The MyDoom (dubbed Novarg.A by Symantec Corp. and MiMail.R by Trend Micro Inc.) DDoS flood began building momentum on Saturday evening, and hours later the SCO Web site was completely swamped.
The attack on SCO was anything but unexpected. Experts had been predicting this since shortly after it became clear that MyDoom was going to prove that it would be one of the most widely distributed worms of all time.
Jeff Carlon, worldwide director of SCOs IT infrastructure, said, "This large-scale attack, caused by the MyDoom computer virus that is estimated to have infected hundreds of thousands of computers around the world, is now overwhelming the Internet with requests to www.sco.com. While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning."
According to Blake Stowell, director of public relations for the Lindon, Utah, company, "Hundreds of thousands of MyDoom-infected PCs are attempting to contact our site. Its as bad as anyone thought it could be."
SCO will not be defending itself against the attack though until Monday. Stowell explains, "We dont expect many real site visitors on not only Sunday, but Super Bowl Sunday." Stowell goes on, "We have seen this coming and do have plans in place to address it on Monday morning. If Plan A doesnt work, were ready with Plan B, and then with Plan C."
Although Carlon expects the attack not to end for several weeks, MyDoom, in its current form, is scheduled to end its assault on SCOs Web site on February 12, 2004. Active MyDoom infections, with their built-in backdoors, could be modified to extend the attack or to perform other tasks at its makers bidding.
Some ISPs, in order to preserve the quality of service for their users, have elected to stop all traffic to SCOs Web site, according to Stowell. While Stowell didnt reveal which ISPs had taken such action, an anonymous ISP source said that Wanadoo, a major French ISP, has taken this course.
Netcraft Ltd., the Bath, England-based Net performance and security firm, had expected SCO "might take www.sco.com out of the Domain Name System (DNS) in the run up to the MyDoom DDoS payload in order to keep the denial-of-service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response. That said, the sco.com hostmaster is reserving his options, with the Time to Live (TTL) set to just 60 seconds."
With a TTL of 60 seconds, SCO could reset its IP address to another domain in less than a minute. As of Sunday morning, 11 a.m. EST, SCO has not availed itself of this option.
Microsoft Corp. used just such an option to deflect last Augusts Blaster DDoS attacks.Stowell says "While that is an option were looking at, I cant say if that will be the first thing we try."
Microsoft opted to shift its Web site front doorway to Akamai Technologies Inc., a Cambridge, Mass. content-distribution network (CDN) that runs its services on Linux.
But messages at Netcrafts imply that this could be an embarrassment to SCO. SCO itself, according to Netcrafts own records, has been running its Web site through 2003 and most of 2004 on its own UnitedLinux distribution. Recently, SCO shifted to running on NetBSD/OpenBSD.