Let's collect this

Posted Dec 10, 2003 23:30 UTC (Wed) by vblum (guest, #1151)
Parent article: SCO press release on DDOS attack

Let's collect the facts from the thread:

- SCO claims publicly that their website, "intranet", etc. were disabled; focuses on "intranet" in the subtitle(!) of the press release - this is not an afterthought.

- A "syn attack" was seemingly never heard of. Their system (running Linux) should not be vulnerable to a "syn flood attack".

- It is not understandable how a defacement of the company web server should affect the company's intranet. Within five minutes, the attack from the internet should be stopped by pulling the plug.

- Furthermore, the SCO web site does not seem to be hosted by SCO. Unless they run their intranet externally also, there can be no connection.

- Their ftp and mail servers are up and running throughout the claimed attack.

- Netcraft shows no problems until (well, allegedly) SCO themselves pulled the plug.

By all this evidence, at least the press release is inaccurate / not technically sound. Some of SCO's claims can be proven wrong.

However, an outage of the intranet, potentially over multiple days, makes it impossible to find out which code from Unix was lifted into Linux (assuming that the missing MIT mathematicians cannot be found, and the diff must be run again). Enough to sign an affidavit, and present to the judge on Jan 23?

If they do that, they're up for criminal charges, I hope.

I cannot resist, but excuse me for now:
Now, aren't we lucky that the attack did not originate from Debian, Gentoo, and Gnu project servers ... one might have thought that the copyright bandits had targeted valiant SCO again, no?


Let's collect this

Posted Dec 11, 2003 0:15 UTC (Thu) by jhardin (guest, #3297)

> Furthermore, the SCO web site does not seem to be hosted by SCO.
> Their ftp and mail servers are up and running throughout the claimed attack
> Netcraft shows no problems until (well, allegedly) SCO themselves pulled the plug.

The last time SCO claimed a DoS on their website (the Eric Raymond brouhaha) ISTR someone contacted their ISP and asked whether a DoS was actually underway, and the ISP said No.

Somebody needs to contact SCO's ISP and get them on the record saying whether there was or was not a DDoS underway.

Let's collect this

Posted Dec 11, 2003 0:30 UTC (Thu) by nowster (subscriber, #67)

According to tcptraceroutes I've done, their ISP is doing the blocking of packets going to www.sco.com at their border routers (the ones which interconnect with other ISPs). This could indicate a DDOS prevention exercise on the part of their ISP (XO Communications).

The reasoning behind doing this is that the ISP will have a bigger pipe to the outside world, and will be able to take the DDOS hit more easily than the DDOS'd customer's pipe could.
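The check described in the comment above, comparing a tcptraceroute to a reachable host with one to the filtered host to see at which hop packets stop, as an added example that is not part of the original thread. The traceroute output, router names and addresses below are constructed (RFC 5737 documentation ranges), not real SCO or XO data.

```python
import re

# Constructed sample tcptraceroute output; hypothetical hostnames and
# documentation IP addresses, NOT real SCO / XO Communications data.
BASELINE = """\
 1  gw.example.net (192.0.2.1)  1.2 ms
 2  core1.example-isp.net (198.51.100.1)  10.4 ms
 3  border1.example-isp.net (198.51.100.9)  20.7 ms
 4  cust-edge.example-isp.net (198.51.100.17)  31.0 ms
 5  ftp.example.com (203.0.113.21) [open]  33.5 ms
"""

BLOCKED = """\
 1  gw.example.net (192.0.2.1)  1.3 ms
 2  core1.example-isp.net (198.51.100.1)  10.1 ms
 3  border1.example-isp.net (198.51.100.9)  20.9 ms
 4  * * *
 5  * * *
 6  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")
SILENT_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(output: str) -> list:
    """Return a list of (ttl, hostname); a '* * *' hop yields hostname None."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
        elif SILENT_RE.match(line):
            hops.append((int(SILENT_RE.match(line).group(1)), None))
    return hops


def locate_block(baseline: str, blocked: str) -> dict:
    """Find the last hop that still answers on the blocked path and, using the
    baseline path to the same network, name the hop that should have come next.
    If a further ISP hop was expected, the filter sits upstream of the customer."""
    base_by_ttl = {ttl: host for ttl, host in parse_hops(baseline)}
    last_host, first_silent = None, None
    for ttl, host in parse_hops(blocked):
        if host is None:
            first_silent = ttl
            break
        last_host = host
    expected = base_by_ttl.get(first_silent)
    return {"last_responding": last_host, "first_silent_ttl": first_silent,
            "expected_next": expected, "upstream_filter": expected is not None}
```

The verdict is only as good as the baseline: the two targets must share the ISP path up to the customer edge, as ftp and www did in this thread.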

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds