SCO drop from the DNS

SCO have done the public spirited thing and taken out of the DNS. This means that there will be no more http traffic travelling across the internet from the infected machines to

Plausibly, the hostmaster's plan was set the TTL to 60 seconds to give himself the flexibility of having changes propogate promptly, and then see what the http traffic was like before making a decision to remove the site from the DNS. He has now decided that he has seen enough. SCO may also have been the subject of pressure from ISPs to put a stop to the http traffic.

Host not found: 3(NXDOMAIN)
% dig                   IN      A
% date
Sun Feb  1 19:29:50 GMT 2004

Generally, conditions on the Internet seem very acceptable at the moment, with few hosting company sites experiencing failed requests . This contrasts markedly with forecasts from Anti-virus companies and this morning's press release from SCO which reported the Internet as being overwhelmed.

Sunday morning and is still in the DNS

We had expected that SCO might take out of the DNS in the run up to the MyDoom DDoS payload in order to keep the denial of service http traffic off the Internet. So far, though, still resolves and receives http requests, though closing the connection without sending a response.

That said, the hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.

% host has address
% dig            60      IN      A
% telnet http
Connected to
Escape character is '^]'.
Connection closed by foreign host.

Contrastingly,'s performance is as normal. Microsoft has chosen to leave the hostname still resolving to a set of 8 ip addresses in Redmond, rather than point it at Akamai's content distribution network, with their TTL set to just under an hour.      7       IN      CNAME 7     IN      CNAME 8    IN      A 8    IN      A 8    IN      A 8    IN      A 8    IN      A 8    IN      A 8    IN      A 8    IN      A

A graph of the response times, is available while people may also subscribe to receive outage alerts on the sites.

Elsewhere, the Internet looks quite benign with presently just 10 of the fifty hosting company sites monitored by Netcraft showing failed requests during the last 24 hours, and none showing outages.

February 2004 Web Server Survey

In the February 2004 survey we received responses from 47,173,415 sites.

The number of responding sites is up by over one million from January; however the percentage share between the different web servers is little changed, with Microsoft's half a percent drop in active sites being the most salient point of interest.

Graph of market share for top servers across all domains, August 1995 - February 2004

Top Developers
Developer January 2004Percent February 2004Percent Change

Continue reading is a weapon of mass destruction

Much of the commentary on the SCO distributed denial of service scenario, including our own, has been based on the premise that SCO badly wants to keep their web site running. This may not be the case: unlike Microsoft, which has a real business to run and a real need to keep its web site operational, SCO Executives may not strongly care about the availability of After all, Michael Doyle’s half a billion dollar patent win against Microsoft scarcely hinged on the response times of the Eolas web site.

In fact, the author of the MyDoom virus has delegated control of the most enormous volume of http traffic that the Internet has yet seen to On a whim, SCO can direct that Tsunami at an object of their choosing, simply by changing an A record in named.conf in time for the change to propagate by Sunday.

In this context, SCO Executives may have latitude to consider alternative defenses which do not involve having to parlay with low-down-no-good-Linux-loving-CDN-providers.

Continue reading

Phishers expand into telephony

Further evidence of the financial rewards presently available from phishing is that fraudsters can afford the time and labour of making the attacks by phone rather than being constrained to electronic mail. A mail we received continues the story.

My husband was called on Wednesday by "VISA" and I was called on Thursday by "MasterCard". It worked like this:

Person calling says, "This is Carl Patterson (any name) and I'm calling from the Security and Fraud department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card. Did you purchase an Anti-Telemarketing Device / any expensive item for £497.99 from a marketing company based in 'Anywhere'?"

Continue reading

SCO legal case poses a conundrum on how it should defend a DDoS

While Microsoft has a track record of deflecting DDoS attacks, the SCO Group's ability to defend its web site is complicated by the company's legal battle with Linux users. Both companies will be targeted Sunday by denial of service attacks from Windows computers infected by the MyDoom worm.

Content distribution networks (CDN) can play a key role in defeating DDoS attacks, using their large and widely distributed networks of servers to blunt their impact. Microsoft used a CDN service from Akamai to keep its web site online last August, when the Blaster worm programmed machines to launch a DDoS on the Windows Update site. Microsoft's strategy drew considerable attention, as the front page of the site was served by Linux machines on Akamai's network.

The largest CDN providers - Akamai, Cable & Wireless and Speedera - all make extensive use of Linux servers. That's a problem for SCO, which contends that Linux includes copyrighted code from its own operating system, and is asking Linux users to pay $699 per server for the right to use its intellectual property. It’s implausible that any of the CDN providers would pay this licence fee. If SCO feels that it is unable to patronise a very prominent Linux user, this eliminates one of the most proven defences and contrasts strongly with Microsoft’s practical and prosaic approach.

Continue reading