Microsoft Crashes: The Fallout

One day after it claimed human error shut down all of its websites, Microsoft admitted that a second shut-down was the result of a denial of service attack.

The news left many wondering whether both attacks were actually the work of crackers, or whether Microsoft might have chosen to cover up a second internal error by shifting the blame outside of the company.

But sources close to the company insist that Microsoft had indeed been the victim of a denial of service attack on Thursday.

It also appears that Microsoft has now handed over the management of its DNS routing systems to Akamai, and may be running Linux on at least one of its servers.

A network technician at Microsoft, who declined to be identified, dismissed reports that indicated that the media's extensive coverage of the first outage gave crackers the inside information that they needed to bring down Microsoft's network on Thursday.

"I'd love to blame it on you people in the media, but the truth is that everything that was written about the configuration of our network was pulled from easily and always-accessible records. Anyone who looked up Microsoft's domain name registration records, an easy thing to do, could have figured out how we were set up."

The technician believed that the DoS attack was probably due to the attackers assuming that Microsoft already had its hands full.

"I believe that maybe someone saw our network as a wounded antelope and attacked. And they were right. Everything was so messed up that although we saw the attack coming we weren't sure if it was a flood of visitors who wanted to check their Hotmail accounts, or a DoS attack. We were, for a few moments, like the proverbial deer caught in the headlights."

Only after the problem had been fixed, the technician said, did the sick jokes start circulating.

"The joke of the day over here was, 'Did the janitor shut off the same light switch in the closet again?' and 'Did the temp (worker) trip over that cord again?' It was either laugh or puke. Some of us did both."

Although some reports indicated that Microsoft engineers had said that the attacks "appeared to be relatively sophisticated, judging by the choice of such vulnerable targets," many are scoffing at the idea that DoS is a tool that a skilled cracker would use.

DoS attacks are considered to be the province of "script kiddies," relatively unskilled youngsters who have just enough technical knowledge to follow instructions on how to attack networks.

"No self-respecting real cracker would ever consider doing a DoS," said "Tepes," who defines himself as a "cracker, not a hacker ... and damned proud of it."

DoS attacks are simple to implement. Many websites contain step-by-step instructions on where to download the tools and how to launch the attack. "And real crackers don't use cookbooks," Tepes said. "We explore new territory and make our own maps."

Microsoft falling to a few unskilled kids struck Tepes as "funny, but not remarkable."

"I do find it interesting that every techie in Redmond, home of the übergeeks, had to be hunched over those servers, looking at what was happening on that network. So even though they are saying someone took advantage of them when they were down and out, in truth it should have been harder to get in when they were all on the alert.

"Sort of like showing up in the afternoon to rob a bank when the feds are still there investigating that morning's robbery."

But most security experts agree that the network configuration problems that were revealed by Microsoft's original blackout are far more serious than the company's later fall to DoS attacks.

Microsoft itself seems to agree with those sentiments, and has evidently asked for help in managing its DNS records. DNS (domain name system) servers are analogous to an Internet business phone book: They translate host names into the IP addresses that are needed to actually reach the computer.

Greg Keefe, the owner and operator of DNS service provider HammerNode.com, noted that the company had "frantically off-loaded the management of their DNS to another company today."

"I simply can't respect that move coming from a Fortune 100 company that develops and sells DNS software as part of their core business," added Keefe.

Keefe also had his doubts about whether Microsoft definitely suffered from a DoS attack.

"When DNS service returns after an extended outage, a higher-than-normal load should be expected, because cached DNS information has expired around the Internet. Since it's trivial to masquerade the originating IP address of most DNS queries (the nature of UDP/IP packets), Microsoft could easily hide behind the veil of a 'possible' DoS attack."
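The load-after-outage effect Keefe describes can be made concrete with a small resolver-cache simulation. This is an added example, not code from the article or from anyone quoted in it; the TTL, the resolver population, the outage window and the retry interval are all assumed values chosen so that the numbers are easy to check by hand.

```python
"""Toy model of recursive-resolver caches recovering from an authoritative DNS outage.

Constructed example with assumed parameters (not measurements from the article):
every resolver caches the record for exactly `ttl` seconds, and when the
authoritative server does not answer it retries every RETRY_INTERVAL seconds.
Time is counted in whole seconds.
"""
import heapq
from collections import Counter

BIN = 60             # report authoritative-server load in one-minute bins
RETRY_INTERVAL = 30  # assumed seconds between retries of an unanswered query


def simulate(n_resolvers, ttl, outage_start, outage_end, horizon):
    """Return (answered, unanswered).

    answered   : Counter {minute_bin: queries that reached the server while it was up}
    unanswered : total queries sent while the server was down

    Resolver i first needs a fresh answer at t = i % ttl, so in steady state
    cache expiries are spread evenly across one TTL window.
    """
    events = [(i % ttl, i) for i in range(n_resolvers)]  # (time, resolver id)
    heapq.heapify(events)
    answered = Counter()
    unanswered = 0
    while events:
        t, resolver = heapq.heappop(events)
        if t >= horizon:
            break
        if outage_start <= t < outage_end:
            # Server down: the query times out and the resolver retries soon,
            # because it has no valid cached answer to serve from.
            unanswered += 1
            heapq.heappush(events, (t + RETRY_INTERVAL, resolver))
        else:
            # Server up: answer cached for a full TTL before the next query.
            answered[t // BIN] += 1
            heapq.heappush(events, (t + ttl, resolver))
    return answered, unanswered


def steady_state_per_bin(n_resolvers, ttl):
    """Expected queries per minute when caches are evenly spread over the TTL."""
    return n_resolvers * BIN // ttl


def recovery_spike(answered, outage_end):
    """Queries that land in the minute the server comes back."""
    return answered[outage_end // BIN]


if __name__ == "__main__":
    # 600 resolvers, 10-minute TTL, server down from t=1200 to t=1800 (one full TTL)
    answered, unanswered = simulate(600, 600, 1200, 1800, 3000)
    print("steady state per minute:", steady_state_per_bin(600, 600))
    print("minute the server returns:", recovery_spike(answered, 1800))
    print("queries lost during outage:", unanswered)
```

With these parameters the server normally sees 60 queries a minute, but in the minute it returns it sees all 600 resolvers at once, because every cache in the population expired during an outage that lasted a full TTL. The burst is bounded by the resolver population, consists of ordinary queries from the same recursive resolvers that were there before, and (in this jitter-free model) re-synchronises one TTL later rather than growing. Those properties are what an operator can look at to tell recovery load from a flood; as Keefe notes, UDP source addresses alone cannot settle the question, since they are not authenticated.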

Matt Power of the BindView Corporation's RAZOR Team also noted Microsoft's outsourcing of its DNS.

"The central '.COM' DNS servers now list a number of servers in the akadns.com domain as authoritative DNS servers for Microsoft's domain names, such as microsoft.com, msnbc.com and passport.com. The akadns.com domain belongs to Akamai Technologies," Power said.

Power and Keefe both interpreted this to mean that Microsoft has, at least in part, outsourced its DNS service to Akamai.

Power also noted that his research indicated that the "z*.msft.akadns.com" servers are using a "networking implementation very similar to that of Linux."
