Security Experts Doubt SCO's Claims of DoS 510
devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."
This discussion has been archived.
No new comments can be posted.
Security Experts Doubt SCO's Claims of DoS
Related Links Top of the: day, week, month.
Lots of folks confuse bad management with destiny. -- Frank Hubbard
Let's do a Slashdot insta-poll (Score:5, Funny)
So here's a question - have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
Re:Let's do a Slashdot insta-poll (Score:5, Funny)
Poll already up. (Score:5, Interesting)
There's a poll here [newsforge.com].
Re:Poll already up. (Score:3, Funny)
It's missing the CowboyNeal option!
Re:Let's do a Slashdot insta-poll (Score:5, Informative)
have you or any friends of yours taken part in SCO DDOS attack? If the overwhelming answer on Slashdot is no, then I guess we know the value of SCO's claims.
That's specious logic.
A single machine on cable or DSL can SYN flood a machine. The attacker sends a stream of SYN packets with forged source addresses, the victim machine replies back to the bogus IP and waits.. and waits.. and waits.. It takes negligible bandwidth to do this.
Re:Let's do a Slashdot insta-poll (Score:5, Funny)
I'm intrigued by your ideas, and would like to subscribe to your newsletter.
Re:Let's do a Slashdot insta-poll (Score:5, Interesting)
Re:Let's do a Slashdot insta-poll (Score:3, Interesting)
Re:Let's do a Slashdot insta-poll (Score:4, Insightful)
How come the press never similarly reports that "the Windows community unleashed a virus today..."?
A single machine on cable or DSL? (Score:3, Insightful)
You don't NEED to distribute the attack, per se, it'd be done that way to completely cover their tracks...
Re:Let's do a Slashdot insta-poll (Score:5, Funny)
Anyway, my point was that it's not fair to assume they're lying just because a smart person could circumvent the attack. It's equally probable that they're stupid and telling the truth.
Re:Let's do a Slashdot insta-poll (Score:5, Funny)
Well I tried to view their website after this was mentioned on Slashdot. Does that count?
Disclaimer : many of the others participating in the Slashdotting are not my friends
Re:Let's do a Slashdot insta-poll (Score:5, Funny)
Nice try, Darl.
Press release? (Score:5, Insightful)
If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.
Re:Press release? (Score:5, Funny)
Groklaw; sco.com (Score:5, Funny)
On a different note, perhaps we should all (all /. readers) visit the SCO [sco.com] site each day, maybe even multiple times a day, to make sure we don't miss out on some important information.
And remember, you'll want to disable your cache to do this. Oh, and if you have a browser that allows you to set it to auto refresh, that would be a good idea too. It would really be a shame to miss an important press release just because you forgot to hit Refresh often enough...
Unfortunately, SCO's unknown (linux) [netcraft.com] server is having some difficulty right now.
What (obviously) amuses me is that this frequent refreshing of their news page would be justified, given their proclivity for using press releases to disseminate important information.
sco.com - visit often! (Score:3, Funny)
Re:Press release? (Score:3, Insightful)
Re:Press release? (Score:5, Interesting)
Steve Ballmer seems almost impressive with his shouts of "Developers! Developers! Developers!". I like to think of Darl giving a rousing meeting, stomping around the stage yelling "Marketeers! Marketeers! Marketeers! Lawyers! Lawyers! Lawyers!"
The Press Sucks! (Score:5, Insightful)
Face it a bunch of angry hackers attacking SCO makes a better story than the truth. Especailly using the 10 word headline format that is so prevelant in the US.
It's better for SCO than bankruptcy speculation (Score:3, Interesting)
Now they're talking about the state of the SCO website and how Groklaw is slashdotted.
If you were running a stock scam, which type of story would you prefer?
Soon... (Score:5, Funny)
Re:Soon... (Score:5, Funny)
Clearly, the letters "D", "o", and "S" are part of SCO IP.
"S" is the first letter in their company name. "D", being the letter after "C" is obviously a derivitave work of the second letter. "o" is simply an attempt to hide the misuse of the third letter "O".
Unquestionably, SCO owns DDoS.
Re:Soon... (Score:5, Funny)
Re:Soon... (Score:3, Funny)
In Soviet Russsia, SCO 0wnZ DDoS!
Bwaahahahahaaah!
Re:Soon... (Score:5, Funny)
Clearly, the letters "D", "o", and "S" are part of SCO IP.
