We can't say we weren't warned. In the most widely-expected attack since John Lydon sounded off against Jordan, the Mydoom virus hit The SCO Group's website.
The so-called "distributed denial-of-service" (or DDoS) attack began early Sunday as Mydoom-infected computers worldwide followed instructions to send messages to www.sco.com, overloading the company's Web servers. It is one of the largest DDoS attacks on record, anti-virus experts said.
In a statement, SCO confirmed the attack, saying that requests sent to www.sco.com from Mydoom-infected computers were responsible for making its Web site "completely unavailable". The company is working on "contingency plans" to deal with the DDoS problem, but as of Monday morning, the site is still unavailable.
SCO's website was already slowed last week by traffic from Mydoom machines with incorrect clocks. However, the site became totally unreachable shortly after 5:00 PM Pacific Time Saturday, when infected machines in Asia began registering the new day, said Craig Schmugar, anti-virus researcher at Network Associates Inc.'s (NAI) McAfee antivirus division.
The attack is caused by thousands of infected machines sending "get" requests to SCO's Web servers simultaneously. That is akin to what happens when individual users point their Web browser to www.sco.com. The large numbers of machines requesting the site, simultaneously, produces the attack, overwhelming SCO's Web infrastructure, Schmugar said.
The attack is one of the largest DDoS attacks linked to a virus infection but is not effecting traffic on the rest of the Internet, he said.
Estimates of the number of machines infected by Mydoom vary widely. F-Secure of Helsinki said that as many as one million machines may have the virus. NAI puts the number at around 500,000 systems.
However, for a variety of reasons, only a fraction of the machines infected by the virus are taking part in the attack, Schmugar said.
Machines that have been turned off for the weekend cannot attack. And, due to a coding error in the virus, only around one in four machines that is running, and infected, will launch an attack, he said.
NAI estimates that between 25,000 and 50,000 machines were involved in the attack on www.sco.com on Sunday, Schmugar said.
Prior to the attack, SCO spokesman Blake Stowell said that the company had contingency plans that would sidestep the coming DDoS attacks but did not want to give the Mydoom author advance notice of what those plans were.
He denied that SCO was considering moving its site to a managed network such as the one owned by Akamai Technologies, Inc. Any efforts to block the attack would be managed internally at SCO, he said.
Among the options SCO was considering was moving its Web site to a new Internet address that is not targeted by Mydoom, Stowell said.
As of Friday, SCO was speaking with customers about its plans and giving them ways to stay in contact with SCO during the attack. SCO would release more information about steps it was taking to deal with the Mydoom attack "on Sunday or Monday," Stowell said.
The Mydoom virus is programmed to continue its attack on www.sco.com until 12 February, 2004, F-Secure said.
The SCO Web site may be reachable before then, as the owners of infected computers remove the virus from their machines. However, the site will probably continue to be slowed until Mydoom turns itself off, Schmugar said.