SCO Not Lying About DoS Attack 615
Licensed2Hack writes "The Cooperative Association for Internet Data Analysis (CAIDA), part of the San Diego Supercomputer Center at the University of California, San Diego has an analysis of the recent DDOS on SCO.com. Netcraft also has more information in their article and analysis graphs. Seems SCO was hit with a 50,000 packet-per-second SYN flood peak, which yields approximately 20 Mb/s each way, or about the capacity of a DS3 line."
awwww... (Score:5, Funny)
Oh come on (Score:5, Funny)
Shoes (Score:5, Insightful)
Re:Shoes (Score:5, Insightful)
I am as anti-SCO pro-Linux anti-MS as any other
This should be modded up to at least neutral.
Re:Shoes (Score:4, Insightful)
Re:Shoes (Score:5, Interesting)
They can't complain too much (Score:5, Insightful)
The damage they have caused companies involved in Linux far outweighs a bit of network outage, unless they suffer a major loss, since statistics say 80% of businesses that suffer a major outage go out of business within two years. We can always hope.
Link to 80% statistic [zdnetindia.com]
SCO MIRROR (Score:5, Funny)
Oh never fear, I have a mirror up [scumgroup.com], what's the big deal
This is more bullshit from SCO (Score:5, Interesting)
After 24 hours the main argument that SCO was faking this was that their ftp server was up. It was very common knowledge and you can be absolutely certain the hacker was reading the news about the hack. What happened then? Suddenly the attack slowed to the main server and it started up with double intensity to the ftp server! Look at the damn graph and see what other conclusion you can think of.
Any Leet SCO-hating fanatic would have doubled the attacks on the main server, or perhaps attacked every machine *except* the ftp site. That would have been the most clear "I hate you SCO and I'm going to mess with you as much as possible" attack. If they hated SCO they would want their attack to match the insults being directed at SCO as much as possible.
Instead the attack suddenly switched to be as exactly as possible a refutation of the publicity about the attack.
There is no question what the motives of the "attacker" are. And it is absolutely disgusting that SCO can get positive publicity for this nasty little stunt.
Re:Oh come on (Score:4, Funny)
Re:Oh come on (Score:5, Funny)
That doesn't mean you need Windows Media Player to watch it. I just watched it on MPlayer. It's pretty funny in some spots. I like when McBride says "We can look forward to a world that is not free." I think they should make that their company slogan.
just another PR trick (Score:5, Funny)
Re:just another PR trick (Score:5, Funny)
Re:just another PR trick (Score:5, Insightful)
Re:just another PR trick (Score:4, Funny)
Correct, except for the fact that the "R t" bit is superfluous. Apart from that, you've got Darl to a tee, my son...
Re:just another PR trick (Score:5, Interesting)
Re:just another PR trick (Score:5, Insightful)
How anyone could see PR value in this is beyond me.
The opinions that matter to SCO are those of the people who control the purse strings at companies who use Linux heavily. They are not about to jack in Linux/pay up because some script kiddies were playing games.
It just doesn't make sense that a company would fake a DDoS attack.
Re:just another PR trick (Score:5, Insightful)
I have no evidence that Groklaw is missing tricks due to bias. It's just a worry of mine. The "SCO must be lying" bias at Groklaw and here is unmistakeable, however.
Re:just another PR trick (Score:5, Insightful)
All this happens, and then SCO suddenly becomes 'victimized by all these EVIL Open Source people', virtually guaranteeing the press won't report on SCO's other misfortune because it's 'unimportant' compared to this. Moreover, they get to make Open Source people look like terrorists and bad people, and try to make it look like people should not be using software developed by these 'evil people'.
Re:just another PR trick (Score:5, Insightful)
I know there are "Open Source people" who could and/or would stoop so low as to mount a DDoS attack on SCO. However, the fact that SCO's site isn't getting DDoSed all the time is a fairly good indicator that this 'undesirable element' is in the minority. There's a few of these kinds of jackasses in any crowd, and I wouldn't be surprised if SCO unknowingly had one or two in their midst.
Re:just another PR trick (Score:4, Insightful)
If they know all of this.... (Score:5, Insightful)
Jaysyn
Re:If they know all of this.... (Score:5, Informative)
Actually, it goes deeper than that (Score:5, Informative)
So you can use even a secure (but not 100% properly configured) server to launch an attack with... Interesting stuff.
Re:Actually, it goes deeper than that (Score:5, Informative)
They spoof the destination IP and change it to the IP of the target to be attacked and all those webservers (usually ~40,000) respond at once to the host, essentially knocking it offline.
That wouldn't really be a SYN attack, as the response packets would have SYN and ACK set. It would also be much easier to protect against, as these bogus SYN/ACK packets could be dropped. But most importantly, there wouldn't be any backscatter, and certainly not the backscatter that CAIDA was seeing.
So you can use even a secure (but not 100% properly configured) server to launch an attack with...
Improperly configured so as to be able to launch an attack isn't secure. But, I'm really not sure how you could configure a machine not to respond to HTTP requests, anyway. Fortunately, as I mentioned above, this type of attack is much easier to ignore than a true SYN attack.
Re:If they know all of this.... (Score:4, Informative)
Maybe nowhere. The analysis methodology used could be spoofed by SCO by them running a program on their respective servers that sends out SYN-ACK and SYN-RST to random IP addresses.
CAIDA would just assume it's a real DDOS attack. Remember "backscatter analysis" analyzes the response from the "target" site. They don't see and cannot prove the existence of the actual SYN flood.
Nelson said it best. (Score:5, Funny)
SCO Not Lying? (Score:5, Funny)
Re:SCO Not Lying? (Score:5, Funny)
It leaves one to wonder... (Score:3, Interesting)
Bandwidth (Score:5, Interesting)
And how, exactly, would you prepare for this? Ignoring syn-floods is very simple when it comes to keeping your server alive, but how do you deal with the bandwidth saturation?
The "each way" would indicate the syns were being replied to (dumb), but they still would have clogged the pipe.
My question is how this is possible without killing the bandwidth of other servers on the subnet, namely ftp.sco.com and others? That was the original reason for the conclusion that SCO was lying, and I've yet to see something that refutes it.
The other question, of course, if it was a DDOS, who did it? A group, or one person slaving many connections? Maybe somebody with a DS3 or two available to spare?
With the last two, one would think that the outgoing results of such an attack would be noticed?
Also, again with the main argument that the ftp was online whilst the www was offline... why does the article say the FTP was down (and first to be attacked)??
Re:Bandwidth (Score:5, Interesting)
What bothers me about the whole incident is that we just have one confirmation that there was a 32 hour attack on SCO.
Just where are all the zombies? What OS were they running? What vulnerability on the zombies was exploited? Where are the rest of the confirmations that this was a DDOS?
Answers to the above questions were flying all over the 'net when Microsoft was DDOSed, where are they now? I know more people hate Microsoft than SCO, but the people with the tools to detect the DDoS attacks are vendor neutral.
An interesting quote from CAIDA:
"Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packet-per-second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had reduced considerably to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. At 10:40 AM PST, SCO removed their web servers from the Internet and stopped responding to the incoming attack traffic. Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST."
So not only did the ISP filter the traffic for the ftp servers, it seems to have mirrored the ftp server, since I was able to explore the ftp site and also download an ISO: SCOX Dev CD [sco.com]
So the Bandwidth to the DDoSed ftp server either was not saturated, or the ftp server was not DDoSed, or maybe, just maybe, it was an inside job!
Backscatter from where? (Score:5, Interesting)
Also, I thought most zombie machines were compromised MS boxes. Are there networks of thousands of 0wned linux boxes out there that script kiddies are nuking each other with?
Waiting for enlightenment...
Re:Bandwidth (Score:5, Informative)
Wastes bandwidth sending the replies back, and wastes resources on the host making and sending the replies. Once you've determined a DoS is underway, drop the offending packets and be done with them.
The whole point of a DDOS is that you can't recognize which packets are the offending ones. Sure, at some point a human is going to look at the situation and say, OK, we're going to shut down this machine until the DDOS has subsided, but it would be stupid to shut down a machine automatically whenever you're getting attacked.
Wasting bandwidth is irrelevant if you're going to shut down the machine anyway.
Re:Bandwidth (Score:4, Funny)
Given the amount of crack they must go through on a daily basis, I'm sure they have a huge collection of pipes.
Oops. (Score:3, Funny)
bad for open source (Score:3, Insightful)
Re:bad for open source (Score:5, Insightful)
You don't win arguments by silencing your opponent (which is what DDoS is), you win them by being right. All evidence so far is the OSS community is right.
Whoever launched these attacks has made everybody look bad. Annoying SCO isn't going to make them say "Hey! Let's be nice now!". Their business model is now suing people. It's not as if their software was selling much.
If you're reading this DDoS dude, don't do it again, mmkay?
Re:bad for open source (Score:5, Insightful)
Are you making an assumption that an open source developer is responsible for the DOS attack against SCO? Should the open source community be viewed as guilty until proven innocent?
Hopefully no one in the open source community is involved in the most recent DOS attack against SCO or any other attacks against SCO's network infrastructure. Let's think of the open source community as innocent until proven guilty beyond a reasonable doubt.
Re:bad for open source (Score:3, Insightful)
Did OS developers launch it? Possibly, but my guess is no.
Maybe IBM zealots did. Maybe a bunch of l33t kiddi3z who are following the SCO proceeding thought it would be k3wl to do it. Maybe a Fortune 500 company who doesn't want to pay the licensing fees did it.
Maybe they are just inept enough to leave themselves open to this, so anyone could've done it.
Why? (Score:5, Insightful)
I have little doubt that they were attacked. What seems strange to me though is that they were entirely giddy over the affair. They even went as far as issuing press releases about it. I haven't heard of any company that jumps to release PR about DDOS attacks so quickly. When forced to explain reports of DDOS attacks, a company may release a statement that clears the issues. But the first reports of these attacks came from SCO themselves. This is what raised suspicion, justifiably.
But people shouldn't jump to conspiracy theories so quickly. Doubt of their veracity, sure? Conviction that they are lying--not justified.
Who cares? (Score:5, Insightful)
Re:Who cares? (Score:5, Funny)
Why Nothing Should be Done... (Score:5, Interesting)
Of course, I am of the paranoid type who assumes that SCO would stage a DDoS against themselves just for the publicity, so what the hell do I know?
Comment removed (Score:4, Insightful)
It's funny, laugh. (Score:5, Funny)
It's tough out there ya know (Score:5, Interesting)
Re:It's tough out there ya know (Score:5, Interesting)
For proof, look around /., they aren't that hard to find.
Responsible FOSS people are not responsible because they support FOSS, that was very likely a pre-existing condition.
And FOSS does have allure to children, or the child-like. The underdog, oppressed group, challenging traditional and accepted practice.
If they are not sophisticated enough to understand the reasons behind FOSS, why should we be surprised if they are unsophisticated enough to engage in irresponsible behaviour?
Too often the FOSS movement seems to highlight those aspects of itself which attract this element. We too rarely emphasize the responsibility inherent in FOSS. The responsibility to contribute, the responsibility to report bugs, the responsibility to respect other's choices as we wish them to respect ours.
Do we really want these people identifying themselves with our movement? I suspect not, but until we stop accentuating the us against big corporations et al., and start accentuating some of the more mature aspects of what we stand for (which are at least as compelling as the other reasons...) we will continue to attract these people, and they will continue to make us look like children.
I don't know any more about this specific incident than any of you, and I hope none of you reading this know any more than I do... There is no reason to believe that some FOSS advocate perpetrated this, but it is apparent from some of the sentiments expressed that people are considering the possibility and lamenting it, if it turns out to be true. If it does, we need to consider what we can do to make our movement less appealing to the irresponsible.
So they're just incompetent then? (Score:5, Insightful)
Or to put it another way, they weren't lying, they're just stupid?
Re:So they're just incompetent then? (Score:3, Informative)
In other news... (Score:5, Informative)
SCO What.. (Score:5, Insightful)
With SCO there is just no telling if this was a PR stunt, if they set this up or if they really got attacked.
At this juncture, I don't think it really matters because of the simple fact we don't know what SCO is up to and with everything going on we have lost faith in SCO.
Attack or no attack is a trivial question compared to what we really know about SCO and their business practices.
SCO freaking what!
"SCO Not Lying " (Score:5, Funny)
That really says something... (Score:4, Funny)
Correct URL (Score:5, Informative)
still doesn't explain everything. (Score:5, Insightful)
Re:still doesn't explain everything. (Score:3, Interesting)
Maybe there wasn't actually any syn packets... how hard would it be to make 700 Million ACKs with random destinations and sequence numbers? Doing so would only claim half their bandwidth, leaving them still up but able to cry loudly about being knocked offline by a SYN flood.
Re:still doesn't explain everything. (Score:3, Insightful)
The actual number of packets they were receiving could have been much higher.
Pierre
If they are actually telling the truth, ... (Score:5, Insightful)
The cause that fits much better with their general operating pattern is that they purposely left themselves open to this attack to present themselves as the poor, innocent victims of the evil, Constitution-burning, enemy combatant, Open Source villains.
I'd buy that one.
ftp? (Score:3, Informative)
There's some pipe sizes I wouldn't mind having explained. Nice diagram of how one side filled up and the other didn't? Completely separate, and people are just dolts?
It's an honest question, I swear.
Re:ftp? (Score:5, Interesting)
Even with a SYN flood, there should have been a ramp up period of increasing latency, not an "on/off" situation.
Re:ftp? (Score:4, Informative)
Let us assume that the resolution of Netcraft's measurements is 1 minute, hell, make it 10 seconds. How long do you think it takes for an average zombie machine to start churning out syn packets at full speed? I'd say after maybe a second or two, and I'm being generous. There's a >90% chance the zombies are all receiving commands through IRC or a similar set-up; this adds maybe 2 to 3 seconds to the response time. All in all it's fair to assume that within 5 seconds of the attacker's push of the button all zombies will be spewing syn packets at their maximum rate.
So in conclusion: any attacker with a sufficient amount of zombies can push enough traffic into any network to saturate its bandwidth constraints within a mere *5* seconds. There is no reason *at all* why an attack like this should always look like a slow (1 - 10 minute) degradation of network performance; it can be done close to instantaneously.
Of course depending on your relation with your backbone provider you can always try to block it higher-up. Although, don't be surprised when some attackers actually saturate gigabit links...
-- Witty saying #52; 404: file not found
Yes but one fact remains (Score:5, Interesting)
If their servers died from a synflood attack, there are 3 possible reasons:
- The IT guy is a monkey (likely, but still, he would have to be a really daft monkey)
- The IT guy has time-travelled from the mid-nineties and didn't know about synfloods
- The IT guy was told to compile a kernel without the synflood protection, so that Caldera/SCO would look like the poor company hit by naughty hackers.
Also, I might add, there is another aspect to consider: whoever hit SCO with a synflood attack has either:
- the brain of a monkey
- time-travelled from the end of the nineties and attacked SCO with what he thought was a really cool unbeatable DoS
- been told to attack SCO so that SCO looks like the poor company hit by naughty hackers.
Conclusion: The cause of this DoS was either:
- 2 particularly stupid monkeys
- 2 time-travellers
- 2 suckers paid by SCO
Dunno for you, but I know where my money would go if I had to bet
Re:Yes but one fact remains (Score:4, Funny)
Re:Yes but one fact remains (Score:4, Insightful)
I would personally go with 1 particularly stupid monkey and 1 sucker paid by SCO.
Re:Yes but one fact remains (Score:5, Funny)
Then again, it's not nice to always blame Darl.
Dogg
Re:Yes but one fact remains (Score:5, Funny)
- the IT guys had left the building a few months ago.
---
Re:Yes but one fact remains (Score:5, Interesting)
Anyway, this is my analysis. When only the WWW server was targeted, the flow was not enough to saturate the link, but there was no syn protection in front of the www server (or poorly configured, or something along those lines). Mainly because the FTP site was still up and running on the same subnet. But from the report, later on the FTP server was also attacked, bringing total bandwidth up even higher, possibly killing the link.
So quite obviously the www server was not protected from SYNs, nor was the link fully eaten up by these packets, since the ftp server was responsive until it became a target, and these reports mention that the amount of traffic significantly increased when the ftp attack was launched.
There's very little to be done about a DDoS if it can saturate your link, but in this case it wasn't completely utilized (at least until the ftp attack started), and the www server just wasn't getting adequate protection (many firewalls have syn attack thresholds where they will age out syn connections extremely fast and only pass on ones that complete to the server).
Anyway, just the analysis of a college kid.
Re:Yes but one fact remains (Score:5, Interesting)
What no one else has mentioned, however, is how SCO came up with those fake signs when the protesters came--you know, the ones associating Linux and communism, which you can find photos of on Groklaw--I mean, I have no proof of anything, nor do I accuse them without proof, but I cannot put self-sabotage beyond them any more. It's not like they haven't done things of this nature before.
Their willingness to use it as PR is also troubling. How ironic, though, that we'd criticize someone for coming clean about an attack when so many who study security wish that companies were more forthcoming about them. On the other hand, this is a DoS attack--no confidential information is at stake--so this is just the sort of attack they probably need not mention...
My guess is that they plan to use this to (attempt to) discredit IBM in the courtroom. First, presume that someone in the OS community did it (proof not required?), associate IBM and OS, then claim that IBM is part of a conspiracy against them (they already have, actually, in their briefs--I could be mistaken, but I thought that it was one IBM moved to strike since they didn't even state it with particularity [e.g. didn't say who IBM had conspired with])
Even so, I'm reasonably sure that SCO cannot prevail in the courtroom, especially given how McBride claimed to be expecting the outcome of the last hearing over discovery. So we're pretty sure that SCO won't prevail in the lawsuit--indeed, the counterclaims from IBM may well be the end of them--and we can be pretty sure that IBM won't just buy them out (bad precedent). It could be a Pump & Dump--I've seen others who think that someone is painting the tape (trying to keep SCOX share prices up)--but the SEC, at least so far, doesn't appear to think so.
I just wonder if there's some other "win" scenario wherein SCO doesn't actually win the lawsuit or much of anything else.
Here's a thought--albeit one terrible, completely, utterly and totally speculative unsupported by any solid evidence--what if SCO's entire purpose here is to discredit Open Source? In that scenario, they don't have to "win" anything--just make sure that we suffer as much as possible while they go down...
Oh well, I'm not sure how much Darl can hold on. They postponed the earnings report, which the Motley Fool lists as a textbook showing of internal strife. The lawyers and the banks are jockeying for position over the remains of SCO should it lose, according to their agreements which you can find on Groklaw. The court has gone soundly against them thus far in the discovery hearing. It's practically game over if the share price drops low enough, for any reason, according to more agreements with RBC.
I wonder if Darl can keep it together long enough that SCO even exists for the remainder of the lawsuit, given that it'll take some time?
Only time will tell.
DS3 Line stats (Score:5, Informative)
DS3 Line = 44.736Mbps for those of you who need a definition
Then please explain (Score:3, Interesting)
Re:Then please explain (Score:5, Informative)
Provided that the bandwidth to the load balancer did not get saturated in the DDoS, and the attack was targeted at a specific IP, then it is perfectly possible for adjacent IPs to be fine. I and several others pointed this out as a possibility in the original story and either got modded to oblivion or called idiots for it. C'est la vie.
Still doesn't make sense ? (Score:5, Interesting)
Re:Still doesn't make sense ? (Score:4, Interesting)
But to give you a more specific reply, rather than the general one. Assume that SCO has two load balancers, one on 216.250.128.12 and the other on 216.250.128.12. Behind one IP is a cluster of web servers on 10.1.0.x and behind the other a second cluster on 10.1.1.x. Each cluster is in a different data center for resilience. This is a fairly typical setup (my employer uses this on its Intranet, only we have three sites). Now someone launches a DDoS SYN attack against 216.250.128.12, but while the total traffic does not flood the network connection, the amount of SYNs arriving is either enough to down the load balancer, or takes out the webservers behind. You will see precisely the effects we got with SCO: adjacent IPs up, the web server down and SCO screaming blue murder.
Of course, as I said before, that's just supposition based on what's being said and how things can work. It's still entirely possible a significant part of SCO's claims are not exactly what happened, of course.
Silver Lining? (Score:5, Interesting)
Again, even when SCO shows a shred of the truth, it only reveals they're either incompetent or unethical.
"SCO Not Lying" (Score:5, Funny)
denial is the most predictable of human emotions (Score:5, Informative)
Yes, SCO are pretty low on the karma totem, however the 'experts' quoted on groklaw, as well as the far more numerous 'experts' who replied that yes they must be faking it .... were drawing their speculations on very little data.
If you cared to measure you sure didn't need to be CAIDA, many snort, pf and netfilter logs are showing the backscatter of this attack.
And to all the experts who've been holding that a large synflood is easy to fix by blocking the attacker IPs: get a fscking clue.
Both syn and bandwidth attacks use forged addresses children (which is why there is backscatter), each incoming syn is from a random IP, the ack goes to the forged addr, not the originator.
The best way I've seen to handle this involves sensors at enough upstream locations to measure the packet count ratio skewing which results. This isn't generally deployed.
Now technically SCO could probably manage to forge that kind of data (just send out all the expected response traffic) but again there are enough sensor platforms out there now that such a deception would certainly be unmasked eventually.
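The backscatter method that this post and the earlier "Re:If they know all of this...." reply describe can be shown in code: a passive monitor on an unused prefix sees the victim's SYN-ACK/RST replies to forged sources that happened to fall inside that prefix, and the size of the prefix gives the scaling factor for the whole attack. This is an added example, not CAIDA's tooling; the log format, the /8 telescope and every address are constructed.

```python
"""Backscatter analysis over a constructed network-telescope log.

A SYN flood uses forged, random source addresses, so the victim's SYN-ACK
(open port) or RST (closed port) replies are sprayed across the whole IPv4
space.  A passive monitor on an unused prefix (a "network telescope") sees
the slice of those replies whose forged source fell inside its prefix, and
the slice size lets us estimate the full attack rate.  All addresses, the
log format and the telescope size here are constructed for the example.
"""
import ipaddress
import random
from collections import defaultdict

# Constructed telescope: an unused /8 sees 1/256 of uniformly random addresses.
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies a host sends to a SYN it never asked for


def telescope_fraction(net):
    """Share of the IPv4 space the telescope covers (1/256 for a /8)."""
    return net.num_addresses / 2 ** 32


def parse_line(line):
    """Parse 'ts src:port > dst:port FLAGS' (constructed format) into (ts, src, dst, flags)."""
    ts, src, arrow, dst, flags = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
    return float(ts), src_ip, dst_ip, flags


def analyze(lines, telescope=TELESCOPE, min_unique_dsts=20):
    """Group unsolicited SYN-ACK/RST packets by sender and extrapolate the flood rate.

    Returns {sender: {"packets", "unique_dsts", "observed_pps", "estimated_pps"}} for
    every sender whose replies reached at least min_unique_dsts distinct telescope
    addresses; fewer distinct targets looks like a scan or a real conversation,
    not the response pattern of a flood with random forged sources.
    """
    by_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "first": None, "last": None})
    for line in lines:
        ts, src, dst, flags = parse_line(line)
        if flags not in BACKSCATTER_FLAGS or dst not in telescope:
            continue  # SYNs, plain ACKs, or traffic not aimed at the telescope
        rec = by_src[src]
        rec["packets"] += 1
        rec["dsts"].add(dst)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    report = {}
    for src, rec in by_src.items():
        if len(rec["dsts"]) < min_unique_dsts:
            continue
        window = max(rec["last"] - rec["first"], 1.0)  # treat sub-second bursts as one second
        observed_pps = rec["packets"] / window
        report[str(src)] = {
            "packets": rec["packets"],
            "unique_dsts": len(rec["dsts"]),
            "observed_pps": observed_pps,
            # Only 1/256 of forged sources land inside a /8, so scale the observed rate up.
            "estimated_pps": observed_pps / telescope_fraction(telescope),
        }
    return report


def sample_log(seed=7):
    """Constructed capture: one second of a victim's backscatter plus unrelated noise."""
    rng = random.Random(seed)
    victim = "203.0.113.80"  # constructed victim address (TEST-NET-3)
    lines = []
    for i in range(200):  # 200 replies into a /8 in one second -> ~51,200 pps overall
        dst = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        flags = "SA" if rng.random() < 0.9 else "RA"  # mostly an open port answering
        lines.append(f"{1000.0 + i / 199:.6f} {victim}:80 > {dst}:{rng.randrange(1024, 65536)} {flags}")
    # A port scanner sending SYNs into the telescope is not backscatter (flag S is ignored).
    for i in range(30):
        lines.append(f"1000.{i:02d}0000 198.51.100.7:40000 > 10.1.2.{i}:22 S")
    # A host resetting three stray connections: too few distinct targets to be a flood.
    for i in range(3):
        lines.append(f"1000.5 203.0.113.9:443 > 10.9.9.{i}:5000{i} RA")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for src, stats in analyze(sample_log()).items():
        print(src, stats)
```

The estimate is only as good as the assumption that forged sources are uniform; an attacker using a narrow source range, or a victim whose own address happened to fall into the telescope, skews it.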
20MBit/sec is not a DS3 line (Score:5, Informative)
(so 20 is about 44% utilized)
Cry Wolf (Score:5, Interesting)
That [groklaw.net] is [slashdot.org] what [theregister.co.uk] one [cbronline.com] gets [forbes.com] when [groklaw.net] one [groklaw.net] keeps [groklaw.net] crying [groklaw.net] wolf [sco.com]!
Unfortunately, the number of words in that sentence did not exhaust the immense volume of even the big lies told by SCO.
I hope the wolf is IBM.
Preventing SYN attacks using a Cisco router (Score:5, Informative)
Configuring a Cisco perimeter router to prevent SYN flood attack against web server:
(config)#access-list 151 permit tcp any host
(config)#ip tcp intercept list 151
(config)#ip tcp intercept mode intercept
With intercept mode enabled, all incoming SYNs are held by the router, which proxy-answers with a SYN-ACK. It won't forward to the server if the ACK is not received.
http://www.cisco.com/en/US/products/sw/secursw/
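Cisco's TCP intercept holds each half-open connection on the router and ages it out aggressively; the SYN-cookie variant below does the same proxy job with no per-SYN state at all, which is why a forged-source flood cannot exhaust it. This is an added example in Python, not the router feature or any vendor code; the packet model, key, tick size and addresses are constructed.

```python
"""Stateless SYN proxy using SYN cookies (constructed example).

The proxy answers every incoming SYN with a SYN-ACK whose initial sequence
number is a keyed hash of the connection 4-tuple and a coarse timestamp.  It
keeps no half-open state; a connection is admitted (handed to the real
server) only when an ACK arrives carrying that number plus one, which a
flood from forged sources never produces.  Key, addresses and the packet
model are constructed for the example.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass

COOKIE_SECRET = b"constructed-example-key"  # a real device uses a random, rotated key
TICK_SECONDS = 64                           # cookies stay valid for roughly one to two minutes
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Tcp:
    """Minimal TCP segment: 4-tuple, flag string ("S", "SA", "A"), seq/ack numbers."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int = 0
    ack: int = 0


def syn_cookie(src, sport, dst, dport, tick, secret=COOKIE_SECRET):
    """32-bit cookie: truncated HMAC over the 4-tuple and the time tick."""
    msg = f"{src}|{sport}|{dst}|{dport}|{tick}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


class SynProxy:
    def __init__(self, secret=COOKIE_SECRET):
        self.secret = secret
        self.now = 0.0              # seconds; advanced by hand in this example
        self.established = set()    # 4-tuples that were handed to the real server

    def tick(self):
        return int(self.now) // TICK_SECONDS

    def handle(self, pkt):
        """Process one inbound segment: returns (reply_segment_or_None, admitted)."""
        if pkt.flags == "S":
            # Answer on the server's behalf; nothing is stored, so a flood costs one reply each.
            cookie = syn_cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport, self.tick(), self.secret)
            isn = int.from_bytes(cookie, "big")
            reply = Tcp(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SA", seq=isn, ack=(pkt.seq + 1) & MASK32)
            return reply, False
        if pkt.flags == "A":
            claimed = ((pkt.ack - 1) & MASK32).to_bytes(4, "big")  # client acks our ISN + 1
            # Accept the current tick and the previous one so a slow but real client still gets in.
            for t in (self.tick(), self.tick() - 1):
                if hmac.compare_digest(claimed, syn_cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport, t, self.secret)):
                    self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                    return None, True
            return None, False      # stale or forged ACK: dropped, still no state created
        return None, False          # this toy proxy only models the handshake


def forged_syn_flood(proxy, count, seed=1):
    """Send `count` SYNs from random forged sources; returns (replies sent, connections kept)."""
    rng = random.Random(seed)
    replies = 0
    for _ in range(count):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        syn = Tcp(src, rng.randrange(1024, 65535), "203.0.113.80", 80, "S", seq=rng.randrange(2 ** 32))
        reply, _ = proxy.handle(syn)
        replies += reply is not None
    return replies, len(proxy.established)


def legitimate_handshake(proxy, delay_seconds=0):
    """A real client completes the three-way handshake; returns True if admitted."""
    syn = Tcp("198.51.100.23", 50000, "203.0.113.80", 80, "S", seq=1000)
    synack, _ = proxy.handle(syn)
    proxy.now += delay_seconds   # time between the SYN-ACK going out and the ACK coming back
    ack = Tcp(syn.src, syn.sport, syn.dst, syn.dport, "A", seq=1001, ack=(synack.seq + 1) & MASK32)
    return proxy.handle(ack)[1]


if __name__ == "__main__":
    p = SynProxy()
    print("flood replies, state kept:", forged_syn_flood(p, 5000))
    print("real client admitted:", legitimate_handshake(p))
```

The cost the proxy cannot avoid is the reply bandwidth itself, which is the "each way" figure in the story; cookies protect the state table, not the pipe.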
A tribute to the integrity of both /. and Groklaw (Score:5, Informative)
Worse, many other sites would have tried to cover up the truth, rather than risk suffering a little "egg on the face."
To the credit of both Groklaw and Slashdot, both have said "Oops, we were wrong," and handled things in a very mature fashion.
Good job, guys.
Are you sure? (Score:5, Funny)
and Daryl wouldn't lie either.
follow the ant trail (Score:5, Insightful)
In nearly every scenario, you can trace the cause of something to its origin by determining who benefits the most from it. In this case,
Does linux benefit from this DDoS? No.
Does IBM's case benefit? No.
Does the linux community? No.
Do 1337 kiddies? No. (They don't get the credit - "linux hippies" get the "credit")
Does SCO? Yes. They'll likely try to get an extension on their court order, just as earlier predicted here on slashdot.
If I were in the FBI and looking into this scenario, I'd first look at SCO's accounting very, very carefully. My guess is that there's a debit of several dozen (hundred?) thousand for something like "Consulting Services" made within the last couple weeks.
These attacks may have nothing to do with Linux... (Score:5, Interesting)
The fact is that improperly maintained or administered sites *will* be hacked or DoS attacked by evil-hackers simply to prove that they can do it. SCO is simply a convenient target for some adolescent idiots like so many other sites.
There is no evidence that these attacks are in any way connected to the recent Linux spat and are not some independent idiot who doesn't care one way or the other.
Also, as a community we should discourage this kind of behavior, but it is also a mistake for any individual, company or judge to believe that the actions of a few wayward individuals reflect the sentiment of the entire community.
I mean, just because someone uses Windows and hacks Linux sites, does this mean that *all* Windows users hate Linux?? No, I know some people who use both and they love Linux, but use Windows for work and they like it too. Contrary to popular belief Windows users are as rabid and often are *more* rabid and fanatical than Linux users. I personally have spoken to people who believe that Microsoft deserves to overcharge the world for everything because, in his mind, they have "won" and that is their "reward".
So you see... I believe that, while it's unfortunate that SCO is being attacked, it's not necessarily connected with Linux.
Perhaps SCO should secure their site better.
GJC
maybe? (Score:5, Funny)
Re:DOS attacks... (Score:3, Insightful)
Re:DOS attacks... (Score:5, Funny)
Did you just call SCO a legitimate business? *Backs away very slowly*
Re:T1? (Score:5, Informative)
DSx is the digital version with the same capacity. The analog infrastructure is mostly gone now, so the terms are used interchangeably in most conversations.
Re:T1? (Score:4, Informative)
T1 was originally supplied on two pairs of copper wire (transmit and receive pairs), but is often delivered via multiplexed fiber optic cables. A T1 can be multiplexed into 24 64Kbps channels for telephone trunking (compatible with the analog phone system), but these are still digital signals between the PBX and the ILEC/CLEC's phone switch.
The E1 is a standard in Europe (and UK) which is capable of 2.048Mbps and can be channelized into 32 64Kbps channels for phone trunking.
**most of this is paraphrased from Newton's Telecom Dictionary 16th Ed.
Re:T1? (Score:5, Informative)
DS1 is the circuit either a T1 or E1 rides on. E1s are the European equivalent to a T1. DS1 is the raw circuit.
Re:T1? (Score:4, Informative)
20mbit up + 20mbit down = 40mbit
Or 20mbit x 2 = 40mbit
20mbit comes into to SCO web server a second
20mbit goes out of SCO web server a second
Now, how much traffic was there in that second?
I'm not sure I can make it any clearer.
Re:T1? (Score:4, Informative)
Re:SCO Paid Someone...! (Score:5, Funny)
Re:SCO Paid Someone...! (Score:5, Insightful)
They tracked SCO was sending OUT X million responses to DoS attack. They should track packages that go IN too. Or,... they were originating from inside and faking outside which is not hard to do???
Please somebody start a site with HOWTO - SYN PROTECTION FOR SCO or HOWTO MAKE A SIMPLE FIREWALL
Re:SCO Not lying... (Score:5, Interesting)
This statement is false.
What a nice place to say that, isn't it?
The CAIDA article states: "The current attack successfully blocked access to SCO web and ftp servers"
I find that difficult to believe. The Groklaw article mentioned successful access to the FTP server for a few HOURS while the WWW server was not available.
Then, suddenly, the FTP server was also down, which was after the Groklaw article appeared.
So basically there are two things which make me wonder about this whole situation:
If the main reason for the service being denied was actually the traffic generated by this attack, which is basically what the CAIDA article seems to claim, then there is indeed no distinction to be drawn between the two servers, and so they should have gone down simultaneously.
Re:SCO Not lying... (Score:5, Informative)
Re:Childish OS Hackers (Score:4, Insightful)
My ass they will. If I can prove without a shadow of a doubt that Microsoft has included my patented and copyrighted code in Office 2003, and I start suing end users (you) directly for it, do you honestly believe that Microsoft is going to come defend you?
The only thing Microsoft will defend is themselves and their revenue stream.
Re:Proving my point... (Score:3, Informative)
Re:Something is missing... (Score:3, Informative)
either way, who cares? 20Mbps isn't all that much bandwidth. There's just about no reason that they couldn't have their routers just drop the offending packets.
I can't believe they didn't have some sort of load balancer or a cluster for their website. I am sure it gets slammed with people after each press release.
Re:Still doesn't add up (Score:4, Insightful)
If they say that their entire DS3 was saturated why was it that I could reach ftp.sco.com during the attack?
First of all, they didn't say their entire DS3 was saturated. They said the bandwidth of the attack was enough to saturate a DS3.
Secondly, why not? When you're downloading 100 different files at the same time you can still use the internet, right? Packets will get dropped, but the internet can handle packets getting dropped. See, there's this thing called TCP which is a protocol on top of the IP layer and handles connections when packets are being dropped.