North American Network Operators Group



  • From: Valdis.Kletnieks
  • Date: Sun Feb 01 19:39:08 2004

On Mon, 02 Feb 2004 01:37:26 +0200, Petri Helenius said:

(I was speaking to *this* particular incident, not to the question of
"how to prevent it" in general.  Remember that this is the 5th or 6th
time SCO has been DoS'ed successfully...)

> There are quite a few companies, big and small, who would be happy to sell you web or
> content "switches" which forward the HTTP requests to the actual servers based on
> almost any bit in the HTTP request.

Yes, but this assumes a sufficient supply of clue, available financial
resources, and motivation to deploy, and then balance the cost of those types of
boxes against the impact on your revenue stream of getting DDoS'ed.  When your
web server isn't generating any revenue, your ongoing support (patch download,
etc) is via a still-working FTP server, and you can get lots of PR out of
saying "Those Linux freaks let loose a worm to DDoS us", why should you invest
in that technology?

> Does anybody have any numbers to actually support the theory that there
> would actually be significant traffic flowing somewhere?

From SCO's 10K they filed with the SEC on Tues, Jan 28, and presumably actually
written at least a day or two before:

"Additionally, we have recently experienced a distributed denial-of-service
attack as a result of the "Mydoom" worm virus. It is reported that the effects
of this virus will continue into February 2004".

So for them, the DDoS was already "past tense" a week ago.  Not "expecting"
or "will be shortly".

Draw your own conclusions what happens if the DDoS attack fizzles for any
reason, or if Netcraft's stats say a different story, etc...

The best commentary I've seen on the whole sorry mess so far:
