North American Network Operators Group


Re: SCO

  • From: Petri Helenius
  • Date: Sun Feb 01 18:42:44 2004

[email protected] wrote:

> Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
> how do you create a DDoS that wouldn't take out the Caldera site as well?
> A sheer-traffic DDoS will hurt both. A synflood will hurt both.
>
> The webserver that's listening on port 80 doesn't know which site
> is being connected to until it actually reads in the HTTP/1.1 headers and
> looks at the Host: tag - and if there's enough things arriving with
> 'Host: www.sco.com', it will require some *very* creative filtering/limiting
> to keep one website working while the other is down....

There are quite a few companies, big and small, who would be happy to sell you web or
content "switches" which forward the HTTP requests to the actual servers based on
almost any bit in the HTTP request.

So far there is no real indication that anything happened other than a single-machine website
at some corner of the Internet getting a little overwhelmed by the attention it got. For example,
ftp.sco.com answers rapidly and is on the same subnet as the supposed DDoS target, so
that rules congestion in the local loop out.

Since the number of requests is probably very reasonable, just cutting the page the Windows machines
request to a bare minimum redirect would most likely make even grandpa's old 486 serve
the pages with a modern kernel.

Does anybody have any numbers to actually support the theory that there would actually be significant
traffic flowing somewhere?

Pete
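
Added example, not part of the original post: a toy version of the Host-based "content switch" discussed above, which reads the Host: header and applies a per-site request budget so that a flood of requests for one name does not starve the other name on the same IP. The hostnames come from the thread; the pool names, the 10 req/s limit and the simulated traffic are constructed assumptions. As the quoted message notes, this only works once the request has been read, so it does nothing against a SYN flood or link saturation.

```python
# Added example: a toy "content switch" that limits per Host header.
# Hostnames are from the thread; pools, rates and requests are constructed.

def host_of(raw):
    """Return the lower-cased Host value without port, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]
    return None

class TokenBucket:
    """Integer token bucket: time in ms, tokens in 1/1000ths (no float drift)."""
    def __init__(self, rate_per_s, burst, now_ms=0):
        self.rate, self.cap = rate_per_s, burst * 1000
        self.tokens, self.stamp = self.cap, now_ms

    def allow(self, now_ms):
        # rate tokens/s equals rate milli-tokens per elapsed millisecond
        self.tokens = min(self.cap, self.tokens + (now_ms - self.stamp) * self.rate)
        self.stamp = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True

class ContentSwitch:
    def __init__(self, pools, limits):
        self.pools = pools                        # host -> backend pool name
        self.buckets = {h: TokenBucket(*rb) for h, rb in limits.items()}

    def dispatch(self, raw, now_ms):
        host = host_of(raw)
        if host not in self.pools:
            return ("reject", 400)                # missing or unknown Host
        bucket = self.buckets.get(host)
        if bucket is not None and not bucket.allow(now_ms):
            return ("shed", 503)                  # over budget: no backend hit
        return ("forward", self.pools[host])

def simulate():
    """One second of traffic: 100 requests for one site, 5 for the other."""
    sw = ContentSwitch({"www.sco.com": "pool-a", "www.caldera.com": "pool-b"},
                       {"www.sco.com": (10, 10)})  # 10 req/s, burst of 10
    counts = {}
    for i in range(100):                           # one tick every 10 ms
        hosts = ["www.sco.com"] + (["www.caldera.com"] if i % 20 == 0 else [])
        for h in hosts:
            raw = ("GET / HTTP/1.1\r\nHost: %s\r\n\r\n" % h).encode()
            action = sw.dispatch(raw, i * 10)[0]
            counts[(h, action)] = counts.get((h, action), 0) + 1
    return counts
```
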



