Information Security News mailing list archives

Microsoft Admits Hack Attacks
From: InfoSec News <isn () C4I ORG>
Date: Fri, 26 Jan 2001 00:29:33 -0600

http://www.pcworld.com/news/article/0,aid,39322,00.asp

Cameron Crouch, PCWorld.com
Thursday, January 25, 2001

Poor network operation may be the source of Microsoft's initial site
failures this week, but a denial-of-service attack by outsiders caused
a resurgence Thursday in site blackouts.

Domain name system (DNS) errors caused Microsoft sites such as
BCentral, Expedia, Hotmail, Microsoft.com, MSN, and MSNBC to be
inaccessible Tuesday night and throughout Wednesday.

But after many Microsoft sites remained inaccessible throughout
Thursday, Microsoft acknowledged hacker attacks caused the subsequent
problems.

Microsoft "was the target of a denial-of-service attack against the
routers that direct traffic to the company's Web sites," the company
says in a statement. "As a result, access to some of the Microsoft
Internet properties, including Microsoft.com and MSN.com, was
intermittent for many customers throughout this morning."

Microsoft says the sites are now available and the attack is separate
from its site problems earlier this week.

"Microsoft's global networking team quickly determined that today's
issue was completely separate from yesterday's outage and has taken a
number of steps to address the issue," the company states.

Microsoft is working with the FBI and is taking immediate steps to
ensure its networks offer "improved protection from this type of
attack," according to the company.

Suspicions Raised

The disclosure is no surprise to some security experts. One of them
anticipated the denial-of-service possibility with Thursday's
resurgence of Microsoft site blackouts.

It's unlikely Microsoft technicians would make continuing DNS
configuration mistakes, says William Knowles, associate faculty at New
Dimensions International, a computer security training firm.

Even for Wednesday's outages, "My suspicion leans towards a
denial-of-service attack," says Knowles, referring to a procedure that
overloads servers to the point they cannot respond to requests.

He points to recent events, including the continued instability of
Microsoft's sites, and recent reports that Microsoft New Zealand was
down prior to the other site problems.

Other suspicions were raised by anti-Microsoft slogans that appeared
with a Whois search for Microsoft.com Wednesday. Whois tells you the
owner of any second-level domain name registered with Network
Solutions, the most widely used Internet registrar for .com names. A
search under Microsoft.com returns clearly invalid domains such as:
microsoft.com.is.secretly.run.by.illumaniti.terrorists.net.

Microsoft sustained a hack attack in October, when intruders entered
Microsoft's corporate network and accessed product information.
Although Microsoft downplayed the incident, security experts said the
company would be wise to evaluate its security.

A Weak Link

Microsoft had admitted late Wednesday that an internal error caused
the domain name problems. The company says a Microsoft technician
changed the configuration of routers on the edge of Microsoft's DNS
network. The change limited communication between DNS servers on the
Internet and Microsoft's DNS servers, causing many of Microsoft's
sites to be unreachable.

Experts promptly began questioning the security and stability of
Microsoft's DNS operation, which apparently leaves the network
vulnerable both to internal errors of this kind and to third-party
hacker attacks.

Although Microsoft contends the initial problem was an internal error,
the fact that it happened at all points to the vulnerability of
Microsoft's DNS network, and possibly to the DNS of the entire
Internet.

The way Microsoft's DNS network is designed could be partly to blame
for the outages, say some security experts. The company appears to
have all four of its DNS servers located on a single network, making
them more vulnerable to failure. Microsoft did not respond to repeated
requests for comment but has said its DNS is fully fault tolerant with
built-in redundancies.

But distributing DNS servers across networks wouldn't necessarily
help, suggests Martin Fong, a senior software engineer at research
institute SRI.

"The problem is, domain name servers tend to be hierarchical," Fong
says. "One server has to act as the authoritative distribution point;
this is a historical deficiency of DNS, not just a problem with
Microsoft."

"The whole Internet is structured this way. It's a lot more fragile
than people realize," he adds.

Preventive Measures Urged

Still, Fong suggests Microsoft could have done more to prevent such an
error from taking hold in the network. The company apparently failed
to perform the right checks and balances. Microsoft should have
validated any configuration change by testing the domain names from
outside the corporate network, Fong suggests.

"If you check [DNS changes] only from inside accounts, you can never
tell what's wrong," he says.
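The two operational points raised above, that authoritative nameservers placed on one network fail together, and that a configuration change verified only from inside the corporate network can look healthy while the outside world gets no answers, can both be turned into simple checks. The following is an added example written for this archive page, not code from PCWorld, Microsoft or the experts quoted; the nameserver addresses and the per-vantage-point answers are constructed sample data in RFC 5737 documentation ranges, not any real domain's records.

```python
"""Two defensive DNS checks modelled on the outage described above.

1. assess_diversity(): do the authoritative servers of a zone sit in
   enough distinct networks that one edge-router problem cannot take
   all of them down at once?
2. external_check(): do answers gathered from outside vantage points
   agree with the answer seen from inside the corporate network?

All input data below is constructed for the example (RFC 5737 ranges).
"""
import ipaddress
from collections import defaultdict

# Constructed: four authoritative servers, all in a single /24.
SINGLE_NETWORK = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "192.0.2.11",
    "ns3.example.com": "192.0.2.12",
    "ns4.example.com": "192.0.2.13",
}

# Constructed: the same four names spread across three networks.
DIVERSE = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "192.0.2.11",
    "ns3.example.com": "198.51.100.5",
    "ns4.example.com": "203.0.113.7",
}


def group_by_prefix(ns_addrs, v4_prefix=24, v6_prefix=48):
    """Group nameserver names by the network their address falls in."""
    groups = defaultdict(list)
    for name, addr in ns_addrs.items():
        ip = ipaddress.ip_address(addr)
        plen = v4_prefix if ip.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)


def assess_diversity(ns_addrs, min_networks=2, **prefix_kwargs):
    """Summarise how many servers share a network and flag a single
    network hosting every server as a single point of failure."""
    groups = group_by_prefix(ns_addrs, **prefix_kwargs)
    largest = max(len(names) for names in groups.values())
    return {
        "servers": len(ns_addrs),
        "networks": len(groups),
        "largest_share": largest,          # servers lost if that one network fails
        "single_point_of_failure": len(groups) < min_networks,
        "groups": groups,
    }


# Constructed: what a resolver at each vantage point returned for a name.
# An empty set stands for SERVFAIL / no answer.  During the outage the
# inside resolver, which can reach the servers directly, still answers.
OUTAGE_ANSWERS = {
    "inside": {"203.0.113.50"},
    "external-resolver-a": set(),
    "external-resolver-b": set(),
}
HEALTHY_ANSWERS = {
    "inside": {"203.0.113.50"},
    "external-resolver-a": {"203.0.113.50"},
    "external-resolver-b": {"203.0.113.50"},
}


def external_check(answers, reference="inside"):
    """Return the vantage points whose answer differs from the reference
    (inside) answer; an empty dict means every outside view agrees."""
    ref = answers[reference]
    return {vp: ans for vp, ans in answers.items()
            if vp != reference and ans != ref}


if __name__ == "__main__":
    for label, data in (("single network", SINGLE_NETWORK), ("diverse", DIVERSE)):
        print(label, assess_diversity(data))
    print("outage disagreements:", external_check(OUTAGE_ANSWERS))
    print("healthy disagreements:", external_check(HEALTHY_ANSWERS))
```

The prefix grouping is a coarse proxy for "same network"; in practice you would also compare upstream providers or AS numbers, which this offline example does not have. Feeding `external_check` real data means querying the name through several resolvers you do not control (for example with `dig @resolver`) and recording each answer set, which is exactly the outside-the-network validation Fong recommends.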

A DNS expert points out that DNS management is no small task. Failures
in DNS networks at large corporations are frequently difficult to
diagnose because of the complexity of the system, says Stewart Bailey,
cofounder and chief technology officer at InfoBlox, which sells DNS
appliance servers to businesses.

"What you'll find a lot is that when a DNS error occurs, because it's
at a very low level and affects so many subsystems, people aren't sure
it's a DNS problem. It's hard to diagnose," Bailey says. "The
networking people look at the routers, the systems people look at the
servers, and the DNS guys look at their part, and sometimes it takes a
while to figure out what's going on."

ISN is hosted by SecurityFocus.com