A series of attacks on the network of software behemoth Microsoft last week has again highlighted just how far security is coming to the fore as an enterprise issue. Poor network operation may be the source of Microsoft's initial site failures early in the week, but a denial-of-service attack by outsiders caused a resurgence in site blackouts on Thursday.
Domain name system (DNS) errors caused Microsoft sites such as BCentral, Expedia, Hotmail, Microsoft.com, MSN, and MSNBC to be inaccessible Tuesday night and throughout Wednesday.
But after many Microsoft sites remained inaccessible throughout Thursday, Microsoft acknowledged hacker attacks caused the subsequent problems.
Microsoft "was the target of a denial-of-service attack against the routers that direct traffic to the company's Web sites," the company said in a statement. "As a result, access to some of the Microsoft Internet properties, including Microsoft.com and MSN.com, was intermittent for many customers."
Microsoft says the sites are now available and the attack is separate from its site problems earlier this week.
Microsoft is working with the FBI and is taking immediate steps to ensure its networks offer "improved protection from this type of attack," according to the company.
Microsoft sustained a hack attack in October, when intruders entered Microsoft's corporate network and accessed product information. Although Microsoft downplayed the incident, security experts said the company would be wise to evaluate its security.
Microsoft had admitted late Wednesday that an internal error caused the domain name problems. The company says a Microsoft technician changed the configuration of routers on the edge of Microsoft's DNS network. The change limited communication between DNS servers on the Internet and Microsoft's DNS servers, causing many of Microsoft's sites to be unreachable.
Experts promptly began questioning the security and stability of Microsoft's DNS operation, which apparently leaves the network vulnerable to such an internal error as well as third-party hacker attacks.
Although Microsoft contends the initial problem was an internal error, the fact that it happened at all points to the vulnerability of Microsoft's DNS network, and possibly to the DNS of the entire Internet.
The way Microsoft's DNS network is designed could be partly to blame for the outages, say some security experts. The company appears to have all four of its DNS servers located on a single network, making them more vulnerable to failure. Microsoft did not respond to repeated requests for comment but has said its DNS is fully fault tolerant with built-in redundancies.
But distributing DNS servers across networks wouldn't necessarily help, suggests Martin Fong, a senior software engineer at research institute SRI.
"The problem is, domain name servers tend to be hierarchical," Fong says. "One server has to act as the authoritative distribution point; this is a historical deficiency of DNS, not just a problem with Microsoft."
"The whole Internet is structured this way. It's a lot more fragile than people realise," he adds.
A DNS expert points out that DNS management is no small task. Failures in DNS networks at large corporations are frequently difficult to diagnose because of the complexity of the system, says Stewart Bailey, cofounder and chief technology officer at InfoBlox, which sells DNS appliance servers to businesses.
"What you'll find a lot is that when a DNS error occurs, because it's at a very low level and affects so many subsystems, people aren't sure it's a DNS problem. It's hard to diagnose," Bailey says. "The networking people look at the routers, the systems people look at the servers, and the DNS guys look at their part, and sometimes it takes a while to figure out what's going on."