This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!
SCO, MyDoom and DDoS attacks - a workable defence?
2004-02-02, 1:28 AM #1
www.sco.com goes down:
http://www.vnunet.com/News/1152431

But wouldn't it be possible to change www.sco.com to point to a different server, optimised to just return redirects to the correct web server. A DDoS attack shouldn't worry about the return value - in fact, if memory serves correctly, for a DDoS attack to work it has to spoof the from address anyway doesn't it?
The server could be heavily optimised to just rip out the from address and return a redirect packet. Very minimal processing required for that.
Legitimate requests would get the redirect packet and go to the correct server. DDoS requests wouldn't.

It would require all links on the site to be non-relative, or navigating the site would be hell. Just the first request should point the browser to www.notscohonestreallyguvpleasedon'tDDoSme.com or whatever.

I reckon that would at least ameliorate the effects of the DDoS. What do you lot think?
2004-02-02, 2:08 AM #2
I thought "DoS" was the acronym for "Denial of Service." What's that extra "D" for?

------------------
"When all else fails, eat pie."
thoughts from beyond observance
2004-02-02, 2:16 AM #3
Distributed

Meaning a Denial of Service where many computers all participate simultaneously. There have been many ways found to circumvent DoS attacks, so it's only worth trying DDoS attacks these days.
2004-02-02, 2:18 AM #4
Ah, learn something new every day.

I still have no idea what you're talking about in the first post, though. heh

------------------
"When all else fails, eat pie."
thoughts from beyond observance
2004-02-02, 2:45 AM #5
MyDoom virus is a virus that used millions of computers to access SCO's website all at the same time in order to do what it did, knock it out. Someone was pissed at them for their lawsuits I assume.

------------------
To artificial life, all reality is virtual.
2004-02-02, 2:58 AM #6
What do SCO do?

------------------
Drugs & Stupidity, Tons of it.
2004-02-02, 3:28 AM #7
They're a software company that is trying to lay claim to some code used in all modern versions of Linux. They are trying to get money from everyone who ever used it (as far as I understand).
http://news.com.com/2100-7344_3-5108956.html

------------------
To artificial life, all reality is virtual.
2004-02-02, 4:30 AM #8
To elaborate, SCO claims they bought the full rights to UNIX System V and the UNIX source code from Novell. SCO is accusing several companies of porting System V code to Linux, and they're trying to extort money out of everybody who uses a *nix.

They released a list of Linux kernel sources that allegedly contain UNIX code. Pretty much all of them were started by Linus a decade ago.

Not many companies have fallen for their claims. Microsoft paid them just to get them to shut up. Windows legally contains BSD network code, and I guess it was in their best interest to keep SCO quiet about it.

The last I heard about this, Novell slapped SCO down about their UNIX agreement. Novell isn't just saying SCO's wrong about Linux, Novell is saying SCO doesn't have the legal claim to UNIX that they claim to have. And given that everybody's either running a free UNIX or Linux these days, SCO's entire revenue is coming from a few gullible people.
2004-02-02, 5:12 AM #9
So basically, the people causing the DDoS attacks on SCO are just a bunch of angry Linux users?

I knew it! Linux geeks ARE dangerous!

------------------
"When all else fails, eat pie."
thoughts from beyond observance
2004-02-02, 8:03 AM #10
Quote:
Originally posted by Evil_Giraffe:
But wouldn't it be possible to change www.sco.com to point to a different server, optimised to just return redirects to the correct web server. A DDoS attack shouldn't worry about the return value - in fact, if memory serves correctly, for a DDoS attack to work it has to spoof the from address anyway doesn't it?
The server could be heavily optimised to just rip out the from address and return a redirect packet. Very minimal processing required for that.
Legitimate requests would get the redirect packet and go to the correct server. DDoS requests wouldn't.

It would require all links on the site to be non-relative, or navigating the site would be hell. Just the first request should point the browser to www.notscohonestreallyguvpleasedon'tDDoSme.com or whatever.

I reckon that would at least ameliorate the effects of the DDoS. What do you lot think?

There are obviously some problems there, or SCO would've done something to counteract it already.

For one, how could the server tell the difference between legitimate requests and DoS attacks? Technically, there's little to no difference that a server can make out. And there are too many of them: I hear that over 1 million PCs were infected, and making constant requests to SCO at whatever bandwidth they had. You must remember that DoS attacks deal damage by simply reaching the server; it doesn't matter if a server is equipped to sort out the packets, as a worm is very different from a virus.

Also, I think MyDoom.A is set to target IP addresses, not Internet addresses. That's what makes it far more dangerous than previous worms, such as MSBlast, which launched its attack at an Internet address, support.widows.com (or something like that). In the case of MSBlast, all Microsoft had to do was cut off that line; it wasn't critical to customers reaching support, as they could get it from the Microsoft website itself.

However, this new worm seems to be directed toward an IP address. For servers, IP addresses must be static, or else the Internet address wouldn't be able to link to it. Thus, there were only two choices for SCO: either keep things the way they were, and get bombarded by millions of data requests, or take the server offline, which they elected to do a few hours into the attack.

------------------
Nes digs around in the trash can.
Nes finds a hamburger!
Nes puts the hamburger in his backpack.
Wake up, George Lucas... The Matrix has you...
2004-02-02, 8:12 AM #11
Quote:
Originally posted by Jin:
So basically, the people causing the DDoS attacks on SCO are just a bunch of angry Linux users?


NO. Don't be so quick to blame Linux users for this damned worm. Odds are SCO wrote it themselves.


[Bruce Perens wrote an article that applies....]

------------------
The future is here, and all bets are off.

[This message has been edited by GBK (edited February 02, 2004).]
And when the moment is right, I'm gonna fly a kite.
2004-02-02, 8:21 AM #12
Quote:
Originally posted by nottheking:
...For one, how could the server tell the difference between legitimate requests and DoS attacks?...


Useragents. Every browser sends one, unless you've manually disabled it. Most DDoS kits, however, don't.
I do this with my own server - if you get an error 404 on my server, but lack a useragent, you don't get a response. It really saves on the bandwidth when the script kiddies attack.

------------------
The future is here, and all bets are off.
And when the moment is right, I'm gonna fly a kite.
2004-02-02, 8:26 AM #13
Quote:
Originally posted by nottheking:
For one, how could the server tell the difference between legitimate requests and DoS attacks? Technically, there's little to no difference that a server can make out.

My idea is that it wouldn't need to. The domain is pointed to a different machine that takes the brunt of the attack, for each request coming in sends a redirect to the new domain name of the web server. This is almost totally brainless, so the server should be able to cope with the maximum amount of data coming down the wire.

Only legitimate requests would acknowledge the redirect. So if it could manage to get through to the server (bandwidth to the server being the problem now) it will get a redirect and follow that to the new domain.

The server therefore doesn't need to differentiate between legit and DDoS packets.

Quote:
Originally posted by nottheking:
Also, I think MyDoom.A is set to target IP addresses, not Internet addresses. That's what makes it far more dangerous than previous worms, such as MSBlast, which launched its attack at an Internet address, support.widows.com (or something like that). In the case of MSBlast, all Microsoft had to do was cut off that line; it wasn't critical to customers reaching support, as they could get it from the Microsoft website itself.

However, this new worm seems to be directed toward an IP address. For servers, IP addresses must be static, or else the Internet address wouldn't be able to link to it. Thus, there were only two choices for SCO: either keep things the way they were, and get bombarded by millions of data requests, or take the server offline, which they elected to do a few hours into the attack.


Actually, they had plenty of notice. Enough to point www.sco.com to a server mirror. Allowing it several days to filter through all the DNS servers and then take the primary machine with that IP offline before the attack starts. I must admit having not heard any information to this effect though - where did it come from? (Out of interest, not accusing you of lying)
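As an added example (not code from the thread or from anyone posting in it), this Python sketch combines the two defensive ideas in GBK's and Evil_Giraffe's posts: a stand-in for www.sco.com that sends nothing at all to requests lacking a User-Agent and answers everything else with a bare 301 to the mirror's name. The mirror host name, the listening port and the request samples in the comments are constructed placeholders; as the later replies point out, this only relieves server processing, not inbound bandwidth.

```python
import socketserver
from typing import Dict, Optional, Tuple

MIRROR_HOST = "www.mirror-placeholder.invalid"  # constructed placeholder name


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Parse one HTTP/1.x request head into (method, path, headers);
    header names are lower-cased. Returns None if malformed."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def decide(raw: bytes) -> Optional[bytes]:
    """Bytes to send back, or None to drop the connection with no reply.
    Policy from the thread: no User-Agent -> silence (no outbound bytes);
    otherwise a bare 301 to the same path on the mirror host."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, path, headers = parsed
    if not headers.get("user-agent"):
        return None
    # Forward only origin-form paths made of visible ASCII, so a request
    # cannot smuggle control characters into the Location header.
    if method not in ("GET", "HEAD") or not path.startswith("/") \
            or not all(0x21 <= ord(c) <= 0x7E for c in path):
        return None
    location = f"http://{MIRROR_HOST}{path}"
    return (f"HTTP/1.1 301 Moved Permanently\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


class RedirectHandler(socketserver.BaseRequestHandler):
    """One connection: read the request head, reply (or not), close."""
    def handle(self) -> None:
        reply = decide(self.request.recv(8192))
        if reply is not None:
            self.request.sendall(reply)


if __name__ == "__main__":  # run stand-alone as a local demo listener
    with socketserver.TCPServer(("127.0.0.1", 8080), RedirectHandler) as srv:
        srv.serve_forever()
```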
2004-02-02, 8:39 AM #14
SCO would still have to pay for all that extra bandwidth, so, mission accomplished

They'll just up the license fees for Linux up to $899 a box instead of $699.
2004-02-02, 8:47 AM #15
Quote:
Originally posted by Evil_Giraffe:
My idea is that it wouldn't need to. The domain is pointed to a different machine that takes the brunt of the attack, for each request coming in sends a redirect to the new domain name of the web server. This is almost totally brainless, so the server should be able to cope with the maximum amount of data coming down the wire.
Only legitimate requests would acknowledge the redirect. So if it could manage to get through to the server (bandwidth to the server being the problem now) it will get a redirect and follow that to the new domain.

The server therefore doesn't need to differentiate between legit and DDoS packets.

I'm not sure if MyDoom.A requires a "from" address any more than a traditional data packet. That's the part I was pointing out; if you simply send a re-direct of all of the packets like that, you wind up having the DoS attack clogging up the bandwidth twice as fast.

Also, the redirect server would become so clogged up that it, too, would have to be taken down, just from simple packet switches.
Quote:
Originally posted by Evil_Giraffe:
Actually, they had plenty of notice. Enough to point www.sco.com to a server mirror. Allowing it several days to filter through all the DNS servers and then take the primary machine with that IP offline before the attack starts.

Nice DNS Error. I haven't heard anything about them re-directing it... such a change would require around a week.
Quote:
Originally posted by Evil_Giraffe:
I admit having not heard any information to this effect though - where did it come from? (Out of interest, not accusing you of lying)

Common sense. MSBlast didn't cause any damage with its attack at all, because it directed its attack at an Internet address, which is easily moved. If the worm managed to take out SCO (which is by no means a weak network) and cause no noticeable slowdown elsewhere, then it must be far more precise than using a domain name.

------------------
Nes digs around in the trash can.
Nes finds a hamburger!
Nes puts the hamburger in his backpack.
Wake up, George Lucas... The Matrix has you...
2004-02-02, 12:11 PM #16
Quote:
Originally posted by GBK:
NO. Don't be so quick to blame Linux users for this damned worm. Odds are SCO wrote it themselves.


Now, why would SCO want to DDoS their own server?
Made you look
2004-02-02, 12:30 PM #17
Most DDoSs work by exhausting bandwidth, not server resources. No matter how small the file served, the sheer quantity of requests would fill SCO's pipes.