( 29866 ) on Thursday December 11, 2003 @02:04PM (#7692024)
    1: The day before the alleged attack it was revealed that the "contigency agreement" with Boies (a very high profile lawyer) isn't really a contigency agreement at all, but a bonus on top of already very expensive fees.

    The claims of Boies taking the case on contigency is one of the major reasjons for the SCOX market capitalizion to incerease by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)

    2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.

    Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).
  • by steveit_is ( 650459 ) on Thursday December 11, 2003 @02:07PM (#7692053) Homepage
    Did anyone else see this article [technewsworld.com] linked from SCO's main page? It starts off saying 'I have a hard time seeing the Linux Zealots as any different from terrorists because of the nature of their threats.'. I knew Darl and Co. were a bunch of asshats, but this is ridiculous.
  • Perhaps (Score:4, Funny)

    by hackhound ( 599190 ) on Thursday December 11, 2003 @02:09PM (#7692079) Homepage Journal
    They forgot to buy a liscense from themselves, and were forced to shut their server down to keep from getting sued by themselves?
  • by hydertech ( 122031 ) on Thursday December 11, 2003 @02:25PM (#7692270) Homepage
    If you want to see what boxes SCO neglected to unplug in the 216.250.128.xxx subnet here's a list. HINT: QUITE A FEW ARE ONLINE!

    216.250.128.7 ftp-rsync.sco.com
    216.250.128.9 lists.caldera.com
    216.250.128.12 www.sco.com
    216.250.128.13 ftp.sco.com
    216.250.128.14 ftp.dev.caldera.com
    216.250.128.15 ftp.beta.caldera.com
    216.250.128.16 ftp.iso.caldera.com
    216.250.128.17 ftp2.sco.com
    216.250.128.32 colonet.caldera.com
    216.250.128.33 artemis.caldera.com
    216.250.128.35 apollo.sco.com
    216.250.128.37 stage.caldera.com
    216.250.128.44 colofailover1.caldera.com
    216.250.128.45 colofailover2.caldera.com
    216.250.128.46 cologw.caldera.com
    216.250.128.47 colobcast.caldera.com
    216.250.128.64 vultusnet.ut.sco.com
    216.250.128.65 medusa.ut.sco.com
    216.250.128.66 minotaur.ut.sco.com
    216.250.128.67 sphinx.ut.sco.com
    216.250.128.69 pegasus.ut.sco.com
    216.250.128.70 cyclops.ut.sco.com
    216.250.128.71 griffon.ut.sco.com
    216.250.128.72 chimaera.ut.sco.com
    216.250.128.194 public.sco.com
    216.250.128.197 register.sco.com
    216.250.128.198 authentica.caldera.com
    216.250.128.199 sonic.ut.caldera.com
    216.250.128.200 vupdate.sco.com
    216.250.128.210 bosshog.j2.net
    216.250.128.215 openwbem.caldera.com
    216.250.128.220 scoxweb.sco.com
    216.250.128.221 scoxdb.sco.com
    216.250.128.222 scoxdemo.sco.com
    216.250.128.225 zeus.ut.sco.com
    216.250.128.235 www.vultus.com
    216.250.128.236 data.vultus.com
    216.250.128.237 bugzilla.vultus.com
    216.250.128.238 mardon.ut.sco.com
    216.250.128.241 linuxupdate.sco.com
    216.250.128.245 uw713doc.caldera.com
    216.250.128.246 ou800doc.caldera.com
    216.250.128.247 docsrv.caldera.com
    216.250.128.248 locutus3.calderasystems.com
    216.250.128.251 ntop.ut.caldera.com
    216.250.128.253 fgw.calderasystems.com
    216.250.128.254 c7-gw.calderasystems.com
  • by cant_get_a_good_nick ( 172131 ) on Thursday December 11, 2003 @02:48PM (#7692500)
    ... so shouldn't it be a DR-DOS attack?

    Hello, is this mike on.. hello....
  • Backscatter (Score:5, Informative)

    by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Thursday December 11, 2003 @02:51PM (#7692537) Homepage
    It's astonishing that rumors spread like wildfire if the facts are so easy to check.

    If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter [samsi.info] ((sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.

    And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
  • by Roadkills-R-Us ( 122219 ) on Thursday December 11, 2003 @03:04PM (#7692651) Homepage
    Looks like both to me. Someone at SCO has a cron job running that starts a DDoS (SYN) attack against www.sco.com from their internal network, and sends out a press release at the same time.

    That way Darl doesn't even have to climb out of his lawyers' lap, where he spends the day happily napping and dreaming of Linus as his shoe shine boy.
  • SCO's defense (Score:4, Insightful)

    by Unnngh! ( 731758 ) on Thursday December 11, 2003 @03:15PM (#7692746)
    It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.

Congratulations! You are the one-millionth user to log into our system. If there's anything special we can do for you, anything at all, don't hesitate to ask!

Working...