While Linux users have retracted accusations that SCO made up its claims to have been victim of a distributed denial-of-service attacks, doubts about SCO's claims linger.
In the face of third party evidence that the attacks did happen, Linux users retracted accusations that SCO was lying. But Linux and security experts stood by their statements that SCO's description of the attacks make no sense, and that competent network administrators can easily protect themselves against the type of attack SCO says happened to it.

In a statement issued Wednesday, the company said it was experiencing a distributed denial-of-service attack that caused its "Web site (www.sco.com) and corporate operational traffic to be unavailable during the morning hours including e-mail, the company intranet, and customer support operations."

SCO said on Friday that the attacks had ended.

The company claims it was targeted by a type of attack known as a SYN attack, where external servers begin to initiate a connection with a target server, and then refuse to release that connection.

Linux advocates -- led by the weblog Groklaw.net in a post made on Wednesday and Slashdot.org in a Thursday post -- were quick to dismiss SCO's claims, saying that the attacks did not appear to be happening at all, and that the evidence presented by SCO did not resemble evidence of SYN attacks. Linux advocates said SCO might therefore be lying about the attacks in an effort to discredit the open source community.

Linux advocates claims that the attacks didn't happen were undercut by a report from the Cooperative Association for Internet Data Analysis (CAIDA), which issued a report Dec. 11 confirming that the attacks occurred. CAIDA said the University of California San Diego Network Telescope, which monitors distributed denial of service attacks worldwide, detected evidence of the DDOS aginst SCO.

Groklaw posted a message on Friday afternoon retracting the accusation that SCO is lying, but stood by its assertions that SCO's network outage demonstrates the company has incompetent security.

Bruce Schneier, CTO of Counterpane Internet Security, agreed that SCO does not appear to have been under a SYN attack. "SCO's self-diagnosis makes no sense," he said. "But that doesn't mean SCO is lying."

He added, "We have no idea. We'll never know. Clearly, it's not a SYN flood, they're wrong about that. The question is, are they lying, or is a clever hacker doing something to them that looks to a nave observer like a SYN flood?"

He continued, "It could be a politically motivated attack. There could be a smart, politically motivated hacker doing it. SCO is a company people love to hate, like Microsoft and the furriers."

We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included: contributing editor Don MacVittie, who is currently an IT project manager for a major midwestern utility company, and has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, they agreed that Groklaw's analysis of the situation is credible and knowledgeable.

Groklaw raised questions about SCO's claims that its intranet was brought down by the attack. Why was the intranet exposed to the public Internet, Groklaw asked.

But SCO claims that, while the SYN attacks themselves were thwarted, the volume of the attacks flooded bandwidth to SCO's servers on the public Internet, making them inaccessible.

Jeff Carlon, director of worldwide IT infrastructure for SCO, said that the intranet was only partially hit by the attack. Intranet networks at individual SCO locations were unaffected by the attack, but connections between locations -- which are carried over the public Internet -- were down for about two hours, Carlon said.

"Our intranet here at this particularly location was available the whole time," Carlon said. "But our intranet also expands outward from a global perspective, and like many companies we rely on the Internet to provide that bandwidth. There was only a short period of about two hours when our intranet was unavailable, and that was because the bandwidth was overloaded."

SCO's critics said that defenses against SYN attacks have existed for a long time, and SCO is therefore incompetent. But Carlon said SCO has those protections in place; that SCO was victimized by the sheer flood of attacks overwhelming the company's bandwidth.

Carlon said that speculation on what kind of attack SCO suffered misses the point that SCO was the victim.

"We have spent a lot of time talking about what kind of attack we had, what we could have done, what we should have done," he said. "The thing we have to keep in mind is we are just like any other company out there trying to run a business. Just because someone doesn't agree with our business direction really doesn't give them the right to engage in criminal activities against our company."

SCO's Internet servers run on a third-party hosting company which -- ironically enough -- uses Linux. SCO claims that it owns the copyright to Linux, and that users who fail to purchase licenses from SCO are violating SCO's intellectual property. Carlon said SCO has not investigated whether its web hosting company has a clean Linux license.

"We have not had discussions with them regarding the license. They have not requested a license, nor have we really gone after them from a licensing perspective," Carlon said.

The Source

"The secret to creativity is knowing how to hide your sources."
-Albert Einstein

Tech Ninja Security