Microsoft aims to outsmart denial-of-service attack

Aug 15, 2003

Microsoft on Friday took steps to defend its patch download site from a denial-of-service attack expected to be launched this weekend by machines infected by the now notorious Blaster worm.

A key move was disabling its URL, the target of the anticipated attack. This URL is used solely to direct traffic to the actual Web site where users can download patches (

“We have taken down the URL to try and make sure that we have continuous service on the site,” says Stephen Toulouse, security program manager at Microsoft.

In theory, requests to as prescribed by the worm will merely drop into a black hole.

Also, Microsoft and its provider of DNS services, Akamai, have been adjusting DNS routing variables associated with the disabled URL in a move that is thought to be an additional defense against the attack, which is expected to come in waves, when the URL is again live.

Blaster-infected machines in far Eastern time zones such as Australia should have been flooding at 10 a.m. EDT, but Microsoft said the attack failed to raise traffic levels appreciably.

Shutting down the URL is seen as a strategic retreat by Microsoft that renders the redirection service unavailable indefinitely.

The URL mainly acts as a safety net for users who mistakenly type that URL into their browser instead of The redirection technique is commonly used on Web sites so users who may mistype or guess at a URL still reach their destination.

While Microsoft could not say how much traffic is redirected through the URL, users of Windows 2000 and Windows XP have the real update Web site address hard-coded into buttons on the Start menu and in the browser. So it is clear that these users don’t pass through that redirection URL if they use the pre-configured buttons in the operating system and the browser, and therefore won’t see a disruption in service due to the shutdown of the URL.

It is unknown if the author or authors of the Blaster worm intended to attack the URL or if they made an error. A simple DNS lookup on the Internet would have revealed the true address of the Microsoft site that is used to download patches.

In any case, Microsoft may be the beneficiary of a mistake that will make it much easier to keep its update site running or it may be cutting off the Web site for now to brace for an onslaught of traffic.

This morning, Microsoft and Akamai changed the DNS routing tables so that the IP addresses associated with the URL will change every 20 seconds, according to an Internet search of DNS records. Typically those associations, whose lifetime is set by a “time to live” or TTL value on the record, last for days or weeks.

Akamai officials deferred all questions to Microsoft, which would not offer any specific details.

“I’m afraid that would be talking about specific preventative measures,” said Microsoft’s Toulouse. “We want to play our cards close. We want to ensure that customers can get and apply the patch. We don’t want to endanger that.” Toulouse also said Microsoft was not only looking at Blaster, but a number of variants that have popped up this week.

“I don’t know what kind of game they may be up to,” says Paul Mockapetris, the inventor of DNS and the chief scientist for Nominum. “They could be trying to add servers to handle the load. They could be trying to identify where the attacks are coming from and trying to separate the infected machines from users actually trying to get to the update site.”

The DNS can respond to a browser request to match a URL with an IP address with up to 13 answers. Mockapetris says the number corresponds to the 13 root servers.

Mockapetris says if Microsoft had 100 servers for it could in effect be using the 20-second interval as a sort of load balancing measure. In essence, every 20 seconds a new set of 13 servers would be handling requests for But Mockapetris says the short life intervals on the DNS responses could actually result in more traffic as people who may be blocked initially from the site try to access it another time.
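As an added illustration (not from the article, and not Microsoft's or Akamai's actual configuration), a small Python simulation of the scheme Mockapetris describes: an authoritative server answers with 13 addresses out of a constructed pool of 100, rotating the set every 20 seconds, while a caching resolver re-queries only when the TTL expires. It shows both effects at once: the 20-second TTL walks clients across the whole pool, and it multiplies upstream DNS queries compared with a day-long TTL.

```python
"""Constructed simulation of short-TTL DNS rotation as load spreading.

The rotation scheme and the 203.0.113.0/24 pool are assumptions for
illustration; the 13-answer and 20-second figures come from the article.
"""
import random

MAX_ANSWERS = 13   # answers per response, the figure cited in the article
ROTATION = 20      # seconds between rotations, the interval observed


def constructed_pool(size=100):
    """Constructed server pool using documentation addresses (RFC 5737)."""
    return [f"203.0.113.{i}" for i in range(1, size + 1)]


def answer_set(pool, now, interval=ROTATION, max_answers=MAX_ANSWERS):
    """Addresses the authority hands out at time `now`: a window of up
    to MAX_ANSWERS entries that slides through the pool once per interval."""
    if not pool:
        return []
    window = now // interval
    n = min(max_answers, len(pool))
    start = (window * n) % len(pool)
    return [pool[(start + i) % len(pool)] for i in range(n)]


def simulate(pool, ttl, clients=1000, duration=600, seed=1):
    """Resolver-side view: one shared cache serving `clients` lookups per
    second for `duration` seconds. Returns (upstream_queries, servers_hit).
    A short TTL spreads load but costs one upstream query per TTL expiry."""
    rng = random.Random(seed)
    cache_until, cached = -1, []
    upstream, used = 0, set()
    for now in range(duration):
        if now > cache_until:             # TTL expired: ask the authority again
            cached = answer_set(pool, now)
            cache_until = now + ttl - 1
            upstream += 1
        for _ in range(clients):
            used.add(rng.choice(cached))  # each client picks one of the answers
    return upstream, used


if __name__ == "__main__":
    servers = constructed_pool()
    for ttl in (20, 86400):
        queries, hit = simulate(servers, ttl)
        print(f"TTL={ttl:>6}s: {queries:3d} upstream queries, "
              f"{len(hit)} of {len(servers)} servers used")
```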