Microsoft Corp. is not saying much yet, but hackers are not being ruled out as the cause of domain name system (DNS) problems that have left some of Microsoft’s most popular sites inaccessible for the past day.
Hard evidence of sabotage is slim. Nevertheless, some security experts and a PC World investigation suggest that domain name system tampering could have redirected traffic from popular Microsoft sites like Hotmail, MSN, bCentral, and Microsoft.com, making them essentially unreachable.
Microsoft confirms it’s a DNS problem, but the cause is unknown.
“We are not ruling anything out or anything in as to the cause at this time,” says Adam Sohn, a Microsoft spokesperson. “We have not issued an all-clear.”
Servers Lose Direction
The domain name system is name resolution software that lets users find computers on the Internet by name rather than a number. Microsoft’s site domains failed to call their corresponding Web pages starting Tuesday night, and continuing sporadically across the Web through Wednesday afternoon. Microsoft contends the problem is a temporary DNS issue and not a security breach.
But investigating the domain trail through a Whois request produces some interesting results. Whois tells you the owner of any second-level domain name, according to who has registered it with Network Solutions, the most widely used Internet registrar for .com names.
Inputting “microsoft.com” at the site BetterWhois.com returns a list of colorful but bogus domain names. Among them:
— microsoft.com.should.give.up.because.linuxisgod.com
— microsoft.com.owned.by.mat.hacksware.com
— microsoft.com.must.stop.takedrugs.org
— microsoft.com.is.soon.going.to.the.deathcorporation.com
— microsoft.com.is.secretly.run.by.illuminati.terrorists.net
— microsoft.com.is.nothing.but.a.monster.org
But could these fake domain names really lead to traffic being misdirected away from genuine Microsoft sites? Security experts say it’s possible, but evidence is scant. Oddly, late Wednesday afternoon, the BetterWhois.com site began to show error messages when queried about Microsoft.
Graffiti, Not Vandalism
Domain names alone wouldn’t cause the sites’ blackout, says Martin Fong, a senior software engineer at research institute SRI International.
“These are domain names no one will ever type in,” Fong says. “This is not DNS poisoning but just junk in the DNS record.”
When you type in a domain name, the name calls up the IP address with which it’s associated, Fong explains. If it can’t find the address, the site won’t appear on your screen. But changing the domain name won’t alter the IP address, he says.
“The only way you can screw up a site is to tamper with the cache so that a given domain name is associated with a different IP address,” Fong says. “Here we have alternate domain names, which don’t matter; what matters is Microsoft.com goes to the right IP address.”
George Kurtz, president and chief executive of Foundstone and an Internet security expert, agrees.
“The Whois listing pulls up any record that has Microsoft in it no matter who it is,” Kurtz says. “I honestly don’t think in this case the problem is a security issue. It’s probably some DNS issue, but I don’t think it’s related to a security breach of the DNS system.”
But whether the Whois list of false domain names points to any larger IP address tampering remains unclear.
Microsoft Downplays Problem
Microsoft acknowledges it has a DNS problem, but denies the likelihood of a security problem or hacker situation. Still, it’s certain that a high-traffic group of Microsoft Web sites was unreachable Tuesday night and remains unreliable Wednesday. If the domain name registrars were attacked, other sites could be vulnerable to this kind of blackout.
“As a general rule, mistakes are more likely the cause than maliciousness,” says Bruce Schneier, chief technology officer at CounterPane Internet Security. We simply don’t have enough information to know what or who caused the domain name server problems, he says. “The answer is possibly, but we don’t know,” Schneier adds.
Still, Schneier contends it’s too early to speculate on any single cause.
Microsoft isn’t saying anything, he notes. But then, Microsoft denied any problems after the much-publicized break-in of its servers last fall, he adds.
In October, hackers broke into Microsoft’s corporate network, and gained access to information on its upcoming update to Windows, code-named Whistler. Although Microsoft tried to minimize the incidents, the attacks did expose possible security holes within the company’s networks.
Untangling the Domain Game
Representatives of Network Solutions say it’s still investigating the situation and, like Microsoft, won’t definitively declare the cause. But Foundstone’s Kurtz suggests one possibility that ties the problem to Network Solutions.
“Network Solutions runs the DNS server for many Internet companies,” Kurtz says. “If someone convinces Network Solutions to change the domain name–something referred to as domain name hijacking–the domain points to something other than, say, Microsoft.”
Kurtz does not suggest Microsoft has experienced such a domain name hijack. But he notes that it happened to America Online in 1998.
One of the three ways to tell Network Solutions to change a domain name is by e-mail, Kurtz says. In AOL’s case, someone forged an e-mail message from an AOL site administrator. Network Solutions mistakenly changed the DNS information, so an AOL site pointed to somewhere else, he says.
It’s unclear whether Microsoft’s domain names were hijacked, the DNS was hacked, a simple domain name system error occurred, or some other problem caused the snafu.
But something caused the Web sites of the world’s largest software company to go AWOL for a very long time Wednesday.