Actually, I thought the letters were "P", "o", and "S".
I'm shocked... (Score:5, Funny)
SYN attacks are not bandwidth hogs (Score:5, Insightful)
The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???
Simon
Re:SYN attacks are not bandwidth hogs (Score:5, Funny)
who in their right mind sues IBM???
Full text: in case of slashdotting (Score:5, Informative)
SCO has reported that they are experiencing an attack on their servers. Groklaw has been flooded with information that indicates their story doesn't add up.
The consensus of what I am hearing is: That it is probably not an attack. That their description of the "attack" makes no sense. And that if what they are saying were true, SCO would be admitting to gross negligence.
First, I'm being told that Linux has a very simple preventative built in. Linux comes with the ability to block ALL SYN attacks. End of story. All major firewalls can do so also. They run their web site on Linux. CISCO routers can protect against SYN attacks too, I have been told, if properly enabled. Why does SCO persist in having such problems?
I knew one of Groklaw's readers is a security professional in Australia, so I wrote to him and asked if he'd take a look and give me his opinion.
Steve McInerney describes himself like this: "I worked for six years as the Technical Security member of the IT Security team for Australia's Department of Defense. Also I did IT Security policy writing/advice. More recently I was one of the senior designers/firewall/security experts at a company that manages Australia's largest federal government-certified Internet gateway." He just sent me his opinion:
"SCO has released a press release stating that their web site www.sco.com has come under a Distributed Denial of Service Attack (DDoS), specifically a SYN flood.
"Before we show how silly this statement is, let's explain SCO's position. A 'SYN Flood' attack is an attack that attempts to stop a server from accepting new connections. It's quite an old attack now, and has been relegated to the 'That was interesting' basket of attacks.
'A very simple analogy of a SYN attack: You have two hands, you are thus able to shake hands with at most two people at any one time. A third person who wants to shake your hand has to wait. Either you or one of the first two people can stop shaking hands so as to be able to accept the third person's handshake.
"In this instance SCO are claiming that 'thousands' are doing something similar to their web server. This is, in and of itself, plausible. Unfortunately if we look closer there are a few problems with this claim of SCO's.
"As stated above, the attack is quite an old one. Patches to all Operating Systems that I'm aware of, do exist to stop this sort of attack. For instance, a CISCO document: http://www.cisco.com/warp/public/707/4.html describes the attack and provides ways to stop it. Note the lines: 'Employ vendor software patches to detect and circumvent the problem (if available).' This means, quite simply, that patches exist to mitigate this attack.
Why hasn't SCO applied them?
Further SCO States:
"'The flood of traffic by these illegitimate requests caused the company's ISP's Internet bandwidth to be consumed so the Web site was inaccessible to any other legitimate Web user.'
"Interesting. If their bandwidth is consumed, then any servers nearby will also be inaccessible. That is www.sco.com has the IP address of 216.250.128.12 and ftp.sco.com has the IP address of 216.250.128.13 so the two servers are side by side, probably even on the same physical network hub/switch. Note that there is no room for a broadcast, etc., address - these servers are on the same subnet - i.e., on the same network device (hub/switch).
"Unfortunately for SCO, from Australia, ftp.sco.com is highly responsive. No bandwidth problems there that I can see - even though www.sco.com is still unavailable.
"The evidence then, is that their bandwidth is fine.
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
"I feel quite
Re:Full text: in case of slashdotting (Score:3, Funny)
all forms of LINUX too bad they are using UNIX
Re:Full text: in case of slashdotting (Score:3, Funny)
Coming up in 2006 release of openserver: SYN flood protection...
What's that, a pair of SCO branded scissors to cut the CAT5?
Re:netcraft (Score:5, Insightful)
The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. rather than admit it, they claimed a DoS attach.
Re:netcraft (Score:5, Informative)
You don't have to recompile Apache to make it not reveal OS. ServerTokens (AFAIR) Directive is for setting this. Rather you need to recompile kernels to spoof TCP/IP fingerprints that are used to reveal OS running on host.
Re:Full text: in case of slashdotting (Score:5, Funny)
Re:Full text: in case of slashdotting (Score:3, Funny)
Calling Blake Stowell "Mr. BS" just seems fitting somehow.
