Did Wanadoo, French ISP, block access to SCO?
EWeek is reporting an anonymous source that Wanadoo, a major French ISP, has stopped all traffic to SCO's web site? Is this true? Have any other ISPs taken similar action?
Here is a view from the west coast. This is via Opentransit, which my limited understanding of French indicates is owned by/part of FranceTelecom:
trace 216.250.128.12
Type escape sequence to abort.
Tracing the route to www.sco.com (216.250.128.12)
1 P12-0.PALBB2.Palo-alto.opentransit.net (193.251.240.26) 0 msec 0 msec 0 msec
2 * * p5-0.IR1.PaloAlto-CA.us.xo.net (207.88.250.29) [AS 2828] !H
From Pastourelle, via Opentransit:
trace 216.250.128.12
Type escape sequence to abort.
Tracing the route to www.sco.com (216.250.128.12)
1 P12-0.NYKCR3.New-york.opentransit.net (193.251.241.134) 144 msec 216 msec 212 msec
2 P7-0.NYKBB3.New-york.opentransit.net (193.251.241.242) 76 msec 76 msec 76 msec
3 * * *
James Edwards wrote:
Here is a view from the west coast. This is via Opentransit, which my limited understanding of French indicates is owned by/part of FranceTelecom:
Opentransit (5511) is indeed France Telecom's AS for international transit, and seems to block at least 216.250.128.12 (www.sco.com) (apparently not the rest of 216.250.128.0/23 though). And, just to be even safer, Wanadoo's internal cache DNS servers for customers resolve www.sco.com and ftp.sco.com to 127.0.0.1 :-)
-- Thomas Seyrat
And by blackholing that IP they've also blackholed www.caldera.com, which is currently not a DDoS target but is also not responding to requests.
Rubens
----- Original Message ----- From: "James Edwards" <hackerwacker@tarpit.cybermesa.com> To: "Sean Donelan" <sean@donelan.com> Cc: <nanog@merit.edu> Sent: Sunday, February 01, 2004 7:20 PM Subject: Re: Did Wanadoo, French ISP, block access to SCO?
Here is a view from the west coast. This is via Opentransit, which my limited understanding of French indicates is owned by/part of FranceTelecom:
trace 216.250.128.12
Type escape sequence to abort. Tracing the route to www.sco.com (216.250.128.12)
1 P12-0.PALBB2.Palo-alto.opentransit.net (193.251.240.26) 0 msec 0 msec 0 msec
2 * * p5-0.IR1.PaloAlto-CA.us.xo.net (207.88.250.29) [AS 2828] !H
From Pastourelle, via Opentransit:
trace 216.250.128.12
Type escape sequence to abort. Tracing the route to www.sco.com (216.250.128.12)
1 P12-0.NYKCR3.New-york.opentransit.net (193.251.241.134) 144 msec 216 msec 212 msec
2 P7-0.NYKBB3.New-york.opentransit.net (193.251.241.242) 76 msec 76 msec 76 msec
3 * * *
On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <rubens@email.com> said:
And by blackholing that IP they've also blackholed www.caldera.com, which is currently not a DDoS target but is also not responding to requests.
Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP, how do you create a DDoS that wouldn't take out the Caldera site as well? A sheer-traffic DDoS will hurt both. A synflood will hurt both. The webserver that's listening on port 80 doesn't know which site is being connected to until it actually reads in the HTTP/1.1 headers and looks at the Host: tag - and if there's enough things arriving with 'Host: www.sco.com', it will require some *very* creative filtering/limiting to keep one website working while the other is down....
Just drop the www.sco.com DNS record, as they did... this particular worm goes after the URL, not the IP it usually had.
nslookup www.sco.com
*** can't find www.sco.com: Non-existent domain
nslookup www.caldera.com
Non-authoritative answer:
Name: www.caldera.com
Address: 216.250.128.12
Rubens
----- Original Message ----- From: <Valdis.Kletnieks@vt.edu> To: "Rubens Kuhl Jr." <rubens@email.com> Cc: <hackerwacker@cybermesa.com>; <nanog@merit.edu> Sent: Sunday, February 01, 2004 9:09 PM Subject: Re: Did Wanadoo, French ISP, block access to SCO?
On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <rubens@email.com> said:
And by blackholing that IP they've also blackholed www.caldera.com, which is currently not a DDoS target but is also not responding to requests.
Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP, how do you create a DDoS that wouldn't take out the Caldera site as well? A sheer-traffic DDoS will hurt both. A synflood will hurt both. The webserver that's listening on port 80 doesn't know which site is being connected to until it actually reads in the HTTP/1.1 headers and looks at the Host: tag - and if there's enough things arriving with 'Host: www.sco.com', it will require some *very* creative filtering/limiting to keep one website working while the other is down....
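Added example, not code from the thread: a small Python check that takes resolver answers of the kind Thomas Seyrat and Rubens report (constructed here, not live lookups) and labels each as NXDOMAIN, sinkholed or routable, flags hostnames where a cache disagrees with the public answer, and lists which other names share an IP before anyone considers null-routing it. Resolver labels and the ftp.sco.com answer are assumptions for the sample.

```python
import ipaddress

# Constructed sample answers modelled on what the thread reports:
# (hostname, resolver label, list of A records, or None for NXDOMAIN).
SAMPLE_ANSWERS = [
    ("www.sco.com", "wanadoo-cache", ["127.0.0.1"]),
    ("ftp.sco.com", "wanadoo-cache", ["127.0.0.1"]),
    ("www.sco.com", "public-resolver", None),
    ("www.caldera.com", "public-resolver", ["216.250.128.12"]),
]


def classify(records):
    """Label one answer: 'nxdomain' (record dropped at the zone),
    'sinkholed' (an answer that is not globally routable, e.g. 127.0.0.1),
    or 'routable'."""
    if records is None:
        return "nxdomain"
    if any(not ipaddress.ip_address(r).is_global for r in records):
        return "sinkholed"
    return "routable"


def disagreements(answers):
    """Hostnames whose classification differs between resolvers: a cache
    that disagrees with the public answer is rewriting, not just caching.
    Returns {hostname: {resolver: classification}}."""
    seen = {}
    for name, resolver, records in answers:
        seen.setdefault(name, {})[resolver] = classify(records)
    return {n: r for n, r in seen.items() if len(set(r.values())) > 1}


def collateral(ip, answers):
    """Sorted hostnames whose routable answers include ip, i.e. everything a
    null-route of that single address would take down along with the target."""
    hit = {name for name, _, records in answers
           if records and ip in records and classify(records) == "routable"}
    return sorted(hit)


if __name__ == "__main__":
    for name, per_resolver in disagreements(SAMPLE_ANSWERS).items():
        print(f"{name}: {per_resolver}")
    print("sharing 216.250.128.12:", collateral("216.250.128.12", SAMPLE_ANSWERS))
```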
So that's 1-0 to the worm! You could do some real cool things if you were controlling the DNS for a site under a major sustained DDoS, who doesn't the intended victim like.. just fire up an A record and they're gone! ;p Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.
Steve
On Sun, 1 Feb 2004, Rubens Kuhl Jr. wrote:
Just drop the www.sco.com DNS record, as they did... this particular worm goes after the URL, not the IP it usually had.
nslookup www.sco.com
*** can't find www.sco.com: Non-existent domain
nslookup www.caldera.com
Non-authoritative answer: Name: www.caldera.com Address: 216.250.128.12
Rubens
----- Original Message ----- From: <Valdis.Kletnieks@vt.edu> To: "Rubens Kuhl Jr." <rubens@email.com> Cc: <hackerwacker@cybermesa.com>; <nanog@merit.edu> Sent: Sunday, February 01, 2004 9:09 PM Subject: Re: Did Wanadoo, French ISP, block access to SCO?
On Sun, 01 Feb 2004 20:00:40 -0200, "Rubens Kuhl Jr." <rubens@email.com> said:
And by blackholing that IP they've also blackholed www.caldera.com, which is currently not a DDoS target but is also not responding to requests.
Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP, how do you create a DDoS that wouldn't take out the Caldera site as well?
A sheer-traffic DDoS will hurt both. A synflood will hurt both.
The webserver that's listening on port 80 doesn't know which site is being connected to until it actually reads in the HTTP/1.1 headers and looks at the Host: tag - and if there's enough things arriving with 'Host: www.sco.com', it will require some *very* creative filtering/limiting to keep one website working while the other is down....
On Mon, 2 Feb 2004, Stephen J. Wilcox wrote:
So that's 1-0 to the worm!
[snip]
Btw I'm seeing www.caldera.com disappear into Level3, seems they're down.
I see the same at the verio/xo handoff - no successful A record lookups either. J. -- Jess Kitchen ^ burstfire.net[works] _$ | www.burstfire.net.uk
Valdis.Kletnieks@vt.edu wrote:
Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
how do you create a DDoS that wouldn't take out the Caldera site as well?
A sheer-traffic DDoS will hurt both. A synflood will hurt both.
The webserver that's listening on port 80 doesn't know which site is being connected to until it actually reads in the HTTP/1.1 headers and looks at the Host: tag - and if there's enough things arriving with 'Host: www.sco.com', it will require some *very* creative filtering/limiting to keep one website working while the other is down....
There are quite a few companies, big and small, who would be happy to sell you web or content "switches" which forward the HTTP requests to the actual servers based on almost any bit in the HTTP request. So far there is no real indication that anything else happened than a single-machine website at some corner of the internet got a little overwhelmed by the attention it got. For example ftp.sco.com answers rapidly and is on the same subnet as the supposed DDoS target, so that rules congestion in the local loop out. Since the number of requests is probably very reasonable, just cutting the page the windows machines request to a bare minimum redirect would most likely have made even grandpa's old 486 serve the pages with a modern kernel. Does anybody have any numbers to actually support the theory that there would actually be significant traffic flowing somewhere?
Pete
On Mon, 02 Feb 2004 01:37:26 +0200, Petri Helenius said: (I was speaking to *this* particular incident, not to the question of "how to prevent it" in general. Remember that this is the 5th or 6th time SCO has been DoS'ed successfully...)
There are quite a few companies, big and small, who would be happy to sell you web or content "switches" which forward the HTTP requests to the actual servers based on almost any bit in the HTTP request.
Yes, but this assumes a sufficient supply of clue, available financial resources, and motivation to deploy, and then balance the cost of those type of boxes against the impact on your revenue stream of getting DDoS'ed. When your web server isn't generating any revenue, your ongoing support (patch download, etc) is via a still-working FTP server, and you can get lots of PR out of saying "Those Linux freaks let loose a worm to DDoS us", why should you invest in that technology?
Does anybody have any numbers to actually support the theory that there would actually be significant traffic flowing somewhere?
From SCO's 10K they filed with the SEC on Tues, Jan 28, and presumably actually written at least a day or two before: "Additionally, we have recently experienced a distributed denial-of-service attack as a result of the "Mydoom" worm virus. It is reported that the effects of this virus will continue into February 2004". So for them, the DDoS was already "past tense" a week ago. Not "expecting" or "will be shortly". Draw your own conclusions about what happens if the DDoS attack fizzles for any reason, or if Netcraft's stats say a different story, etc... The best commentary I've seen on the whole sorry mess so far: http://ars.userfriendly.org/cartoons/?id=20040201
At 03:52 PM 01/02/2004, Sean Donelan wrote:
EWeek is reporting an anonymous source that Wanadoo, a major French ISP, has stopped all traffic to SCO's web site?
Is this true?
Don't know
Have any other ISPs taken similar action?
Not here. The only thing different I did was
ndc querylog
tail -f /var/log/daemon | grep www.sco.com
on my recursive servers and I have been .... underwhelmed by the output
---Mike
Mike Tancsa wrote:
Have any other ISPs taken similar action?
Not here. The only thing different I did was
ndc querylog
tail -f /var/log/daemon | grep www.sco.com
on my recursive servers and I have been .... underwhelmed by the output
Maybe SCO just got overwhelmed by the requests by the people who are curious if the site is still up and they were not prepared to serve more than the average lawsuit-interested number of hits they do by default? Call it a socially engineered DDoS.
Pete
so, should they be renamed wanadon't? :-) i.e. what's all this about anyway? what am i supposed to learn from this that i am clearly missing? as far as i know, the actual victim has not asked us to do anything. so i think i'll go shopping for dinner and groceries before the fish counter gets sparse.
randy
Randy Bush wrote:
so, should they be renamed wanadon't? :-)
i.e. what's all this about anyway? what am i supposed to learn from this that i am clearly missing? as far as i know, the actual victim has not asked us to do anything. so i think i'll go shopping for dinner and groceries before the fish counter gets sparse.
I don't think there are new lessons to be learned, just identifying the beneficiaries of the hype&fear machine will give you an idea where the money is going to. Some people do this with software, some use more hardware. Usually the end result is an excuse for governments to spend more to think and watch out for you.
Pete
On Sun, 1 Feb 2004, Sean Donelan wrote:
EWeek is reporting an anonymous source that Wanadoo, a major French ISP, has stopped all traffic to SCO's web site?
Is this true? Have any other ISPs taken similar action?
Can you block access to something that doesn't exist?
; <<>> DiG 9.2.2-P3 <<>> www.sco.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10008
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sco.com. IN A

;; AUTHORITY SECTION:
sco.com. 1582 IN SOA ns.calderasystems.com. hostmaster.caldera.com. 2004020103 3600 900 604800 1800

sco.com still has an A record, but it seems filtered. I can't ping / traceroute / tcp/80 it. Their MX is still reachable (ping / tcp/25 at least).
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________