December 12, 2003

SCO: 'We have proof DOS attack was real'

Author: NewsForge Staff

We received an email from the SCO Group's public relations agency today,
with the subject "DDOS ATTACK ON SCO WAS REAL." The fact that the subject
was in all caps convinced us right away that they were onto something. And
of course, the fact that you have to sign a non-disclosure agreement to
see the proof of their latest assertion sealed the deal.

Just kidding about that last part. In fact, they refer to a report from
the Cooperative Association of Internet Data Analysis (CAIDA) describing
evidence that the attack was real.

We emailed one of the authors of the report to ask if SCO had paid the group
to investigate the attack. So far, we haven't heard back. If we do, we'll
mention that our site isn't "NewsForce," as CAIDA refers to us on its site, but
we won't let that little error affect our opinion of their credibility.

Of interest in the CAIDA report is the following passage:

Around 2:50 AM PST Thursday morning, December 11, the
attacker(s) began to attack SCO's ftp (file transfer protocol) servers in
addition to continuing the web server attack. Together and experienced a SYN flood of over 50,000 packet-per-second early
Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had
reduced considerably to around 3,700 packets per second. Throughout
Thursday morning, the ftp server received the brunt of the attack,
although the high-intensity attack on the ftp server lasted for a
considerably shorter duration than the web server attack. At 10:40 AM PST,
SCO removed their web servers from the Internet and stopped responding to
the incoming attack traffic. Their Internet Service Provider (ISP) appears
to have filtered all traffic destined for the web and ftp servers until
they came back online at 5 PM PST.

As our readers will recall, whether or not this attack is real has been
contested in the media since it was first announced on Wednesday night.

At that time, the debate
centered around the fact that SCO's FTP site was unaffected and responsive
at that time. The CAIDA report claims the FTP site was knocked out Thursday
morning, well after this fact came to light. Hmmm.

Darl McBride, the CEO of SCO Group and author of several hotly debated letters to the open source community on intellectual property matters, told NewsForge Friday he thought being asked whether his own company had caused the denial of service was "ludicrous" but that he understood that NewsForge had a journalistic obligation to get firsthand information.

"It's ludicrous that we even have to have this conversation," McBride said. "I mean, come on, we depend on our Web site for most of what we do -- downloading patches, providing all kinds of services. We get something like 400,000 hits per day on the site. We have 2.2 million servers (using our software) out there. Being down for two days was driving me crazy. We're not about to knock down our own site."

We asked SCO Group Director of Communications Blake Stowell whether SCO
meant to say "outside" unknown perpetrators in its statement, and he said,
"Yes, it should have read 'outside' unknown perpetrators, you're right. You
know, we had Secret Service guys here yesterday trying to track down where
the attack might have come from. It was clear to them that outside forces
were involved."

Asked whether he thought that voluntarily offering "proof" of the
DoS through a third party might simply appear to skeptics to be an extension
of a coverup, Stowell said, "You know it's really funny. Individuals want to
attack us just because we're being attacked. We're trying to show
objectivity through a third party, that's all. What else can we do? Our
hands are tied."

Update: Colleen Shannon of CAIDA reports SCO did not pay the group for its evaluation, and after receiving our email, she fixed NewsForge's name on the CAIDA site.

