In the Wake of Microsoft's Downed Sites, Web Infrastructure Reexamined
By Erica D. Rowell 
N E W Y O R K, Nov. 1 — The seesaw performance of Microsoft's Web sites last
week thrusts the safety and security of the Internet
back into the spotlight. If technology powerhouse
Microsoft is vulnerable, who isn't?
The quick and easy answer is "no one." But experts
say this doesn't hurt the overall health of the Web and its role in
the growing field of e-commerce. The downed Microsoft sites do,
however, put the software giant on a steeper path in developing its
Internet strategy. And the incidents provide an imperative reminder
to businesses about the need for better network design.
"I haven't seen any indications from data we've looked at that
says this is undermining [consumer] trust of the broad Web," says
Forrester Research analyst Carl Howe. "I think it does cause
Microsoft's brand to take a hit."
In August, Microsoft announced its .NET initiative that aims to
untether from the desktop some of the company's most popular
software, such as parts of the Windows operating system, and bring
them to the Internet. For a company that's trying to boost its Net
presence, last week's Web problems amount to, at the very least, a
big public relations problem. A host of troubles that rendered Web
sites — including portal MSN, news site MSNBC.com and travel agency
Expedia — inaccessible began with an engineer's technical goof on
Tuesday and culminated in several computer attacks on Thursday and
Friday.
The problems came nearly a full year after denial-of-service
(DoS) attacks took down such popular Web sites as Yahoo!, CNN.com
and Amazon.com. On Feb. 7, 2000, computer attackers bombarded these
sites with mock traffic from shanghaied machines, effectively
blocking out users. Security experts view this year's high-profile
assault as yet another wake-up call.
"I think of it as a reality check," says Joel Scambray, co-author
of Hacking Exposed, Second Edition. "A DoS attack is the
equivalent of throwing a rock or driving a car into a store front
window. There are steps you can take to stop people from doing that,
but ultimately if someone really wants to, they can take you out."
Security experts like Scambray stress that, although it's not
possible to make a Web site completely invulnerable to an attack,
there are basic design concepts that can be built into networks that
mitigate the potential.
"The question is can you substantially increase the availability
and reliability of the site?" says Phil London, CEO of Mazu
Networks, a start-up based in Cambridge, Mass. which is developing a
technology that detects and minimizes potential for distributed DoS
o9i attacks — the type that is believed to have brought down some of
Microsoft's Web sites on Thursday and Friday.
Fixing the
Problems
Microsoft says it has been in normal mode of
operation since Friday afternoon. But, says Microsoft's Adam Sohn,
"we're certainly on a heightened state of alert."
While the company is loath to give out any details of security
that a hacker could exploit, Sohn says Microsoft has taken a number
of steps to combat last week's problems, including adding servers
and other back-up equipment. Microsoft said today it was working with Cambridge, Mass.-based
Akamai Technologies, Inc., to use a number of backup domain-name
servers, which connect numerical Internet addresses with the Web
domains users type in to access them. Domain name server problems
resulted in Web site outages on Tuesday and Wednesday, before
attackers hit sites with denial-of-service attacks.
"We regret the inconvenience [Friday's] attack has caused to our
customers," said Microsoft Vice President and Chief Information
Officer Rick Devenuti in a press statement. "This attack was similar
to Thursday's attack, in which someone attempted to block legitimate
access to our Web properties by flooding our network routers with
large volumes of bogus requests."
Devenuti acknowledged weaknesses in Microsoft's security
operations had allowed the attacks to succeed. "Unfortunately, as we
have learned over the last few days, we did not apply sufficient
self-defense techniques," to parts of the company's "core network
infrastructure," he said.
Microsoft's Web site outages amounted to performance problems,
where users experienced varying degrees of difficulty accessing the
Web sites. Security experts say the issues stemming from the
incidents are not new, but they do point to changes in strategy some
companies must take to minimize the potential of such an occurrence.