David Berlind's Reality Check
By David Berlind
February 5, 2004
Perhaps no one person understands the wrath of MyDoom's DDoS better than SCO director of worldwide IT infrastructure Jeff Carlon. In an interview following SCO's "scheduled day of reckoning," Carlon, who was catching up on sleep after staying up all weekend preparing for the onslaught, told me: "Depending on who you talk to, we had anywhere between 100,000 and 600,000 machines distributed all over the world, each sending us 64,000 packets per second, driving our bandwidth utilization through the roof. You have to realize that sooner or later all that traffic has to be routed to a single location. At some point, things will bottleneck and come to a grinding halt." Indeed, SCO's Web site came to such a grinding halt that Carlon, in consultation with SCO CEO Darl McBride, decided to remove www.sco.com from the Domain Name System (DNS), the distributed database that maps the textual names of Internet destinations to physical IP addresses. To maintain its presence on the Web, the company created a new destination, www.thescogroup.com. "Once we removed the entry that the DDoS attack was relying on from the DNS," said Carlon, "any traffic destined for the site died on the first DNS lookup." Even Carlon knows that, long term, altering DNS entries is not an acceptable technique for fending off DDoS attacks. It's like a shopkeeper temporarily moving his shop without telling anybody. You might as well close your business. Ideally, mounting a successful DDoS defense means avoiding bandwidth-choking bottlenecks by stopping attacking traffic as close to its sources as possible, while making sure the legitimate traffic gets through. But, much like spam, as DDoS attacks become more sophisticated, the forensics required to tell the difference between bogus and legitimate traffic are not evolving fast enough.
Carlon, who spent many of his waking hours working with the company that runs SCO's hosting facilities, as well as upstream Internet service and backbone providers, believes that the response has to be a more coordinated effort among all the major ISPs on the Internet, since the traffic ultimately affects them and their customers as well. "It's almost like the Internet needs a jointly run ISP traffic and virus coordination center," Carlon said. "As DDoS attacks get more sophisticated, identifying bogus traffic will require the correlation of data from multiple sources--victims, hosting facilities, ISPs, backbone providers, etc.--and then a coordinated response," Carlon said. He reasoned that a more coordinated effort makes sense because the bottlenecks aren't restricted to the targeted site. Once the Internet connections to the facility where SCO's datacenter is hosted were overwhelmed by traffic, the other companies hosted at the same facility were also adversely impacted. "Initially," Carlon said, "our Web servers started to degrade. But, before those could bomb out, the bandwidth into our data center was saturated. We have multiple datacenters, but we outsource the Web site hosting. We worked with them [the Web-hoster] and the ISPs up above them to put certain kinds of blocks in place. Initially just a handful of IP addresses--between 15 and 20--started spitting out traffic, and for a few hours we were able to do some basic blocking. Once the number of machines skyrocketed, there was no way to keep up and the connections got saturated. Not only did our hosting provider get hit, but their provider (a primary backbone provider) started to experience system failures. For a short period of time, other customers of those providers saw some slowness as well. Depending on what time it was, there was anywhere from 100 to 1000 times the normal amount of traffic on the Internet."
In the case of the DDoS that was launched by MyDoom, Carlon says it was pretty easy to distinguish between the good and bad traffic. The various round trips between an infected computer and a Web site first involve some preliminary handshakes to initialize the connection, which are then followed by some more specific requests known as HTTP "Get" commands. It was the Get commands that, like viruses, bore a unique fingerprint. From that point, it was easy to determine which IP addresses to block. While the list of positively identified attacking IP addresses grew, so did the number of new handshakes, which, unlike the Get commands, are not unique and are therefore very difficult to fingerprint. Eventually, the handshakes overwhelmed SCO's site. Carlon also expressed dissatisfaction with DDoS solutions that he thinks are overhyped. "We've talked to all of these security vendors who claim to have the solution, but then they realize that we're not getting hit with your everyday standard DDoS attack," Carlon said. Looking at the e-mail component of MyDoom, Carlon believes that the problem isn't going to be solved until the vendors of e-mail technologies and the Internet providers of e-mail services step up to the plate. "There's still a lot of mail traversing the Net with this virus in it," said Carlon. "Until that vulnerability gets addressed, we're going to see more companies doing what Brigham Young University did because they just don't want to deal with the traffic--they shut their e-mail systems down."
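The distinction Carlon draws, that a completed GET request carries content that can be fingerprinted while a bare handshake does not, is illustrated by the following added example (not code from the column or from SCO). The worm's request signature is not printed in the column, so the regex and the sample events below are constructed placeholders; it shows why a content-based blocklist grows from GETs but cannot be built from SYNs alone.

```python
import re
from collections import Counter

# Placeholder fingerprint (constructed): the column says the worm's GETs carried a
# unique signature but does not print it, so this regex stands in for it.
WORM_GET_RE = re.compile(r"^GET / HTTP/1\.1 UA=WORM-UA-PLACEHOLDER$")

# Constructed sample traffic: (source IP, event type, detail). "SYN" is the first
# step of the TCP handshake and carries no request content; "GET" is a completed
# request, recorded here as its request line plus the User-Agent value.
SAMPLE_EVENTS = [
    ("198.51.100.7",  "SYN", ""),
    ("198.51.100.7",  "GET", "GET / HTTP/1.1 UA=WORM-UA-PLACEHOLDER"),
    ("203.0.113.9",   "SYN", ""),
    ("203.0.113.9",   "GET", "GET /products/ HTTP/1.1 UA=Mozilla/5.0"),
    ("198.51.100.22", "SYN", ""),
    ("198.51.100.22", "GET", "GET / HTTP/1.1 UA=WORM-UA-PLACEHOLDER"),
] + [("192.0.2.%d" % i, "SYN", "") for i in range(1, 41)]  # 40 half-open handshakes


def fingerprint_sources(events):
    """Split sources that completed a GET into attackers (fingerprint match)
    and legitimate clients (no match). Only GETs carry content to inspect."""
    attackers, legit = set(), set()
    for src, kind, detail in events:
        if kind != "GET":
            continue
        (attackers if WORM_GET_RE.match(detail) else legit).add(src)
    return attackers, legit


def unattributable_handshakes(events, attackers):
    """Count SYNs from sources that never sent a GET and are not already on the
    blocklist. These are the handshakes the column describes: nothing in a SYN
    distinguishes an infected host from a real visitor, so content matching
    cannot classify them and they keep consuming connection capacity."""
    completed = {src for src, kind, _ in events if kind == "GET"}
    return Counter(src for src, kind, _ in events
                   if kind == "SYN" and src not in completed and src not in attackers)


def summarize(events):
    """Return blocklist size, legitimate client count, and unattributed SYN count."""
    attackers, legit = fingerprint_sources(events)
    pending = unattributable_handshakes(events, attackers)
    return {"blocked": len(attackers), "legit": len(legit),
            "unattributed_syns": sum(pending.values())}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```

The blocklist stops only sources that have already revealed themselves with a GET; the 40 SYN-only sources remain unclassified, which is the gap Carlon describes when the number of handshakes outgrew the identified addresses.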
You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.