The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

SCO Offline from Denial-of-Service Attack

December 10-11, 2003

An analysis by David Moore and Colleen Shannon of the December 2003 Distributed Denial-of-Service (DDoS) Attack against the SCO Group. For more information contact info@caida.org

We would like to thank Brian Kantor, Jim Madden, and Pat Wilson of UCSD for technical support of the Network Telescope project; Ranjita Bhagwan, kc claffy, and Mike Gannis for feedback on this document; and Rob Lemos for discussion as events unfolded. Support for this work was provided by Cisco Systems, NSF, DARPA, DHS, and CAIDA members.

Cooperative Association for Internet Data Analysis, UCSD Computer Science Department, University of California at San Diego, San Diego Supercomputer Center, Cisco Systems, National Science Foundation, Defense Advanced Research Projects Agency, U.S. Department of Homeland Security

At 3:20 AM PST on Wednesday, December 10, 2003, the UCSD Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against the SCO Group. Early in the attack, unknown perpetrators targeted SCO's web servers with a SYN flood of approximately 34,000 packets per second. In real-world terms, the attack caused SCO to receive so many incoming prank phone calls that their switchboard was flooded.

Around 2:50 AM PST Thursday morning, December 11, the attacker(s) began to attack SCO's ftp (file transfer protocol) servers in addition to continuing the web server attack. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning. By mid-morning Thursday (9 AM PST), the attack rate had dropped considerably, to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the web server attack. At 10:40 AM PST, SCO removed their web servers from the Internet and stopped responding to the incoming attack traffic. Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the web and ftp servers until they came back online at 5 PM PST.

In spite of rumors that SCO had faked the denial-of-service attack to implicate Linux users and garner sympathy from its critics, UCSD's Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets over 32 hours. The outage was also documented by Netcraft in their article and analysis graphs.

Figure: The distributed denial-of-service attack against SCO, December 10, 2003 3:20 AM PST - December 11, 2003 10:40 AM PST.

This type of denial-of-service attack seeks to block access to targeted servers both by consuming computing resources on the servers themselves and by consuming all of the bandwidth of the network connecting the servers to the Internet. This attack successfully blocked access to SCO's web and ftp servers. A 50,000 packet-per-second SYN flood yields approximately 20 Mbit/s of Internet traffic in each direction, comparable to half the capacity of a DS3 line (roughly 45 Mbit/s). The use of load balancers or proxies, SYN cookies, and Content Delivery Networks (CDNs) can help distribute the load of a denial-of-service attack, making it more difficult to saturate the available network and server resources.
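The following is an added example, not CAIDA's own telescope code, showing how the numbers in this report are derived from backscatter: a victim answering spoofed SYNs with SYN/ACK or RST packets sprays those replies across the whole address space, and a telescope that owns a /8 sees 1/256 of them (the /8 is an assumption here; it is what turns 2.8 million observed packets into the page's "more than 700 million"). It also carries the SYN-flood bandwidth arithmetic through. All addresses, records and the telescope prefix are constructed placeholders.

```python
"""Backscatter-based inference of a SYN-flood DDoS from network-telescope data.

Added example (not CAIDA's code). A telescope that owns a /8 sees 1/256 of the
IPv4 address space; if the attacker spoofs source addresses uniformly at random,
each unsolicited SYN/ACK or RST the telescope receives stands for ~256 attack
packets sent to the victim. All addresses and records below are constructed.
"""
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Placeholder /8 for the telescope; the real UCSD prefix is not on the page.
TELESCOPE = IPv4Network("10.0.0.0/8")
SCALE = 2 ** 32 // TELESCOPE.num_addresses  # 256 for a /8

# TCP responses a victim emits to a spoofed SYN: SYN/ACK from an open port,
# RST (or RST/ACK) from a closed one. These are the backscatter signatures.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}

# Constructed telescope records: (time_s, src_ip, dst_ip, tcp_flags).
SAMPLE = [
    (0.0, "192.0.2.10", "10.4.7.1", "SA"),     # victim replying to spoofed SYNs
    (0.2, "192.0.2.10", "10.200.3.9", "SA"),
    (0.4, "192.0.2.10", "10.18.66.2", "SA"),
    (0.6, "192.0.2.10", "10.250.1.1", "SA"),
    (0.8, "192.0.2.10", "10.9.9.9", "SA"),
    (0.5, "203.0.113.5", "10.1.1.1", "S"),     # scanner probing the telescope: a SYN, not backscatter
    (0.7, "198.51.100.7", "10.3.3.3", "R"),    # one stray RST: too few to call an attack
    (0.9, "192.0.2.10", "172.16.0.1", "SA"),   # outside the telescope block: not counted
]


def backscatter_packets(records):
    """Keep only unsolicited SYN/ACK or RST packets addressed into the telescope."""
    return [
        r for r in records
        if IPv4Address(r[2]) in TELESCOPE and r[3] in BACKSCATTER_FLAGS
    ]


def victims(records, min_packets=3):
    """Count backscatter per apparent victim (the source address of the reply).

    The threshold keeps a single stray RST from being reported as an attack.
    """
    counts = Counter(r[1] for r in backscatter_packets(records))
    return {ip: n for ip, n in counts.items() if n >= min_packets}


def estimate_attack(observed, window_s, scale=SCALE):
    """Scale telescope observations up to the whole address space."""
    total = observed * scale
    return {"attack_packets": total, "pps": total / window_s}


def syn_flood_mbps(pps, packet_bytes=50):
    """Line rate of a SYN flood. 50 bytes per packet is an assumption that
    reproduces the page's figure of about 20 Mbit/s at 50,000 packets/s."""
    return pps * packet_bytes * 8 / 1_000_000


if __name__ == "__main__":
    for ip, n in victims(SAMPLE).items():
        est = estimate_attack(n, window_s=1.0)
        print(f"{ip}: {n} backscatter pkts -> ~{est['attack_packets']} attack pkts, "
              f"~{est['pps']:.0f} pps, ~{syn_flood_mbps(est['pps']):.2f} Mbit/s")
    # The page's headline numbers: 2.8 million backscatter packets over 32 hours.
    page = estimate_attack(2_800_000, window_s=32 * 3600)
    print(f"page-scale check: {page['attack_packets']:,} attack packets")
```

The scaling step is only as good as the uniform-spoofing assumption; an attacker who spoofs from a narrow range, or a victim behind a filter that drops replies, makes the telescope undercount. The minimum-packet threshold is the usual first line of defence against mistaking ordinary scan noise for an attack.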

Since January 2003, tension between SCO and the open source community has increased as SCO has asserted that other operating systems have misused its intellectual property. SCO has filed a lawsuit against software giant IBM, and has received countersuits filed by both IBM and Red Hat. SGI and HP have also been involved in the controversy, with SCO threatening to revoke SGI's license to use its copyrighted software, and HP offering to indemnify users who purchase HP hardware systems with a Linux operating system. SCO was also the target of denial-of-service attacks perpetrated by unknown individuals on May 2, 2003 and August 22-25, 2003.

The UCSD Network Telescope monitors distributed denial-of-service attacks worldwide using a backscatter analysis technique. The backscatter technique is described in detail in the paper Inferring Internet Denial-of-Service Activity. An animation demonstrating the backscatter technique is available at:

More information:

Colleen Shannon is a Senior Security Researcher at the Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) at the University of California, San Diego (UCSD). David Moore is the Assistant Director of CAIDA and a Ph.D. Candidate in the UCSD Computer Science Department.

This work was supported by grants from Cisco Systems, the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the Department of Homeland Security (DHS), and CAIDA members.