Re:Full text: in case of slashdotting (Score:3, Funny)
Re:Full text: in case of slashdotting (Score:3, Interesting)
Re:Full text: in case of slashdotting (Score:5, Interesting)
"An Intranet should be designed so that all traffic on that net can get to anywhere on that net. It's open; it's inside the citadel. You can look out, and pull data in from outside, but you don't let anyone straight in. Anything outside comes through another server - email to a mail server, or submitted to a webpage, like a GROKLAW post. These act as control points - outside the citadel.
Ok, now I am not making excuses for SCO, god no, but I like puzzles, and making pieces fit...
Is it possible that there really was an attack, but the attack originated from inside the SCO LAN? If so could this explain the internal problems that are being reported as well as the lack of bandwidth problems outside the router? Again, I am no expert at all in this regard, but just putting out a theory, that perhaps someone has attacked SCO from the inside....
You are incorrect. (Score:5, Insightful)
Most of the things you say you think you know here are simply not true, I'm sorry.
Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.
First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. if you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.
Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.
Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.
Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. only as long as it can keep up with the flood.. which when we are takling about gigabit speeds, is tough.
IN short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but tha'ts far more engineering and resources than many even very large companies throw at their stuff.
It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.
Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..
And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
Re:You are incorrect. (Score:5, Interesting)
That would mean that *if* a firewall was in front of the subnet that the ftp and www server was on, it was most assuredly not bogged down with syn's. Also, it means that the bandwidth wasn't an issue.
What options does that leave? An unprotected www server being syn attacked without exceeding the bandwidth of the link, or just an IT snafu. Either way its just poor network engineering.
I dont know if SCO was DOS'd (Score:3, Funny)
Connection refused.
Remember, do not go to www.sco.com/216.250.128.12 (Score:3, Funny)
DDOS..... (Score:5, Funny)
Re:DDOS..... (Score:3, Funny)
slashdotted already. (Score:5, Funny)
Groklaw certainly has just been
Cheers,
rob.
Fund Groklaw (Score:5, Insightful)
They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").
So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.
Re:Fund Groklaw (Score:5, Informative)
Groklaw is run by a chixx0r.
Re:Fund Groklaw (Score:4, Interesting)
Very strange is this; reported BEFORE it happened? (Score:5, Interesting)
Very strange is this; reported BEFORE it happened?
by Anonymous Reader on 2003.12.11 12:54 (#81456)
I see they have been playing this DDos Attack in the press. In fact, as near as I can tell, the stories about this ddos attack started appearing very early on. Most companies take some time to discover they have a ddos attack, and then to take the time to report it; the press also has lead time for a story to actually make it out the door and into print/web site/whatever.
The early and timely appearing of their "press" about it even while this attack was "underway", and through so many sources, leads me to ask this question; is it possible they contacted any press BEFORE this alledged attack even took place?!
Re:Very strange is this; reported BEFORE it happen (Score:5, Funny)
Groklaw, security expert? (Score:4, Insightful)
Re:Groklaw, security expert? (Score:5, Informative)
Silly grasshopper.
Security experts? (Score:4, Funny)
Security Expert: "Oh, so um, you claim malicious linux users who you wanted to sue are DDoSing your servers Mr. McBride? Well, let me get out my laptop and check it out."
*boots up linux distro of choice*
"Nope, doesn't look like it was that at all, sorry!"
*evil snicker*
SCO just doesn't quit (Score:5, Funny)
Re:SCO just doesn't quit (Score:4, Informative)
http://www.winntmag.com/Articles/Index.cfm?Articl
Re:SCO just doesn't quit (Score:3, Funny)
Next (Score:3, Funny)
Everyone looks at him,
Darl
ftp.sco.com (Score:5, Interesting)
But about 2 hours after the groklaw post, ftp.sco.com mysteriously went down too.
Just more ham handed FUD from Darl and friends.
Re:ftp.sco.com (Score:5, Informative)
Even more fishy: ftp.dev.caldera.com (216.250.128.14) was not mentioned in the post, but is on the same subnet as www and ftp.sco.com. Guess what? It's quite responsive at refusing anonymous logins. Plus, ftp.beta.caldera.com (.15), ftp.iso.caldera.com (.16) work just fine:That's a 0.9-second FTP session. Guess what else? Despite
Something doesn't add up.
