Microsoft attack raises concern over new DDOS variant

Recent attack on Microsoft websites sparked fears about a new form of DDoS attack that targets Internet routers and calls further into question the software giant's network management practices and architecture.

The attack that took many of Microsoft Corp.'s sites off the Web Thursday afternoon may have been a new, and more dangerous, variant of the distributed denial of service attacks that have hit many high-profile sites over the last year.

And, security experts say, this is just the beginning of a new breed of sophisticated infrastructure attacks.

After experiencing problems with access to its site for a second straight day, Microsoft admitted early Thursday evening to what a lot of Internet watchers had speculated - that it was the victim of a denial of service attack.

The attack was launched Thursday morning against the routers that direct traffic to the company's Web site and according to Microsoft was unrelated to a 22.5-hour outage that ended Wednesday evening. Officials at the Redmond, Wash., company said that earlier outage was caused by a configuration error in its domain name system (DNS) servers.

Unlike the DDoS attacks that struck Yahoo Inc. and numerous other sites last February, the hack that all but erased Microsoft's Web presence went after the company's Internet routers, not its Web servers. A traditional DDoS attack uses so-called zombie computers to flood the target's Web servers with false traffic, thereby preventing the legitimate traffic from getting through.

While Microsoft is not giving out any of the details of Thursday's attack, experts say that the incident could have been a distinct DoS attack that essentially shuts down the target's Internet router, preventing any traffic at all from getting through.

"This is definitely more difficult [than a DDoS attack] because there's not the huge laundry list of tools available to do it on the Web," said Ted Julian, founder of security consulting firm @Stake, and now chief strategy officer at start-up Arbor Networks Inc. "It's the first example we've seen of an infrastructure attack, but you'll see more of them in the future."

This type of hack is also more difficult to identify and defend against, because instead of receiving the tell-tale flood of packets and huge consumption of bandwidth that signal a DDoS attack, the target's Web servers operate normally during this kind of event. Indeed, Microsoft said at several points Thursday afternoon that it was not having any problems with its sites.

"We don't know exactly what type of attack they've experienced, but there are some attacks that can cause a router to reboot, so you only need to send packets every five or six minutes to keep taking it down," said Ryan Russell, incident analyst with, which runs the popular BugTraq mailing list. "You don't necessarily have to bang on one machine with hundreds of others and eat up a lot of bandwidth in order to deny service."

Web performance management services company Keynote Systems, which monitors Microsoft's and many other companies' Web sites, reported a noticeable downgrade in performance Thursday morning on Microsoft's site, which dropped to a 55 percent success rate, or the rate at which pings sent by Keynote can access the site.

The downgrade spread to shortly after that and by late morning Pacific Time, both sites were down to a 1.5 percent success rate, according to Keynote, of San Mateo, Calif. Rates have fluctuated through the day and Microsoft said late in the afternoon that service had been restored. Many observers believe the DNS problems of Tuesday night and Wednesday were also a denial of service attack, given that DNS configuration problems usually aren't so severe.

"I have to think there's some kind of politics at work," said Ric Steinberger, technology director of Seattle-based computer security company SecurityPortal. "The group that ultimately made the denial-of-service attack call did not want to contradict the group that said it was a bad router configuration."

Microsoft said it had reported the attack to the FBI and would take steps to improve its network security to prevent such attacks in the future. Experts agree that both the DNS service problems and the denial of service attack point out flaws in Microsoft's network management practices and architecture.

"It appears they weren't following all the best practices and were very susceptible to a failure," said Boston-based Web and data center management consultant Chris Bell.

"It doesn't matter where the problems came from, you have to follow best practices in terms of having redundancies for when systems fail and monitoring to catch problems early and correct them. Because of the way the Internet's designed, it's very easy for these DNS problems to occur."