Did Wanadoo, French ISP, block access to SCO?

EWeek is reporting an anonymous source that Wanadoo, a major French ISP,
has stopped all traffic to SCO's web site?

Is this true? Have any other ISPs taken similar action?

Here is a view from the west coast. This is via
Opentransit, which, from my limited understanding of French,
is owned by/part of France Telecom:

trace 216.250.128.12

Type escape sequence to abort.
Tracing the route to www.sco.com (216.250.128.12)

  1 P12-0.PALBB2.Palo-alto.opentransit.net (193.251.240.26) 0 msec 0 msec 0 msec
  2 * *
    p5-0.IR1.PaloAlto-CA.us.xo.net (207.88.250.29) [AS 2828] !H

From Pastourelle, via Opentransit:

trace 216.250.128.12

Type escape sequence to abort.
Tracing the route to www.sco.com (216.250.128.12)

  1 P12-0.NYKCR3.New-york.opentransit.net (193.251.241.134) 144 msec 216 msec 212 msec
  2 P7-0.NYKBB3.New-york.opentransit.net (193.251.241.242) 76 msec 76 msec 76 msec
  3 * * *

James Edwards wrote:

Here is a view from the west coast. This is via
Opentransit, which, from my limited understanding of French,
is owned by/part of France Telecom:

  Opentransit (5511) is indeed France Telecom's AS for international
  transit, and seems to block at least 216.250.128.12 (www.sco.com)
  (apparently not the rest of 216.250.128.0/23 though).

  And, just to be even safer, Wanadoo's internal cache DNS servers for
  customers resolve www.sco.com and ftp.sco.com to 127.0.0.1 :-)

And by blackholing that IP they've also blackholed www.caldera.com, which is
currently not a DDoS target but is also not responding to requests.

Rubens

EWeek is reporting an anonymous source that Wanadoo, a major French ISP,
has stopped all traffic to SCO's web site?

Is this true?

Don't know.

Have any other ISPs taken similar action?

Not here. The only thing different I did was
ndc querylog
tail -f /var/log/daemon | grep www.sco.com

on my recursive servers and I have been .... underwhelmed by the output

         ---Mike

Mike Tancsa wrote:

Have any other ISPs taken similar action?

Not here. The only thing different I did was
ndc querylog
tail -f /var/log/daemon | grep www.sco.com

on my recursive servers and I have been .... underwhelmed by the output

Maybe SCO just got overwhelmed by requests from people who are curious whether
the site is still up, and they were not prepared to serve more than the average
lawsuit-interested number of hits they get by default? Call it a socially engineered DDoS.

Pete

so, should they be renamed wanadon't? :-)

i.e. what's all this about anyway? what am i supposed to learn
from this that i am clearly missing? as far as i know, the
actual victim has not asked us to do anything. so i think i'll
go shopping for dinner and groceries before the fish counter
gets sparse.

randy

Can you block access to something that doesn't exist?

; <<>> DiG 9.2.2-P3 <<>> www.sco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sco.com. IN A

;; AUTHORITY SECTION:
sco.com. 1582 IN SOA ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800

sco.com still has an A record, but it seems filtered. I can't
ping / traceroute / tcp/80 it.

Their MX is still reachable (ping / tcp/25 at least).

Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
how do you create a DDoS that wouldn't take out the Caldera site as well?

A sheer-traffic DDoS will hurt both. A synflood will hurt both.

The webserver that's listening on port 80 doesn't know which site
is being connected to until it actually reads in the HTTP/1.1 headers and
looks at the Host: tag - and if there's enough things arriving with
'Host: www.sco.com', it will require some *very* creative filtering/limiting
to keep one website working while the other is down....
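The per-Host limiting the post says would be needed is feasible once the request head has been read; the following is an added illustration, not code from the thread or from SCO/Caldera, that parses the Host: header and applies a separate token bucket per virtual host so a flood aimed at one name on the shared IP does not consume the other name's budget. The host names, the sample traffic and the bucket parameters are assumptions made for the example.

```python
import time
from collections import defaultdict

# Constructed sample traffic (not captured from the incident): both names share one IP.
SAMPLE_REQUESTS = (
    [b"GET / HTTP/1.1\r\nHost: www.sco.com\r\n\r\n"] * 8
    + [b"GET / HTTP/1.1\r\nHost: www.caldera.com\r\n\r\n"] * 3
)

def host_of(raw):
    """Return the lower-cased Host header of a raw HTTP/1.1 request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().lower().decode("ascii", "replace")
    return None

class HostBucket:
    """Token bucket keyed by Host header: each vhost refills independently."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = defaultdict(lambda: burst)  # fresh hosts start with a full bucket
        self.last = {}

    def allow(self, raw):
        host = host_of(raw)
        if host is None:
            return False                          # HTTP/1.1 without Host: is rejected outright
        now = self.clock()
        elapsed = now - self.last.get(host, now)
        self.last[host] = now
        self.tokens[host] = min(self.burst, self.tokens[host] + elapsed * self.rate)
        if self.tokens[host] >= 1:
            self.tokens[host] -= 1
            return True
        return False

def run_sample(requests=SAMPLE_REQUESTS, burst=5):
    """Feed requests through a limiter with a frozen clock; return {host: (allowed, dropped)}."""
    limiter = HostBucket(rate=1.0, burst=burst, clock=lambda: 0.0)
    stats = defaultdict(lambda: [0, 0])
    for raw in requests:
        stats[host_of(raw)][0 if limiter.allow(raw) else 1] += 1
    return {h: tuple(v) for h, v in stats.items()}
```

With the frozen clock the sco.com flood exhausts its own bucket after five requests while every caldera.com request is still served.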

Randy Bush wrote:

so, should they be renamed wanadon't? :-)

i.e. what's all this about anyway? what am i supposed to learn
from this that i am clearly missing? as far as i know, the
actual victim has not asked us to do anything. so i think i'll
go shopping for dinner and groceries before the fish counter
gets sparse.

I don't think there are new lessons to be learned; just identifying the beneficiaries
of the hype & fear machine will give you an idea of where the money is going.

Some people do this with software, some use more hardware. Usually the end
result is an excuse for governments to spend more to think and watch out for
you.

Pete

Just drop the www.sco.com DNS record, as they did... this particular worm
goes after the URL, not the IP it usually had.

nslookup www.sco.com

*** can't find www.sco.com: Non-existent domain

nslookup www.caldera.com

Non-authoritative answer:
Name: www.caldera.com
Address: 216.250.128.12

Rubens

There are quite a few companies, big and small, who would be happy to sell you web or
content "switches" which forward the HTTP requests to the actual servers based on
almost any bit in the HTTP request.

So far there is no real indication that anything else happened than a single-machine website
at some corner of the internet got a little overwhelmed by the attention it got. For example,
ftp.sco.com answers rapidly and is on the same subnet as the supposed DDoS target, which
rules out congestion in the local loop.

Since the number of requests is probably very reasonable, just cutting the page the Windows machines
request to a bare minimum redirect would most likely make even grandpa's old 486 serve
the pages with a modern kernel.

Does anybody have any numbers to actually support the theory that there would be significant
traffic flowing somewhere?

Pete

(I was speaking to *this* particular incident, not to the question of
"how to prevent it" in general. Remember that this is the 5th or 6th
time SCO has been DoS'ed successfully...)

There are quite a few companies, big and small, who would be happy to sell you web or
content "switches" which forward the HTTP requests to the actual servers based on
almost any bit in the HTTP request.

Yes, but this assumes a sufficient supply of clue, available financial
resources, and motivation to deploy, and then balance the cost of those type of
boxes against the impact on your revenue stream of getting DDoS'ed. When your
web server isn't generating any revenue, your ongoing support (patch download,
etc) is via a still-working FTP server, and you can get lots of PR out of
saying "Those Linux freaks let loose a worm to DDoS us", why should you invest
in that technology?

Does anybody have any numbers to actually support the theory that there
would be significant traffic flowing somewhere?

From SCO's 10K they filed with the SEC on Tues, Jan 28, and presumably actually
written at least a day or two before:

"Additionally, we have recently experienced a distributed denial-of-service
attack as a result of the "Mydoom" worm virus. It is reported that the effects
of this virus will continue into February 2004".

So for them, the DDoS was already "past tense" a week ago. Not "expecting"
or "will be shortly".

Draw your own conclusions about what happens if the DDoS attack fizzles for any
reason, or if Netcraft's stats tell a different story, etc...

The best commentary I've seen on the whole sorry mess so far:

http://ars.userfriendly.org/cartoons/?id=20040201

So that's 1-0 to the worm!

You could do some real cool things if you were controlling the DNS for a site
under a major sustained DDoS. Whom doesn't the intended victim like? Just fire up
an A record and they're gone! ;p

Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.

Steve

So that's 1-0 to the worm!

[snip]

Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.

I see the same at the verio/xo handoff - no successful A record lookups
either.

J.