Microsoft.com falls to DOS attack

The company is working with law enforcement officials looking into the attack

Microsoft Corp.'s main Web site was inaccessible for two hours late yesterday, the victim of an Internet-borne distributed denial-of-service (DDOS) attack, the company said. The company is cooperating with federal law enforcement officials investigating the attack, the second successful DOS attack against Microsoft.com this month.

The attack occurred yesterday at 11:45 p.m. EDT and was directed at www.microsoft.com, the company's main Web address, according to Sean Sundwall, a Microsoft spokesman. Microsoft.com was completely inaccessible for two hours and experienced "off and on" disruptions for another two hours, Sundwall said.

Microsoft's products and Web pages have been the subject of much attention this week, with the release of a new worm, W32.Blaster, that targets machines running Microsoft Windows XP and Windows 2000. Blaster spreads by exploiting a security flaw in Windows software and contains a preprogrammed DDOS attack against the company's windowsupdate.com Web page. That attack is scheduled to begin tomorrow.

However, yesterday's attack wasn't linked to Blaster or the security hole exploited by Blaster. "We're really confident that this was not an attack from the Blaster worm," Sundwall said. The timing of the attack and a technical analysis of the traffic sent to Microsoft indicate a source other than machines infected with Blaster.

Early reports that Microsoft's Windows Update site was the target of the attack proved false, though some users reported difficulty reaching the site this morning.

The windowsupdate.microsoft.com and download.microsoft.com sites, which distribute software updates to Microsoft customers, were unaffected, Sundwall said. Users continued to access and download software patches from those sites.

Helsinki, Finland-based security company F-Secure Corp. has been monitoring Windows Update since Wednesday and detected no interruption as of midmorning, according to Mikko Hypponen, head of antivirus research at F-Secure.

While both yesterday's attack and the Aug. 1 attack against Microsoft.com were DDOS attacks, Microsoft doesn't believe the two were linked. "That's the only similarity we can confirm at this point. We think the sources were different," Sundwall said.

Microsoft couldn't comment on the details of the attack, but Sundwall said that it was a DDOS attack emanating from machines worldwide.

DOS attacks come in many flavors, but are all designed to cripple a Web site or computer network using floods of useless traffic. Microsoft didn't know how many computers were involved in the attack, but Sundwall pointed out that Microsoft's Web site is a popular target and is designed to withstand even large-scale attacks without disruption.

The attackers probably have a very large network of compromised "zombie" machines that are being coordinated to attack Microsoft, he said.

With two successful attacks in one week, Microsoft is looking into software and other technology to prevent future threats, Sundwall said. Microsoft is already a customer of Cambridge, Mass.-based Akamai Technologies Inc., which operates a distributed worldwide network that can diffuse DDOS attacks.

Microsoft wouldn't comment on whether the attack affected only Microsoft servers, or whether Akamai servers were involved as well.

For now, the company is cooperating with federal officials and continues to research the attack, Sundwall said.

Copyright © 2003 IDG Communications, Inc.
