The company, known for its claim of ownership of critical pieces of code in the Linux operating system, said the attack started on Wednesday at 3:20 a.m. (PST) and continues to block access to the site.
"A bunch of servers (on the Internet) are compromised," said Blake Stowell, a spokesman for the company. "Those servers are all turned to fire on the SCO Web site."
In August, hackers downed the Web site for almost three days. Another attack in May made the Web site inaccessible for several hours.
"If it is anything like past attacks, it will probably be resolved in about 24 hours or so," Stowell said. Without access to the company's Web site, customers may not be able to get timely updates and patches, he added.
The attack comes as SCO receives criticism for its pursuit of a legal case that, if successful, would turn over ownership of critical parts of the Linux source code the company.
However, critics won a tactical victory on Friday, when a judge gave SCO a month to show the portions of the Linux software it believes it owns and to point out where it believes IBM and others are infringing.
The case hasn't tamed the growth of Linux sales. A recent report published by market researcher IDC found that sales of Linux servers grew almost 50 percent in the third quarter of 2003, compared with the same period a year earlier.
Talkback
I wish ZDnet reported would do some checking, i think it was proved that the "attacks in August" were bogus, and they'd taken the servers down for "maintenance" or a "PR stunt" and it looks the same again
Some serious questions have been raised about
SCO's claim of a DDoS attack, noting that while
the site www.sco.com is inaccessible, ftp.sco.com
is responsive.
Please see the GROKLAW site:
<http://www.groklaw.net/article.php?story=20031210163721614>
"Security Expert Doubts SCO's Attack Story",
Wednesday, December 10 2003 @ 04:37 PM EST
All the best.
Please in every case when in receipt of SCO press releases, make your first source check Groklaw.
http://www.groklaw.net/article.php
Please see http://www.groklaw.net/article.php?story=20031210163721614 for more information on SCO's alleged DoS attack. Very interesting and informative.
What a bunch of boobs at SCO !! And they claim to be a computer company.
Their ftp server is still accessible (even though it's in the same subnetwork as their http server.)
This refutes the theory of a SYN attack.
This is, obviously, either another attempt of SCO to manipulate the media, or more evidence of their negligence. SCO, get a clue.
Journalists, do your job and stop taking SCO's claims at face value. Their PR stunts seem to have the media flabbergasted.
Did you even consult a knowledgeable third party opinion, or a security specialist?
Why did you take SCO's word on this?
There is overwhelming evidence no
attack occurred. See http://www.groklaw.net/article.php?story=20031210163721614
You people should really try to do a little research on these stories before you randomly cough them up on your website. Please see; http://www.groklaw.net/article.php?story=20031210163721614
Perhaps after reading you will realize your mistake and may llearn a bit in the process.
SCO contradicts themselves. They claimed the attack was both a syn flood and a page request flood at the same time. This technically can't happen because if it's a syb flood then page requests would not be getting through enough to be a flood.
When a company like SCO, who's record of FUD is well known, any 'facts' they claim should first be researched.
Does any reporter ever check their facts these days? Is the search for the "scoop" taking precedence for accuracy in reporting?
SCO's report of a DoS attack is most likely bogus- as bogus as their claims of IP infringement are appearing to be.
They're claiming it is a SYNflood, an attack where the attacker sends a stream of bogus SYN packets to the host, purporting to be session initiation requests from multiple clients.
The PROBLEM with this is that they would have to deliberately remove the SYNflood resistance built into the modern Linux kernel. It is worth nothing that the distribution they ship, which is likely to be the one they use for their Webserver since it DOES run on Linux, has this turned on by default in the kernel. In order to turn it off, you have to turn off the option and recompile the kernel. Since this feature is only needed to be off for rare circumstances (a regular webserver is NOT one of those...), does not impact network performance, and fixes one of the OLDEST Denial of Service exploits known- it's not likely that it's turned off. If the "SYN-cookies" feature is on, it would have the effect of the server facing heavy request traffic, but it'd be reachable all the same.
SCO's not telling the truth here. Either they're incompetent and can't tell a different DoS attack (keep in mind that most of the other attacks happen to be bandwith sapping attacks and therefore one would not be able to access adjacent hosts- ftp.sco.com IS accessable...) or they're lying about the "attack" and they've taken the server down for some unknown reason and are making it look like they're being attacked.
But, don't take MY word for it. Here's a little research for you.
http://www.cert.org/advisories/CA-1996-21.html
http://www.niksula.cs.hut.fi/~dforsber/synflood/result.html
http://cr.yp.to/syncookies.html
There's tons more out there in books and on the Internet (Just plug in "SYN flood" or "SYN cookies" in Google for more links...).
Posting a retraction might not be a bad idea, in light of the actual facts going on here.
You know what I want to say: Bob go do your homework!
Take a look at this link:
http://uptime.netcraft.com/perf/graph?site=www.sco.com
Notice SCO just up and disappears. There's no increase in response times, nothing, just one second it's there, the next it's gone.
DOS / DDOS attacks don't look like that. They show a big heavy spike for a few minutes, THEN the web server goes away.
Maybe you guys at zdnet could check netcraft next time SCO claims to have been DOSed.
Never blame on malice that which can be attributed to stupidity.