SCO Is Back Online

Friday, December 12 2003 @ 05:19 PM EST
The very first Linux distro I ever tried was Red Hat. This was some years ago, and I was clueless. It took about a month before I realized my box was 0wned. I don't know when it happened, maybe immediately. But any way you look at it, it was fast.
So I completely reinstalled. It took about 2 weeks before I saw it had happened again. This time, I saw games on my computer I specifically had not installed and weird notes from people inside otherwise normal files.
I completely reinstalled again. It took one day before I was 0wned again. At this point, I knew it was time to figure out the real problem, which wasn't Red Hat. The problem was me. It took me months and months of reading and asking and learning to realize I needed to fix the configuration and set up a firewall and things like that I just didn't know about before.
I couldn't figure that part out fast enough, so I bought Mandrake, because it had a firewall built in with a GUI to make it configurable by newbies, which back then Red Hat didn't have. After that, my life got better.
Why were people cracking into my computer? I don't know and I hated it and them for doing it. It was, I knew, nothing personal. I was, after all, nobody and had no enemies. It just happens. And it happens to everybody. In the office, my firewall constantly noted serious efforts to get in to the Windows box, mostly from places like Korea, where I don't know a soul. So it wasn't that anyone was furious with me or trying to get back at me. It's life on the internet, sadly.
If you go on the internet, you have to be responsible for being there. I felt that responsibility, and so I took the trouble to try to learn, not that I'm an expert. But I wanted to at least be competent. People interact on the internet, so we each have a responsibility not to contribute to problems. Sometimes individuals lack the knowledge to do that well, but surely companies can and should take the time and spend the money to hold up their end. Tom Ridge of Homeland Security gave a speech recently in which he basically told companies to get their computers secured or the government would likely step in and make them take security seriously.
Now, what if I had an agenda? Let's imagine one. What if I was married and my husband and I were arguing over whether or not it's safe to be on the internet for banking and shopping. Let's imagine he says it is safe and I insist it isn't. We each dig our heels in and want to prove the other wrong. What might I do the next time I see my computer was broken into? Would I hide the problem from him and fix it quick? Or, would I more likely let it get even worse so as to demonstrate my point in a way he can't refute and win the argument? Well, in real life, I wouldn't do either, but we are just imagining something to make a point.
SCO, I am happy to say, reports it is back online again. Here is the Techweb report. CAIDA, a highly respected group of researchers, with far greater resources at their disposal than most, is reporting backscatter that would indicate there was some kind of attack in their view. You can read about backscatter here.
I have no known reason not to accept their conclusion. It doesn't indicate who did it, of course, not that SCO felt constrained from saying who they think it was, namely somebody in the Linux community. It is clear, with this further information, that something did happen to SCO, so I asked Steve McInerney, the Australian security expert who was quoted in Groklaw's original report, to comment on the new evidence and he provided this statement: "SCO did suffer a Distributed Denial of Service (DDoS) attack, consisting of two attacks against both their webserver and ftp server. The new, missing, evidence which has so dramatically changed my conclusion was brought to light by CAIDA. This is a most regrettable incident, and I personally condemn the attack. There is no justification for such vandalism. Given that setting up alternate paths for their staff to continue to work and send/receive emails is trivial to both pre-consider and utilize, it is somewhat surprising that SCO did not seem to have done so in order to mitigate. The DDoS is true; I was wrong there. The charge of incompetence still stands."
May I just ask you this question: is there any other company in the world that could announce they were being attacked and have a large section of the world, including security professionals, refuse to believe it until a third party verifies?
I put the CAIDA information at the end of our original story yesterday. And I am highlighting it again today, to be honest and fair and to provide all the facts, not just those that I wish were so. Groklaw is about telling the truth, no matter what. It isn't possible for imperfect humans to be right 100% of the time, and a news site has to report as a story unfolds, and all the facts are not always immediately known, particularly in a complex story, but we can surely make sure that as new information comes to light we report it all and keep the record accurate that way.
The fact that no one in the community could believe this allegation is proof that we don't know anyone who would do such a thing. At least, I know for a fact I don't. I deplore and detest such behavior. I am very sorry this happened to SCO and I condemn it, whoever did it. If SCO is short-staffed and needs a helping hand, I am confident the real Linux community, the one that I know, would be glad to help them. The battle in the court room is quite separate, and just as two attorneys can argue fiercely before a judge and then politely shake hands, I feel the same way. I might add that I haven't seen on Groklaw a single comment yet that said anything justifying or approving such an attack. That is as it should be. There are still unanswered questions. We will report further details on this story down the road as they become known.
This can't keep happening to SCO. Groklaw's experts pointed out that there are steps a company can take to prevent and cope with attacks. One of the authors of the CAIDA report said the same: "'There are definitely things out there that they can buy, or services that solve this problem,' said David Moore, assistant director and researcher at the Cooperative Association for Internet Data Analysis (CAIDA) and an expert on denial-of-service attacks. 'It is just a question of how important your Web site is to you and how much you are willing to spend.'" This is what Groklaw reported. It's really up to SCO now. If they want to fix their problem, surely they ought to be able to do so. If they don't want to solve the problem, and such events continue to occur, followed by headlines accusing the Linux community before anyone knows who did it, then the question really has to be, why? What's going on?

UPDATE: Here is a snip from an article on InternetWeek regarding our initial report:
"We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included: contributing editor Don MacVittie, who is currently an IT project manager for a major midwestern utility company, and has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, they agreed that Groklaw's analysis of the situation is credible and knowledgeable."

Authored by: stanmuffin on Friday, December 12 2003 @ 06:22 PM EST
CAIDA's report indicates both www.sco.com AND ftp.sco.com were targeted in the
SYN flood attack. But the FTP server, as many report, was up and running the
whole time.
Maybe they had tcp_syncookies enabled on ftp, but not on www? If so, then I
don't have a lot of sympathy--not that I condone the attack at all, but their
FTP server weathered it just fine, and their WWW server probably could have as
well, had they configured it properly. You'd think they'd take the time to do
so, considering how this has reportedly happened several times before.

Authored by: JimM on Friday, December 12 2003 @ 06:23 PM EST
PJ,
It is very admirable, and right, of you to post the truth, whatever it may be.
This is what sets you and GrokLaw.com apart from any other place that reports on
this SCO saga. Maybe SCO management can learn a lesson from this about telling
the truth, even if it hurts...

Authored by: jmccorm on Friday, December 12 2003 @ 06:24 PM EST
I think we can all believe that an attack happened on SCO's webservers. The
quote above, which I would echo, is this:
"May I just ask you this question: is there any other company in
the world that could announce they were being attacked and have a large section
of the world, including security professionals, refuse to believe it until a
third party verifies?"

Perhaps this should give SCO some idea of the difference it has been credibility
and newsworthiness. Compare/contrast: The Raelians.

Authored by: p0ssum on Friday, December 12 2003 @ 06:25 PM EST
Well said, all the way around, much like an IBM lawyer;-).
Anyhow, I will take this opportunity to say, that I too was incorrect. I'm sure
it won't be the last time. The final piece of the puzzle fit when they said
they immediately shut down the machines. That would explain the NetCraft info.
Thanks PJ for everything you do, above all else integrity.
---
Never argue with an idiot.
They drag you to their level and then beat you with experience.

Authored by: jkondis on Friday, December 12 2003 @ 06:25 PM EST
"What if I was married and my husband and I..."
Do I have to say more?
Sorry for the OT cheap shot. ;) In any event, I mostly agree, that illegal
behavior should not be condoned. Oh, and I agree that SCO is incompetent. And
that nobody believes SCO because they have shown themselves to be a bunch of
liars.
...J

Authored by: blhseawa on Friday, December 12 2003 @ 06:28 PM EST
TSG may be back online ... but I found several things that don't add up so
I've written a little http spider program that gets TSG home once each day and
does a diff on the page to determine what has changed.
It has been running every morning since I first reported on this.
I can report that before, during and after TSG home page has changed, and we are
not talking spelling errors here either.
The TSG home page uses a mix of Javascript and VBscript depending on which
browser is detected, most to do with flash support of their web site. The main
page menu bar is built using Javascript. Nothing out of the ordinary here in
this.
That said, by comparing the TSG homepage to previous day's homepage, changes
in the layout or organization of the web site can be checked.
Prior to coming up this morning, the web used html based (coded) pages, and the
menubar Javascript was radically altered when compared to before, during and
after the attack.
There are a number of valid reasons why this might have occurred, as has already
been pointed out by Groklaw readers.
However, this morning there was a new wrinkle. The TSG www.sco.com web site is
now coding its pages to the XHTML standard. This wasn't there before.
I just find it interesting that something like changing from HTML to XHTML is
not something that is done casually.
Anyway, having had web sites that were the target of DoS attacks. I've never
seen the web site change so aspects of technology like that.
I will continue to monitor the home page, and report any significant changes.

Authored by: Anonymous on Friday, December 12 2003 @ 06:29 PM EST
Seriously uncool. There are much more effective ways of dealing with SCO than
attacking their infrastructure.
I'm glad to see so many people here at Groklaw who are exploring those more
effective ways to their fullest extent. :-)

Authored by: sef on Friday, December 12 2003 @ 06:35 PM EST
Told you :).
Well, more of a :(, 'cause it's a bad, bad, bad thing. Mainly 'cause it lets
SCO stay in the news as the victim they want to portray themselves to be.

Authored by: shoden on Friday, December 12 2003 @ 06:38 PM EST
Interesting that they were able to get a press release out blaming the Open
Source community when there was such a loss of productivity over the last few
days. You'd think it would be all hands on deck working to find the
"universe" that Kevin McB kept talking about
Also, why do they keep screaming, "We're vulnerable!" It just
doesn't make sense to me.
---
S.K.
MR. MCBRIDE: Your Honor, I have a smaller, obviously --

Authored by: blhseawa on Friday, December 12 2003 @ 06:48 PM EST
I'm not sure which web site archives might have these.
On the machine I've been running this on, I have copies of the page for each
day, both before, during, and after.
I can publish the results of the compares, I'm not sure I can publish the pages
themselves.
The script I have running uses the fact that mozilla and firebird both save
archives of pages that have been got, (HTTP protocol GET command), and so I have
firebird get the page, then I just copy the page from the cache to another
directory and change the filename adding date time stamp. Then I can run diff
on the current page against the previous day's page. That's how the script
works that I wrote.
But for the command-line I can diff any pair of pages.
I was just curious after reports from the last TSG report of DoS several Groklaw
readers reported changes in the www.sco.web site. So, I thought I'd just keep
an eye on it.
If someone knows of public archives of the website home page, I'll modify my
scripts and publish them here.
Anyway, that's what I've done. Most of the changes aren't worth reporting,
but I thought the HTML ---> XHTML was worth noting. The page layout and
indenting is a lot nicer to read now too!
For those that care, to see the source code that the browser renders on the
screen, in Firebird just click view and then Page Source, and the browser brings
up a windows the source code view of the rendered page. Awhile back I noticed,
that the style wasn't consistent and neither were the changes so I've just
been watching it.

Authored by: phrostie on Friday, December 12 2003 @ 06:49 PM EST
does anyone know the names of the agents that are handling it?
has anyone confirmed that they are talking to the secret service?
the timing was too good for them so that everyone would forget that they got
their butts kicked in court.
forgive me if i keep one eye open.
if they have told the truth, it must have been an accident.
---
=====
phrostie
Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.
http://www.freelists.org/webpage/cad-linux

Authored by: mdchaney on Friday, December 12 2003 @ 06:51 PM EST
They could have walked down the hall and enabled syn cookies at the console and
been back in business in 5 minutes. They have no excuse, about 50 different
people posted explicit instructions on Groklaw about how to do that. Given that
their web site underwent even more revisions while down, plus the fact that
they're claiming this attack knocked out their intranet and mail server, this
whole little incident still smells really fishy.
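What enabling SYN cookies (the `tcp_syncookies` setting mentioned in the comments above) changes, as an added example that is not from the article or any commenter: a simplified cookie in the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) next to a fixed half-open backlog. HMAC-SHA256, the MSS table, the function names and the documentation-range addresses are assumptions for the illustration; the Linux kernel's implementation differs in detail.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = [536, 1300, 1440, 1460]  # illustrative values; 3 bits allow 8 entries
TICK_SECONDS = 64                    # the time counter advances every 64 s
MAX_AGE_TICKS = 1                    # accept cookies from the current or previous tick
M32 = 0xFFFFFFFF
SERVER = ("192.0.2.10", 80)          # constructed address (documentation range)


def _mac24(secret, src, sport, dst, dport, client_isn, tick, mss_idx):
    """24-bit keyed hash over the 4-tuple, client ISN, tick and MSS index."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIIB", sport, dport, client_isn & M32, tick & M32, mss_idx))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, src, sport, dst, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK. Nothing about the connection is stored."""
    tick = int(now) // TICK_SECONDS
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fitting[-1] if fitting else 0
    mac = _mac24(secret, src, sport, dst, dport, client_isn, tick, mss_idx)
    return ((tick % 32) << 27) | (mss_idx << 24) | int.from_bytes(mac, "big")


def check_ack(secret, src, sport, dst, dport, seq, ack, now):
    """Validate the handshake's final ACK; return the negotiated MSS or None."""
    cookie = (ack - 1) & M32          # the client echoes our ISN + 1
    client_isn = (seq - 1) & M32      # and sends its own ISN + 1
    tick5, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    now_tick = int(now) // TICK_SECONDS
    for age in range(MAX_AGE_TICKS + 1):
        tick = now_tick - age
        if tick < 0 or tick % 32 != tick5:
            continue
        expected = _mac24(secret, src, sport, dst, dport, client_isn, tick, mss_idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def simulate_flood(spoofed_syns=1000, backlog=128):
    """Fixed SYN backlog versus stateless cookies under a spoofed SYN flood.

    Returns (backlog listener still accepts a new client, MSS the cookie
    listener negotiates with that client).
    """
    secret = b"constructed-demo-secret"
    now = 1_000_000
    half_open = {}                    # backlog listener: one slot per unanswered SYN
    for i in range(spoofed_syns):     # spoofed sources never send the final ACK
        src, sport = f"198.51.100.{i % 250 + 1}", 1024 + i
        if len(half_open) < backlog:
            half_open[(src, sport)] = i
        # The cookie listener answers every SYN but keeps no per-SYN state.
        make_cookie(secret, src, sport, *SERVER, client_isn=i, client_mss=1460, now=now)
    backlog_accepts = len(half_open) < backlog   # full backlog: the next SYN is dropped

    # A legitimate client (constructed address) connects after the flood.
    client, client_isn = ("203.0.113.7", 40000), 0x1234ABCD
    cookie = make_cookie(secret, *client, *SERVER, client_isn, 1400, now)
    mss = check_ack(secret, *client, *SERVER,
                    (client_isn + 1) & M32, (cookie + 1) & M32, now + 3)
    return backlog_accepts, mss


if __name__ == "__main__":
    print(simulate_flood())
```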
Authored by: brice on Friday, December 12 2003 @ 06:53 PM EST
PJ, You are a true leader. I think you just set a new highwater mark for
respectability in the online SCO debate.
I think everyone who has taken a side in this SCO litigation - and who hasn't -
should look to your example. Both sides, all sides, everyone.
Thank You from the Bottom of My Heart,
-brice

Authored by: rjamestaylor on Friday, December 12 2003 @ 06:59 PM EST
Thank you for the introductory context about life on the Internet. I remember
when I used to connect directly to the Internet without a firewall...those were
the good ol' days. I also remember playing with my little brother when we were
young in the front yard of our major-street facing house. Do I let my children
GO to the front yard today? No way! And would the police sympathize with me if I
let them play in the front without supervision and something untoward happened?
Not on your life -- I'd at least be treated as a negligent parent that I was.
Times change; people adapt.
That's the problem with SCO in this case. It's not that any attack is
justified -- it is not justifiable to attack other's computers (Not even if
Congress thinks it is, but that's another story). But it is also not acceptable
to be negligent and not take ordinary measures to protect oneself from attack.
In fact Linux developers and system admins would gladly assist SCO to solve
their vulnerability to attack. We want SCO.com on-line. Some of the best
refutation to their claims against Linux, the Linux community, etc., is found on
SCO.com. It helps expose the FUD that SCO execs spew to have sco.com up, running
and able to quickly serve pages.
But how would it look for a Linux distributor, a founding member of UnitedLinux,
a provider of security patches and consulting services for Linux to need to
bring in outside experts to solve their inability to mitigate against easily
mitigated attacks? Silly? Yeah. But it's starting to look staged, or, at least,
welcomed.
That press release sure hit the wires fast, huh?
---
SCO delenda est! Salt their fields!

Authored by: shoden on Friday, December 12 2003 @ 07:04 PM EST
Interesting FAQ on the SCO Resources Security page.
I guess it's too bad they are not using UnixWare 7.1.0 or they'd know how to
defeat SYN flood attacks.
---
S.K.
MR. MCBRIDE: Your Honor, I have a smaller, obviously --

Authored by: Rhys Weatherley on Friday, December 12 2003 @ 07:06 PM EST
SCO is like the boy who cried wolf. They've misrepresented the facts so many
times in the past that it is simply no longer possible to take them seriously
even if they tell the truth.
Even if they were attacked, jumping to the conclusion that it must be "those
open source people" is a bit much. It could simply be some misguided uni
student. They make it sound like there is some grand conspiracy by nefarious
parties to get them.
Free clue for Darl, et al: there *is* a grand conspiracy to get you. Not via
nefarious means, but via Groklaw-style finding of the facts and slapping you
with them. You know, the facts that you yourself refuse to provide.

Authored by: Anonymous on Friday, December 12 2003 @ 07:10 PM EST
Don't know if anyone has thought of this yet, but shouldn't this be sent to
the editors that the comments about serious doubt about the attack were sent
to?
You know, just to show SCO how to make corrections to statements they make, and
that everyone here is really levelheaded, and not the type to duck for cover
when they make a mistake.

Authored by: Anonymous on Friday, December 12 2003 @ 07:14 PM EST
If you read the report on backscatter analysis you will see that the authors
acknowledge that backscatter itself can be spoofed. They talk about spoofing as
a way to bias the CAIDA sampling of all current DoS attacks and conclude that it
would be difficult to do (would probably require the same level of resources as
a real DoS), and do not mention spoofing the existence of a single DoS attack.
From my reading, it seems like spoofing a DoS attack against yourself would be
relatively trivial - simply run one of the automated DoS attack programs on
another machine on the local network segment. Your local bandwidth will be
enough to allow plenty of backscatter so as to look like a real DoS. You also
don't have to worry about anyone doing ingress filtering on your attack packets
since it is all on your own local network.
Depending on the specific DoS attack, there may or may not be enough state
information (sequence numbers keyed from the attacking machine) in the
backscatter to indicate the attacks all came from the same single, or small
number of boxes. I haven't looked closely at the specifics of the various DoS
responses to say for sure yet, but if that info is there then one could
conceivably identify such a spoofing from that.
So, some obvious questions are:
1) Would SCO DoS themselves for publicity?
Given the speed at which they were able to put out a press release, yes.
2) Would SCO be smart enough to know about backscatter and so take this
"provable" route on purpose?
No. But, it could just be serendipity - they just wanted to fake a DoS and it
was convenient to run the tool on their local network, the backscatter results
were just an unexpected benefit.
3) Is an anonymous poster credible?
No, but you can go read the backscatter paper yourself and if you aren't a
network guy, ask your favorite one and see if they agree.
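The arithmetic behind a backscatter observation like the one cited in the article, as an added example that is not CAIDA's code or anything from this thread: reply packets (SYN-ACK, RST) that arrive at unused address space are attributed to the host that sent them, and the observed rate is scaled by the share of IPv4 space being watched. The 10.0.0.0/8 telescope, the record format and every address in the sample are constructed for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for a monitored block of unused addresses (a "network telescope").
TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
# TCP flag combinations that are only ever replies: SYN-ACK from a listening port,
# RST / RST-ACK from a closed port or a host refusing the segment.
RESPONSE_FLAGS = {"SA", "R", "RA"}

# Constructed capture at the telescope: time(s) src sport dst dport flags
SAMPLE = """\
0.0 192.0.2.80 80 10.12.7.201 3312 SA
0.5 192.0.2.80 80 10.200.3.9 1029 SA
1.0 192.0.2.21 21 10.77.140.2 4410 RA
1.5 192.0.2.80 80 10.3.91.66 2201 SA
2.0 192.0.2.80 80 10.150.8.14 5530 SA
2.5 192.0.2.21 21 10.9.9.120 1999 RA
3.0 198.51.100.5 4444 10.1.2.3 80 S
3.5 192.0.2.80 80 10.61.250.7 1204 SA
4.0 192.0.2.80 80 10.240.17.33 3801 SA
4.0 192.0.2.21 21 10.31.5.5 2750 RA
5.0 203.0.113.9 80 172.16.0.4 1111 SA
"""


def parse(capture):
    """Yield (time, src, sport, dst, flags) from whitespace-separated records."""
    for line in capture.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        ts, src, sport, dst, _dport, flags = fields
        yield float(ts), src, int(sport), ipaddress.ip_address(dst), flags


def analyse(capture, telescope=TELESCOPE):
    """Group backscatter by the host that emitted it and extrapolate the attack rate.

    Assumes spoofed source addresses are chosen uniformly at random, so the
    telescope receives telescope_size / 2**32 of the victim's replies.
    """
    scale = 2 ** 32 / telescope.num_addresses
    flows = defaultdict(lambda: {"times": [], "dsts": set(), "flags": Counter()})
    for ts, src, sport, dst, flags in parse(capture):
        if dst not in telescope or flags not in RESPONSE_FLAGS:
            continue  # not aimed at the telescope, or a probe rather than a reply
        flow = flows[(src, sport)]
        flow["times"].append(ts)
        flow["dsts"].add(dst)
        flow["flags"][flags] += 1
    report = []
    for (victim, port), flow in flows.items():
        packets = len(flow["times"])
        span = max(flow["times"]) - min(flow["times"])
        seen_pps = packets / span if span > 0 else float(packets)
        report.append({
            "victim": victim, "port": port, "packets": packets,
            "distinct_destinations": len(flow["dsts"]),
            "flags": dict(flow["flags"]),
            "seen_pps": seen_pps,
            "est_attack_pps": seen_pps * scale,
        })
    return sorted(report, key=lambda r: r["est_attack_pps"], reverse=True)


if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(row)
```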
Authored by: Anonymous on Friday, December 12 2003 @ 07:28 PM EST
You repeatedly spell Internet with a lowercase "i". It's a proper
noun and should be capitalized. Not a big deal of course.

Authored by: tyche on Friday, December 12 2003 @ 07:39 PM EST
PJ et al:
I am not a sys-admin, though I do know one. I am also not a programmer. In
fact, there are a great many things that I am not. However. . .
I have had occasion to need to supply information to people that I really
didn't like. I've done it, and as pleasantly as I could, simply because that
was the way I was brought up. I've taught people AutoCAD even after they've
REALLY irritated me, and the only ones that I haven't taught were those who
wouldn't learn.
PJ, your attitude toward SCOG is commendable and I echo it. Had I the knowledge
and were they to ASK for help I would do my best to provide that help. Why?
Because of my OWN self respect. I cannot be the person that I am without
helping to the best of my ability when asked.
That's just the way I am.
Craig (Tyche)
---
"The greatest enemy of knowledge is not ignorance, it is the illusion of
knowledge."
Stephen Hawking

Authored by: Tim Ransom on Friday, December 12 2003 @ 07:49 PM EST
From this article:
'SCO CEO Darl McBride told SearchEnterpriseLinux.com recently that the threats
to SCO are not only of a digital nature. McBride said some executives have
received death threats, angry late-night phone calls and challenges to
fistfights.
"The vast majority of these [threats] have been of the crank-call variety,"
McBride said. "We have hired the best personal security team. They have worked
through these threats and determined that some have come from people with
records who have done time in the big house. We take these very seriously."'
So SCO has V.I.P. on the case, and they've identified threats coming from
'people with records who have done time in the big house'. So are they going to
have the Secret Service arrest them?
I know I have a lot of vinyl LPs, but a one bedroom apartment probably doesn't
qualify as 'the big house'.
Also, I would never threaten anyone still working for SCO, 'cause carny folk
are the only thing that frightens me!
Thanks again,

Authored by: Anonymous on Friday, December 12 2003 @ 07:52 PM EST
I wasn't happy yesterday with the knee-jerk "SCO is lying"
attitude. At Slashdot, folks that suggested there was room for doubt were
called SCO sympathizers. Given that SCO is not liked by so many, it hardly
surprises me that some might find a way to attack them. If this happens again,
give it time before forming an opinion and look at what they say with an open
mind, just as you should with what they purport to be legal evidence. Remember
that it helps them if they can show obvious and unreasonable bias in those who
disagree with them.
Me, I can't stand SCO, but I also can't stand people that jump to condemn them
for something they didn't do.

Authored by: kurt555gs on Friday, December 12 2003 @ 07:53 PM EST
I was just reading another website that details the next SCO attack
It can be found here:
http://www.bbspot.com/News/2003/12/sco_christmas.html
PS. I hope that I am not causing Groklaw to be slow, but this is
becoming my favorite website.
I never had a PayPal account, really didn't want one. I wish PJ would take
VISA.
To: PJ
You really have started a 'movement' and you deserve every bit of credit,
and more.
Thank you ever so much.
---
* Kurt *

Authored by: kbwojo on Friday, December 12 2003 @ 07:58 PM EST
After all is said and done I really feel sorry for TSG sales people the most. I
can picture what their job is like now.
TSG Sales Rep: Hello, I represent TSG and wanted to know if you are interested
in any of our e-business services.
Potential Customer: I think I just read about your company in the news. Aren’t
you the company that has had its servers taken down by a DDoS attack 3 times
in the last few months?
TSG Sales Rep: (Gulping) Yes that’s our company.
Potential Customer: So let me get this straight, you can’t protect your own site
and keep it up and running yet you want to run ours? No thanks. (click)
Then again when your real business is litigation it really doesn’t matter that
you might hurt your secondary business by highlighting your own incompetence in
the news just so you can try to discredit the Linux community.

Authored by: hbo on Friday, December 12 2003 @ 08:42 PM EST
I think this DDOS has shown up a couple of your biases, PJ. Here's what I think
they are:
- SCO lies a lot, so they probably are now.
- The FOSS community is held together by idealism. Those I know in that
  community are definitely idealistic.
Therefore, nobody in the FOSS community could do something like this.
It's hard to avoid the first one under these circumstances. But it's clear that
SCO doesn't always lie. That makes me wonder about their case, too. They
haven't shown their cards yet. One explanation for this is that they have no
cards. Another could be that they are holding back for tactical reasons. I
don't know which is true. Do you? Things will be clearer after a month from
last Wednesday, I hope. The second one is understandable too. I think the FOSS
developer community is a lot less likely to include jerks responsible for
something like this than the Linux user community. While both have grown
enormously over the last several years, the latter is much larger than the
former. It only takes one or two badly disposed, not to say stupid individuals
to cause something like the attack that was mounted on SCO last week.
Now, I'm not posting this to annoy you. I think you have been a very valuable
resource in digging up information that may well help tip the scales in the SCO
vs IBM case. I'm posting this because I'm concerned that you may be a less
effective resource if you let your biases get in the way of your research. It's
too much to ask, and silly besides, that you start each morning forgetting
everything you know about SCOG. In the same way, it's impossible to view the
world without bias, and harmful to try. The trick is knowing your own biases,
and then using them appropriately.
Forgive me for the lecturing tone. I'd just like to see you succeed in your
endeavor even better than you have up to now. That would be a good trick,
because your success is unquestionable.
---
"Even if you are on the right track, you'll get run over if you just sit
there" - Will Rogers

Authored by: Beyonder on Friday, December 12 2003 @ 08:45 PM EST
I love how everyone just instantly jumps on the bandwagon without any regard to
any sort of detailed analysis of the data provided.
CAIDA's info has been shown to be flawed, they claim the FTP was under attack the
first day, when it wasn't affected at all.
Their "logs" are inconclusive, and rather useless.
If someone (even a customer) had sent those logs into any of the ISPs I've ever
worked for stating they were evidence of an attack, they'd have been laughed
at. Would more detailed checking had been done? Yes, but, the ISP admins hate to
waste time, it'd go something like this:
Client: "we're under SYN attack, both web, ftp, etc"
admin: "well, your web seems to be down, yes, but your ftp is fine"
client: "sorry, it's just a regular attack"
admin: "there's no latency on your network"
client: "take a look at this log from CAIDA, we're under attack, see the
RSTs from our ftp site"
admin: "that's real nice, can you give us something useful? As we just
said, your ftp is fine, this is meaningless"
and that's about the size of that...
and without further information (more detailed) or a proper analysis, I don't
accept CAIDA's info as proof of anything. It could easily be (and usually is)
just normal traffic.

Authored by: Tim Ransom on Friday, December 12 2003 @ 09:18 PM EST
Moore et al's techniques may not be proof.
From this article:
'Although anecdotal reports about DDoS attacks--which hackers used to cripple
Yahoo, eBay, E-Trade, and Microsoft in the past year--indicate a serious
problem, no one really identified the extent of the trouble until the UCSD
study.
Since this is uncharted territory, the researchers' methodology and conclusions
bear close scrutiny, according to Martin Fong, a senior software engineer at
SRI specializing in Internet security.
"I think what they've done is establish a methodology, but I don't know if
they've established a baseline," Fong says. "It's a good starting point, but
this [quantitative measurement] relies on a tremendous amount of cooperative
effort."'
Thanks again,

Authored by: Anonymous on Friday, December 12 2003 @ 09:22 PM EST
several things i'm not happy with on this story:
1. As others have pointed out, if the SCO webserver was attacked in a syn
flood, and was taken offline, then there's NO server to do the syn ack...hence
no outgoing backscatter. So where was the backscatter coming from? Santa claus
and Rudolf delivering Xmas presents early?
2. Was the SCO webserver syn patched? If not, why? Are they going to claim
insurance for damages? I hope not, since they didn't make *every* effort
themselves to ensure security.
Yes it is ensure, not insure - we're talking british english here, not yankee
english - for those that want to argue as per the oxford dictionary of English:
ensure /, / v.tr.
1 (often foll. by that + clause) make certain.
2 (usu. foll. by to, for) secure (a thing for a person etc.).
3 (usu. foll. by against) make safe.
[Middle English via Anglo-French enseürer from Old French aseürer assure]
insure // v.tr.
1 (often foll. by against; also absol.) secure the payment of a sum of money in
the event of loss or damage to (property, life, a person, etc.) by regular
payments or premiums (insured the house for £100,000; we have insured against
flood damage) (cf. assure 3).
2 (of the owner of a property, an insurance company, etc.) secure the payment of
(a sum of money) in this way.
3 (usu. foll. by against) provide for (a possible contingency) (insured
themselves against the rain by taking umbrellas).
4 US = ensure.
insurable adj.
insurability n.
[Middle English, variant of ensure]
3. How did SCO manage to get a press release out so quick?
4. *most* companies would take down the block of IP addresses pronto in an
attack like this, including ftp. Since ftp doesn't deal with syn acks how was
it attacked? And why did it flood?
5. It doesn't explain items disappearing from the ftp server whilst it was
still online before going down. After the ftp server went down and then came
back up again, things were still missing.
6. It doesn't explain intranet or mail servers being compromised (unless SCO
have a very very very bad network topology setup). I'll give an example - I
worked for a large multinational company (much larger than SCO) and they were
hit by code red on a windows platform. It took down their webservers. But it
didn't affect the performance of the intranet. Or the Oracle server. Why?
Network design.
I think the likely thing is that SCO got cracked big time. Someone broke into
their systems and *ucked with the webserver, ftp server and remotely compromised
machines. Then they uploaded a rootkit of some sorts and started to ddos the
network/intranet from inside SCO. Hence the backscatter. Hence backscatter
appearing *after* the webserver was taken down.
I'm not a network expert, far from it. But could the above be possible - if so
opinions from network experts appreciated.
Dave[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 09:34 PM EST |
Doubts Linger About SCO's Cyber-Attack Claims
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 10:29 PM EST |
I have been wondering ever since I heard of attacks perpetrated by spoofing IP
addresses. Could a security professional explain to me why ISP routers do not
verify valid IP addresses on packets right at the front door? How hard could
it be? Do we need legislation to this effect?[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 10:31 PM EST |
Heh. So, the web site is "attacked". Everyone says "WTF? Why is the FTP site
still up?". Then the FTP site is "attacked" after everyone had pointed out
that SCO are probably faking.
Hint: If anyone stupid but still considering themselves "on the Linux side"
were responsible for the attack, they would NOT move to correct
inconsistencies in SCO's reporting of the attack by redirecting the attack. If
anything, they'd keep the web site attack going without touching other servers
to keep up the impression that SCO are lying.
Clearly, while a real ddos might have taken place, it was by someone more
friendly to SCO than to Linux, as the second wave moved to correct the exact
problems with SCO's story previously pointed out on groklaw - THAT's what the
CAIDA graph reveals.
I mean honestly, syn attack? C'mon! And what sort of company puts out glossy
press releases saying "YEAH! We're under attack! and we can't handle it!". Not
an operating systems company, that's for sure...
One for the conspiracy theorists: Any MS pc is intrinsically backdoorable by
Microsoft, and you might never know unless you've got a traffic sniffer on the
network segment. If MS themselves want to launch a DDOS, they have 89% or so
of the internet's computers to help them...
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 10:37 PM EST |
We've successfully defended against DDoS attempts from foreign nationals looking
to extort money... attacks well in excess of 40mbit just in SYNs alone, with
another 15 or 20mbit in random UDP flood.
Any reasonably well appointed network with a sturdy infrastructure upstream
could handle that with minimal damages. In our case, our peak output bandwidth
dropped around 15% (due more to pipe saturation than anything else) and all our
services were available.
Perhaps SCO can't effectively defend against such attacks because all their
respectable administrators have jumped ship? [ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 10:51 PM EST |
I don't know. Call me a cynic, but after all the crap SCO's leaders have
spouted since this whole thing began, you'll have to pardon me that I wouldn't
put it past them to initiate a DoS attack on their own bloody servers just so
they could play the victim.
Not possible, you say? How about people that torch their own businesses to get
the insurance money?
I'm not saying they did. I just wouldn't be surprised.[ Reply to This | # ]
|
|
Authored by: p0ssum on Friday, December 12 2003 @ 10:57 PM EST |
http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=16700474
Quotes:
Bruce Schneier, CTO of Counterpane Internet Security, agreed that SCO does not
appear to have been under a SYN attack. "SCO's self-diagnosis makes no sense,"
he said. "But that doesn't mean SCO is lying."
He added, "We have no idea. We'll never know. Clearly, it's not a SYN flood,
they're wrong about that. The question is, are they lying, or is a clever
hacker doing something to them that looks to a naïve observer like a SYN
flood?"
And
We asked several Linux and security experts to look over Groklaw's analysis of
the attacks. These included: contributing editor Don MacVittie, who is
currently an IT project manager for a major midwestern utility company, and has
an extensive Linux and IT background; Neil Schneider, president of the
Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based
Internet hosting company. While they did not have firsthand knowledge of the
SCO situation, they agreed that Groklaw's analysis of the situation is credible
and knowledgeable.
I think that says it all. There are still too many unanswered questions.
Something definitely happened according to CAIDA, question is, what was it
really.
---
There are 10 types of people in this world, those that understand binary and
those that do not. [ Reply to This | # ]
|
|
Authored by: WhiteFang on Friday, December 12 2003 @ 11:05 PM EST |
Over on the Yahoo SCOX Finance Board, we've been discussing this issue
ourselves. There are a lot of pieces to this puzzle which "don't fit".
1} After having been attacked this way previously, why were the servers still
running with SYN_COOKIEs off?
2} Why was SYN flood protection not enabled on the CISCO router?
3} Are you aware that CAIDA requires that you pay them money to monitor your IP
addresses?
4} Are you aware that CAIDA can be spoofed?
5} SCOX issued 3 press releases through PRNewswire (I think 3) while SCOX'
network was down. Coincidently enough, PRNewswire submissions are usually done
over the Web.
6} Do you know of any other company that issues press releases to advertise how
incompetently they administer their network?
7} CAIDA essentially reports that bandwidth through their link was saturated.
Yet their link is in XO. Why were the rest of the Canopy companies accessible at
all times?
8} The FBI has the proper charter to investigate these incidents. Yet the Secret
Service is listed as (not yet confirmed) lead investigators. Apparently, the FBI
told SCOX to get bent after the last investigation when 'nothing was found'. I
don't know the truth of this but it is very odd for the Secret Service to get
involved. The only other instances where the Secret Service has gotten involved
in DDoS attacks was a situation of potential large scale credit card fraud. SCOX
certainly doesn't fit _that_ profile.
I consider there to be three possibilities:
A} SCOX deliberately left their network open to attack in the _hope_ that
someone would attack it.
B} SCOX paid off a Black Hat to either attack their site or make it look like
their site was attacked.
C} SCOX simply doesn't have the (extremely simple) expertise to set up SYN
flood protection.
For A}, SCOX could be looking for the opportunity to spew more FUD. Notice the
weasel worded press releases tying the Linux Community and possible
"terrorism" together.
For B}, I see a lot of different incentives for SCOX to have engineered their
own attack. This might be a valid way to allege "The Dog Ate My
Homework" and ask for more delay. Or, they might claim their network was
damaged, get the backup archives from off site and attempt to
"clean" evidence.
For C}, We've seen their incompetence in many areas already. Of course, their
incompetence in securing their own network doesn't say much for their
'enterprise' capabilities. {chortle}
A} seems to be exactly the underhanded kind of stunt that they would try to pull
simply for the FUD factor. It's also in their cranial capability. C} also seems
to be a high probability choice.
B} requires a lot of smarts. But ... many people have expressed the concept of
"something else being up SCOX' sleeve because they can't really be this
stupid." It has occurred to me that SCOX is in desperate need of an exit
strategy which will allow them to keep their pump & dump gains. In other
equally dire circumstances, other businesses have committed arson. What if SCOX
really is as smart as people felt they might be? Engineering an attack on their
own network might be a way of committing electronic arson.
You may want to start here:
http://finance.messages.yahoo.com/bbs?.mm=FN&action=m&board=1600684464&tid=cald&sid=1600684464&mid=70757
Remember, this is speculative at this point. I am trying to get independent
verification of the CAIDA report. There are other companies and organizations
which monitor the internet. An engineered attack designed to spoof CAIDA would
_not_ show up on other internet monitors.
:-D[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 11:35 PM EST |
SCO has filed 5 X Form 4/As
Basically they are saying that 5 different people actually got 15,000 free
options to buy stock at $4.75, and not 10,000 free options at $4.75 (which is
what they filed previously)
The people concerned are:
CAKEBREAD STEVEN
http://www.sec.gov/Archives/edgar/data/1102542/000110254203000077/xslF345X02/edgardoc.xml
MOTT DARCY G
http://www.sec.gov/Archives/edgar/data/1102542/000110254203000078/xslF345X02/edgardoc.xml
YARRO RALPH J
http://www.sec.gov/Archives/edgar/data/1102542/000110254203000079/xslF345X02/edgardoc.xml
IACOBUCCI EDWARD E
http://www.sec.gov/Archives/edgar/data/1102542/000110254203000082/xslF345X02/edgardoc.xml
THOMPSON DUFF
http://www.sec.gov/Archives/edgar/data/1102542/000110254203000080/xslF345X02/edgardoc.xml
[ Reply to This | # ]
|
|
Authored by: Anonymous on Friday, December 12 2003 @ 11:37 PM EST |
What in god's name is going on with SCO's stock? Bid is 0.01, Ask is 9,000.
That can't be right. Anybody a clue?
Last Trade: 16.021
Trade Time: 3:59PM ET
Change: 0.101 (0.63%)
Prev Close: 15.92
Open: 15.51
Bid: 0.01 x 100
Ask: 9,000.00 x 100
1y Target Est: 25.50
Day's Range: 15.51 - 16.45
52wk Range: 1.09 - 22.29
Volume: 139,543
Avg Vol (3m): 323,545
Market Cap: 221.83M
P/E (ttm): 84.32
EPS (ttm): 0.19
Div & Yield: N/A (N/A)[ Reply to This | # ]
|
|
Authored by: RSC on Friday, December 12 2003 @ 11:49 PM EST |
..of me, deep down inside that says "serves yourself right SCO".
:)
But what I have read here today makes me very proud that the "community" I
have believed in for a decade now is obviously of greater mettle and conscience
than any so-called "good corporate citizen".
When the "community" has been shown to be mistaken, they have the balls to say
so. Where most "corporate entities" would either ignore the mistake and carry
on, or, as in SCO's case try to twist what they said, or even deny they said it
in the first place.
P.J. I thank you very much for showing the world that there is still integrity
in this mad world of ours.
And to all those who have contributed to this awesome site, well done.
RSC
---
----
An Australian who IS interested.[ Reply to This | # ]
|
|
Authored by: valdis on Saturday, December 13 2003 @ 12:06 AM EST |
OK.. I admit it.. I was skeptical as hell at first. But then, I actually make a
living at worrying about things like "what if a talented hacker attacked
us, and covered his tracks by making a lot of stupid script-kiddie
mistakes?". But then, I also try to be both flexible and gracious when
new information comes along.
So the CAIDA guys say there was in fact a huge DDoS in progress. I'll take
that as a given - I've looked at some of their previous work and it's always
been meticulous and unassailable. Let's just say these guys know more about
measuring packets than Netcraft knows about web servers.
Adding the CAIDA data in makes some things make more sense, and some make less
sense. For instance, CAIDA estimates 50K packets/sec and 20 Mbits/sec, or half
a DS3 (45mbits). This actually explains why the FTP server appeared responsive,
and why XO didn't seem aware of anything - if SCO had a DS3 they'd still have
bandwidth to spare, so the FTP server would have bandwidth and XO wouldn't be
seeing alarms for congested links.
On the other hand, it's quite possible that at 50K packets/sec, that the server
(especially if it was older/slower hardware) was out of steam *even with
syncookies enabled*. It takes a certain amount of CPU to catch the interrupt,
get the packet, identify it as a SYN, decide we're being synflooded, craft a
syncookie (note that syncookies *do* take out of the random entropy pool, so
there's an upper bound to how fast we can send them), build the syncookie'd
SYN+ACK packet, and send it out the interface (where it eventually ends up as
backscatter in CAIDA's data).
Unfortunately, the peak burst of attack on the web server (according to CAIDA)
only lasted an hour or so - their graph shows a much lower level for the next 16
hours or so. Either their lower bound is *way* lower than reality, or the
server shouldn't have been having any issues. (And in fact, I can think of at
least one way to "trick" the CAIDA data gathering, except if it had
been employed, CAIDA would *not* have seen the large initial spike. Unless the
attacker wanted them to see it. Somebody hand me some tinfoil, I need to make a
helmet.. ;)
I'm going to write off the brief 'unknown/Apache' sighting by Netcraft as
somebody trying to bring up a replacement server at a different IP address.
I'll leave off with two thoughts...
1) There's only two ways you can lose your intranet during a DDoS on your
outward-facing servers, after having had 2 DDoS attacks already. The first is
sheer ineptitude on the network management's part. The second is that they did
in fact harden their intranet against *external* attack.
2) The conspiracy minded among you will note that CAIDA was measuring the
SYN+ACK packets coming OUT of SCO. I've not seen actual proof that the SYN
packets went *in*. (It's easy to tell - if the packets came in from outside,
XO would have seen almost perfectly balanced traffic coming and going, if it was
from inside, it would be unbalanced). If the 50K spoofed packets/sec started off
life inside, CAIDA would still see the same backscatter. Of course, there's a
good chance they'd have a meltdown of their intranet as the packets crossed
it.
But no, that's crazy talk. Pass me the tinfoil, will ya?[ Reply to This | # ]
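The traffic-balance test from valdis's point 2 above, together with the "half a DS3" arithmetic, worked as an added example that is not part of the original comment. The counter samples, the 1000 packets/sec floor, the 0.8 balance ratio and all function names are constructed assumptions; only the 50K packets/sec, 20 Mbit/s and 45 Mbit/s figures come from the comment.

```python
"""Where did the SYNs come from? Border-link counters, per the comment above."""
from dataclasses import dataclass

DS3_BPS = 45_000_000  # DS3 capacity as quoted in the comment (45 Mbit/s)


@dataclass
class Sample:
    """One counting interval on the ISP-facing interface (constructed data)."""
    seconds: int
    syn_in: int       # SYN packets arriving from the Internet
    synack_out: int   # SYN+ACK packets leaving toward the Internet


def link_utilisation(bits_per_sec, capacity_bps=DS3_BPS):
    """Fraction of the link consumed by the measured traffic."""
    return bits_per_sec / capacity_bps


def avg_packet_bytes(bits_per_sec, packets_per_sec):
    """Mean packet size implied by a bit rate and a packet rate."""
    return bits_per_sec / 8 / packets_per_sec


def classify(samples, min_pps=1000, balance=0.8):
    """Classify a flood from inbound-SYN versus outbound-SYN+ACK rates.

    quiet               neither direction exceeds min_pps
    external-unanswered SYNs arrive but the server sends no replies,
                        so there is no backscatter to observe
    external            inbound SYNs roughly match (or exceed) the replies
    internal            replies leave the site with no matching inbound SYNs
    """
    total_s = sum(s.seconds for s in samples)
    if total_s <= 0:
        raise ValueError("samples cover no time")
    in_pps = sum(s.syn_in for s in samples) / total_s
    out_pps = sum(s.synack_out for s in samples) / total_s
    if in_pps < min_pps and out_pps < min_pps:
        return "quiet"
    if out_pps < min_pps:
        return "external-unanswered"
    return "external" if in_pps / out_pps >= balance else "internal"


# Constructed one-minute counter samples, not measurements of any real network.
EXTERNAL = [Sample(60, 3_000_000, 2_900_000), Sample(60, 3_000_000, 2_950_000)]
INTERNAL = [Sample(60, 12_000, 3_000_000)]
UNANSWERED = [Sample(60, 3_000_000, 600)]
QUIET = [Sample(60, 600, 600)]

if __name__ == "__main__":
    print("share of a DS3 at 20 Mbit/s:", round(link_utilisation(20_000_000), 2))
    print("bytes per packet at 50K pps:", avg_packet_bytes(20_000_000, 50_000))
    for name, data in [("external", EXTERNAL), ("internal", INTERNAL),
                       ("unanswered", UNANSWERED), ("quiet", QUIET)]:
        print(name, "->", classify(data))
```

The counters have to come from the upstream side of the link, since backscatter alone looks the same in both the external and internal cases.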
|
|
Authored by: bitserve on Saturday, December 13 2003 @ 12:28 AM EST |
David Moore at least seems to know what he's talking about technically. SYN
Cookies only assist in mitigating a SYN attack, and there is expensive
specialized hardware out there that one can utilize if your site is that
important to you that can do way better than a server with SYN cookies.
While David Conrad still thinks that it's trivial to block a SYN flood, and
that most operating system (vendors?) can easily defeat them.
Like others said, SCO could have attacked themselves. Which to be clear, isn't
"faking an attack". Since that's a real attack, just they'd be
lying about the source. Which I think is a totally preposterous idea, but still
shows that even CAIDA isn't in a place to verify anything. Of course this along
with the bandwidth reports at the router from SCO's ISP... Well, then they
could have attacked themselves from those 1000 remote drones as well. I think
conspiracy theorists could go on and on blaming SCO.
I tend to believe that there was an attack, but that their press release was not
technically accurate. Same as most of the journalism I've seen regarding the
attack.
Pam, great post. I don't know if this was an intended pun, but I got a kick out
of it.
"mostly from places like Korea, where I don't know a s[e]oul"[ Reply to This | # ]
|
|
Authored by: stdsoft on Saturday, December 13 2003 @ 01:31 AM EST |
PJ said "this can't keep happening to SCO." Couldn't agree more.
I hope whoever did this is caught and prosecuted. Meanwhile, I hope SCO makes a
sincere effort to improve their infrastructure. Apparently, prior attacks
didn't convince them to take some simple counter-measures. Hopefully this one
gets their attention.[ Reply to This | # ]
|
|
Authored by: leeway00 on Saturday, December 13 2003 @ 02:44 AM EST |
Long time lurker here but first post.
This keeps bugging me.
1.) .12 server (WWW) is down - SYN flood attack - CPU/connection related - pipe
not necessarily flooded.
2.) .13 server (ftp) is up - pipe cannot be flooded for .13 to be responsive.
3.) SCO stated in one of their interviews that SMTP & Intranet were down
due to pipe being flooded.
If there is a single pipe going into SCO, 2 & 3 are mutually exclusive. If
there is more than one pipe, it would seem to be poor planning on their part
that publicly available services (prone to attack) & critical internal systems
are on the same pipe.
Comments? I'm a bit confused as to how to reconcile all 3 above.
Leeway[ Reply to This | # ]
|
|
Authored by: kpl on Saturday, December 13 2003 @ 04:10 AM EST |
PJ: thanks for raising the Linux bar by this article!
One thing which would solve the question, (not that the linux community would
ever be allowed to see the results); a traffic counter at the upstream ISP for
the sco network.
Something like Mrtg (Multi Router Traffic Grapher) is fairly trivial to set up
to get some basic information.
Along with a small php script I use it to give me a daily graph of all my
systems' incoming and outgoing traffic in a more easily read format.
As I said earlier, I doubt whether or not we would be shown the results, but it
would be interesting
---
--------------------
mv sco /dev/null
-------------------- [ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 13 2003 @ 04:31 AM EST |
1. Get a machine outside of the network to spill ACKs to random addresses.
2. Doing it from inside intranet, but geographically far away (so that it takes
a few hops to get there). Send SYN attack packets to webserver to get your
backscatter packets.
3. .... fill in here .....[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 13 2003 @ 06:39 AM EST |
SCO appears to be back down and the webserver is showing as 216.250.128.12
Dave[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 13 2003 @ 06:46 AM EST |
First, let me add my agreement that I detest people who set out to attack others
on the web, whether by spamming, DoS, DDoS, launching viruses/worms/trojans or
any other form of nasty. I don't care who the victim is, the attack damages the
freedom of all to use the wonderful resource that we call "The Web",
the Internet, Cyberspace, whatever.
Second, I would like to also say that I have contempt for those that in theory
should know better but do not take known and readily available measures to
protect their sites from such attacks, they are as much part of the problem in
many ways as the attackers. I know, in a perfect world they (and I, and you)
shouldn't have to, we shouldn't have to lock our doors when we go out but in
the real world it's stupid not to and so we do.
If any of the above applies to SCO I don't know, and I don't know if their
"attack" was real, and if it was whether it was preventable or
something new that they can be excused for being caught with. I do know that the
way they have handled themselves recently (whether or not there is merit in
their case currently before the courts) means that their credibility is at a
very low ebb - any lower and they'd be digging.
What I hate most though is the term "someone in the Linux community"
being used to describe any attacker? They never talk of other attacks as coming
from "the Microsoft community"? I suggest that anyone carrying out
an attack on SCO is an outcaste from the Linux community at best, a member
of the Criminal community at the least, pond scum and effluent that should be
filtered out and treated.
Again, I hate the attacker for attacking SCO (if one, as it looks may be the
case, did) because it's an attack also on anyone who uses and values the
freedom of the web. I also hate them because it was a couple of days lost when
SCO could not provide more material to be picked over and torn to shreds here on
Groklaw - I've become addicted to watching skilled "web detectives"
researching and pulling to pieces the (mis-)information that otherwise appears
in the press and go unchallenged by the lazy journalists who should verify what
they put into print.
Terry
PS. I would sign up and stop being anonymous if I didn't feel in such awe of
some of the company I'd be keeping...
[ Reply to This | # ]
|
|
Authored by: jsoulejr on Saturday, December 13 2003 @ 08:55 AM EST |
First, even with all our doubts about SCO, we all have to be careful about
jumping to conclusions.
Second, when presented with reasonable doubt, PJ backed off in public. I truly
admire that. I wish all parties in this little squabble followed her example.[ Reply to This | # ]
|
|
Authored by: phrostie on Saturday, December 13 2003 @ 09:52 AM EST |
according to netcraft they went down again last night.
the flip side is that the OS went from unknown back to linux.
---
=====
phrostie
Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.
http://www.freelists.org/webpage/cad-linux[ Reply to This | # ]
|
|
Authored by: phrostie on Saturday, December 13 2003 @ 09:53 AM EST |
according to netcraft they went down again last night.
the flip side is that the OS went from unknown back to linux.
---
=====
phrostie
Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.
http://www.freelists.org/webpage/cad-linux[ Reply to This | # ]
|
|
Authored by: Anonymous on Saturday, December 13 2003 @ 10:57 AM EST |
It seems like www.sco.com, ftp.sco.com and the mail-server does not respond. The
other ones do.
So, if it is some sort of attack it is of a kind which only affects a specific
host not the entire network. In that case the attacker must have decided not to
attack all or he has no capability of attacking more than a few machines at a
time (sounds like a script kiddie).
I saw this trick in a movie... (Matrix)
$ nmap -Ps 216.250.128.0/20
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (216.250.128.4) appears to be up.
Host (216.250.128.5) appears to be up.
Host (216.250.128.10) appears to be up.
Host (216.250.128.20) appears to be up.
Host (216.250.128.21) appears to be up.
Host (216.250.128.22) appears to be up.
Host (216.250.128.23) appears to be up.
Host (216.250.128.24) appears to be up.
Host (216.250.128.25) appears to be up.
Host colonet.caldera.com (216.250.128.32) appears to be up.
Host artemis.caldera.com (216.250.128.33) appears to be up.
Host apollo.sco.com (216.250.128.35) appears to be up.
Host stage.caldera.com (216.250.128.37) appears to be up.
Host cologw.caldera.com (216.250.128.46) appears to be up.
Host colobcast.caldera.com (216.250.128.47) appears to be up.
Host jace.canopy.com (216.250.128.193) appears to be up.
Host register.sco.com (216.250.128.197) appears to be up.
Host bosshog.j2.net (216.250.128.210) appears to be up.
Host scoxweb.sco.com (216.250.128.220) appears to be up.
Host zeus.ut.sco.com (216.250.128.225) appears to be up.
Host www.vultus.com (216.250.128.235) appears to be up.
Host bugzilla.vultus.com (216.250.128.237) appears to be up.
Host (216.250.128.238) appears to be up.
Host ps1.ut.sco.com.com (216.250.128.239) appears to be up.
Host linuxupdate.sco.com (216.250.128.241) appears to be up.
Host uw713doc.caldera.com (216.250.128.245) appears to be up.
Host ou800doc.caldera.com (216.250.128.246) appears to be up.
Host docsrv.caldera.com (216.250.128.247) appears to be up.
Host c7-gw.calderasystems.com (216.250.128.254) appears to be up.
Host NFT.Com (216.250.129.2) appears to be up.
Host Canopy.Com (216.250.129.60) appears to be up.
...and a lot more.[ Reply to This | # ]
|
|
Authored by: Steve Martin on Sunday, December 14 2003 @ 09:21 AM EST |
SCO DoS attack: fact or fiction? [ Reply to This | # ]
|
|
Authored by: wap3 on Sunday, December 21 2003 @ 04:12 PM EST |
So this is a week late and my first post.
Last night I was catching up on the list for the mail server I use at the office
- Mercury32 - and found this posting by the creator of Pegasus Mail and
Mercury32, David Harris.
"As of about midnight last night, I have been under sustained DOS
attack from what appears to be a network of zombie systems.........guessing
that someone has taken offense to my anti-spam position....."
Full posting at:
http://bama.ua.edu/cgi-bin/wa?A2=ind0312b&L=mercury&T=0&F=&S=&P=36206
If SCO thinks they are the _ONLY_ ones to suffer from random acts by clueless
people they do not deserve to be on the internet anyway.
Just my $0.175us
Trey Pattillo
[ Reply to This | # ]
|
|
|
|
|