Information Security News mailing list archives

New attacks block access to Microsoft sites


From: InfoSec News <isn () C4I ORG>
Date: Sun, 28 Jan 2001 20:25:18 -0600

http://news.cnet.com/news/0-1003-201-4615691-0.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
January 26, 2001, 11:25 p.m. PT

Update: For the fourth consecutive day, technical problems hindered
access to Microsoft's vast network of Web sites and services.

Microsoft acknowledged late Friday that another round of attacks had
briefly blocked access to the software giant's Web sites. The outage
followed a similar attack Thursday and a technical glitch that made
its sites inaccessible for a nearly 24-hour period on Tuesday and
Wednesday.

Friday's attack "was similar to Thursday's attack, in which someone
attempted to block legitimate access to our Web properties by flooding
our network routers with large volumes of bogus requests," the company
said in a statement.

"Unfortunately, as we have learned over the last few days, we did not
apply sufficient self-defense techniques to our use of some
third-party products at the front-end of parts of our core network
infrastructure," the statement continued, without naming the products.

Friday's problems came less than 24 hours after the company said it
stopped a denial-of-service attack on its systems that slowed traffic
to a crawl for more than two hours on Thursday. That attack followed
an outage that began Tuesday night and lasted nearly a day, which
Microsoft blamed on a mistake by its own technicians.

The outages came as Microsoft is trying to bolster its reputation
among corporate customers. The company launched a $200 million
advertising campaign Monday touting its business software in
competition with Oracle, IBM and Sun Microsystems. The theme for the
ads is "software for the agile business."

Ironically, the technical error that caused the first outage may have
exposed a weakness that was exploited in the Thursday and Friday
attacks.

The original problem was caused by a lack of access to the company's
DNS (domain name service) servers, the computers responsible for
translating domain names such as Microsoft.com into numerical
addresses that are understood by computers.

According to Paul Robertson, director of risk assessment for security
service provider TruSecure, Microsoft or its network provider failed
to create backup systems for distributing the DNS information across
the Internet.

Instead, all its servers seemingly shared the same physical network--a
security flaw waiting to be exploited, he said. "It is a poor design
choice to not hand out server addresses on different network blocks."

The exposure and publicity about the flaw on Wednesday may have
tempted hackers to attack the weakness on Thursday and Friday, he
said.

Microsoft declined to comment on its network design for this article.

CNET News.com received several e-mails from readers Friday morning
noting that access to Microsoft's sites was sporadic. The company's
sites, which collectively rank as the third most-visited destinations
on the Web, include MSN.com, Hotmail.com, Microsoft.com, Expedia.com,
Carpoint.com and Encarta.com.

A denial-of-service attack overloads a site's servers with a flood of
data, effectively blocking surfers from accessing the site.

Thursday's DoS attack was aimed not at the servers, but at the
hardware switches that route data to the Web sites. Because these
so-called routers were flooded, legitimate requests for Web pages were
not able to be processed by Microsoft's servers.

The Seattle office of the FBI confirmed to CNET News.com that it is
investigating Thursday's.

Earlier Friday, CNN.com had traffic stalled by unknown network
problems.

ISN is hosted by SecurityFocus.com