Microsoft admits defence against attacks was inadequate

Microsoft Corp. confirmed on Jan. 26 that some of its Web sites had been struck by a second round of denial-of-service attacks and acknowledged that it “did not apply sufficient self-defence techniques” to key parts of its computer networks before the assaults began.

In a statement, Microsoft CIO Rick Devenuti said the software vendor “accepts full responsibility” for the inconveniences caused to users because of the denial-of-service attacks. He added that “the painful lessons we’ve learned” have already prompted the company to make changes to its network architecture, including a deal with an outside firm to deploy a backup set of Domain Name System (DNS) servers for Microsoft’s sites.

“In the past, Microsoft has focused on understanding and protecting against attacks on Microsoft products,” Devenuti said. “Unfortunately, as we have learned over the last few days, we did not apply sufficient self-defence techniques to our use of some third-party products at the front-end of parts of our core network infrastructure.”

Security analysts had said, before the second round of denial-of-service attacks came to light, that Microsoft should take a closer look at its security practices. In particular, the company faced questions about having all four of its DNS servers on a single network – a set-up that observers said was an inviting target for attackers.

Microsoft spokesman Adam Sohn said the company has now arranged backup DNS servers for its Web sites through a “short-term deal” with Akamai Technologies Inc. in Cambridge, Mass. One of the fastest lessons learned from last week’s problems “was to go ahead and distribute our DNS [systems]” over several locations, he added. The cost and length of the backup deal weren’t immediately available.

Most of Microsoft’s Web sites were inaccessible on three separate occasions that same week. The second denial-of-service attack followed a similar assault that disrupted the company’s sites for much of one day. That, in turn, was preceded by a 22-hour outage that began two days earlier and was blamed by Microsoft on a faulty configuration change made to the routers on its DNS network.

The Akamai-run backup servers were added in response to the initial outage, not the later attacks, Sohn said. Other changes could follow as Microsoft reviews its defensive strategies, he added, but nothing has been finalized yet. “I think we’re a little too close [to when the attacks happened] to know what final architectural decisions to make,” Sohn said.

Devenuti said the Jan. 26 attack was less disruptive than the one the day before. Users trying to access Microsoft’s Web sites experienced “intermittent delays” during two 15-minute periods, he said, adding that all of the company’s sites were back up and running in normal fashion by 3:30 p.m. EST.

The Microsoft CIO pledged that the company will continue to examine its systems, network architecture and internal processes in an attempt to devise additional safeguards. Microsoft “regrets any inconvenience to our customers” as a result of the outages, Devenuti said. But, he added, no customer data was compromised as part of the attacks.

Denial-of-service attacks flood networks with huge numbers of bogus information requests, which eventually can overload the servers and cause them to stop responding to legitimate queries. Security analysts have said that there currently are no adequate mechanisms for stopping the attacks once they’re launched.

The recent outages followed an incident last fall in which Microsoft disclosed that its internal computer network was hacked by intruders who were able to view the source code for an unspecified future product. And two months ago, a Dutch hacker penetrated one of Microsoft’s Web servers on two separate occasions after the company failed to plug a known security hole in its Web server software.