SCO Denial-of-Service Attack, Take Two

SCO had no sooner recovered from Wednesday's denial of service attack before it was hit by another one on Saturday afternoon.

Days after a denial-of-service attack laid its Web site low, controversial Unix contender The SCO Group Inc. on Saturday was apparently hit by a second DoS attack.

When alerted to the outage by, Blake Stowell, director of public relations for the Lindon, Utah, company, checked with his companys IT department and reported to, "Theyre in the middle of calling in all the network engineers; were clearly under another denial of service."

Stowell added, "This doesnt do SCO any good, but this kind of thing doesnt do the open-source community any good either.

After the attack, Stowell said, "The attack began at 3 a.m. on Saturday morning and stopped on Sunday at around 11 p.m." It is also Stowells understanding that the CAIDA (Cooperative Association for Internet Data Analysis) site, an independent research group with no ties to SCO, which was analyzing the attack on SCOs site, was actually attacked for a few hours on Friday night.

SCO was attacked earlier in the week by what it described as an SYN distributed denial of service (DDoS). The weekend attack, according to Stowell, was also an SYN attack.

Some Linux advocates suggested that the first attack could have been faked by SCO in an attempt to blacken the open-source communitys reputation because of the companys current dispute with IBM and other Linux companies and users over code it said is covered by its copyrights. Later, though, CAIDA showed proof that the SCO Web and FTP sites had indeed undergone a DDoS attack.

After the first attack, some securtiy experts on Groklaw claimed that SCO should have been able to easily stop the SYN DoS attack. According to many security documents though, such as Ciscos Defining Strategies to Protect Against TCP SYN Denial of Service Attacks, for public sites such as SCOs Web site, "there is no clear cut defense against [an SYN] attack from a random IP address."

Other technical discussions of SYN attacks point out that while there are operating system patches that can help against an SYN flood, as Mariusz Burdach points out in his Hardening the TCP/IP stack to SYN attacks, "under heavy SYN attacks (like Distributed SYN flooding attack) these methods may help but still not solve the problem."

It would appear that under a heavy enough SYN attack, any public site can be brought down even if it uses best-of-breed protection methods.


Today, SCOs site is back online.

Discuss This in the eWEEK Forum