[67064] in North American Network Operators' Group
Re: SCO
daemon@ATHENA.MIT.EDU (Petri Helenius)
Sun Feb 1 18:41:09 2004
Date: Mon, 02 Feb 2004 01:37:26 +0200
From: Petri Helenius <pete@he.iki.fi>
To: Valdis.Kletnieks@vt.edu
Cc: "Rubens Kuhl Jr." <rubens@email.com>, hackerwacker@cybermesa.com,
nanog@merit.edu
In-Reply-To: <200402012309.i11N9tjn026338@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Valdis.Kletnieks@vt.edu wrote:
> Umm,, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
>
>how do you create a DDoS that wouldn't take out the Caldera site as well?
>
>A sheer-traffic DDoS will hurt both. A synflood will hurt both.
>
>The webserver that's listening on port 80 doesn't know which site
>is being connected to until it actually reads in the HTTP/1.1 headers and
>looks at the Host: tag - and if there's enough things arriving with
>'Host: www.sco.com', it will require some *very* creative filtering/limiting
>to keep one website working while the other is down....
>
>
There are quite a few companies, big and small, who would be happy to
sell you web or
content "switches" which forward the HTTP requests to the actual servers
based on
almost any bit in the HTTP request.
So far there is no real indication that anything else happened than a
single-machine website
at some corner of the internet got a little overwhelmed by the attention
it got. For example
ftp.sco.com answers rapidly and is on the same subnet than the supposed
DDoS target so
that rules congestion in the local loop out.
Since the number of requests is probably very reasonable, just cutting
the page the windows machines
request to a bare minimum redirect would most likely made even grandpa´s
old 486 to serve
the pages with modern kernel.
Does anybody have any numbers to actually support the theory that there
would actually be significant
traffic flowing somewhere?
Pete