You fail it. (Score:4, Interesting)
It is quite common for large or critical subnets to have multiple gateways for reliability or load distribution. Combine those gateways with Hot Standby Routing Protocol(HSRP) or Virtual Redundant Routing Protocol(VRRP) and you have very reliable gateways indeed.
Speculation for Nerds. Hardly matters. (Score:5, Insightful)
Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.
Re:Speculation for Nerds. Hardly matters. (Score:5, Informative)
No. (Score:4, Interesting)
If you have read the article, and still believe this, then it is you that suffers from a lack of technical knowledge.
it is total and absolute speculation at this point
No, it most certainly is not.
It is a logical conclusion, drawn from deductive reasoning.
From the evidence (machines on the same network, accessible through the same router and switch, are unaffected), we can deduct that at least some of SCO's claims (such as the bandwidth usage) are false.
This does not preclude the possiblity of a synflood attack, however the fact that a synflood would be prevented by a properly configured network means that SCO is either lying, or incompetant.
Re:Speculation for Nerds. Hardly matters. (Score:5, Interesting)
SCO's victim story doesn't add up, and it doesn't make sense.
Re:Speculation for Nerds. Hardly matters. (Score:3, Interesting)
It's pretty obvious that SCO's claim is shady at best.
Re:Speculation for Nerds. Hardly matters. (Score:3, Informative)
What really happened (Score:5, Funny)
And now you know the real story.
Can't see the FTP server (Score:3, Funny)
The ftp server seems inaccessible now. Maybe someone at SCO clued in "Joe! You forgot to unplug the FTP server! Quick, grab that cable..."
Maybe Valerie from The Princess Bride sais it best: "Liar! Liar! Liiiiaaaaaar!"
A great spin on SCO'isms if true. (Score:3, Insightful)
A Simple title like that would take the competency out of any IP lawsuite around simply on the grounds you couldn't tell what the company was telling the truth on or not. (Well, to geeks its easy to say they're lying, but this brings it to the forefront that any CTO/CIO or CEO would understand for that matter).
Has anyone been able to get any further comments from upstream providers or ISP's around them?
I wonder if i will ever see the code to smurf.c as "a special F**K you to SCO".. I always laughed when i saw the code and recognized old Fnet admins being the brunt, would be funny to see sco action (although, i'm with RMS - don't do anything illegal.. just keep on emailing them and expressing your opinions!)
DOS = easy excuse #1 (Score:3, Insightful)
Does anyone here care about SCO's troubles? (Score:3, Interesting)
The emergence of Linux has helped the careers/livelyhood of a lot of people here. I don't see SCO making any kind of similar contribution-which limits the degree to which they can expect the good Samaritan type behavior which enforcement of the law realistically requires.
Why are they faking a DDoS attack? (Score:5, Insightful)
Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.
Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.
And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.
Newspurge (Score:5, Insightful)
The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compell hearing (which wasn't SCO's finest hour. Read the transcript here [tuxrocks.com]. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to belive Boies is on a continguency (apparently that implies 'faith in the lawsuit').
Where is that now? Gone.
Instead we have stories about poor, poor SCO being attacked by those evil linux users.
How many companies release Press Releases about being under attack?! On the same day, no less!
Letter to Netcraft (Score:5, Interesting)
To: webmaster@netcraft.com
Subject: News on your front page
You have a news article about SCO's network downtime posted on your front page, claiming that SCO is the target of a DDoS attack. Due to availability of services on other machines on the same netblock, like the FTP protocol on ftp.sco.com (one IP address higher than www.sco.com), I question the veracity of your news article, and I felt that I should call this into question.
groklaw.net has information posted that you might find interesting, potentially leading to a revision of your news article. The page can be found at:
http://www.groklaw.net/article.php?story=20031210
Much of the information that I have read about this is available from them, as are some theories as to what is actually happening.
Thank you for your time,
TWX
Basically, if you doubt the truth of the "news" about SCO/Caldera's troubles, call it into question with those reporting it, especially those who are supposed to be some kind of authority to listen to.
I know how to DoS SCO.... (Score:3, Funny)
Maybe all just a DNS problem? (Score:5, Informative)
SCO Experiences Distributed Denial of Service Attack [sco.com]
It was suggested on the Yahoo BBS that perhaps this was a DNS IP transition that wasn't properly planned by the BOFH admin. Could that mean this website has been up and running all along on this new IP address?
SCO Grows Your Business [216.250.128.20] http.://216.250.128.20 vs the old address of 216.250.128.13?
