Sunday, February 01, 2004 12:57 PM PST
MyDoom Worm; Update for Reporters from Keynote,
02/01/04
The following link is to a MyKeynote chart showing
www.sco.com performance (upper graph) and availability
(lower graph) for the past five days as measured by
Keynote's domestic US Agent network, measuring from
25 cities:
http://web506.keynote.com/mykeynote/Post/KB40data_020104_123955.asp

Performance and availability were sporadic up until
approximately 9pm EST Saturday night, when availability
rapidly dropped to near-zero. It has remained near or
at zero availability since then.

The Internet (IP) address for www.sco.com was withdrawn
between midnight and 4 am EST, largely blocking the
effect of the attack. Starting at approximately 4 am,
the address was once again available, resulting in the
flow of sufficient attack traffic to cripple the site.

The DDoS payload in the MyDoom.A worm is crafted to
ensure that www.sco.com stays unavailable, while minimizing
the collateral damage to the rest of the Internet. Unlike
the Blaster worm, which sent traffic as fast as possible,
the MyDoom.A worm waits for a response or a timeout
from the www.sco.com site before sending more attack
traffic. This ensures that the site is inundated with
just enough traffic to keep it unavailable.