Attack on SCO's servers intensifies

A day-old denial-of-service attack on the Web server of the controversial SCO Group has been expanded to assault the company's mail and file servers, SCO's top network administrator says.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A day-old denial-of-service attack on the Web server of the controversial SCO Group has been expanded to assault the company's mail and file servers, SCO's top network administrator said.

The attack, which first hit the company's Web and file servers on Wednesday around 3:20 a.m. PST, paused briefly last night before resuming against more SCO servers, said Jeff Carlon, director of worldwide information technology infrastructure for the Lindon, Utah, company.

"There is no way to fully prevent the attack; we are somewhat at the mercy of the guy that is doing the attack," he said.

The deluge of data that has swamped the company's network has also swept up its critics in a new wave of theories as to why the company cannot, or will not, stop the third such attack on its network in six months. Such attacks can usually be largely mitigated by buying up more bandwidth and connecting through Internet service providers that have special technology aimed to defeat the assaults.


Security experts said that previous attacks in May and August should have been adequate warning for the company to have taken steps to protect its connection to the Internet.

"There are definitely things out there that they can buy, or services that solve this problem," said David Moore, assistant director and researcher at the Cooperative Association for Internet Data Analysis (CAIDA) and an expert on denial-of-service attacks. "It is just a question of how important your Web site is to you and how much you are willing to spend."

The attack is the third blow to SCO in the past three weeks: News of it comes as SCO has lost a key tactical battle in its court case against IBM and as the company has delayed its earnings announcement.

SCO has gained the ire of the open-source community for its pursuit of a legal case that, if successful, would essentially give the company rights to important parts of the Linux source code. Most Linux users don't take the claims seriously, however, and the case hasn't slowed the growth of Linux. A recent report published by market researcher IDC found that sales of Linux servers grew almost 50 percent in the third quarter of 2003, compared with the same period a year earlier.

"The thing we have to keep in mind is that this is not something that we are doing," said SCO's Carlon, referring to the attack. "This is not something that we have made up. It is an illegal activity that is having a sizable impact on our company." SCO, in a rare move, is publicizing the attack.

The attack, which SCO identified as a SYN flood, abuses the way a connection is opened with a server across the Internet: the client sends a SYN packet to the computer. That packet is a normal part of the communications process between computers and signals that a computer on the Internet wants to start talking to the server. The server normally responds to the packet and waits for the handshake to complete, allocating memory for the pending connection. An attacker who sends a relatively small number of such requests and never completes the handshake can essentially use up the target computer's resources.

The SCO Web site outage was confirmed by Internet performance company NetCraft. CAIDA's Moore also confirmed the attack by analyzing backscatter data showing that both SCO's Web server and FTP server had been inundated by network traffic. As many as 50,000 packets per second hit the company's servers on Wednesday night. By Thursday morning, the attack had been reduced to some 3,000 packets per second and the company's servers were responding to one in every three requests.

The statistics suggest, however, that the attack is more a brute-force tactic of inundating a network with data than a simple SYN flood.

"A SYN flood would have been trivially preventable," said David Conrad, chief technology officer for Nominum, an Internet infrastructure technology company. "Every major operating system vendor in the world could have defeated it."

A SYN flood can be prevented by using a Linux feature known as SYN cookies. The technique uses basic encryption to encode the pending connection's details in the server's reply instead of storing them, so memory cannot be used up by fake connection requests. However, it also constitutes a tradeoff: lower memory usage for higher processor usage.
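To make the memory-versus-state point concrete, here is an added Python simulation (not code from the article, SCO or CAIDA) of a listener's half-open queue with SYN cookies off and on; the cookie layout, secret and addresses are constructed assumptions that model the idea rather than any particular kernel's implementation.

```python
import hmac, hashlib, secrets

SECRET = b"constructed-demo-secret"   # constructed; a real kernel draws it at random
DST = ("192.0.2.10", 80)              # constructed server address (documentation range)

def syn_cookie(src, dst, count):
    """Stateless ISN: top 8 bits carry a coarse time counter, low 24 bits a MAC over
    the 4-tuple and that counter, so a later ACK can be checked with no stored state."""
    msg = f"{src[0]}:{src[1]}-{dst[0]}:{dst[1]}-{count & 0xFF}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((count & 0xFF) << 24) | mac

def cookie_valid(src, dst, ack, now, window=2):
    """Accept an ACK whose (ack - 1) is a cookie minted within the last `window` ticks."""
    isn = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(src, dst, now - k) == isn for k in range(window))

class Listener:
    def __init__(self, backlog, syncookies):
        self.backlog, self.syncookies = backlog, syncookies
        self.half_open = {}       # per-SYN state, only kept when cookies are off
        self.dropped = 0

    def on_syn(self, src, now):
        """Return the ISN for our SYN-ACK, or None if the SYN had to be dropped."""
        if self.syncookies:
            return syn_cookie(src, DST, now)          # no memory allocated per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                         # queue full: SYN dropped
            return None
        self.half_open[src] = secrets.randbelow(1 << 32)
        return self.half_open[src]

    def on_ack(self, src, ack, now):
        """Third handshake packet; True if the connection becomes established."""
        if self.syncookies:
            return cookie_valid(src, DST, ack, now)
        isn = self.half_open.pop(src, None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF

def simulate(syncookies, flood=1000, backlog=128):
    """Spoofed SYNs that never complete, then one real client: does it get in?"""
    srv = Listener(backlog, syncookies)
    for i in range(flood):
        srv.on_syn((f"203.0.113.{i % 250}", 1024 + i), now=0)
    client = ("198.51.100.7", 40000)
    isn = srv.on_syn(client, now=0)
    ok = isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF, now=1)
    return ok, srv.dropped, len(srv.half_open)
```

With cookies off the queue fills after `backlog` spoofed SYNs and the real client is dropped; with cookies on nothing is stored, so the flood costs only the MAC computation per packet, which is the processor-for-memory tradeoff the text describes.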

Moreover, while the technique does protect the target computer, it doesn't prevent the network from succumbing to the onslaught of data. A SYN flood that fails to use up the target server's memory could still overwhelm its connection to the network, CAIDA's Moore said.

A flood of data can't easily be dodged, but by buying more bandwidth or by using an Internet service provider that has technology to shunt such an attack, it can be mitigated, Moore said.

"There is always kind of an arms race between how much money you are willing to spend and how much the attacker wants to bring down your network," said Moore.

SCO said that it is spending enough, if not too much, on defense.

"I can assure you that we are expending significant amounts of resource and money to combat this activity," Carlon said. "In doing so, as a result of these attacks, we have to spend money that we might not be able to spend elsewhere."