Doubts Linger About SCO's Cyber-Attack Claims

While Linux users have retracted accusations that SCO made up its claims it was a victim of a distributed denial-of-service attacks, doubts about those claims linger.

In the face of third-party evidence that the attacks did happen, Linux users retracted accusations that SCO wasn't telling the truth. But Linux and security experts stood by their statements that SCO's description of the attacks make no sense, and that competent network administrators could easily protect themselves against the type of attack SCO says occurred.

In a statement issued Wednesday, the company said it was experiencing a distributed denial-of-service (DDoS) attack that caused its "Web site (www.sco.com) and corporate operational traffic to be unavailable during the morning hours, including e-mail, the company's intranet, and customer-support operations."

SCO said on Friday that the attacks had ended.

The company claims it was targeted by a type of attack known as a SYN attack, in which external servers begin to initiate a connection with a target server, and then refuse to release that connection.

Linux advocates — led by the weblog Groklaw.net in a post made on Wednesday and Slashdot.org in a post the next day — were quick to dismiss SCO's claims, saying the attacks did not appear to be real, and that the evidence presented by SCO did not resemble evidence of SYN attacks. Linux advocates said SCO might therefore be falsifying the attacks in an effort to discredit the open-source community.

Claims that the attacks weren't real were later undercut by a report from the Cooperative Association for Internet Data Analysis (CAIDA), which issued a report on Thursday confirming the attacks had occurred. CAIDA said the University of California San Diego Network Telescope, which monitors DDoS attacks worldwide, detected evidence of the attacks against SCO.

Groklaw posted a message on Friday afternoon retracting its accusation that SCO was misrepresenting the truth about the attacks, but the weblog stood by its assertions that SCO's network outage demonstrates security incompetence.

Bruce Schneier, CTO of Counterpane Internet Security, agreed that SCO does not appear to have been under a SYN attack. "SCO's self-diagnosis makes no sense," he said. "But that doesn't mean SCO is lying."

He added, "We have no idea. We'll never know. Clearly, it's not a SYN flood, they're wrong about that. The question is, are they lying, or is a clever hacker doing something to them that looks to a nave observer like a SYN flood?"

Schneier continued, "It could be a politically motivated attack. There could be a smart, politically motivated hacker doing it. SCO is a company people love to hate, like Microsoft and the furriers."

We asked several Linux and security experts to look over Groklaw's analysis of the attacks. These included contributing editor Don MacVittie, an IT project manager for a major Midwestern utility company who has an extensive Linux and IT background; Neil Schneider, president of the Kernel-Panic Linux User Group; and Matt Brown, CEO of LAMP Host, a Linux-based Internet hosting company. While they did not have firsthand knowledge of the SCO situation, all agreed that Groklaw's analysis of the situation is credible and knowledgeable.

Groklaw raised questions about SCO's claims that its intranet was brought down by the attack. Why was the intranet exposed to the public Internet, Groklaw asked.

SCO claims that, while the SYN attacks themselves were thwarted, the volume of the attacks flooded bandwidth to SCO's servers on the public Internet, making them inaccessible.

Jeff Carlon, director of worldwide IT infrastructure for SCO, said that the intranet was only partially hit by the attack. Intranet networks at individual SCO locations were unaffected by the attack, but connections between locations -- which are carried over the public Internet -- were affected.

"Our intranet here at this particular location was available the whole time," Carlon said. "But our intranet also expands outward from a global perspective, and like many companies we rely on the Internet to provide that bandwidth. There was a short period of about two hours when our intranet was unavailable, and that was because the bandwidth was overloaded."

SCO's critics said that defenses against SYN attacks have existed for a long time, and SCO is therefore incompetent. But Carlon said SCO has those protections in place; that SCO was victimized by the sheer flood of attacks overwhelming the company's bandwidth.

Carlon added that speculation on what kind of attack SCO suffered misses the point that SCO was the victim.

"We have spent a lot of time talking about what kind of attack we had, what we could have done, what we should have done," he said. "The thing we have to keep in mind is we are just like any other company trying to run a business. Just because someone doesn't agree with our business direction doesn't give them the right to engage in criminal activities against our company."

SCO's Internet servers run on a third-party hosting company which, ironically, are based on Linux. SCO claims that it owns the copyright to Linux, and that users who fail to purchase licenses from SCO are violating SCO's intellectual property. Carlon said SCO has not investigated whether its Web-hosting company has a clean Linux license.

"We have not had discussions with them regarding the license. They have not requested a license, nor have we really gone after them from a licensing perspective," Carlon said.