Valdis.Kletnieks@vt.edu wrote:
Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
how do you create a DDoS that wouldn't take out the Caldera site as well?
A sheer-traffic DDoS will hurt both. A synflood will hurt both.
The webserver that's listening on port 80 doesn't know which site is being connected to until it actually reads in the HTTP/1.1 headers and looks at the Host: tag - and if there's enough things arriving with 'Host: www.sco.com', it will require some *very* creative filtering/limiting to keep one website working while the other is down....
There are quite a few companies, big and small, who would be happy to sell you web or content "switches" which forward the HTTP requests to the actual servers based on almost any bit in the HTTP request.

So far there is no real indication that anything happened other than a single-machine website at some corner of the internet getting a little overwhelmed by the attention it got. For example, ftp.sco.com answers rapidly and is on the same subnet as the supposed DDoS target, so that rules congestion in the local loop out. Since the number of requests is probably very reasonable, just cutting the page the Windows machines request to a bare minimum redirect would most likely make even grandpa's old 486 able to serve the pages with a modern kernel.

Does anybody have any numbers to actually support the theory that there would actually be significant traffic flowing somewhere?

Pete
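As an added illustration of the Host-header routing both posts talk about (example code written for this page, not anything from the thread or from SCO's actual setup): a toy layer-7 front end that parses the HTTP request head, reads the Host header, and applies a per-virtual-host request budget, so one site's excess requests get a minimal redirect while the other site sharing the IP is served normally. The host names are the two from the thread; the budgets, the time window and the sample requests are constructed assumptions.

```python
import time
from collections import Counter


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, path, version, headers).
    Header names are lower-cased; values are stripped but otherwise untouched."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


class VhostShedder:
    """Per-virtual-host request budget over a fixed time window (assumed design)."""

    def __init__(self, budgets, default_host, default_budget=1000, window=1.0):
        self.budgets = budgets            # host -> requests allowed per window
        self.default_host = default_host  # where Host-less (HTTP/1.0) requests go
        self.default_budget = default_budget
        self.window = window
        self.counts = Counter()           # (window index, host) -> requests seen

    def decide(self, raw: bytes, now=None):
        """Return (host, action); action is 'serve' or 'redirect'."""
        _m, _p, _v, headers = parse_request(raw)
        host = headers.get("host")
        # Without a Host header the front end cannot tell the two sites apart,
        # so such a request falls through to the default vhost.
        host = host.split(":")[0].lower() if host else self.default_host
        bucket = int((time.time() if now is None else now) // self.window)
        self.counts[(bucket, host)] += 1
        if self.counts[(bucket, host)] > self.budgets.get(host, self.default_budget):
            return host, "redirect"   # tiny 302 to a static page; origin untouched
        return host, "serve"


# Constructed sample requests: one per site, plus an HTTP/1.0 request with no Host.
SCO_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: x\r\n\r\n"
CALDERA_REQ = b"GET / HTTP/1.1\r\nHost: WWW.CALDERA.COM:80\r\n\r\n"
OLD_REQ = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    shedder = VhostShedder({"www.sco.com": 2}, default_host="www.caldera.com")
    for req in (SCO_REQ, SCO_REQ, SCO_REQ, CALDERA_REQ, OLD_REQ):
        print(shedder.decide(req, now=0.0))
```

Only the request head is inspected, so the decision costs no more than the Host lookup a content switch would do anyway; the budget counters are the part you would tune from real per-vhost numbers.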