SCO Is Back Online
Friday, December 12 2003 @ 05:19 PM EST

The very first Linux distro I ever tried was Red Hat. This was some years ago, and I was clueless. It took about a month before I realized my box was 0wned. I don't know when it happened, maybe immediately. But any way you look at it, it was fast.

So I completely reinstalled. It took about 2 weeks before I saw it had happened again. This time, I saw games on my computer I specifically had not installed and weird notes from people inside otherwise normal files.

I completely reinstalled again. It took one day before I was 0wned again. At this point, I knew it was time to figure out the real problem, which wasn't Red Hat. The problem was me. It took me months and months of reading and asking and learning to realize I needed to fix the configuration and set up a firewall and things like that I just didn't know about before.

I couldn't figure that part out fast enough, so I bought Mandrake, because it had a firewall built in with a GUI to make it configurable by newbies, which back then Red Hat didn't have. After that, my life got better.

Why were people cracking into my computer? I don't know and I hated it and them for doing it. It was, I knew, nothing personal. I was, after all, nobody and had no enemies. It just happens. And it happens to everybody. In the office, my firewall constantly noted serious efforts to get in to the Windows box, mostly from places like Korea, where I don't know a soul. So it wasn't that anyone was furious with me or trying to get back at me. It's life on the internet, sadly.

If you go on the internet, you have to be responsible for being there. I felt that responsibility, and so I took the trouble to try to learn, not that I'm an expert. But I wanted to at least be competent. People interact on the internet, so we each have a responsibility not to contribute to problems. Sometimes individuals lack the knowledge to do that well, but surely companies can and should take the time and spend the money to hold up their end. Tom Ridge of Homeland Security gave a speech recently in which he basically told companies to get their computers secured or the government would likely step in and make them take security seriously.

Now, what if I had an agenda? Let's imagine one. What if I was married and my husband and I were arguing over whether or not it's safe to be on the internet for banking and shopping. Let's imagine he says it is safe and I insist it isn't. We each dig our heels in and want to prove the other wrong. What might I do the next time I see my computer was broken into? Would I hide the problem from him and fix it quick? Or, would I more likely let it get even worse so as to demonstrate my point in a way he can't refute and win the argument? Well, in real life, I wouldn't do either, but we are just imagining something to make a point.

SCO, I am happy to say, reports it is back online again. Here is the Techweb report. CAIDA, a highly respected group of researchers, with far greater resources at their disposal than most, is reporting backscatter that would indicate there was some kind of attack in their view. You can read about backscatter here. I have no known reason not to accept their conclusion. It doesn't indicate who did it, of course, not that SCO felt constrained from saying who they think it was, namely somebody in the Linux community.

It is clear, with this further information that something did happen to SCO, so I asked Steve McInerney, the Australian security expert who was quoted in Groklaw's original report, to comment on the new evidence and he provided this statement:

"SCO did suffer a Distributed Denial of Service (DDoS) attack, consisting of two attacks against both their webserver and ftp server. The new, missing, evidence which has so dramatically changed my conclusion was brought to light by CAIDA. This is a most regrettable incident, and I personally condemn the attack. There is no justification for such vandalism. Given that setting up alternate paths for their staff to continue to work and send/receive emails is trivial to both pre-consider and utilize, it is somewhat surprising that SCO did not seem to have done so in order to mitigate. The DDoS is true; I was wrong there. The charge of incompetence still stands."

May I just ask you this question: is there any other company in the world that could announce they were being attacked and have a large section of the world, including security professionals, refuse to believe it until a third party verifies? I put the CAIDA information at the end of our original story yesterday. And I am highlighting it again today, to be honest and fair and to provide all the facts, not just those that I wish were so. Groklaw is about telling the truth, no matter what. It isn't possible for imperfect humans to be right 100% of the time, and a news site has to report as a story unfolds, when all the facts are not always immediately known, particularly in a complex story. But we can surely make sure that as new information comes to light we report it all, and keep the record accurate that way.

The fact that no one in the community could believe this allegation is proof that we don't know anyone who would do such a thing. At least, I know for a fact I don't. I deplore and detest such behavior. I am very sorry this happened to SCO and I condemn it, whoever did it. If SCO is short-staffed and need a helping hand, I am confident the real Linux community, the one that I know, would be glad to help them. The battle in the court room is quite separate, and just as two attorneys can argue fiercely before a judge and then politely shake hands, I feel the same way. I might add that I haven't seen on Groklaw a single comment yet that said anything justifying or approving such an attack. That is as it should be. There are still unanswered questions. We will report further details on this story down the road as they become known.

This can't keep happening to SCO. Groklaw's experts pointed out that there are steps a company can take to prevent and cope with attacks. One of the authors of the CAIDA report said the same:

"'There are definitely things out there that they can buy, or services that solve this problem,' said David Moore, assistant director and researcher at the Cooperative Association for Internet Data Analysis (CAIDA) and an expert on denial-of-service attacks. 'It is just a question of how important your Web site is to you and how much you are willing to spend.'"

This is what Groklaw reported. It's really up to SCO now. If they want to fix their problem, surely they ought to be able to do so. If they don't want to solve the problem, and such events continue to occur, followed by headlines accusing the Linux community before anyone knows who did it, then the question really has to be, why? What's going on?

UPDATE: Here is a snip from an article on InternetWeek regarding our initial report:

"We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included: contributing editor Don MacVittie, who is currently an IT project manager for a major midwestern utility company, and has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, they agreed that Groklaw's analysis of the situation is credible and knowledgeable."


SCO Is Back Online | 193 comments
FTP attacked too?
Authored by: stanmuffin on Friday, December 12 2003 @ 06:22 PM EST
CAIDA's report indicates both AND were targeted in the
SYN flood attack. But the FTP server, as many report, was up and running the
whole time.

Maybe they had tcp_syncookies enabled on ftp, but not on www? If so, then I
don't have a lot of sympathy--not that I condone the attack at all, but their
FTP server weathered it just fine, and their WWW server probably could have as
well, had they configured it properly. You'd think they'd take the time to do
so, considering how this has reportedly happened several times before.

[ Reply to This | # ]

SCO Is Back Online
Authored by: JimM on Friday, December 12 2003 @ 06:23 PM EST

It is very admirable, and right, of you to post the truth, whatever it may be.
This is what sets you and apart from any other place that reports on
this SCO saga. Maybe SCO management can learn a lesson from this about telling
the truth, even if it hurts...

[ Reply to This | # ]

Yup. SCO attack is now believable.
Authored by: jmccorm on Friday, December 12 2003 @ 06:24 PM EST
I think we can all believe that an attack happened on SCO's webservers. The
quote above, which I would echo, is this:
"May I just ask you this question: is there any other company in
the world that could announce they were being attacked and have a large section
of the world, including security professionals, refuse to believe it until a
third party verifies?"

Perhaps this should give SCO some idea of the difference between credibility
and newsworthiness. Compare/contrast: The Raelians.

[ Reply to This | # ]

PJ Goddess of Grok
Authored by: p0ssum on Friday, December 12 2003 @ 06:25 PM EST
Well said, all the way around, much like an IBM lawyer ;-).

Anyhow, I will take this opportunity to say, that I too was incorrect. I'm sure
it won't be the last time. The final piece of the puzzle fit when they said
they immediately shut down the machines. That would explain the NetCraft info.

Thanks PJ for everything you do, above all else integrity.

Never argue with an idiot.

They drag you to their level and then beat you with experience.

[ Reply to This | # ]

BOYS you are in LUCK!
Authored by: jkondis on Friday, December 12 2003 @ 06:25 PM EST
"What if I was married and my husband and I..."

Do I have to say more?

Sorry for the OT cheap shot. ;) In any event, I mostly agree, that illegal behavior should not be condoned. Oh, and I agree that SCO is incompetent. And that nobody believes SCO because they have shown themselves to be a bunch of liars.


[ Reply to This | # ]

Yeah, but ....?
Authored by: blhseawa on Friday, December 12 2003 @ 06:28 PM EST
TSG may be back online ... but I found several things that don't add up, so
I've written a little HTTP spider program that gets the TSG home page once each day and
does a diff on the page to determine what has changed.

It has been running every morning since I first reported on this.

I can report that before, during and after, the TSG home page has changed, and we are
not talking spelling errors here either.

The TSG home page uses a mix of JavaScript and VBScript depending on which
browser is detected, mostly to do with Flash support of their web site. The main
page menu bar is built using JavaScript. Nothing out of the ordinary here in

That said, by comparing the TSG homepage to the previous day's homepage, changes
in the layout or organization of the web site can be checked.

Prior to coming up this morning, the web site used HTML based (coded) pages, and the
menubar JavaScript was radically altered when compared to before, during and
after the attack.

There are a number of valid reasons why this might have occurred, as has already
been pointed out by Groklaw readers.

However, this morning there was a new wrinkle. The TSG web site is
now coding its pages to the XHTML standard. This wasn't there before.

I just find it interesting, as something like changing from HTML to XHTML is not
something that is done casually.

Anyway, having had web sites that were the target of DoS attacks, I've never
seen a web site change aspects of its technology like that.

I will continue to monitor the home page, and report any significant changes.

[ Reply to This | # ]

Authored by: Anonymous on Friday, December 12 2003 @ 06:29 PM EST
Seriously uncool. There are much more effective ways of dealing with SCO than
attacking their infrastructure.

I'm glad to see so many people here at Groklaw who are exploring those more
effective ways to their fullest extent. :-)

[ Reply to This | # ]

  • ddos. - Authored by: jwoolley on Friday, December 12 2003 @ 06:31 PM EST
SCO Is Back Online
Authored by: sef on Friday, December 12 2003 @ 06:35 PM EST
Told you :).

Well, more of a :(, 'cause it's a bad, bad, bad thing. Mainly 'cause it lets
SCO stay in the news as the victim they want to portray themselves to be.

[ Reply to This | # ]

Loss of Productivity?
Authored by: shoden on Friday, December 12 2003 @ 06:38 PM EST
Interesting that they were able to get a press release out blaming the Open
Source community when there was such a loss of productivity over the last few
days. You'd think it would be all hands on deck working to find the
"universe" that Kevin McB kept talking about.

Also, why do they keep screaming, "We're vulnerable!" It just
doesn't make sense to me.


MR. MCBRIDE: Your Honor, I have a smaller, obviously --

[ Reply to This | # ]

SCO Is Back Online
Authored by: blhseawa on Friday, December 12 2003 @ 06:48 PM EST
I'm not sure which web site archives might have these.

On the machine I've been running this on, I have copies of the page for each
day, both before, during, and after.

I can publish the results of the compares; I'm not sure I can publish the pages.

The script I have running uses the fact that Mozilla and Firebird both save
cached copies of pages that have been fetched (HTTP protocol GET command), and so I have
Firebird get the page, then I just copy the page from the cache to another
directory and change the filename, adding a date/time stamp. Then I can run diff
on the current page against the previous day's page. That's how the script
works that I wrote.

But for the command-line I can diff any pair of pages.

I was just curious: after the last TSG report of a DoS, several Groklaw
readers reported changes in the www.sco.web site. So, I thought I'd just keep
an eye on it.

If someone knows of public archives of the website home page, I'll modify my
scripts and publish them here.

Anyway, that's what I've done. Most of the changes aren't worth reporting,
but I thought the HTML ---> XHTML was worth noting. The page layout and
indenting is a lot nicer to read now too!

For those that care, to see the source code that the browser renders on the
screen, in Firebird just click View and then Page Source, and the browser brings
up a window with the source code view of the rendered page. A while back I noticed
that the style wasn't consistent and neither were the changes, so I've just
been watching it.

[ Reply to This | # ]
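The commenter's approach (a dated copy of each day's page, then a diff against the previous day) as an added Python example. This is not the commenter's script and not anything from Groklaw or SCO; it separates fetching from comparing so the comparison can be exercised offline, and it flags the two kinds of change the commenter cared about, the DOCTYPE (HTML versus XHTML) and the inline menu JavaScript. `fetch_page`, `store_snapshot` and `compare_latest` are this example's own names, and the two HTML pages are constructed for the demo.

```python
"""Snapshot-and-diff monitor for a site's home page.

Added example, not the commenter's script and not SCO's page. Each run stores
one dated copy of the page; compare_latest() diffs the two newest copies and
reports whether the DOCTYPE or the inline scripts changed.
"""
from __future__ import annotations

import difflib
import hashlib
import os
import re
import tempfile
from datetime import date
from urllib.request import urlopen

DOCTYPE_RE = re.compile(r"<!DOCTYPE[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def fetch_page(url: str, timeout: int = 30) -> str:
    """Fetch the page over HTTP (the offline demo below does not call this)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def store_snapshot(store_dir: str, html: str, day: str | None = None) -> str:
    """Write one dated copy, like the commenter's cache copy with a timestamp."""
    os.makedirs(store_dir, exist_ok=True)
    day = day or date.today().isoformat()
    path = os.path.join(store_dir, f"home-{day}.html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(html)
    return path


def doctype(html: str) -> str:
    match = DOCTYPE_RE.search(html)
    return match.group(0) if match else ""


def compare(old: str, new: str) -> dict:
    """Report what changed between two snapshots of the page."""
    digest = lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest()
    return {
        "changed": digest(old) != digest(new),
        "doctype_changed": doctype(old) != doctype(new),
        "is_xhtml_now": "xhtml" in doctype(new).lower(),
        "scripts_changed": SCRIPT_RE.findall(old) != SCRIPT_RE.findall(new),
        "diff": list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                          "previous", "current", lineterm="")),
    }


def compare_latest(store_dir: str) -> dict | None:
    """Diff the two most recent snapshots in the store (None if fewer than two)."""
    names = sorted(n for n in os.listdir(store_dir) if n.startswith("home-"))
    if len(names) < 2:
        return None
    with open(os.path.join(store_dir, names[-2]), encoding="utf-8") as fh:
        old = fh.read()
    with open(os.path.join(store_dir, names[-1]), encoding="utf-8") as fh:
        new = fh.read()
    return compare(old, new)


# Constructed pages: an HTML 4 page, and the same page after a move to XHTML
# with a rewritten menu script. Neither is the real SCO home page.
DAY1_HTML = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>Home</title>
<script type="text/javascript">
function buildMenu(){ document.write('<a href="/products">Products</a>'); }
</script></head>
<body onload="buildMenu()"><h1>Welcome</h1></body></html>
"""
DAY2_HTML = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Home</title>
<script type="text/javascript">
function buildMenu(){ var m = ['Products', 'Support']; for (var i = 0; i < m.length; i++) document.write('<a href="/' + m[i].toLowerCase() + '">' + m[i] + '</a>'); }
</script></head>
<body onload="buildMenu()"><h1>Welcome</h1></body></html>
"""


def demo() -> dict:
    """Store two days of constructed snapshots in a temp dir and compare them."""
    store = tempfile.mkdtemp(prefix="homepage-monitor-")
    store_snapshot(store, DAY1_HTML, "2003-12-10")
    store_snapshot(store, DAY2_HTML, "2003-12-12")
    return compare_latest(store)


if __name__ == "__main__":
    report = demo()
    for key in ("changed", "doctype_changed", "is_xhtml_now", "scripts_changed"):
        print(f"{key}: {report[key]}")
    print("\n".join(report["diff"]))
```

A daily cron entry that calls `store_snapshot(store, fetch_page(url))` followed by `compare_latest(store)` reproduces the commenter's routine; keying on the DOCTYPE and script bodies rather than the raw hash keeps rotating banners and timestamps from drowning out the structural changes the commenter was watching for.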

still not convinced
Authored by: phrostie on Friday, December 12 2003 @ 06:49 PM EST
does anyone know the names of the agents that are handling it?
has anyone confirmed that they are talking to the secret service?
the timing was too good for them so that everyone would forget that they got
their butts kicked in court.
forgive me if i keep one eye open.

if they have told the truth, it must have been an accident.

Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.

[ Reply to This | # ]

SCO Is Back Online
Authored by: mdchaney on Friday, December 12 2003 @ 06:51 PM EST
They could have walked down the hall and enabled syn cookies at the console and
been back in business in 5 minutes. They have no excuse, about 50 different
people posted explicit instructions on Groklaw about how to do that. Given that
their web site underwent even more revisions while down, plus the fact that
they're claiming this attack knocked out their intranet and mail server, this
whole little incident still smells really fishy.

[ Reply to This | # ]
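The setting the two commenters above (stanmuffin and mdchaney) keep coming back to, as an added Python example that is neither their code nor a dump from SCO's hosts. It parses `sysctl -a`-style text, reports the Linux kernel settings that leave a TCP listener exposed to a SYN flood, and returns the console `sysctl -w` commands that fix them. The two dumps are constructed to match stanmuffin's hypothesis (SYN cookies on the FTP host, off on the web host); the backlog and retry thresholds are this example's own recommendations, and a missing key is treated as the weak value.

```python
"""Audit Linux sysctls that decide whether a SYN flood takes a listener down.

Added example; not the commenters' code and not SCO's configuration.
"""
from __future__ import annotations

# (key, value assumed when the key is absent, pass test, hardened value, why)
# Thresholds are this example's recommendations. tcp_syncookies is the decisive
# one: with cookies on, a full SYN backlog no longer blocks new connections,
# because the handshake state is encoded in the SYN/ACK sequence number instead
# of a half-open entry held for every spoofed SYN.
CHECKS = [
    ("net.ipv4.tcp_syncookies", "0", lambda v: v == 1, 1,
     "SYN cookies off: once the SYN backlog is full, new connections are dropped"),
    ("net.ipv4.tcp_max_syn_backlog", "128", lambda v: v >= 1024, 2048,
     "backlog this small fills within a fraction of a second of flood"),
    ("net.ipv4.tcp_synack_retries", "5", lambda v: v <= 3, 2,
     "each spoofed SYN holds a half-open slot through that many SYN/ACK retransmits"),
]


def parse_sysctl(text: str) -> dict[str, str]:
    """Parse 'key = value' lines as printed by `sysctl -a`; skip comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def failing_checks(text: str) -> list[tuple[str, int, int, str]]:
    """(key, current value, hardened value, reason) for each failed check."""
    settings = parse_sysctl(text)
    failed = []
    for key, absent, ok, fix, why in CHECKS:
        value = int(settings.get(key, absent))
        if not ok(value):
            failed.append((key, value, fix, why))
    return failed


def audit_syn_flood_settings(text: str) -> list[str]:
    """Human-readable findings, one per weak setting."""
    return [f"{key}={value}: {why}" for key, value, _, why in failing_checks(text)]


def remediation_commands(text: str) -> list[str]:
    """Console commands (no reboot needed) that bring the host to hardened values."""
    return [f"sysctl -w {key}={fix}" for key, _, fix, _ in failing_checks(text)]


# Constructed dumps, not real hosts: a web host with cookies off and a small
# backlog, and an FTP host that already has cookies on.
WWW_SYSCTL = """# constructed: web host
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.ip_forward = 0
"""
FTP_SYSCTL = """# constructed: ftp host
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 3
"""

if __name__ == "__main__":
    for name, dump in (("www", WWW_SYSCTL), ("ftp", FTP_SYSCTL)):
        print(f"== {name} ==")
        for finding in audit_syn_flood_settings(dump) or ["no findings"]:
            print("  " + finding)
        for cmd in remediation_commands(dump):
            print("  fix: " + cmd)
```

The `sysctl -w` lines take effect immediately but do not survive a reboot; the same keys belong in `/etc/sysctl.conf` to make them permanent. SYN cookies keep the handshake working when the backlog is flooded; they do nothing against a flood that saturates the link itself, which is the part that needs the upstream provider or the commercial services the CAIDA researcher mentions.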

Authored by: brice on Friday, December 12 2003 @ 06:53 PM EST
PJ, You are a true leader. I think you just set a new high-water mark for
respectability in the online SCO debate.

I think everyone who has taken a side in this SCO litigation - and who hasn't -
should look to your example. Both sides, all sides, everyone.

Thank You from the Bottom of My Heart,

[ Reply to This | # ]

SCO Is Back Online
Authored by: rjamestaylor on Friday, December 12 2003 @ 06:59 PM EST
Thank you for the introductory context about life on the Internet. I remember
when I used to connect directly to the Internet without a firewall...those were
the good ol' days. I also remember playing with my little brother when we were
young in the front yard of our major-street facing house. Do I let my children
GO to the front yard today? No way! And would the police sympathize with me if I
let them play in the front without supervision and something untoward happened?
Not on your life -- I'd at least be treated as the negligent parent that I was.
Times change; people adapt.

That's the problem with SCO in this case. It's not that any attack is
justified -- it is not justifiable to attack other's computers (Not even if
Congress thinks it is, but that's another story). But it is also not acceptable
to be negligent and not take ordinary measures to protect oneself from attack.

In fact Linux developers and system admins would gladly assist SCO to solve
their vulnerability to attack. We want on-line. Some of the best
refutation to their claims against Linux, the Linux community, etc., is found on It helps expose the FUD that SCO execs spew to have up, running
and able to quickly serve pages.

But how would it look for a Linux distributor, a founding member of UnitedLinux,
a provider of security patches and consulting services for Linux to need to
bring in outside experts to solve their inability to mitigate against easily
mitigated attacks? Silly? Yeah. But it's starting to look staged, or, at least,

That press release sure hit the wires fast, huh?

SCO delenda est! Salt their fields!

[ Reply to This | # ]

HOW TO defeat SYN Flood... by SCO
Authored by: shoden on Friday, December 12 2003 @ 07:04 PM EST
Interesting FAQ on the SCO Resources Security page. I guess it's too bad they are not using UnixWare 7.1.0 or they'd know how to defeat SYN flood attacks.


MR. MCBRIDE: Your Honor, I have a smaller, obviously --

[ Reply to This | # ]

Boy Who Cried Wolf
Authored by: Rhys Weatherley on Friday, December 12 2003 @ 07:06 PM EST
SCO is like the boy who cried wolf. They've misrepresented the facts so many times in the past that it is simply no longer possible to take them seriously even if they tell the truth.

Even if they were attacked, jumping to the conclusion that it must be "those open source people" is a bit much. It could simply be some misguided uni student. They make it sound like there is some grand conspiracy by nefarious parties to get them.

Free clue for Darl, et al: there *is* a grand conspiracy to get you. Not via nefarious means, but via Groklaw-style finding of the facts and slapping you with them. You know, the facts that you yourself refuse to provide.

[ Reply to This | # ]

SCO Is Back Online
Authored by: Anonymous on Friday, December 12 2003 @ 07:10 PM EST
Don't know if anyone has thought of this yet, but shouldn't this be sent to
the editors that the comments about serious doubt about the attack were sent

You know, just to show SCO how to make corrections to statements they make, and
that everyone here is really levelheaded, and not the type to duck for cover
when they make a mistake.

[ Reply to This | # ]

Backscatter analysis not 100% reliable
Authored by: Anonymous on Friday, December 12 2003 @ 07:14 PM EST
If you read the report on backscatter analysis you will see that the authors
acknowledge that backscatter itself can be spoofed. They talk about spoofing as
a way to bias the CAIDA sampling of all current DoS attacks and conclude that it
would be difficult to do (would probably require the same level of resources as
a real DoS), and do not mention spoofing the existence of a single DoS attack.

From my reading, it seems like spoofing a DoS attack against yourself would be
relatively trivial - simply run one of the automated DoS attack programs on
another machine on the local network segment. Your local bandwidth will be
enough to allow plenty of backscatter so as to look like a real DoS. You also
don't have to worry about anyone doing ingress filtering on your attack packets
since it is all on your own local network.

Depending on the specific DoS attack, there may or may not be enough state
information (sequence numbers keyed from the attacking machine) in the
backscatter to indicate the attacks all came from the same single, or small
number of boxes. I haven't looked closely at the specifics of the various DoS
responses to say for sure yet, but if that info is there then one could
conceivably identify such a spoofing from that.

So, some obvious questions are:
1) Would SCO DoS themselves for publicity?
Given the speed at which they were able to put out a press release, yes.

2) Would SCO be smart enough to know about backscatter and so take this
"provable" route on purpose?
No. But, it could just be serendipity - they just wanted to fake a DoS and it
was convenient to run the tool on their local network, the backscatter results
were just an unexpected benefit.

3) Is an anonymous poster credible?
No, but you can go read the backscatter paper yourself and if you aren't a
network guy, ask your favorite one and see if they agree.

[ Reply to This | # ]
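The inference behind the CAIDA report that the article cites and this comment picks apart, as an added Python example that is not CAIDA's code. A flooder spoofs random source addresses, so the victim's replies (a SYN/ACK from an open port, an RST from a closed one) land all over the Internet, and a telescope watching an unused address block sees its share. The example groups those replies by victim and port, scales the count by the telescope's share of the address space to estimate the reply rate, and records whether the port was still answering handshakes. Assumed here: the telescope is 10.0.0.0/8, i.e. 1/256 of IPv4, the packet-summary format is this example's own, and the capture is constructed.

```python
"""Backscatter inference over a constructed telescope capture.

Added example, not CAIDA's code or data. Records are 'ts src:sport > dst flags'.
"""
from __future__ import annotations

from collections import Counter, defaultdict

TELESCOPE_FRACTION = 1 / 256            # a /8 telescope (assumption)
BACKSCATTER_FLAGS = {"SA", "R", "RA"}   # replies a victim sends to a spoofed SYN
MIN_PACKETS = 5                         # fewer than this is treated as scan noise


def parse_records(text: str) -> list[tuple[float, str, int, str, str]]:
    """Parse one packet summary per line into (ts, src_ip, src_port, dst, flags)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, flags = line.split()
        ip, port = src.rsplit(":", 1)
        records.append((float(ts), ip, int(port), dst, flags))
    return records


def infer_victims(text: str) -> dict[str, dict]:
    """Group backscatter by (victim IP, port); estimate each flood's reply rate."""
    groups: dict[tuple[str, int], list[tuple[float, str]]] = defaultdict(list)
    for ts, ip, port, _dst, flags in parse_records(text):
        if flags in BACKSCATTER_FLAGS:      # a bare SYN is a probe, not a reply
            groups[(ip, port)].append((ts, flags))
    summary = {}
    for (ip, port), hits in groups.items():
        if len(hits) < MIN_PACKETS:
            continue
        times = [t for t, _ in hits]
        duration = max(max(times) - min(times), 1.0)
        flag_counts = Counter(f for _, f in hits)
        summary[f"{ip}:{port}"] = {
            "packets": len(hits),
            "flags": dict(flag_counts),
            "duration_s": duration,
            # The telescope sees TELESCOPE_FRACTION of the victim's replies, so
            # the victim's total reply rate is the observed rate scaled up.
            "est_rate_pps": len(hits) / duration / TELESCOPE_FRACTION,
            # SYN/ACKs mean the port still completed the handshake's second
            # step during the flood; a host that was down would send nothing.
            "service_responding": "SA" in flag_counts,
        }
    return summary


def ports_targeted(summary: dict[str, dict], ip: str) -> list[int]:
    """Ports of one victim that show enough backscatter to count."""
    return sorted(int(k.split(":")[1]) for k in summary if k.startswith(ip + ":"))


# Constructed capture: one victim (TEST-NET address) flooded on 80 and 21, two
# stray RSTs below the threshold, and a scanner's SYN that is not backscatter.
SAMPLE_LOG = "\n".join(
    [f"{1071266400 + i}.0 192.0.2.10:80 > 10.{i}.3.9 SA" for i in range(12)]
    + [f"{1071266400 + 2 * i}.0 192.0.2.10:21 > 10.{50 + i}.8.2 SA" for i in range(6)]
    + ["1071266405.0 198.51.100.5:22 > 10.9.9.9 R",
       "1071266406.0 198.51.100.5:22 > 10.9.9.10 R",
       "1071266407.0 203.0.113.7:4444 > 10.1.2.3 S"]
)

if __name__ == "__main__":
    for victim, info in infer_victims(SAMPLE_LOG).items():
        print(f"{victim}: {info['packets']} pkts over {info['duration_s']:.0f}s, "
              f"~{info['est_rate_pps']:.0f} replies/s, flags={info['flags']}, "
              f"responding={info['service_responding']}")
```

Two limits the commenter raises are visible in the code: the victim's replies go to whatever addresses the flooder chose, so nothing in the capture identifies the flood's origin, and replies look identical whether the spoofed SYNs crossed the Internet or came from a host next to the victim. What the data does show is which ports were hit and that they kept answering SYN/ACKs, which is why SYN/ACK backscatter from port 21 is consistent with the FTP server staying up, as earlier comments noted.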

Grammar correction
Authored by: Anonymous on Friday, December 12 2003 @ 07:28 PM EST
You repeatedly spell Internet with a lowercase "i". It's a proper
noun and should be capitalized. Not a big deal of course.

[ Reply to This | # ]

SCO Is Back Online
Authored by: tyche on Friday, December 12 2003 @ 07:39 PM EST
PJ et al:

I am not a sys-admin, though I do know one. I am also not a programmer. In fact, there are a great many things that I am not. However. . .

I have had occasion to need to supply information to people that I really didn't like. I've done it, and as pleasantly as I could, simply because that was the way I was brought up. I've taught people AutoCAD even after they've REALLY irritated me, and the only ones that I haven't taught were those who wouldn't learn.

PJ, your attitude toward SCOG is commendable and I echo it. Had I the knowledge and were they to ASK for help I would do my best to provide that help. Why? Because of my OWN self respect. I cannot be the person that I am without helping to the best of my ability when asked.

That's just the way I am.



"The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge."
Stephen Hawking

[ Reply to This | # ]

Agents Smith, Smith & Smith
Authored by: Tim Ransom on Friday, December 12 2003 @ 07:49 PM EST
From this article:
'SCO CEO Darl McBride told recently that the threats to SCO are not only of a digital nature. McBride said some executives have received death threats, angry late-night phone calls and challenges to fistfights. "The vast majority of these [threats] have been of the crank-call variety," McBride said. "We have hired the best personal security team. They have worked through these threats and determined that some have come from people with records who have done time in the big house. We take these very seriously."'

So SCO has V.I.P. on the case, and they've identified threats coming from 'people with records who have done time in the big house'. So are they going to have the Secret Service arrest them?
I know I have a lot of vinyl LPs, but a one bedroom apartment probably doesn't qualify as 'the big house'.
Also, I would never threaten anyone still working for SCO, 'cause carny folk are the only thing that frightens me!
Thanks again,

[ Reply to This | # ]

SCO Is Back Online
Authored by: Anonymous on Friday, December 12 2003 @ 07:52 PM EST
I wasn't happy yesterday with the knee-jerk "SCO is lying"
attitude. At Slashdot, folks that suggested there was room for doubt were
called SCO sympathizers. Given that SCO is not liked by so many, it hardly
surprises me that some might find a way to attack them. If this happens again,
give it time before forming an opinion and look at what they say with an open
mind, just as you should with what they purport to be legal evidence. Remember
that it helps them if they can show obvious and unreasonable bias in those who
disagree with them.

Me, I can't stand SCO, but I also can't stand people that jump to condemn them
for something they didn't do.

[ Reply to This | # ]

Oh no, SCO has another scam
Authored by: kurt555gs on Friday, December 12 2003 @ 07:53 PM EST
I was just reading another website that details the next SCO attack

It can be found here:

PS. I hope that I am not causing Groklaw to be slow, but this is
becomming my favorite website.

I never had a PayPal account, really didnt want one. I wish PJ wouldtake

To: PJ

You really have started a 'movement' and you deserve every bit of credit,
and more.

Thanks you ever so much.


* Kurt *

[ Reply to This | # ]

SCO Is Back Online
Authored by: kbwojo on Friday, December 12 2003 @ 07:58 PM EST
After all is said and done I really feel sorry for TSG sales people the most. I
can picture what their job is like now.

TSG Sales Rep: Hello, I represent TSG and wanted to know if you are interested
in any of our e-business services.

Potential Customer: I think I just read about your company in the news. Aren't
you the company that has had its servers taken down by a DDoS attack 3 times
in the last few months?

TSG Sales Rep: (Gulping) Yes, that's our company.

Potential Customer: So let me get this straight, you can't protect your own site
and keep it up and running yet you want to run ours? No thanks. (click)

Then again, when your real business is litigation it really doesn't matter that
you might hurt your secondary business by highlighting your own incompetence in
the news just so you can try to discredit the Linux community.

[ Reply to This | # ]

PJ, Your Bias is Showing
Authored by: hbo on Friday, December 12 2003 @ 08:42 PM EST
I think this DDOS has shown up a couple of your biases, PJ. Here's what I think they are:
  • SCO lies a lot, so they probably are now.
  • The FOSS community is held together by idealism. Those I know in that community are definitely idealistic.
    Therefore, nobody in the FOSS community could do something like this.
It's hard to avoid the first one under these circumstances. But it's clear that SCO doesn't always lie. That makes me wonder about their case, too. They haven't shown their cards yet. One explanation for this is that they have no cards. Another could be that they are holding back for tactical reasons. I don't know which is true. Do you? Things will be clearer after a month from last Wednesday, I hope. The second one is understandable too. I think the FOSS developer community is a lot less likely to include jerks responsible for something like this than the Linux user community. While both have grown enormously over the last several years, the latter is much larger than the former. It only takes one or two badly disposed, not to say stupid individuals to cause something like the attack that was mounted on SCO last week.

Now, I'm not posting this to annoy you. I think you have been a very valuable resource in digging up information that may well help tip the scales in the SCO vs IBM case. I'm posting this because I'm concerned that you may be a less effective resource if you let your biases get in the way of your research. It's too much to ask, and silly besides, that you start each morning forgetting everything you know about SCOG. In the same way, it's impossible to view the world without bias, and harmful to try. The trick is knowing your own biases, and then using them appropriately.

Forgive me for the lecturing tone. I'd just like to see you succeed in your endeavor even better than you have up to now. That would be a good trick, because your success is unquestionable.

"Even if you are on the right track, you'll get run over if you just sit there" - Will Rogers

[ Reply to This | # ]

Groklaw (we) were not wrong actually
Authored by: Beyonder on Friday, December 12 2003 @ 08:45 PM EST
I love how everyone just instantly jumps on the bandwagon without any regard to
any sort of detailed analysis of the data provided.

CAIDA's info has been shown to be flawed; they claim the FTP was under attack the
first day, when it wasn't affected at all.

Their "logs" are inconclusive, and rather useless.
If someone (even a customer) had sent those logs into any of the ISPs I've ever
worked for stating they were evidence of an attack, they'd have been laughed
at. Would more detailed checking have been done? Yes, but the ISP admins hate to
waste time; it'd go something like this:

Client: "we're under SYN attack, both web, ftp, etc"
admin: "well, your web seems to be down, yes, but your ftp is fine"
client: "sorry, it's just a regular attack"
admin: "there's no latency on your network"
client: "take a look at this log from CAIDA, we're under attack, see the
RSTs from our ftp site"
admin: "that's real nice, can you give us something useful? As we just
said, your ftp is fine, this is meaningless"
and that's about the size of that...

and without further information (more detailed) or a proper analysis, I don't
accept CAIDA's info as proof of anything. It could easily be (and usually is)
just normal traffic.

[ Reply to This | # ]

backscatter discussed
Authored by: Tim Ransom on Friday, December 12 2003 @ 09:18 PM EST
Moore et al.'s techniques may not be proof.
From this article:
'Although anecdotal reports about DDoS attacks--which hackers used to cripple Yahoo, eBay, E-Trade, and Microsoft in the past year--indicate a serious problem, no one really identified the extent of the trouble until the UCSD study.
Since this is uncharted territory, the researchers' methodology and conclusions bear close scrutiny, according to Martin Fong, a senior software engineer at SRI specializing in Internet security.
"I think what they've done is establish a methodology, but I don't know if they've established a baseline," Fong says. "It's a good starting point, but this [quantitative measurement] relies on a tremendous amount of cooperative effort."'

Thanks again,

[ Reply to This | # ]

SCO Is Back Online
Authored by: Anonymous on Friday, December 12 2003 @ 09:22 PM EST
several things i'm not happy with on this story:

1. As others have pointed out, if the SCO webserver was attacked in a syn
flood, and was taken offline, then there's NO server to do the syn ack...hence
no outgoing backscatter. So where was the backscatter coming from? Santa claus
and Rudolf delivering Xmas presents early?

2. Was the SCO webserver syn patched? If not, why? Are they going to claim
insurance for damages? I hope not, since they didn't make *every* effort
themselves to ensure security.

Yes it is ensure, not insure - we're talking British English here, not Yankee
English - for those that want to argue, as per the Oxford Dictionary of English:

ensure /, /
1 (often foll. by that + clause) make certain.
2 (usu. foll. by to, for) secure (a thing for a person etc.).
3 (usu. foll. by against) make safe.
[Middle English via Anglo-French enseürer from Old French aseürer assure]

insure //
1 (often foll. by against; also absol.) secure the payment of a sum of money in
the event of loss or damage to (property, life, a person, etc.) by regular
payments or premiums (insured the house for £100,000; we have insured against
flood damage) (cf. assure 3).
2 (of the owner of a property, an insurance company, etc.) secure the payment of
(a sum of money) in this way.
3 (usu. foll. by against) provide for (a possible contingency) (insured
themselves against the rain by taking umbrellas).
4 US = ensure.
insurable adj.
insurability // n.
[Middle English, variant of ensure]

3. How did SCO manage to get a press release out so quick?

4. *most* companies would take down the block of IP addresses pronto in an
attack like this, including ftp. Since ftp doesn't deal with syn acks how was
it attacked? And why did it flood?

5. It doesn't explain items disappearing from the ftp server whilst it was
still online before going down. After the ftp server went down and then came
back up again, things were still missing.

6. It doesn't explain intranet or mail servers being compromised (unless SCO
have a very very very bad network topology setup). I'll give an example - I
worked for a large multinational company (much larger than SCO) and they were
hit by code red on a windows platform. It took down their webservers. But it
didn't affect the performance of the intranet. Or the Oracle server. Why?
Network design.

I think the likely thing is that SCO got cracked big time. Someone broke into
their systems and *ucked with the webserver, ftp server and remotely compromised
machines. Then they uploaded a rootkit of some sort and started DDoSing the
network/intranet from inside SCO. Hence the backscatter. Hence backscatter
appearing *after* the webserver was taken down.

I'm no network expert, far from it. But could the above be possible? If so,
opinions from network experts would be appreciated.


[ Reply to This | # ]

SCO Is Back Online
Authored by: Anonymous on Friday, December 12 2003 @ 09:34 PM EST
Doubts Linger About SCO's Cyber-Attack Claims

[ Reply to This | # ]

OT question
Authored by: Anonymous on Friday, December 12 2003 @ 10:29 PM EST
I have been wondering ever since I heard of attacks perpetrated by spoofing IP
addresses. Could a security professional explain to me why ISP routers do not
verify valid IP addresses on packets right at the front door? How hard could
it be? Do we need legislation to this effect?

[ Reply to This | # ]

SCO "attack" even if real, not done by OSS people
Authored by: Anonymous on Friday, December 12 2003 @ 10:31 PM EST
Heh. So, the web site is "attacked". Everyone says "WTF? Why is
the FTP site still up?". Then the FTP site is "attacked", after
everyone had pointed out that SCO are probably faking.

Hint: If anyone stupid but still considering themselves "on the
Linux side" were responsible for the attack, they would NOT move
to correct inconsistencies in SCO's reporting of the attack by
redirecting the attack. If anything, they'd keep the web site
attack going without touching other servers to keep up the
impression that SCO are lying.

Clearly, while a real ddos might have taken place, it was by
someone more friendly to SCO than to Linux, as the second wave
moved to correct the exact problems with SCO's story previously
pointed out on groklaw - THAT's what the CAIDA graph reveals.

I mean honestly, syn attack? C'mon! And what sort of company
puts out glossy press releases saying "YEAH! We're under attack!
and we can't handle it!". Not an operating systems company,
that's for sure...

One for the conspiracy theorists: Any MS pc is intrinsically
backdoorable by Microsoft, and you might never know unless
you've got a traffic sniffer on the network segment. If MS
themselves want to launch a DDOS, they have 89% or so of the
internet's computers to help them...

[ Reply to This | # ]

20 mbit? That's all?
Authored by: Anonymous on Friday, December 12 2003 @ 10:37 PM EST
We've successfully defended against DDoS attempts from foreign nationals looking to extort money... attacks well in excess of 40mbit just in SYNs alone, with another 15 or 20mbit in random UDP flood.

Any reasonably well appointed network with a sturdy infrastructure upstream could handle that with minimal damages. In our case, our peak output bandwidth dropped around 15% (due more to pipe saturation than anything else) and all our services were available.

Perhaps SCO can't effectively defend against such attacks because all their respectable administrators have jumped ship?

[ Reply to This | # ]

Always seeing the worst in people...
Authored by: Anonymous on Friday, December 12 2003 @ 10:51 PM EST
I don't know. Call me a cynic, but after all the crap SCO's leaders have
spouted since this whole thing began, you'll have to pardon me that I wouldn't
put it past them to initiate a DoS attack on their own bloody servers just so
they could play the victim.

Not possible, you say? How about people that torch their own businesses to get
the insurance money?

I'm not saying they did. I just wouldn't be surprised.

[ Reply to This | # ]

Check it out....
Authored by: p0ssum on Friday, December 12 2003 @ 10:57 PM EST


Bruce Schneier, CTO of Counterpane Internet Security, agreed that SCO does not appear to have been under a SYN attack. "SCO's self-diagnosis makes no sense," he said. "But that doesn't mean SCO is lying."

He added, "We have no idea. We'll never know. Clearly, it's not a SYN flood, they're wrong about that. The question is, are they lying, or is a clever hacker doing something to them that looks to a naive observer like a SYN flood?"


We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included: contributing editor Don MacVittie, who is currently an IT project manager for a major midwestern utility company, and has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, they agreed that Groklaw's analysis of the situation is credible and knowledgeable.

I think that says it all. There are still too many unanswered questions. Something definitely happened according to CAIDA; the question is, what was it really?

There are 10 types of people in this world, those that understand binary and those that do not.

[ Reply to This | # ]

Did SCO attack themselves?
Authored by: WhiteFang on Friday, December 12 2003 @ 11:05 PM EST
Over on the Yahoo SCOX Finance Board, we've been discussing this issue
ourselves. There are a lot of pieces to this puzzle which "don't

1} After having been attacked this way previously, why were the servers still
running with SYN_COOKIEs off?

2} Why was SYN flood protection not enabled on the CISCO router?

3} Are you aware that CAIDA requires that you pay them money to monitor your IP

4} Are you aware that CAIDA can be spoofed?

5} SCOX issued 3 press releases through PRNewswire (I think 3) while SCOX'
network was down. Coincidentally enough, PRNewswire submissions are usually done
over the Web.

6} Do you know of any other company that issues press releases to advertise how
incompetently they administer their network?

7} CAIDA essentially reports that bandwidth through their link was saturated.
Yet their link is in XO. Why were the rest of the Canopy companies accessible at
all times?

8} The FBI has the proper charter to investigate these incidents. Yet the Secret
Service is listed as (not yet confirmed) lead investigators. Apparently, the FBI
told SCOX to get bent after the last investigation when 'nothing was found'. I
don't know the truth of this but it is very odd for the Secret Service to get
involved. The only other instances where the Secret Service has gotten involved
in DDoS attacks was a situation of potential large scale credit card fraud. SCOX
certainly doesn't fit _that_ profile.

I consider there to be three possibilities:

A} SCOX deliberately left their network open to attack in the _hope_ that
someone would attack it.

B} SCOX paid off a Black Hat to either attack their site or make it look like
their site was attacked.

C} SCOX simply doesn't have the (extremely simple) expertise to set up SYN
flood protection.

For A}, SCOX could be looking for the opportunity to spew more FUD. Notice the
weasel-worded press releases tying the Linux Community and possible
"terrorism" together.

For B}, I see a lot of different incentives for SCOX to have engineered their
own attack. This might be a valid way to allege "The Dog Ate My
Homework" and ask for more delay. Or, they might claim their network was
damaged, get the backup archives from off site and attempt to
"clean" evidence.

For C}, we've seen their incompetence in many areas already. Of course, their
incompetence in securing their own network doesn't say much for their
'enterprise' capabilities. {chortle}

A} seems to be exactly the underhanded kind of stunt that they would try to pull
simply for the FUD factor. It's also in their cranial capability. C} also seems
to be a high probability choice.

B} requires a lot of smarts. But ... many people have expressed the concept of
"something else being up SCOX' sleeve because they can't really be this
stupid." It has occurred to me that SCOX is in desperate need of an exit
strategy which will allow them to keep their pump & dump gains. In other
equally dire circumstances, other businesses have committed arson. What if SCOX
really is as smart as people felt they might be? Engineering an attack on their
own network might be a way of committing electronic arson.

You may want to start here:

Remember, this is speculative at this point. I am trying to get independent
verification of the CAIDA report. There are other companies and organizations
which monitor the internet. An engineered attack designed to spoof CAIDA would
_not_ show up on other internet monitors.


[ Reply to This | # ]

SCO corrects SEC filing mistakes
Authored by: Anonymous on Friday, December 12 2003 @ 11:35 PM EST
SCO has filed 5 X Form 4/As

Basically they are saying that 5 different people actually got 15,000 free
options to buy stock at $4.75, and not 10,000 free options at $4.75 (which is
what they filed previously)

The people concerned are:






[ Reply to This | # ]

Whats up with SCOX?
Authored by: Anonymous on Friday, December 12 2003 @ 11:37 PM EST
What in god's name is going on with SCO's stock? Bid is 0.01, Ask is 9,000.
That can't be right. Anybody a clue?

Last Trade: 16.021
Trade Time: 3:59PM ET
Change: 0.101 (0.63%)
Prev Close: 15.92
Open: 15.51
Bid: 0.01 x 100
Ask: 9,000.00 x 100
1y Target Est: 25.50

Day's Range: 15.51 - 16.45
52wk Range: 1.09 - 22.29
Volume: 139,543
Avg Vol (3m): 323,545
Market Cap: 221.83M
P/E (ttm): 84.32
EPS (ttm): 0.19
Div & Yield: N/A (N/A)

[ Reply to This | # ]

There's just a little bit...
Authored by: RSC on Friday, December 12 2003 @ 11:49 PM EST
..of me, deep down inside that says "serves yourself right SCO".

But what I have read here today makes me very proud that the
"community" I have believed in for a decade now is obviously of
greater mettle and conscience than any so-called "good corporate

When the "community" has been shown to be mistaken, they have the
balls to say so. Where most "corporate entities" would either ignore
the mistake and carry on, or, as in SCO's case, try to twist what they said, or
even deny they said it in the first place.

P.J. I thank you very much for showing the world that there is still integrity
in this mad world of ours.

And to all those who have contributed to this awesome site, well done.


An Australian who IS interested.

[ Reply to This | # ]

Mea Culpa, and/or a tinfoil helmet...
Authored by: valdis on Saturday, December 13 2003 @ 12:06 AM EST
OK.. I admit it.. I was skeptical as hell at first. But then, I actually make a
living at worrying about things like "what if a talented hacker attacked
us, and covered his tracks by making a lot of stupid script-kiddie
mistakes?". But then, I also try to be both flexible and gracious when
new information comes along.

So the CAIDA guys say there was in fact a huge DDoS in progress. I'll take
that as a given - I've looked at some of their previous work and it's always
been meticulous and unassailable. Let's just say these guys know more about
measuring packets than Netcraft knows about web servers.

Adding the CAIDA data in makes some things make more sense, and some make less
sense. For instance, CAIDA estimates 50K packets/sec and 20 Mbits/sec, or half
a DS3 (45mbits). This actually explains why the FTP server appeared responsive,
and why XO didn't seem aware of anything - if SCO had a DS3 they'd still have
bandwidth to spare, so the FTP server would have bandwidth and XO wouldn't be
seeing alarms for congested links.

On the other hand, it's quite possible that at 50K packets/sec, that the server
(especially if it was older/slower hardware) was out of steam *even with
syncookies enabled*. It takes a certain amount of CPU to catch the interrupt,
get the packet, identify it as a SYN, decide we're being synflooded, craft a
syncookie (note that syncookies *do* take out of the random entropy pool, so
there's an upper bound to how fast we can send them), build the syncookie'd
SYN+ACK packet, and send it out the interface (where it eventually ends up as
backscatter in CAIDA's data).

Unfortunately, the peak burst of attack on the web server (according to CAIDA)
only lasted an hour or so - their graph shows a much lower level for the next 16
hours or so. Either their lower bound is *way* lower than reality, or the
server shouldn't have been having any issues. (And in fact, I can think of at
least one way to "trick" the CAIDA data gathering, except if it had
been employed, CAIDA would *not* have seen the large initial spike. Unless the
attacker wanted them to see it. Somebody hand me some tinfoil, I need to make a
helmet.. ;)

I'm going to write off the brief 'unknown/Apache' sighting by Netcraft as
somebody trying to bring up a replacement server at a different IP address.

I'll leave off with two thoughts...

1) There are only two ways you can lose your intranet during a DDoS on your
outward-facing servers, after having had 2 DDoS attacks already. The first is
sheer ineptitude on the network management's part. The second is that they did
in fact harden their intranet against *external* attack.

2) The conspiracy minded among you will note that CAIDA was measuring the
SYN+ACK packets coming OUT of SCO. I've not seen actual proof that the SYN
packets went *in*. (It's easy to tell - if the packets came in from outside,
XO would have seen almost perfectly balanced traffic coming and going, if it was
from inside, it would be unbalanced). If the 50K spoofed packets/sec started off
life inside, CAIDA would still see the same backscatter. Of course, there's a
good chance they'd have a meltdown of their intranet as the packets crossed

But no, that's crazy talk. Pass me the tinfoil, will ya?

[ Reply to This | # ]
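The two inferences in the post above, as an added example that is not code from this thread, from CAIDA or from SCO's ISP: the Moore et al. telescope estimate of a victim's reply rate (the technique behind CAIDA's 50K packets/sec figure), and the inbound-SYN versus outbound-reply balance that a border router like XO's would see. The flow-record schema, all addresses (documentation ranges) and all counts are constructed for the example.

```python
"""Backscatter and border-balance analysis over constructed flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

REPLY_FLAGS = {"SA", "R", "RA"}   # what a victim sends back to an unsolicited SYN


@dataclass(frozen=True)
class FlowRecord:
    """One aggregated flow-log line (constructed schema, not a real exporter's)."""
    src: str
    dst: str
    flags: str     # TCP flags: "S" = SYN, "SA" = SYN+ACK, "R"/"RA" = reset
    packets: int


def estimate_reply_rate(records, window_seconds, fraction_monitored):
    """Moore et al. backscatter estimate.

    A telescope watching a fraction f of the address space receives about f of
    the replies a victim sends to uniformly spoofed sources, so the victim's
    total reply rate is roughly observed_rate / f.  Returns {victim: pps}.
    Only SYN+ACK and RST packets count; ordinary ACK traffic is ignored.
    """
    seen = {}
    for r in records:
        if r.flags in REPLY_FLAGS:
            seen[r.src] = seen.get(r.src, 0) + r.packets
    return {victim: n / window_seconds / fraction_monitored
            for victim, n in seen.items()}


def border_balance(records, inside_cidr):
    """Compare SYNs entering the network with SYN+ACK/RST replies leaving it.

    Returns (inbound_syns, outbound_replies, verdict).  A flood arriving from
    outside gives near-equal counts at the border; replies leaving without
    matching SYNs entering means the SYNs never crossed this vantage point,
    i.e. they originated inside (or entered by another path).
    """
    inside = ip_network(inside_cidr)
    inbound = outbound = 0
    for r in records:
        src_in = ip_address(r.src) in inside
        dst_in = ip_address(r.dst) in inside
        if r.flags == "S" and dst_in and not src_in:
            inbound += r.packets
        elif r.flags in REPLY_FLAGS and src_in and not dst_in:
            outbound += r.packets
    if outbound == 0:
        verdict = "no backscatter"
    elif inbound >= 0.8 * outbound:
        verdict = "balanced: SYNs crossed the border, external flood"
    else:
        verdict = "unbalanced: replies without matching inbound SYNs, source likely inside"
    return inbound, outbound, verdict


# Constructed telescope sample: one 60 s bin, monitor covering 1/256 of IPv4,
# 11,700 replies from the victim 192.0.2.12 land on telescope addresses.
TELESCOPE_SAMPLE = [
    FlowRecord("192.0.2.12", "203.0.113.7", "SA", 4000),
    FlowRecord("192.0.2.12", "203.0.113.99", "SA", 3900),
    FlowRecord("192.0.2.12", "203.0.113.201", "RA", 3800),
    FlowRecord("198.51.100.5", "203.0.113.7", "A", 12),    # unrelated noise
]

# Constructed border samples for the same 60 s bin; the "src" of the SYN
# record stands for the whole spoofed source range, aggregated into one line.
EXTERNAL_FLOOD = [
    FlowRecord("198.51.100.0", "192.0.2.12", "S", 2_995_000),   # spoofed SYNs in
    FlowRecord("192.0.2.12", "198.51.100.0", "SA", 2_960_000),  # replies out
]
INTERNAL_FLOOD = [
    FlowRecord("198.51.100.0", "192.0.2.12", "S", 1_200),       # only normal traffic in
    FlowRecord("192.0.2.12", "198.51.100.0", "SA", 2_960_000),  # yet replies pour out
]

if __name__ == "__main__":
    print(estimate_reply_rate(TELESCOPE_SAMPLE, 60, 1 / 256))   # ~49,920 pps
    print(border_balance(EXTERNAL_FLOOD, "192.0.2.0/24"))
    print(border_balance(INTERNAL_FLOOD, "192.0.2.0/24"))
```

The telescope sample is sized so that 195 observed replies per second scale up to roughly the 50K packets/sec CAIDA reported.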

At least CAIDA seems to know what they're talking about.
Authored by: bitserve on Saturday, December 13 2003 @ 12:28 AM EST
David Moore at least seems to know what he's talking about technically. SYN
Cookies only assist in mitigating a SYN attack, and there is expensive
specialized hardware out there that one can utilize if your site is that
important to you that can do way better than a server with SYN cookies.

While David Conrad still thinks that it's trivial to block a SYN flood, and
that most operating system (vendors?) can easily defeat them.

Like others said, SCO could have attacked themselves. Which to be clear, isn't
"faking an attack". Since that's a real attack, just they'd be
lying about the source. Which I think is a totally preposterous idea, but still
shows that even CAIDA isn't in a place to verify anything. Of course this along
with the bandwidth reports at the router from SCO's ISP... Well, then they
could have attacked themselves from those 1000 remote drones as well. I think
conspiracy theorists could go on and on blaming SCO.

I tend to believe that there was an attack, but that their press release was not
technically accurate. Same as most of the journalism I've seen regarding the

Pam, great post. I don't know if this was an intended pun, but I got a kick out
of it.

"mostly from places like Korea, where I don't know a s[e]oul"

[ Reply to This | # ]

This can't keep happening to SCO.
Authored by: stdsoft on Saturday, December 13 2003 @ 01:31 AM EST
PJ said "this can't keep happening to SCO." Couldn't agree more.
I hope whoever did this is caught and prosecuted. Meanwhile, I hope SCO makes a
sincere effort to improve their infrastructure. Apparently, prior attacks
didn't convince them to take some simple counter-measures. Hopefully this one
gets their attention.

[ Reply to This | # ]

Simple Question
Authored by: leeway00 on Saturday, December 13 2003 @ 02:44 AM EST
Long time lurker here but first post.

This keeps bugging me.

1.) .12 server (WWW) is down - SYN flood attack - CPU/connection related - pipe
not necessarily flooded.

2.) .13 server (ftp) is up - pipe cannot be flooded for .13 to be responsive.

3.) SCO stated in one of their interviews that SMTP & Intranet were down
due to the pipe being flooded.

If there is a single pipe going into SCO, 2 & 3 are mutually exclusive. If
there is more than one pipe, it would seem to be poor planning on their part that
publicly available services (prone to attack) & critical internal systems
are on the same pipe.

Comments? I'm a bit confused as to how to reconcile all 3 above.


[ Reply to This | # ]

SCO Is Back Online
Authored by: kpl on Saturday, December 13 2003 @ 04:10 AM EST
PJ: thanks for raising the Linux bar by this article!

One thing which would solve the question, (not that the
linux community would ever be allowed to see the results);
a traffic counter at the upstream ISP for the sco network.
Something like Mrtg (Multi Router Traffic Grapher) is fairly
trivial to set up to get some basic information.

Along with a small php script I use it to give me a
daily graph of all my systems' incoming and outgoing
traffic in a more easily read format.

As I said earlier, I doubt whether or not we would be
shown the results, but it would be interesting.

mv sco /dev/null

[ Reply to This | # ]

How to get CAIDA kind of data.
Authored by: Anonymous on Saturday, December 13 2003 @ 04:31 AM EST
1. Get a machine outside of the network to spill ACKs to random addresses.
2. Doing it from inside intranet, but geographically far away (so that it takes
a few hops to get there). Send SYN attack packets to webserver to get your
backscatter packets.
3. .... fill in here .....

[ Reply to This | # ]

SCO is back down!!!
Authored by: Anonymous on Saturday, December 13 2003 @ 06:39 AM EST
SCO appears to be back down and the webserver is showing as


[ Reply to This | # ]

SCO Is Back Online
Authored by: Anonymous on Saturday, December 13 2003 @ 06:46 AM EST
First, let me add my agreement that I detest people who set out to attack others
on the web, whether by spamming, DoS, DDoS, launching viruses/worms/trojans or
any other form of nasty. I don't care who the victim is, the attack damages the
freedom of all to use the wonderful resource that we call "The Web",
the Internet, Cyberspace, whatever.

Second, I would like to also say that I have contempt for those that in theory
should know better but do not take known and readily available measures to
protect their sites from such attacks; they are as much part of the problem in
many ways as the attackers. I know, in a perfect world they (and I, and you)
shouldn't have to; we shouldn't have to lock our doors when we go out, but in
the real world it's stupid not to and so we do.

If any of the above applies to SCO I don't know, and I don't know if their
"attack" was real, and if it was whether it was preventable or
something new that they can be excused for being caught with. I do know that the
way they have handled themselves recently (whether or not there is merit in
their case currently before the courts) means that their credibility is at a
very low ebb - any lower and they'd be digging.

What I hate most though is the term "someone in the Linux community"
being used to describe any attacker. They never talk of other attacks as coming
from "the Microsoft community". I suggest that anyone carrying out
an attack on SCO is an outcast from the Linux community at best, a member
of the Criminal community at the least, pond scum and effluent that should be
filtered out and treated.

Again, I hate the attacker for attacking SCO (if one, as it looks may be the
case, did) because it's an attack also on anyone who uses and values the
freedom of the web. I also hate them because it was a couple of days lost when
SCO could not provide more material to be picked over and torn to shreds here on
Groklaw - I've become addicted to watching skilled "web detectives"
researching and pulling to pieces the (mis-)information that otherwise appears
in the press and goes unchallenged by the lazy journalists who should verify what
they put into print.


PS. I would sign up and stop being anonymous if I didn't feel in such awe of
some of the company I'd be keeping...

[ Reply to This | # ]

A Couple Lessons
Authored by: jsoulejr on Saturday, December 13 2003 @ 08:55 AM EST
First, even with all our doubts about SCO, we all have to be careful about
jumping to conclusions.

Second, when presented with reasonable doubt, PJ backed off in public. I truly
admire that. I wish all parties in this little squabble followed her example.

[ Reply to This | # ]

Authored by: phrostie on Saturday, December 13 2003 @ 09:52 AM EST
according to netcraft they went down again last night.

the flip side is that the OS went from unknown back to linux.

Oh I have slipped the surly bonds of DOS
and danced the skies on Linux silvered wings.

[ Reply to This | # ]

Part of SCO Is Back Online
Authored by: Anonymous on Saturday, December 13 2003 @ 10:57 AM EST
It seems like, and the mail-server does not respond. The
other ones do.

So, if it is some sort of attack it is of a kind which only affects a specific
host, not the entire network. In that case the attacker must have decided not to
attack all, or he has no capability of attacking more than a few machines at a
time (sounds like a script kiddie).

I saw this trick in a movie... (Matrix)

$ nmap -Ps

Starting nmap V. 3.00 ( )
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host ( appears to be up.
Host NFT.Com ( appears to be up.
Host Canopy.Com ( appears to be up.
...and a lot more.

[ Reply to This | # ]

SCO Is Back Online
Authored by: Steve Martin on Sunday, December 14 2003 @ 09:21 AM EST
SCO DoS attack: fact or fiction?

[ Reply to This | # ]

SCO Is Back Online
Authored by: wap3 on Sunday, December 21 2003 @ 04:12 PM EST
So this is a week late and my first post.
Last night I was catching up on the list for the mail server I use at the office
- Mercury32 - and found this posting by the creator of Pegasus Mail and
Mercury32, David Harris.

"As of about midnight last night, I have been under sustained DOS
attack from what appears to be a network of zombie systems.........guessing
someone has taken offense to my anti-spam position....."

Full posting at:

If SCO thinks they are the _ONLY_ ones to suffer from random acts by clueless
people who do not deserve to be on the internet anyway...

Just my $0.175us

Trey Pattillo

[ Reply to This | # ]

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )