Attack Against SCO's Web Site Continues


A crippling distributed denial-of-service attack that began last week against software company SCO Group continued in sporadic bursts through the weekend, according to a company spokesman.

As a result of the attacks, The SCO Group's Web site has had difficulty staying online, although it appeared to be back up on Monday afternoon.

The attacks began last Wednesday morning when the Lindon, Utah-based company's servers were flooded with thousands of bogus connection requests. The method of attack, called a SYN flood, sends TCP connection-request (SYN) packets whose source IP addresses are forged.

The server, unable to tell that the source addresses are forged, sets aside resources for each half-open connection and waits for replies that never come; as the number of these invalid connections keeps growing, it eventually bogs down.

Officials were able to resume service Thursday evening, but a resumption of the attack Saturday morning brought the servers down once again. Officials aren't sure when they will be able to get the site up and running again, and have resigned themselves to the fact they won't ever find the person, or persons, behind the attack.

"I don't know if I can honestly say whether we're any closer to catching someone about this," said Blake Stowell, SCO spokesperson, Monday.

This is the third, and most persistent, DDoS attack the company has suffered this year, and officials blame the illegal activity on zealots within the Linux community who are angered over SCO's attempts to license the open source technology. Earlier this year, Darl McBride, the company's CEO, chastised the open source community for allowing these attacks to happen in the first place.

What has puzzled security experts is that the technology to combat a SYN flood has been available for years and is a basic component of any network security program. It is unclear why a publicly traded company -- one beholden to shareholder scrutiny -- that has already suffered two high-profile DDoS attacks this year does not have tools in place to repel them.

Colleen Shannon, a senior security researcher at the Cooperative Association for Internet Data Analysis (CAIDA), said that despite SCO's claims to the contrary, the attack wasn't a particularly sophisticated one.

"SCO called this a highly sophisticated attack," she said. "Without any special configuration, which SCO obviously doesn't have because they were affected by it a lot, it is a hard attack to defend. But it's really nothing new and there is technology to defend against it."

CAIDA released a report Friday showing a broad overview of the attack that started Wednesday. Many Linux supporters had spent much of Wednesday and Thursday claiming the attack was nothing more than a hoax by SCO to garner sympathy, since the attack didn't show up on other network traffic monitors.

Interestingly enough, CAIDA's Web site was attacked at 10:45 p.m. the day the report was published. The site was down for only two hours before technicians were able to resume service. Shannon and other members in the organization suspect it is the same person behind the SCO attacks, since the methods used were similar.

When asked how its site could be attacked after finding fault with SCO's own security arrangements, Shannon said her outfit doesn't have the money SCO has to be able to finance a robust security program.

SYN flood fixes go back as far as October 1996, when the U.S. Department of Energy posted an advisory by Sun Microsystems through its Computer Incident Advisory Capability (CIAC). Shannon said many servers today ship with the protection built into the hardware, and SYN cookies, which let a server answer SYNs without keeping state for each half-open connection, are an existing feature of the Linux kernel.
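The two passages above describe the problem (forged-source SYNs filling a table of half-open connections) and the fix (SYN cookies). The following added example, written for this page and not code from SCO, CAIDA or the Linux kernel, models the SYN cookie idea in simplified form: the server's initial sequence number in the SYN-ACK is a keyed hash of the connection 4-tuple and a coarse time counter, so nothing is stored until a real host echoes that number back in its ACK. The secret, the MSS table, the bit layout of the cookie and all addresses are constructed for the demo; the real kernel's layout differs in detail.

```python
import hashlib
import hmac
import socket
import struct

# Constructed server secret for this demo; a real listener would generate it
# at boot and rotate it periodically.
SECRET = b"constructed-demo-secret"

COUNTER_PERIOD = 64                      # seconds per counter tick
COUNTER_BITS = 5                         # top bits of the 32-bit sequence number
MSS_BITS = 3                             # index into MSS_TABLE
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS  # 24 bits of keyed hash
# Constructed MSS table; a cookie can only carry a 3-bit index, not the raw MSS.
MSS_TABLE = (536, 1220, 1460, 4312, 8960)


def _counter(now):
    """Coarse time counter; only COUNTER_BITS are kept, so it wraps."""
    return (int(now) // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)


def _mac(saddr, daddr, sport, dport, counter):
    """Keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack(">HHB", sport, dport, counter))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Sequence number to place in the SYN-ACK. No per-connection state is
    kept, so a flood of SYNs from forged addresses costs only CPU time."""
    ctr = _counter(now)
    # Largest table entry not exceeding what the client offered.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
    return ((ctr << (MSS_BITS + MAC_BITS))
            | (mss_idx << MAC_BITS)
            | _mac(saddr, daddr, sport, dport, ctr))


def check_cookie(saddr, daddr, sport, dport, ack_num, now):
    """Validate the ACK that completes the handshake. Returns the MSS the
    server committed to, or None if the cookie is forged or expired. Only a
    host that really owns `saddr` sees the SYN-ACK, so a forged-source SYN
    can never be turned into a valid ACK."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    ctr = cookie >> (MSS_BITS + MAC_BITS)
    mss_idx = (cookie >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = cookie & ((1 << MAC_BITS) - 1)
    # Accept the current tick and the previous one; anything older is stale.
    age = (_counter(now) - ctr) & ((1 << COUNTER_BITS) - 1)
    if age > 1:
        return None
    if mac != _mac(saddr, daddr, sport, dport, ctr):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed handshake scenarios; returns the outcome of each by name."""
    server = "192.0.2.10"          # documentation-range address, constructed
    t0 = 1_000_000                 # constructed clock value
    results = {}
    # 1. Legitimate client answers the SYN-ACK with ISN + 1 a few seconds later.
    isn = make_cookie("198.51.100.7", server, 40000, 80, 1460, t0)
    results["legit"] = check_cookie("198.51.100.7", server, 40000, 80, isn + 1, t0 + 5)
    # 2. The same cookie presented from a different source port: 4-tuple mismatch.
    results["wrong_tuple"] = check_cookie("198.51.100.7", server, 40001, 80, isn + 1, t0 + 5)
    # 3. A guessed ACK number (low bit flipped) without knowing the secret.
    results["forged"] = check_cookie("198.51.100.7", server, 40000, 80, (isn ^ 1) + 1, t0 + 5)
    # 4. The genuine ACK arriving three counter ticks later: expired.
    results["stale"] = check_cookie("198.51.100.7", server, 40000, 80, isn + 1,
                                    t0 + 3 * COUNTER_PERIOD)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The trade-off the article's sources argue over is visible in `make_cookie`: the server gives up remembering TCP options it cannot pack into 32 bits (here everything except a rounded MSS), and in exchange a flood of forged SYNs leaves no half-open connections behind at all. What cookies do not help with is raw bandwidth exhaustion, which is the point Carlon makes below about the size of the attack.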

Jeff Carlon, SCO's director of worldwide IT infrastructure, rejected the suggestion that his network wasn't secured properly, saying that when the traffic reaches the volume it reached Wednesday and Thursday, the SYN flood remedies aren't enough.

"SYN attacks, from a single server or from one or two servers -- there are mechanisms available to handle that, but this wasn't a simple SYN attack," he said. "We have a very good security plan; we've spent a lot of time and effort making sure that our systems are secure."

According to a report by CAIDA Friday, the attack began at roughly 4 a.m. Wednesday, when 35,000 packets per second (pps) hit the server handling the SCO Web site. It tapered off to 5,000 pps two hours later. Thursday morning at roughly the same time, the attackers hit SCO's FTP server with 50,000 pps, crippling that machine, while continuing their attack on the first server at around 200-300 pps.

The report states that this many packets correspond to roughly 20 Mbit/second of Internet traffic, about the capacity of a DS-3 connection. Carlon, however, said that SCO has a dedicated 45 Mbit/second pipe, with backup bandwidth if necessary, so it's unclear how the attack was able to bring down its servers.

According to Blake Stowell, officials from the FBI office in nearby Salt Lake City were called in to assess the damage. The FBI, in turn, referred SCO to the U.S. Secret Service, which spent Thursday and Friday afternoon going through the logs of the attack and working with SCO's ISP to garner more information.

It is unlikely that SCO will ever be able to track down this week's attackers. The culprits from the first two attacks remain elusive, and Shannon speculates that the company didn't have the equipment in place to trace IP addresses back to their source.

"(Backtracking IP addresses) usually requires special kinds of instruments at the source and also a lot of cooperation with upstream ISPs looking and seeing where traffic is actually coming from," she said. "If SCO doesn't even have anything to block their own servers, they probably don't have anything like that."

Carlon, when asked how they would be able to track down the perpetrators, said they "absolutely" know where the attacks were coming from. However, his clarification is slightly misleading. The attack can be traced back to the ISP the culprit used to get onto the Internet, but with a spoofed source IP address the exact computer used is, and will remain, unknown without some detective work and the cooperation of that ISP.

"Whether it was a SYN attack, or whether certain things could or should have been done, keep in mind that the thing that caused this was illegal activity against a law-abiding company," Carlon said. "We absolutely know that this was a global distributed attack involving, I've heard, 50 Tier I ISPs. No company, not even the Microsofts of the world, can afford to purchase enough bandwidth to be able to handle that kind of activity."
