Attack Against SCO’s Web Site Continues

A crippling distributed denial of service attack that began last week against software company SCO Group continued in sporadic bursts through the weekend, according to a company spokesman.

As a result of the attacks, The SCO Group’s Web site was having difficulty staying online, although it appeared to be back online on Monday afternoon.

The attacks began last Wednesday morning when the Lindon, Utah-based company’s servers were flooded with thousands of useless connection requests per second. The method of the attack, called a SYN flood, sends TCP connection-opening (SYN) packets whose source IP addresses are forged.

The server answers each SYN with a SYN-ACK and sets aside a half-open connection entry while it waits for the final handshake packet, which never arrives because the forged address belongs to no real client. As the queue of half-open connections fills with these bogus entries, the server stops accepting new connections and legitimate clients can no longer get through.

Officials were able to resume service Thursday evening, but a resumption
of the attack Saturday morning brought the servers down once again.
Officials aren’t sure when they will be able to get the site up and
running again, and have resigned themselves to the fact they won’t ever
find the person, or persons, behind the attack.

“I don’t know if I can honestly say whether we’re any closer to catching
someone about this,” said Blake Stowell, SCO spokesperson, Monday.

This is the third, and most persistent, DDoS attack the company has
suffered this year, and officials blame the illegal activity on
zealots within the Linux community who are angered by SCO’s attempts
to license the open source technology. Earlier this year Darl McBride,
the company’s CEO, chastised the open source community for allowing
these attacks to happen in the first place.

What has confused security experts is the fact that the technology to combat
a SYN flood attack has been available for years, and is a basic
component of any network security program. It’s uncertain why a
publicly-traded company, one beholden to shareholder scrutiny, that
has suffered two high-profile DDoS attacks already this year doesn’t
have tools in place to repel the attacks.

Colleen Shannon, a senior security researcher at the Cooperative
Association for Internet Data Analysis (CAIDA), said that despite SCO’s
claims to the contrary, the attack wasn’t a particularly sophisticated
one.

“SCO called this a highly sophisticated attack,” she said. “Without any
special configuration, which SCO obviously doesn’t have because they
were affected by it a lot, it is a hard attack to defend. But it’s
really nothing new and there is technology to defend against it.”

CAIDA released a report Friday showing a broad overview of the attack
that started Wednesday. Many Linux supporters had spent much of
Wednesday and Thursday claiming the attack was nothing more than a hoax
by SCO to garner sympathy, since the attack didn’t show up on other
network traffic monitors.

Interestingly enough, CAIDA’s Web site was attacked at 10:45 p.m. the
day the report was published. The site was down for only two hours
before technicians were able to resume service. Shannon and other
members of the organization suspect it is the same person behind the SCO
attacks, since the methods used were similar.

When asked how its site could be attacked after finding fault with SCO’s
own security arrangements, Shannon said her outfit doesn’t have the
money SCO has to be able to finance a robust security program.

SYN flood fixes go back as far as October 1996, when the U.S. Department
of Energy’s Computer Incident Advisory Capability (CIAC) posted an
advisory from Sun Microsystems. Shannon said many servers today ship
with the protection built in, and that SYN cookies, a defense that lets a
server accept connections without keeping state for every incoming SYN,
are a standard feature of the Linux kernel.
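To make the two mechanisms described above concrete, here is an added simulation, not code from the article, CAIDA, SCO or the Linux kernel, of a listener that keeps a half-open entry for every SYN beside one that uses SYN cookies. The traffic, addresses and backlog size are constructed for illustration, and the cookie layout (a time counter, an MSS index and a keyed 24-bit tag packed into the server’s initial sequence number) is a simplified version of the Linux scheme, not a copy of it.

```python
"""Constructed simulation of a SYN flood: a stateful TCP listener versus one
using SYN cookies. No real sockets; segments are plain Python objects.
Addresses, backlog size and cookie layout are illustrative assumptions."""
import hashlib
import hmac
import os
import random
from dataclasses import dataclass

BACKLOG = 128                          # assumed half-open queue size
COOKIE_MAX_AGE = 2                     # clock ticks a cookie stays valid
MSS_TABLE = [536, 1220, 1440, 1460]    # MSS values the 2-bit field can encode
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    ack: int = 0
    mss: int = 1460


class StatefulListener:
    """Classic behaviour: each SYN allocates a half-open entry held until the
    handshake completes. A flood fills the queue faster than entries would
    time out, so this model does not expire them."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}            # (src, sport) -> server ISN
        self.dropped = 0
        self.established = set()

    def on_syn(self, seg):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # queue full: SYN silently dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[(seg.src, seg.sport)] = isn
        return isn                     # ISN the SYN-ACK would carry

    def on_ack(self, seg):
        isn = self.half_open.pop((seg.src, seg.sport), None)
        if isn is None or seg.ack != (isn + 1) & MASK32:
            return False
        self.established.add((seg.src, seg.sport))
        return True


class SynCookieListener:
    """SYN cookies: the ISN is a MAC over the 4-tuple and a coarse time
    counter plus an encoded MSS, so nothing is stored per SYN. State is
    created only when an ACK carrying a valid cookie comes back."""

    def __init__(self, key=None):
        self.key = key or os.urandom(32)   # secret that makes cookies unforgeable
        self.clock = 0                     # coarse time counter
        self.established = {}              # (src, sport) -> negotiated MSS

    def tick(self):
        self.clock += 1

    def _mac(self, seg, t):
        msg = f"{seg.src}:{seg.sport}>{seg.dst}:{seg.dport}|{t}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")    # 24-bit tag

    def on_syn(self, seg):
        # ISN layout: 6 bits time | 2 bits MSS index | 24 bits MAC
        t = self.clock & 0x3F
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= seg.mss), default=0)
        return (t << 26) | (mss_idx << 24) | self._mac(seg, t)

    def on_ack(self, seg):
        cookie = (seg.ack - 1) & MASK32    # client acknowledges ISN + 1
        t = cookie >> 26
        if (self.clock - t) & 0x3F > COOKIE_MAX_AGE:
            return False                   # stale or replayed cookie
        if (cookie & 0xFFFFFF) != self._mac(seg, t):
            return False                   # forged, or 4-tuple does not match
        self.established[(seg.src, seg.sport)] = MSS_TABLE[(cookie >> 24) & 0x3]
        return True


def run_flood(listener, n_spoofed=1000, seed=1):
    """Send SYNs from forged sources that never answer the SYN-ACK, then try
    one legitimate handshake. Returns True if the real client connected."""
    rng = random.Random(seed)
    for _ in range(n_spoofed):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        listener.on_syn(Segment(src, rng.randrange(1024, 65535), "10.0.0.5", 80))
    syn = Segment("192.0.2.10", 40000, "10.0.0.5", 80, seq=777)
    isn = listener.on_syn(syn)
    if isn is None:
        return False                       # SYN dropped: the client times out
    ack = Segment("192.0.2.10", 40000, "10.0.0.5", 80, seq=778, ack=(isn + 1) & MASK32)
    return listener.on_ack(ack)


if __name__ == "__main__":
    print("stateful listener survives flood:", run_flood(StatefulListener()))
    print("SYN-cookie listener survives flood:", run_flood(SynCookieListener()))
```

The stateful listener's queue is full after the first 128 forged SYNs and the legitimate client is dropped; the cookie listener keeps no per-SYN state, so it still completes the real handshake, and it rejects ACKs whose cookie is stale or was issued for a different 4-tuple. The simulation says nothing about link saturation: cookies remove the state-exhaustion problem, not the cost of receiving and answering every packet.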

Jeff Carlon, SCO’s director of worldwide IT infrastructure, rejected the
suggestion that his network wasn’t secured properly, saying that when the
traffic reaches the volume it reached Wednesday and Thursday, the SYN flood
remedies aren’t enough.

“SYN attacks, from a single server or from one or two servers — there
are mechanisms available to handle that, but this wasn’t a simple SYN
attack,” he said. “We have a very good security plan; we’ve spent a lot
of time and effort making sure that our systems are secure.”

According to a report by CAIDA Friday, the attack began at roughly 4
a.m. Wednesday, when 35,000 packets-per-second (pps) hit the server
handling the SCO Web site. It tapered off to 5,000 pps two hours later.
Thursday morning at roughly the same time, the attackers hit SCO’s FTP
server with 50,000 pps, crippling that machine, while
continuing their attack on the first server at around 200 to 300 pps.

The report puts that packet rate at roughly 20 Mbit/second of Internet
traffic; for comparison, a DS-3 connection carries about 45 Mbit/second.
Carlon said that SCO has a dedicated 45 Mbit/second bandwidth pipe, with
backup bandwidth if necessary, so the attack was not saturating the link.
That is consistent with how a SYN flood works: it does its damage by
exhausting the server’s table of half-open connections and its capacity
to process packets, not by filling the pipe, so extra bandwidth alone does
not repel it.

According to Blake Stowell, officials from the FBI office in nearby Salt
Lake City were called in to assess the damage. The FBI, in turn,
referred SCO to the U.S. Secret Service, which spent Thursday and Friday
afternoon going through the logs of the attack and working with SCO’s
ISP to garner more information.

It is unlikely that SCO will ever track down this week’s attackers. The
culprits from the first two attacks remain elusive, and Shannon speculates
that the company didn’t have the equipment in place to trace the traffic
back to its source.

“(Backtracking IP addresses) usually requires special kinds of
instruments at the source and also a lot of cooperation with upstream
ISPs looking and seeing where traffic is actually coming from,” she
said. “If SCO doesn’t even have anything to block their own servers,
they probably don’t have anything like that.”

Carlon, when asked how they would be able to track down the
perpetrators, said they “absolutely” know where the attacks were coming
from. However, that statement is slightly misleading. Because the
source addresses in the packets were spoofed, they say nothing about
where the traffic originated; the flood can be traced hop by hop back to
the ISPs through which it entered the Internet, but the exact computers
used are, and will remain, unknown without a little detective work and
the cooperation of those ISPs.

“Whether it was a SYN attack, or whether certain things could or should
have been done, keep in mind that the thing that caused this was illegal
activity against a law-abiding company,” Carlon said. “We absolutely
know that this was a global distributed attack involving, I’ve heard, 50
Tier I ISPs. No company, not even the Microsofts of the world, can
afford to purchase enough bandwidth to be able to handle that kind of
activity.”
