December 10-11, 2003
An analysis by David Moore and Colleen Shannon of the December 2003 Distributed Denial-of-Service (DDoS) Attack against the SCO Group. For more information contact firstname.lastname@example.org
We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Ranjita Bhagwan, kc claffy, and Mike Gannis for feedback on this document; and Rob Lemos for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.
At 3:20 AM PST on Wednesday, December 10, 2003, the UCSD Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second. In real-world terms, it was as if SCO had received so many incoming prank phone calls that its switchboard was flooded.
Around 2:50 AM PST on Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had dropped considerably, to around 3,700 packets per second. Throughout Thursday morning the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter time than the web server attack. At 10:40 AM PST, SCO removed their web servers from the Internet and stopped responding to the incoming attack traffic. Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST.
In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. The outage was also documented by Netcraft in their article and analysis graphs.
[Figure: The distributed denial-of-service attack against SCO, December 10, 2003 3:20 AM PST - December 11, 2003 10:40 AM PST.]
This type of denial-of-service attack seeks to block access to targeted servers both by consuming computing resources on the servers themselves and by consuming all of the bandwidth of the network connecting the servers to the Internet. This attack successfully blocked access to SCO's web and ftp servers. A 50,000 packet-per-second SYN flood yields approximately 20 Mbit/s of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 Mbit/s). The use of load balancers or proxies, SYN cookies, and Content Delivery Networks (CDNs) can help distribute the load of a denial-of-service attack, making it more difficult to saturate the available network and server resources.
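The inference above (2.8 million observed replies scaled up to more than 700 million attack packets) and the bandwidth figure for a 50,000 packet-per-second SYN flood both follow from simple backscatter arithmetic. The following Python is an added illustration, not CAIDA's analysis code; it assumes the telescope observes 1/256 of the IPv4 address space (a /8), that attackers spoof source addresses uniformly at random, and that a SYN or SYN-ACK occupies about 50 bytes on the wire. It classifies a small constructed packet trace as backscatter, groups it by victim, and scales the counts up to whole-Internet attack rates.

```python
from collections import defaultdict
from dataclasses import dataclass
TELESCOPE_FRACTION = 1 / 256  # assumption: the telescope watches a /8 of IPv4 space
BYTES_PER_PACKET = 50         # assumption: 40-byte TCP/IP SYN plus link-layer framing

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since trace start
    src: str
    dst: str
    flags: str  # TCP flags: "S" SYN, "SA" SYN-ACK, "R"/"RA" RST

def is_backscatter(pkt: Packet) -> bool:
    """A victim answers a spoofed SYN with SYN-ACK (open port) or RST (closed port);
    those replies land on the telescope, while a bare SYN arriving there is a scan."""
    return pkt.flags in ("SA", "R", "RA")

def scale_observed(observed: int, duration_s: float, fraction: float = TELESCOPE_FRACTION):
    """Scale telescope-observed replies up to the whole address space (uniformly
    spoofed sources assumed). Returns (estimated attack packets, packets per second)."""
    total = observed / fraction
    return total, total / duration_s

def syn_flood_mbps(pps: float, bytes_per_packet: int = BYTES_PER_PACKET) -> float:
    """One-direction bandwidth of a SYN flood in Mbit/s."""
    return pps * bytes_per_packet * 8 / 1_000_000

def estimate_victims(packets, fraction: float = TELESCOPE_FRACTION) -> dict:
    """Group backscatter by its source (the victim) and estimate each attack."""
    stamps = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            stamps[p.src].append(p.ts)
    result = {}
    for victim, ts in stamps.items():
        duration = (max(ts) - min(ts)) or 1.0  # a single packet gives no duration
        total, pps = scale_observed(len(ts), duration, fraction)
        result[victim] = {"observed": len(ts), "attack_packets": total,
                          "pps": pps, "mbps": syn_flood_mbps(pps)}
    return result

# Constructed trace using RFC 5737 documentation addresses: 192.0.2.10 plays the
# victim web server, 198.51.100.0/24 stands in for the telescope's unused space.
SAMPLE = [
    Packet(0.0, "192.0.2.10", "198.51.100.7", "SA"),
    Packet(0.5, "192.0.2.10", "198.51.100.88", "SA"),
    Packet(1.0, "192.0.2.10", "198.51.100.3", "R"),
    Packet(1.5, "203.0.113.5", "198.51.100.9", "S"),  # a port scan, not backscatter
    Packet(2.0, "192.0.2.10", "198.51.100.41", "SA"),
]
```

Running `estimate_victims(SAMPLE)` reports one victim with 4 observed replies, scaled to 1,024 attack packets at 512 packets per second; `scale_observed(2_800_000, 32 * 3600)` reproduces the page's figure of over 700 million attack packets, and `syn_flood_mbps(50_000)` gives 20 Mbit/s.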
Since January 2003, tension between SCO and the open source community has increased as SCO has asserted that other operating systems have misused their intellectual property. SCO has filed a lawsuit against software giant IBM, and has received counter-suits filed by both IBM and RedHat Linux. SGI and HP have also been involved in the controversy, with SCO threatening to revoke SGI's license to use its copyrighted software, and HP offering to indemnify users who purchase HP hardware systems with a Linux operating system. SCO was also the target of denial-of-service attacks perpetrated by unknown individuals on May 2, 2003 and August 22-25, 2003.
The UCSD Network Telescope monitors distributed denial-of-service attacks worldwide using a backscatter analysis technique. The backscatter technique is described in detail in the paper Inferring Internet Denial-of-Service Activity. An animation demonstrating the backscatter technique is available at:
- News Articles
  - December 2003 Attack
    - C|net: Attack on SCO sites at an end
    - Yahoo: SCO Experiences Distributed Denial of Service Attack
    - C|net: Attack on SCO's servers intensifies
    - C|net: Data attack cripples SCO Web site
    - theWHIR: SCO Site Hit by DDoS Attack, Remains Offline
    - NewsForge: Who is DoSing SCO?
    - GrokLaw: Security Experts Doubt SCO Was Attacked
    - Yahoo: Some Security Experts Doubt SCO Was Attacked
- August 2003 Attack
- May 2003 Attack
- UCSD Network Telescope Background
- SCO Litigation Background
- Ross Oliver: Countering SYN Flood Denial-of-Service (DoS) Attacks
Colleen Shannon is a Senior Security Researcher at the Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) at the University of California, San Diego (UCSD). David Moore is the Assistant Director of CAIDA and a Ph.D. Candidate in the UCSD Computer Science Department.