Microsoft aims to outsmart denial-of-service attack

News
Aug 15, 2003

Microsoft on Friday took steps to defend its patch download site from a denial-of-service attack expected to be launched this weekend by machines infected by the now notorious Blaster worm.

A key move was disabling its windowsupdate.com URL, the target of the anticipated attack. This URL is used solely to direct traffic to the actual Web site where users can download patches (windowsupdate.microsoft.com).

“We have taken down the URL windowsupdate.com to try and make sure that we have continuous service on the windowsupdate.microsoft.com site,” says Stephen Toulouse, security program manager at Microsoft.

In theory, requests to windowsupdate.com as prescribed by the worm will merely drop into a black hole.

Also, Microsoft and its DNS service provider, Akamai, have been adjusting DNS settings associated with the disabled URL, a move thought to be an additional defense against the attack, which is expected to come in waves, once the URL is live again.

Blaster-infected machines in far Eastern time zones such as Australia should have been flooding windowsupdate.com at 10 a.m. EDT, but Microsoft said the attack failed to raise traffic levels appreciably.

Shutting down the URL is seen as a strategic retreat by Microsoft that renders the windowsupdate.com redirection service unavailable indefinitely.

The windowsupdate.com URL mainly acts as a safety net for users who mistakenly type that URL into their browser instead of windowsupdate.microsoft.com. The redirection technique is commonly used on Web sites so users who may mistype or guess at a URL still reach their destination.

While Microsoft could not say how much traffic is redirected through the windowsupdate.com URL, users of Windows 2000 and Windows XP have the real update Web site address hard-coded into buttons on the Start menu and in the browser. So it is clear that these users don’t pass through that redirection URL if they use the pre-configured buttons in the operating system and the browser, and therefore won’t see a disruption in service due to the shutdown of the windowsupdate.com URL.

It is unknown if the author or authors of the Blaster worm intended to attack the windowsupdate.com URL or if they made an error. A simple DNS lookup on the Internet would have revealed the true address of the Microsoft site that is used to download patches.

In any case, Microsoft may be the beneficiary of a mistake that will make it much easier to keep its update site running or it may be cutting off the Web site for now to brace for an onslaught of traffic.

This morning, Microsoft and Akamai changed the DNS records so that the IP addresses associated with the URL windowsupdate.com will change every 20 seconds, according to an Internet search of DNS records. Typically those associations, whose lifetime is set by a “time to live” or TTL value, last for days or weeks.

Akamai officials deferred all questions to Microsoft, which would not offer any specific details.

“I’m afraid that would be talking about specific preventative measures,” said Microsoft’s Toulouse. “We want to play our cards close. We want to ensure that customers can get and apply the patch. We don’t want to endanger that.” Toulouse also said Microsoft was not only looking at Blaster, but a number of variants that have popped up this week.

“I don’t know what kind of game they may be up to,” says Paul Mockapetris, the inventor of DNS and the chief scientist for Nominum. “They could be trying to add servers to handle the load. They could be trying to identify where the attacks are coming from and trying to separate the infected machines from users actually trying to get to the update site.”

The DNS can respond to a browser request to match a URL with an IP address with up to 13 answers. Mockapetris says the number corresponds to the 13 root servers.

Mockapetris says if Microsoft had 100 servers for windowsupdate.com it could in effect be using the 20-second interval as a sort of load balancing measure. In essence, every 20 seconds a new set of 13 servers would be handling requests for windowsupdate.com. But Mockapetris says the short life intervals on the DNS responses could actually result in more traffic as people who may be blocked initially from the site try to access it another time.
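The two mechanisms Mockapetris describes, a short TTL that lets the authoritative server rotate which 13 of 100 servers it hands out every 20 seconds, and the side effect that a short TTL forces clients back to the server far more often, can be seen in a small simulation. The following is an added example written for this article; it is not Microsoft's or Akamai's configuration, and the server pool (addresses from the 192.0.2.0/24 documentation range), the rotation scheme and the client lookup rate are all constructed assumptions.

```python
"""Simulating a TTL-driven DNS answer rotation and its query-volume cost.

Added example, not the configuration described in the article. The pool of
100 server addresses, the round-robin rotation and the client behaviour are
constructed assumptions; only the name, the 13-answer figure and the
20-second interval come from the article.
"""
from dataclasses import dataclass, field
import ipaddress

NAME = "windowsupdate.com"      # the name under discussion in the article
ANSWERS_PER_RESPONSE = 13       # answers per DNS response, the figure Mockapetris cites
ROTATION_SECONDS = 20           # the TTL interval reported in the article


def server_pool(size=100):
    """Constructed pool of hypothetical server addresses drawn from the
    documentation range 192.0.2.0/24 (not real Microsoft or Akamai hosts)."""
    base = ipaddress.IPv4Address("192.0.2.1")
    return [str(base + i) for i in range(size)]


def rotate_answers(pool, now, per=ANSWERS_PER_RESPONSE, interval=ROTATION_SECONDS):
    """Return the `per` addresses an authoritative server hands out at time
    `now` (seconds). The window advances every `interval` seconds and the
    start index wraps around the pool, so all servers take turns."""
    window = int(now // interval)
    start = (window * per) % len(pool)
    return [pool[(start + i) % len(pool)] for i in range(per)]


@dataclass
class CachedAnswer:
    addresses: list
    expires_at: float


@dataclass
class StubResolver:
    """A client-side cache that keeps an answer only until its TTL expires."""
    cache: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def resolve(self, name, now, pool, ttl):
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at:
            # Cache miss or expired entry: go back to the authoritative server
            # and receive whichever 13 addresses are current in this window.
            self.upstream_queries += 1
            entry = CachedAnswer(rotate_answers(pool, now), now + ttl)
            self.cache[name] = entry
        return entry.addresses


def upstream_queries_for(ttl, lookup_every=60, duration=3600, pool=None):
    """Count how many times one client that looks the name up every
    `lookup_every` seconds must query upstream during `duration` seconds.
    With a 20-second TTL every lookup misses the cache; with a multi-day TTL
    only the first lookup leaves the client."""
    pool = pool or server_pool()
    resolver = StubResolver()
    for t in range(0, duration, lookup_every):
        resolver.resolve(NAME, t, pool, ttl)
    return resolver.upstream_queries


if __name__ == "__main__":
    pool = server_pool()
    for t in (0, 20, 40, 140):
        print(f"t={t:3d}s answers: {rotate_answers(pool, t)[:3]} ... ({ANSWERS_PER_RESPONSE} total)")
    for ttl in (ROTATION_SECONDS, 3600, 7 * 86400):
        print(f"TTL {ttl:>7}s -> {upstream_queries_for(ttl):3d} upstream queries per client per hour")
```

The second loop is the caveat in the last paragraph made concrete: a 20-second TTL spreads the load across the pool, but every client that retries comes back to the authoritative server each time, so the defence trades origin-server load for DNS query load.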