Want CNET to notify you of price drops and the latest stories?

Attack knocks out Microsoft Web sites

The company says Thursday's massive outage was the result of a denial-of-service attack that is unrelated to the problems that plagued its Web sites the previous two days.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Network attackers overwhelmed Microsoft's connection to the Internet on Thursday, causing traffic to the company's major Web sites to slow to a crawl.

How a denial of service attack works "During the morning of Jan. 25, Microsoft was the target of a denial-of-service attack against the routers that direct traffic to the company's Web sites," Microsoft said in a statement late Thursday afternoon. "As a result, access to some of the Microsoft Internet properties, including Microsoft.com and MSN.com, was intermittent for many customers throughout this morning."

The company emphasized that Thursday's attack, which began in the morning and extended into the afternoon, was not related to the technical glitch that crippled its sites late Tuesday and most of Wednesday.

Microsoft said it has asked the FBI to investigate and that the company's Web sites were fully functioning late Thursday.

The timing and duration of the embarrassing outage came as Microsoft--which operates the third most-visited sites on the Web--is trying to bolster its reputation among corporate customers. The company launched a $200 million advertising campaign Monday touting its business software in competition with Oracle, IBM and Sun Microsystems. The theme for the ads is "software for the agile business."

A denial-of-service attack overloads a site's servers with a flood of data, effectively blocking surfers from accessing the site. In this case, the attack was aimed not at the servers, but at the hardware switches that route data to the Web sites, Microsoft said. After hackers flooded these so-called routers, legitimate requests for Web pages could not be processed by Microsoft's servers.

According to networking consultancy Keynote Systems, at the height of the attack, as little as 2 percent of the requests for Microsoft Web pages were being completed Thursday. Normally, sites are able to fulfill 97 percent of all page requests, said Keynote representatives.

"For about two hours, the attack was a hundred percent successful," said Eric Siegel, senior Internet consultant for Keynote.

Siegel noted that a flaw in Microsoft's network design--which was highlighted by Tuesday's and Wednesday's outages--may have given the attackers the idea to flood Microsoft's key routers. The flaw: The Redmond, Wash., company connected its key DNS (domain name service) servers to a single switch that acted as the spigot for data going to the Internet.

DNS servers act as phone books for the Internet, linking Web sites names, such as Microsoft.com and Yahoo.com, to the numerical computer addresses that locate the proper server on the network.

"If Microsoft is using a single router as the entrance to a series of DNS servers and you take down that router, then the attack would be very successful," Siegel said. Essentially, Microsoft's Web sites would virtually disappear from the Internet.

Which is precisely what happened, according to the software giant.

Thursday's attack comes almost exactly one year after massive distributed denial-of-service (DDoS) attacks slowed, and in some cases halted, access to eight major Web sites, including Yahoo, eBay and CNN.com. DDoS attacks are denial-of-service attacks that use hundreds of servers to attack a single target, which makes finding the source of the attack much more difficult.

Canadian and United States law-enforcement officials are prosecuting a Canadian teenager--who allegedly used the handle "Mafiaboy"--as the culprit in the attacks last Feburary.

Microsoft outage chart Such attacks are fairly common but rarely so damaging, said Elias Levy, chief technology officer for security Web site SecurityFocus.com.

"They tend to occur nowhere near the magnitude of taking down Microsoft," he said. "But they do happen quite often to individual Web sites--more often than most people know."

Microsoft's network of Web properties ranks as the third most-visited destination on the Internet. According to Net research company Jupiter Media Metrix, Microsoft Web sites drew 54 million unique visitors in December, trailing only America Online's 61 million and Yahoo's 55 million.

No suspects have been named in the current investigation. FBI officials in Washington, D.C., and San Francisco could not be reached for comment late Thursday.