Slashdot Mirror


How Microsoft Fights Off 100,000 Attacks A Month

El Lobo writes to mention a ComputerWorld article about Microsoft's battles with the Hackers of the world. The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie. The article discusses Microsoft's 'defense in depth' strategy, and discusses just some of the layers in that barrier. From the article: "The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in the fall of 2000, Microsoft installed a certificate-based Public Key Infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators. Two-factor authentication requires that you have something physical, in this case the smart card, and also know something, in this case a password."

16 of 169 comments

  1. Re:That's funny... by mdm-adph · · Score: 3, Interesting

    reminds me of the story from a long while back about a site touting the greatness of Windows Server software (might actually have been a Microsoft site) -- well, somebody gets an error message one day, and it turns out the site was running Apache on Unix.

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
  2. what counts as an "attack"? by Doctor+Crumb · · Score: 5, Interesting

    Honestly, my own computers fight off thousands of "attacks" a month, if you lower the bar enough. Are there worms knocking on port 137? Or are these actual hackers with stolen passwords/passcards?

  3. Re:How to fend of 100,000 attacks a month by aliendisaster · · Score: 3, Interesting

    Actually, they do...to a point:

    http://news.netcraft.com/archives/2003/08/17/wwwmicrosoftcom_runs_linux_up_to_a_point_.html
    (old article and I wasn't able to duplicate their test so it may have changed)

    --
    Freedom is a state of mind. A mind is a state of being. Stay the fuck out of my mind and my being. - Corporate Avenger
  4. Re:Yahoo Ping Department by binarybum · · Score: 3, Interesting

    huh, I almost always use ping www.yahoo.com when I'm testing a DNS.
    does everyone default to this for some reason that I'm not aware of? Is that what you're referring to?

  5. Re:That's funny... by slashwritr · · Score: 3, Interesting

    I thought that those sites were actually Apple "enthusiast" sites, and they were running on Linux? This site confirms it; the article was in 2004, though, and those sites might be on Apple servers now.

  6. Remote Assistance Hole by Anonymous Coward · · Score: 1, Interesting

    Having worked with M$ for a few months, I called tech support a few times and they all asked me to set the "Automatically accept requests" for remote desktop support, and all support people were from outside vendors outside of the country. Each time I refused to check it, but imagine all the people that did leave it checked for others to easily remotely control their machines.

  7. Re:Yahoo Ping Department by moore.dustin · · Score: 3, Interesting

    This is hilarious! I always ping yahoo.com when DNS testing too! I choose it because they have a reliable service and consistent response times.... and I never Yahoo! and I would not want to do this to a service/site I like/use :)

  8. Re:I'm surprised... by UnknowingFool · · Score: 2, Interesting

    I would think the article should be more appropriately titled: How Microsoft Implements VPN Security to Fend off 100,000 Attacks. I have no doubts that MS uses companies' solutions like routers and firewalls as part of their overall security. This article was all about VPN security.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  9. 100k seems low by xPsi · · Score: 2, Interesting

    100k attacks per month for Microsoft seems low to me. That is about 1 attack every 30 seconds. I'm not saying that this is a low number on an absolute scale, but it seems low for MS. I might have just assumed they were continuously under multiple attacks.

    --
    i\hbar\dot{\psi}=\hat{H}\psi
  10. Re:How about the best step . . . by diersing · · Score: 2, Interesting

    That's great, as long as the people that use the vital data (executives, accounting, legal, sales, tech support, etc) don't need to get to the internet. Or do you have a kiosk set up that everyone queues up at?

    I've worked for two large (150,000+) Fortune 100 companies. One was a bank and the other... the other employed scientists and let's just say their IP is the lifeblood of the business. And in my experience, no one is interested in disconnecting the data, it just isn't feasible (simple, yes). With two-factor authentication, an IDS, and regular auditing a good remote access system is, IMHO, safer than LAN access. If it's designed and implemented well there is nothing to worry about.

    The thing you have to remember about information security is, if it's not available to the users that are authorized, it's considered down time and in most businesses, down time of the critical data is unacceptable.

  11. Re:Over 100,000 every month by Fred_A · · Score: 4, Interesting

    Actually I don't know how they count their attacks, but just attach a host to the network for a while and observe and you'll see automated attacks nonstop.
    On my LAN gateway I have had a continuous stream of background SSH and misc Windows services attacks for years plus the occasional attempt at something more creative. Taking each of these into account I could probably arrive at thousands, if not tens of thousands per month.
    I don't know how many machines MS has online but since the article doesn't really say what counts as an attack, the number seems to be ridiculously small.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  12. Re:How about the best step . . . by Oddscurity · · Score: 3, Interesting

    I've wondered about this update server before... does WinXP actually validate the stuff it downloads before installing it? Even if the update server is hard to compromise, some malware writer could have their malware auto-update by editing the hosts file.

    --
    Indeed!
  13. Re:How to fend of 100,000 attacks a month by Jerry · · Score: 4, Interesting

    A few days ago I used Netcraft to take a look at what Microsoft was using for its servers.
    There were 355 servers listed. A few are "unknown", a few more are "Solaris" and some I don't recognize, but at least 1/3rd of them are Linux.

    --

    Running with Linux for over 20 years!

  14. Re:Balance? by cswiger2005 · · Score: 2, Interesting

    If you've run a honeynet, you'll find that you tend to see between ~300 and ~1500 or so "attacks" per IP address per day-- about 80% TCP-based, about 15% UDP-based, and about 5% ICMP-based. I'm not sure a simple ICMP ECHO_REQUEST qualifies as an "attack" (although there are plenty of security vendors who will claim it is, simply to inflate their numbers), but ICMP redirects which try to tell a host to send local traffic to a remote IP surely does qualify as a hostile attack.

    Assuming that there are about 1000 attacks per day on average, or 30K per month per IP, suggests that Microsoft only has three or four Internet-routable machines, which clearly isn't the case-- perhaps they are only counting attacks which make it through the front line of their existing firewalls, or they are aggregating a single source IP which launches the same viral payload against many destination IPs as a single "attack"...?

    --
    "The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
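The point made in comments 2, 11 and 14 above is that the headline number depends entirely on what gets counted as one "attack". The following is an added example (not from the ComputerWorld article, Microsoft, or any commenter) that runs four counting rules over a dozen constructed alert lines in a hypothetical IDS format (timestamp, protocol, source, destination, signature; addresses are from the RFC 5737 documentation ranges). The same log yields 12, 10 or 5 "attacks" depending on whether every alert counts, ICMP echo requests are dropped as noise, or one source sending one payload to many targets on one day is folded into a single event, which is the aggregation guessed at in comment 14.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// Constructed sample IDS log in a hypothetical format:
// <timestamp> <proto> <src> <dst> <signature>. Addresses are RFC 5737
// documentation ranges; nothing here is a real host or a real alert.
const sampleLog = `
2006-03-01T00:00:05 TCP 198.51.100.7 203.0.113.10 ssh-bruteforce
2006-03-01T00:00:09 TCP 198.51.100.7 203.0.113.11 ssh-bruteforce
2006-03-01T00:00:13 TCP 198.51.100.7 203.0.113.12 ssh-bruteforce
2006-03-01T00:01:00 ICMP 198.51.100.9 203.0.113.10 icmp-echo-request
2006-03-01T00:01:01 ICMP 198.51.100.9 203.0.113.11 icmp-echo-request
2006-03-01T02:30:00 ICMP 198.51.100.20 203.0.113.10 icmp-redirect
2006-03-01T03:00:00 UDP 198.51.100.31 203.0.113.10 netbios-ns-probe
2006-03-01T03:00:02 UDP 198.51.100.31 203.0.113.11 netbios-ns-probe
2006-03-02T01:00:00 TCP 198.51.100.7 203.0.113.10 ssh-bruteforce
2006-03-02T01:00:04 TCP 198.51.100.7 203.0.113.11 ssh-bruteforce
2006-03-02T04:00:00 TCP 198.51.100.44 203.0.113.12 smb-worm-propagation
2006-03-02T04:00:01 TCP 198.51.100.44 203.0.113.10 smb-worm-propagation
`

// Signatures treated as background noise rather than hostile activity;
// a plain echo request is noise, an ICMP redirect is not.
var noiseSignatures = map[string]bool{"icmp-echo-request": true}

type event struct {
	day, proto, src, dst, sig string
}

// parseLog turns the text into events, rejecting malformed lines.
func parseLog(text string) ([]event, error) {
	var events []event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		ts, err := time.Parse("2006-01-02T15:04:05", f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, event{day: ts.Format("2006-01-02"), proto: f[1], src: f[2], dst: f[3], sig: f[4]})
	}
	return events, sc.Err()
}

// countRaw: every alert is an "attack" (the inflated vendor figure).
func countRaw(ev []event) int { return len(ev) }

// countHostile: drop alerts that are not hostile on their own.
func countHostile(ev []event) int {
	n := 0
	for _, e := range ev {
		if !noiseSignatures[e.sig] {
			n++
		}
	}
	return n
}

// countCampaigns: one source sending one payload on one day counts once,
// however many destinations it hits.
func countCampaigns(ev []event) int {
	seen := map[[3]string]bool{}
	for _, e := range ev {
		if noiseSignatures[e.sig] {
			continue
		}
		seen[[3]string{e.src, e.sig, e.day}] = true
	}
	return len(seen)
}

// perTargetPerDay: raw alerts per destination per day, the honeynet-style figure.
func perTargetPerDay(ev []event) map[string]int {
	out := map[string]int{}
	for _, e := range ev {
		out[e.dst+" "+e.day]++
	}
	return out
}

func main() {
	ev, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw=%d hostile=%d campaigns=%d\n", countRaw(ev), countHostile(ev), countCampaigns(ev))
	for k, v := range perTargetPerDay(ev) {
		fmt.Println(k, v)
	}
}
```

Whichever rule a vendor or a press release picks, the useful thing for a defender is to publish the rule alongside the number; comparing a per-alert count from one network with a per-campaign count from another says nothing about either.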
  15. Re:How about the best step . . . by jacksonj04 · · Score: 2, Interesting

    I don't believe so, as anyone can run a WUS server which keeps a local copy of updates for other machines on the domain to install. I've not read anything on the auth mechanisms used, but that doesn't mean there isn't something out there.

    --
    How many people can read hex if only you and dead people can read hex?
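Comments 12 and 15 ask whether an update client validates what it downloads, given that a hosts-file edit can point it at any server. The page does not describe how Windows Update actually checks updates, so the following is an added example (not Microsoft's mechanism, not any commenter's code) of the defensive property the question is about: the client accepts an update only if a manifest signed by a pinned vendor key lists the payload's digest, so which host served the bytes is irrelevant. The manifest format, the update name and the use of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Hypothetical manifest format, constructed for this example: one
// "<update-name> <sha256-hex>" line per update. The vendor signs the manifest
// with an offline Ed25519 key; the client ships with only the public key.
type manifest struct {
	digests map[string]string
}

// buildManifest is the vendor-side step: list each update's SHA-256.
func buildManifest(updates map[string][]byte) []byte {
	names := make([]string, 0, len(updates))
	for n := range updates {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic bytes, so the signature is reproducible
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(updates[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return []byte(b.String())
}

// verifyManifest accepts the manifest only if the pinned key signed it.
func verifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	m := &manifest{digests: map[string]string{}}
	for _, line := range strings.Split(string(raw), "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		m.digests[f[0]] = strings.ToLower(f[1])
	}
	return m, nil
}

// installCheck is the client-side gate: signature over the manifest, then
// digest of the payload. Where the bytes came from plays no part.
func installCheck(pub ed25519.PublicKey, raw, sig []byte, name string, payload []byte) error {
	m, err := verifyManifest(pub, raw, sig)
	if err != nil {
		return err
	}
	want, ok := m.digests[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the manifest", name)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s: digest mismatch, refusing to install", name)
	}
	return nil
}

// demo runs three cases: the genuine update, a swapped payload under the
// genuine manifest, and a manifest re-signed with a key that is not pinned.
func demo() (genuine, swapped, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key, assumed offline
	if err != nil {
		panic(err)
	}
	const name = "example-update.bin" // placeholder name, constructed
	good := []byte("constructed genuine update bytes")
	raw := buildManifest(map[string][]byte{name: good})
	sig := ed25519.Sign(priv, raw)
	genuine = installCheck(pub, raw, sig, name, good)

	other := []byte("constructed bytes served by a redirected host")
	swapped = installCheck(pub, raw, sig, name, other)

	// A server the client was redirected to can serve its own manifest for
	// its own bytes, but cannot produce a signature under the pinned key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherRaw := buildManifest(map[string][]byte{name: other})
	forged = installCheck(pub, otherRaw, ed25519.Sign(otherPriv, otherRaw), name, other)
	return genuine, swapped, forged
}

func main() {
	g, s, f := demo()
	fmt.Println("genuine:", g, "| swapped payload:", s, "| forged manifest:", f)
}
```

The design choice worth noting is that trust is anchored in a key the client already holds, not in the name it resolved or the TLS endpoint it reached; a local WSUS-style mirror as described in comment 15 fits this model, since a mirror can only re-serve manifests the vendor signed.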
  16. Re:How to fend of 100,000 attacks a month by Anonymous Coward · · Score: 2, Interesting

    I believe this is because Akamai does load balancing for them. I was at one of their 'gatherings' and the search guys claimed they ran the whole system on windows boxes which was apparently quite the challenge as windows boxes have not been traditionally used in that manner.