Inquiring minds want to know! News editors are breathless waiting! Investors are fretting! BSD users dread being blamed next! The SLTPD and FBI need your assistance in tracking down the real SCO-flaws
Step 1 (Score:5, Funny)
Step 2: "Hackers" infiltrate SCO and maliciously make off with all of the supporting evidence for their suits against IBM. Sorry judge!
Here's how to test their claim (Score:5, Funny)
My theories: (Score:5, Funny)
-They took everything down to install MS Windows Advanced Server 2004
- The guy that took over for the sysadmin, after they fired him, tripped and spilled coffee all over the cisco rack. They're waiting for replacements, shipped Express.
- Daryl opened an attachment
Like I said before.. it wasnt a DOS (Score:3, Informative)
How conventient (Score:5, Interesting)
- They got an unfavorable ruling WRT discovery on Friday
- The world discovers Boies isn't so confident of SCO's case that he's willing to take the case on contingency. Boies is billing by the hour, he just stands to get a big bonus under certain conditions.
- Baystar/RBC isn't happy about the Boies deal, so they demand and get the power to veto certain courses of action.
- SCO has to delay their earning announcement by two weeks to screw around with the numbers.
Needless to say, SCOX stock price dives, and the lo and behold, an attack on SCO's website suddenly becomes the to SCO new item and buries all the other bad news. How fortunate!
There may be some truth. Our network may be a part (Score:5, Informative)
I don't have conformation that they were trying to hit SCO, but this headline jibes.
Re:There may be some truth. Our network may be a p (Score:4, Informative)
From the sysadmin: "Its's gotta be some 15 yo - he also tried going after google and anyone who knows anything knows that that'd be futile"
SCO isn't [completely] lying for once.
SCO tries to divert analysts from their court loss (Score:5, Interesting)
After trading as low as $15.10 intraday Monday, SCO shares closed down $1.32, or 8%, at $15.27.
Two events from Friday were feeding the selloff. First, SCO lost a motion asking IBM for source code. The court also ruled SCO must provide the code relevant to the case to IBM within the next 30 days. SCO shares closed down $1.32, or 8%, at $15.27. ...
Secondly, SCO on Friday postponed its fourth-quarter earnings report, initially scheduled for Monday ...
It worked, too. See SCO's chart. [yahoo.com] The stock dropped about 10-15% in moderately heavy Tuesday and Wednesday trading, but has since bounced back by about half that much.
Up And Down Again? (Score:3, Informative)
http://uptime.netcraft.com/perf/graph?site=www.sc
It wasn't a DDOS (Score:5, Funny)
Ha ha! (Score:3, Insightful)
Honest Dad, I didn't forget to put oil in it (as the father drains the pristinely-clean golden-colored oil from the locked up engine)...
Honest Dad, I had a blow-out (as the father examines the tire with a 4 inch puncture would that shows the core pushed inside the tire)...
Can you say busted?
SCO's next press release: (Score:4, Funny)
I am sorry but we are unable to provide the source code examples you have requested. These examples were stored on our web server and were lost in a recent DDoS attack on these servers.
By my reckoning, that means we win. Tell IBM to pay up.
-D. McBride
CEO, SCO Group
Groklaw contridicts itself (Score:5, Informative)
"So what about just the SYN flood? Well, even with patches, to successfully conduct a SYN flood you would tend to chew up available bandwidth anyway, which we aren't seeing. So I have quite strong doubts about the accuracy of this information.
He also claims that ftp.sco.com should be unavailable if the DoS attack were real.
However, near the bottom of the article, another user writes in:
"There are many types of DoS and DDoS attacks, each type targeting a different resource. Blake Stowell is confusing a SYN flood (an attack against the TCP port resource on a host) with a brute-force DDoS against a bandwidth resource. This simply demonstrates that BS is not a techie and that the difference has not been explained to him.
"Dear Mr. BS: . . . A SYN-flood attack probably consumes 1 Kbps or less. Everybody else in the known universe can communicate with all of your externally-visible machines except www.sco.com. If the (alleged) attack on www.sco.com has affected any other machines, your network is very poorly administered. I suggest you avail yourself of the vast array of of volunteer expertise that is ready to help any user of a Linux system.
