SCO – Attack or Not

OK, SCO was allegedly felled by a DDoS attack early on Wed., Dec. 10.

Now, there were (and are) a lot of postings on /. and Groklaw saying this was probably just smoke and mirrors on SCO’s part.

Well, a CAIDA report seems to confirm that SCO did experience an attack, and Netcraft graphs appear to support this as well. With a few days of reporting under its belt, the Netcraft graphs show the site going down on three of the four days at what appears to be precisely the same time – which would indicate an attack scheduled to fire at a fixed time from compromised machines.

OK, I began writing about this alleged attack a few days ago and then just decided to let it drop – basically, the message was going to be divided into two sections: Attack is real; attack is a fraud.

Each of the two sections would have questions and comments associated with them.

Since the attack appears legit, one half of my doc is unnecessary.

But it still leaves the following questions and comments:

  • The FTP server stayed up the entire time – and it is (by IP) on the same subnet (.12 is the Web server, .13 is FTP). If the attack consumed the bandwidth, why was the FTP site fully accessible? Note: As I type this, SCO’s Web site is again down; the FTP site is still operational and zippy. And the IPs have not changed, so rule that out. So – again – this is not a bandwidth issue: a SYN flood exhausts the target host’s half-open connection queue rather than the link, which is consistent with a neighboring host on the same subnet staying reachable. Has SCO just pulled the Web box off the Internet?
  • SCO spokesman Blake Stowell says the attack knocked out their intranet, as well. Why? Sure, users inside SCO wouldn’t be able to get out if all bandwidth was consumed, but the intranet should be separated from the Internet by a DMZ, so the intranet should still work. Unless they are real amateurs, which – as an OS company – they shouldn’t be.
  • This has happened before – why didn’t they harden their servers? (The whole SYN-cookies issue has been widely discussed; SYN cookies let a server answer SYNs without keeping half-open state, so a flood of spoofed SYNs cannot fill its backlog.) Again, this is an OS company, not a pet shop’s Web site.
  • According to SCO, they got hit with a SYN attack. Whether or not it also sucked their bandwidth dry, a SYN flood is an old and basically uninteresting attack, and an easily defended-against one. Why didn’t they defend against it?
  • When the site came back, it appeared to be different, which led many to say the “attack” was actually an update gone bad. But if the attack is real, why the different content and HTML type (one Groklaw poster reports new XHTML code)? Either they didn’t have good backups (again, they look like amateurs), or they decided to take this opportunity – server already off-line – to roll out changes. The latter doesn’t make a lot of sense to me – why roll out new code before you get the first job (getting the current site back) done? Again, this is amateur hour…or something else is going on. It just doesn’t look kosher.
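The SYN-cookie defense the bullets above refer to, as an added Python example that is not part of the original post and is not SCO’s code or any production TCP stack. The cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed hash, all added to the client’s ISN) follows the Bernstein/Linux design; the secret key, the MSS table, the addresses and ports, and the flood sizes are constructed values for the example. It also simulates why the defense matters: a classic stateful backlog fills up with spoofed SYNs that never complete the handshake, while a cookie server holds no state and still completes a real client’s handshake.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the example. A real server rotates its secret.
SECRET = b"constructed-example-secret"
# Short table of MSS values encodable in the 3 index bits (Linux keeps a similar one).
MSS_TABLE = [536, 1300, 1440, 1460]
COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1


def _hash24(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, t: int) -> int:
    """Keyed hash over the 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, t, mss) -> int:
    """ISN for our SYN-ACK. Everything needed later is inside the number; nothing is stored."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (client_isn + ((t & 0x1F) << 27) + (idx << COOKIE_BITS)
            + _hash24(secret, saddr, daddr, sport, dport, t)) & 0xFFFFFFFF


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, t_now) -> Optional[int]:
    """Validate the final ACK of a handshake we never recorded. Returns the MSS or None."""
    v = ((ack - 1) - client_isn) & 0xFFFFFFFF      # undo the ISN offset
    age = (t_now - (v >> 27)) & 0x1F               # ticks since the cookie was minted
    if age > 1:                                    # stale cookie or forged time bits
        return None
    t = t_now - age
    if (v & COOKIE_MASK) != _hash24(secret, saddr, daddr, sport, dport, t):
        return None                                # wrong secret, 4-tuple or tampering
    idx = (v >> COOKIE_BITS) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


def _spoofed_source(i: int):
    """Deterministic distinct spoofed (ip, port) for the i-th flood packet (constructed)."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 20000


def stateful_server_survives(flood_count: int, backlog: int = 128) -> bool:
    """Classic SYN queue: every spoofed SYN occupies a slot until it times out.
    Returns whether a real client's SYN still finds room after the flood."""
    half_open = set()
    for i in range(flood_count):
        if len(half_open) < backlog:
            half_open.add(_spoofed_source(i))      # spoofed peers never send the ACK
    return len(half_open) < backlog


def cookie_server_survives(flood_count: int, secret: bytes = SECRET) -> Optional[int]:
    """Same flood against a SYN-cookie server: answer every SYN, store nothing,
    then complete a real client's handshake. Returns the MSS recovered from the cookie."""
    srv_ip, srv_port, t = "198.51.100.5", 80, 1000
    for i in range(flood_count):
        ip, port = _spoofed_source(i)
        make_syn_cookie(secret, ip, srv_ip, port, srv_port, i * 7919, t, 1460)  # SYN-ACK, no state
    cli_ip, cli_port, cli_isn = "203.0.113.7", 51234, 0x1A2B3C4D
    synack_isn = make_syn_cookie(secret, cli_ip, srv_ip, cli_port, srv_port, cli_isn, t, 1460)
    ack = (synack_isn + 1) & 0xFFFFFFFF             # the real client's third-packet ACK
    return check_syn_cookie(secret, cli_ip, srv_ip, cli_port, srv_port, cli_isn, ack, t + 1)


if __name__ == "__main__":
    print("stateful backlog of 128, 10000 spoofed SYNs, real client accepted:",
          stateful_server_survives(10000, 128))
    print("SYN cookies, same flood, real client's MSS recovered:", cookie_server_survives(10000))
```

The check accepts a cookie minted in the current tick or the previous one (about a minute with the usual 64-second counter), and anything older or with a mismatched hash is dropped without touching any table; that is the whole point, since the attacker’s spoofed SYNs never produce a valid ACK and therefore never cost the server anything beyond the SYN-ACK it sent.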

Don’t get me wrong – if SCO was attacked, I don’t condone it. Virtually everyone feels that attacks are stupid, counter-productive and just plain wrong, regardless of the target.

But SCO didn’t come out of this looking any better to the tech community; they looked like newbies who had been given root.