
Extreme Measures Defend Microsoft From Attack.

By Kevin Murphy

Microsoft Corp took extreme measures to defend itself from the denial of service attack the Blaster worm was programmed to launch on August 16: it turned off the domain the attack was to target.

Each copy of Blaster was due to start SYN-flooding Microsoft's windowsupdate.com site at midnight on Saturday, by the infected machine's local clock. With a few hundred thousand machines infected over the course of the week, the traffic could have been considerable.

But the worm carries its target as a hostname rather than an IP address. If Blaster looks up windowsupdate.com and gets no address back, it has no contingency plan and simply does nothing. So, according to Microsoft spokesperson Sean Sundwall, Microsoft stopped directing the domain to its servers.

"We effectively appear to have defanged the worm," Sundwall said. "We're pretty confident based on what we're seeing to this point that the worm will have no impact."

Windowsupdate.com redirected to windowsupdate.microsoft.com, which is the primary domain for downloading Windows patches, Sundwall said. Turning off one domain has no effect on the other.

There are no plans to bring windowsupdate.com back. Of course, this is a tactic that worked this time, but it is an impractical solution for anybody doing regular business from a domain, since it sacrifices the name to spare the servers behind it.

"We did some other things and we had some other ideas on the table," Sundwall said. "But this URL was disposable, was not being used by our customers, so we decided to get rid of it."

The demise of the windowsupdate.com site will not hurt Windows users that have configured the OS to automatically update itself with security patches. That feature looks to windowsupdate.microsoft.com for its patches.

But it could affect users of Software Update Services, which is Microsoft server software used by companies for coordinating patches to multiple PCs on the same network.

According to technical documents published by Microsoft, SUS uses windowsupdate.com. Sundwall could not confirm that.

As an extra precaution, Microsoft started using Akamai Technologies Inc's EdgeSuite content delivery service to take load off its own servers. Neither company would confirm that, but it was apparent to anybody looking up www.windowsupdate.microsoft.com.edgesuite.net.

Keynote Systems Inc was to track the progress of the DDoS attack, but as of Friday morning US Pacific time, when PC clocks in the Asia-Pacific region started ticking over to August 16, no effects had been felt.

Keynote's Lloyd Taylor said Microsoft was able to shut down the domain quickly and have the effect felt by all internet users because it had previously set the "time-to-live" value on the domain's DNS record to just ten minutes. Most name servers on the internet would therefore not cache the old IP address for longer than that, so the change propagated within minutes rather than the day or more a long TTL would have allowed.
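The two mechanics the article describes, a worm that resolves a hard-coded hostname at attack time and stands down on a failed lookup, and a short DNS TTL that limits how long resolvers keep serving the old address after the record is pulled, can be modelled together. The following is an added example written for this page; it is not the worm's code or anything Microsoft ran. The zone contents, the 192.0.2.10 address (TEST-NET), the takedown time and the cache timeline are constructed, and the date check is simplified to "on or after August 16 by the local clock" as the article states it.

```python
"""Model of why unpublishing a hard-coded target name neutralised Blaster's
DDoS routine, and why a short DNS TTL made that change bite quickly.

Added example for this page, not the worm's code. Behaviour modelled from
the article: the worm resolves the target hostname when its attack date
arrives on the local clock and, if no address comes back, does nothing.
"""
from datetime import datetime, timedelta
from typing import Callable, Optional

TARGET = "windowsupdate.com"          # hostname the worm carries (per article)
ATTACK_DATE = datetime(2003, 8, 16)   # trigger date, local clock (simplified)


def flood_target(local_now: datetime,
                 resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the address the worm would SYN-flood, or None if it stands down.

    `resolve` stands in for gethostbyname(): an address string, or None when
    the name does not resolve. A failed lookup is the whole kill switch.
    """
    if local_now < ATTACK_DATE:
        return None                    # payload not yet armed on this clock
    return resolve(TARGET)             # None -> no contingency plan, do nothing


class Zone:
    """Authoritative data as the operator publishes it: name -> (addr, ttl)."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[str, int]] = {}

    def publish(self, name: str, addr: str, ttl_seconds: int) -> None:
        self.records[name] = (addr, ttl_seconds)

    def unpublish(self, name: str) -> None:
        """Stop directing the name anywhere: lookups now get no answer."""
        self.records.pop(name, None)


class CachingResolver:
    """Toy recursive resolver: serves a cached answer until its TTL expires,
    then asks the zone again. Negative caching is deliberately not modelled."""

    def __init__(self, zone: Zone) -> None:
        self.zone = zone
        self.cache: dict[str, tuple[str, datetime]] = {}   # name -> (addr, expiry)

    def resolve(self, name: str, now: datetime) -> Optional[str]:
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                                  # still within TTL
        rec = self.zone.records.get(name)
        if rec is None:
            self.cache.pop(name, None)                     # name is gone: NXDOMAIN
            return None
        addr, ttl = rec
        self.cache[name] = (addr, now + timedelta(seconds=ttl))
        return addr


def simulate(ttl_seconds: int, seconds_after_midnight: int) -> Optional[str]:
    """One resolver caches the record just before the takedown; an infected
    host behind it fires `seconds_after_midnight` past its local August 16.

    Constructed timeline: takedown one hour before the attack date, cache
    warmed one second before that. Returns what the worm would attack.
    """
    zone = Zone()
    zone.publish(TARGET, "192.0.2.10", ttl_seconds)        # constructed address
    resolver = CachingResolver(zone)
    takedown = ATTACK_DATE - timedelta(hours=1)
    resolver.resolve(TARGET, takedown - timedelta(seconds=1))   # stale copy cached
    zone.unpublish(TARGET)                                 # operator pulls the name
    fire_at = ATTACK_DATE + timedelta(seconds=seconds_after_midnight)
    return flood_target(fire_at, lambda name: resolver.resolve(name, fire_at))


if __name__ == "__main__":
    for ttl in (600, 86400):
        print(f"TTL {ttl:>6}s, attack at local midnight: "
              f"{simulate(ttl, 0) or 'worm stands down'}")
```

With the ten-minute TTL the stale answer is already gone by the time any machine's clock reaches August 16, so every lookup returns nothing and the flood routine exits; with a one-day TTL the same resolver would have kept handing out the old address for most of the attack window. Real resolvers also cache the negative answer for the zone's SOA minimum, which only helps here; the model leaves it out for brevity.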

Meanwhile, the worm continued to spread. Network Associates Inc's HackerWatch said that during the outbreak Monday to Friday, 1.4 million machines were infected. There were about 160,000 still infected as of Friday morning.

Akamai added that it was tracking the spread of the worm based on infection attempts against its global network of content servers, and that it saw the rate of infections increase late in the week, particularly in the US, after slowing mid-week.

VeriSign Inc also revealed that the data on a huge spike in DNS lookups, which the firm publicized Thursday as evidence of widespread infections, turned out to be bogus, the product of a flaw in its own internal software (see separate story).

Separately, Microsoft warned yesterday that unscrupulous individuals are sending emails containing Trojans and backdoors disguised as a Microsoft product patch. The company says it never distributes software to users via email.
COPYRIGHT 2003 Datamonitor
Copyright 2003 Gale, Cengage Learning. All rights reserved.

Article Details
Publication:Computergram International
Geographic Code:1USA
Date:Aug 18, 2003
Words:604