This suggest to me that SCO didn't explain correctly the type of attack it's under, especially in saying 'all bandwidth was consumed' when perhaps they meant 'all server resources were consumed'
However, I make no statements whether the DoS attack is real or fabricated- I see either as likely.
A couple of points not covered above (Score:4, Interesting)
The claims of Boies taking the case on contigency is one of the major reasjons for the SCOX market capitalizion to incerease by 20x since he was hired. (SCO is extremely dependent on their inflated stock price for survival)
2: SCO actually paid a PR firm to distribute their press release about the alleged attack - this might be a first by any company.
Now put 1 and 2 together and you get both a motive (get attention away from the Boies deal), and a method (fake a ddos attack, pay for a press release to be distributed).
Linux users are terrorists!!!!WTF! (Score:4, Informative)
Perhaps (Score:4, Funny)
For those with too much time on their hands! (Score:3, Interesting)
216.250.128.7 ftp-rsync.sco.com
216.250.128.9 lists.caldera.com
216.250.128.12 www.sco.com
216.250.128.13 ftp.sco.com
216.250.128.14 ftp.dev.caldera.com
216.250.128.15 ftp.beta.caldera.com
216.250.128.16 ftp.iso.caldera.com
216.250.128.17 ftp2.sco.com
216.250.128.32 colonet.caldera.com
216.250.128.33 artemis.caldera.com
216.250.128.35 apollo.sco.com
216.250.128.37 stage.caldera.com
216.250.128.44 colofailover1.caldera.com
216.250.128.45 colofailover2.caldera.com
216.250.128.46 cologw.caldera.com
216.250.128.47 colobcast.caldera.com
216.250.128.64 vultusnet.ut.sco.com
216.250.128.65 medusa.ut.sco.com
216.250.128.66 minotaur.ut.sco.com
216.250.128.67 sphinx.ut.sco.com
216.250.128.69 pegasus.ut.sco.com
216.250.128.70 cyclops.ut.sco.com
216.250.128.71 griffon.ut.sco.com
216.250.128.72 chimaera.ut.sco.com
216.250.128.194 public.sco.com
216.250.128.197 register.sco.com
216.250.128.198 authentica.caldera.com
216.250.128.199 sonic.ut.caldera.com
216.250.128.200 vupdate.sco.com
216.250.128.210 bosshog.j2.net
216.250.128.215 openwbem.caldera.com
216.250.128.220 scoxweb.sco.com
216.250.128.221 scoxdb.sco.com
216.250.128.222 scoxdemo.sco.com
216.250.128.225 zeus.ut.sco.com
216.250.128.235 www.vultus.com
216.250.128.236 data.vultus.com
216.250.128.237 bugzilla.vultus.com
216.250.128.238 mardon.ut.sco.com
216.250.128.241 linuxupdate.sco.com
216.250.128.245 uw713doc.caldera.com
216.250.128.246 ou800doc.caldera.com
216.250.128.247 docsrv.caldera.com
216.250.128.248 locutus3.calderasystems.com
216.250.128.251 ntop.ut.caldera.com
216.250.128.253 fgw.calderasystems.com
216.250.128.254 c7-gw.calderasystems.com
This is Caldera... (Score:3, Funny)
Hello, is this mike on.. hello....
Backscatter (Score:5, Informative)
If you monitor a few tens of thousands of unused IPv4 addresses, you can observe most DoS attacks involving randomly spoofed addresses. You just listen for backscatter [samsi.info] ((sorry, no better resource appears to be available). These packets are created by the victim server when it tries to answer to requests that have been spoofed from your address space. Some people even keep statistics of that noise.
And guess what? Yesterday and today, there was plenty of backscatter from 216.250.128.12. Why was ftp.sco.com suddenly offline today? Well, beginning around 2003-12-11 10:49 UTC, you could observe backscatter from 216.250.128.13, too. Unless SCO is deliberately forging backscatter (and if they are, they are doing a pretty good job at it, it looks very much like the real thing), they were under attack, yesterday and today.
Con job or cron job? (Score:5, Funny)
That way Darl doesn't even have to climb out of his lawyers' lap, where he spends the day happily napping and dreaming of Linus as his shoe shine boy.
SCO's defense (Score:4, Insightful)
Re:HMMM Verry interesting (Score:3, Insightful)
That, or the Dow [yahoo.com] went down yesterday and is up today though about 1pm.
-t
Re:Did this really need a seperate story? (Score:5, Informative)