nanog mailing list archives

Re: SCO


From: Petri Helenius <pete () he iki fi>
Date: Mon, 02 Feb 2004 01:37:26 +0200


Valdis.Kletnieks () vt edu wrote:

> Umm, I'll bite. If www.sco.com and www.caldera.com are on the same IP,
> how do you create a DDoS that wouldn't take out the Caldera site as well?
>
> A sheer-traffic DDoS will hurt both.  A synflood will hurt both.
>
> The webserver that's listening on port 80 doesn't know which site
> is being connected to until it actually reads in the HTTP/1.1 headers and
> looks at the Host: tag - and if there's enough things arriving with
> 'Host: www.sco.com', it will require some *very* creative filtering/limiting
> to keep one website working while the other is down....

There are quite a few companies, big and small, who would be happy to sell you web or content "switches" which forward the HTTP requests to the actual servers based on almost any bit in the HTTP request.

So far there is no real indication that anything happened other than a single-machine website at some corner of the internet getting a little overwhelmed by the attention it got. For example, ftp.sco.com answers rapidly and is on the same subnet as the supposed DDoS target, so that rules out congestion in the local loop.

Since the number of requests is probably very reasonable, just cutting the page the Windows machines request to a bare-minimum redirect would most likely let even grandpa's old 486 serve the pages with a modern kernel.

Does anybody have any numbers to actually support the theory that there would be significant traffic flowing somewhere?

Pete
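The "creative filtering/limiting" and the layer-7 content switch discussed in the two messages above, as an added example that is not part of the original thread or of any product mentioned in it: a toy switch that parses only the HTTP request head, picks a backend from the Host: header, and applies a per-host request budget so a request flood aimed at www.sco.com is shed with 503 while www.caldera.com, on the same IP, keeps being forwarded. The backend pool names, the budget of 10 requests, and all sample requests are constructed for illustration; the real hosting layout is not known from the thread. The caveat in the quoted message still holds: this logic runs only after the TCP handshake completes and the request bytes arrive, so a SYN flood or a raw bandwidth flood is never seen by it and hits both sites alike.

```python
"""
Added example, not code from the NANOG thread: a toy layer-7 content
switch that routes by the Host: header and sheds requests above a
per-host budget. Backend names, budgets and sample traffic are all
constructed for illustration.
"""
from collections import defaultdict

# Hypothetical backend pools keyed by virtual host name (assumption).
BACKENDS = {
    "www.sco.com": "pool-sco",
    "www.caldera.com": "pool-caldera",
}
DEFAULT_BACKEND = "pool-default"  # where Host-less HTTP/1.0 requests land


def parse_request(raw: bytes):
    """Return (method, target, version, headers) for one HTTP request head.

    Header names are lower-cased and the first value of a repeated header
    wins, except that two different Host: values are rejected outright:
    a router and a backend disagreeing on which Host counts is a classic
    virtual-host confusion bug, so we refuse to guess.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        raise ValueError("malformed request line") from None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        name = name.decode("ascii", "replace").strip().lower()
        value = value.decode("latin-1").strip()
        if name == "host" and "host" in headers and headers["host"] != value:
            raise ValueError("conflicting Host headers")
        headers.setdefault(name, value)
    return method, target, version, headers


def select_backend(headers, version):
    """Map the Host: header (port stripped; IPv6 literals not handled) to a
    backend. HTTP/1.1 makes Host: mandatory, so its absence is a 400;
    HTTP/1.0 clients may legitimately omit it and get the default pool."""
    host = headers.get("host", "").partition(":")[0].lower()
    if not host:
        return None if version == "HTTP/1.1" else DEFAULT_BACKEND
    return BACKENDS.get(host, DEFAULT_BACKEND)


class ContentSwitch:
    """Per-host request budget: once a host exceeds its budget, further
    requests for it are answered 503 by the switch instead of being
    forwarded, so a flood on one name cannot starve the other name."""

    def __init__(self, budgets):
        self.budgets = dict(budgets)   # host -> max requests per window
        self.seen = defaultdict(int)   # host -> requests seen this window

    def handle(self, raw: bytes):
        """Return (decision, status_or_None, backend_or_None)."""
        try:
            _method, _target, version, headers = parse_request(raw)
        except ValueError:
            return ("reject", 400, None)
        backend = select_backend(headers, version)
        if backend is None:
            return ("reject", 400, None)
        host = headers.get("host", "").partition(":")[0].lower()
        self.seen[host] += 1
        limit = self.budgets.get(host)
        if limit is not None and self.seen[host] > limit:
            return ("shed", 503, backend)
        return ("forward", None, backend)


def simulate():
    """Constructed traffic: 50 identical requests for www.sco.com (the
    flood), then 5 for www.caldera.com, then one HTTP/1.1 request without
    Host: and one HTTP/1.0 request without Host:. Returns a tally of
    (decision, backend) pairs."""
    sw = ContentSwitch({"www.sco.com": 10})
    sco = b"GET / HTTP/1.1\r\nHost: www.sco.com\r\nUser-Agent: x\r\n\r\n"
    caldera = b"GET /index.html HTTP/1.1\r\nHost: www.caldera.com\r\n\r\n"
    no_host_11 = b"GET / HTTP/1.1\r\n\r\n"
    no_host_10 = b"GET / HTTP/1.0\r\n\r\n"
    traffic = [sco] * 50 + [caldera] * 5 + [no_host_11, no_host_10]
    tally = defaultdict(int)
    for raw in traffic:
        decision, _status, backend = sw.handle(raw)
        tally[(decision, backend)] += 1
    return dict(tally)


if __name__ == "__main__":
    for key, count in sorted(simulate().items(), key=str):
        print(f"{count:3d}  {key[0]:8s} -> {key[1]}")
```

The budget here is a flat counter with no time window, which is enough to show the mechanism; a real switch would use a token bucket keyed by Host (and usually by client address as well) and would need its own backlog and worker capacity sized for the flood, since every shed request still costs it a completed handshake and a parsed request head.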


