How Microsoft Fights Off 100,000 Attacks A Month

El Lobo writes to mention a ComputerWorld article about Microsoft's battles with the Hackers of the world. The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie. The article discusses Microsoft's 'defense in depth' strategy, and discusses just some of the layers in that barrier. From the article: "The first layer of protection for the Microsoft VPN is two-factor authentication. After an infamous incident in the fall of 2000, Microsoft installed a certificate-based Public Key Infrastructure and rolled out smart cards to all employees and contractors with remote access to the network and individuals with elevated access accounts such as domain administrators. Two-factor authentication requires that you have something physical, in this case the smart card, and also know something, in this case a password."

100,000 a month...?

[bhunachchicken]

So, who's doing the other 99,999 then...? :)

Re:100,000 a month...?

[hotdiggitydawg]

My guess would be some fella called "Windows Update"...

Thanks!

[moore.dustin]

Thanks for passing all those protection and security measures you develop to your customers! Wait a tic...

How about the best step . . .

[OverlordQ]

Keeping your vital data physically disconnected from the outside Internet. I know it'll cut off people who work remotely, but if it's that important, it's worth it.

Re:How about the best step . . .

[bugnuts]

MS is big, and vital data are distributed in not-so-vital chunks throughout the organization and in different ways.

Combined, it's all vital. But imho, saying "just cut the plug on the network" is not feasible and horribly short-sighted. MS has several web applications, update servers, search engines... what are you saying again? You propose they cut all that off, too? The damage is just as bad (if not worse) if their update servers get hacked instead of their personnel database.

Network security covers a little more than just "vital data".

Re:How about the best step . . .

"Keeping your vital data physically disconnected from the outside Internet."

Beyond that, Microsoft needs to control what executable code its employees can grab off the Internet. Apparently, even non-IT workers there can download and install almost anything. I know a contractor in technical support that just translates the phone conversations and really isn't a technical person at all. He just speaks multiple languages. And from what he tells me, he has no restrictions on his computer from installing software off the internet.

Re:How about the best step . . .

[diersing]

Thats great, as long as the people that use the vital data (executives, accounting, legal, sales, tech support, etc) don't need to get to the internet. Or do you have a kiosk set up that everyone queues up at?

I've worked for two large (150,000+) Fortune 100 companies. One was a bank and the other... the other employeed scientest and lets just say their IP, is the lifeblood of the business. And in my experience, no one is interested is disconnecting the data, it just isn't feasible (simple, yes). With two factor authentication, an IDS, and regular auditing a good remote access system is, IMHO, safer then LAN access. If its designed and implemented well there is nothing to worry about.

The thing you have to remember about information security is, if its not available to the users that are authorized, its considered down time and in most businesses, down time of the critical data is unacceptable.

Re:How about the best step . . .

[Oddscurity]

I've wondered about this update server before... does WinXP actually validate the stuff it downloads before installing it? Even if the update server is hard to compromise, some malware writer could have their malware auto-update by editing the hosts file.

Re:How about the best step . . .

[jacksonj04]

I don't believe so, as anyone can run a WUS server which keeps a local copy of updates for other machines on the domain to install. I've not read anything on the auth mechanisms used, but that doesn't mean there isn't something out there.

How to fend of 100,000 attacks a month

[LatexBendyMan]

They probably just run linux...

Re:How to fend of 100,000 attacks a month

[aliendisaster]

Actually, they do...to a point:

http://news.netcraft.com/archives/2003/08/17/wwwmi crosoftcom_runs_linux_up_to_a_point_.html
(old article and I wasn't able to duplicate their test so it may have changed)

Re:How to fend of 100,000 attacks a month

[Savage-Rabbit]

They probably just run linux...

Gee.. that's a surprise! I always thought Microsoft fended off attackers by throwing chairs at them...

There... now your cliché isn't lonely any more...

Re:How to fend of 100,000 attacks a month

[Overly+Critical+Guy]

They throw Beowulf clusters of naked and petrified statues of Natalie Portman as hot grits run down their pants expect in Russia where they throw you when you're not welcoming your new overlords or when old people aren't using the Internet in Korea.

Re:How to fend of 100,000 attacks a month

[Savage-Rabbit]

They throw Beowulf clusters of naked and petrified statues of Natalie Portman as hot grits run down their pants expect in Russia where they throw you when you're not welcoming your new overlords or when old people aren't using the Internet in Korea.

Dude.... I wanted a quiet gathering of a few friendly clichés not a whole cliché convention!

Re:How to fend of 100,000 attacks a month

[markmier]

I *AM* an overlord, you insensitive clod!

Re:How to fend of 100,000 attacks a month

[Jerry]

A few days ago I used Netcraft to take a look at what Microsoft was using for its severs.
There were 355 servers listed. A few are "unknow", a few more are "Solaris" and some I don't recognize, but at least 1/3rd of them are Linux.

Re:How to fend of 100,000 attacks a month

[Firehed]

Now someone mod this post up to +5, Insightful and put the whole thing on a shirt, with the caption of "The Slashdot Moderation System at Work".

Re:How to fend of 100,000 attacks a month

I believe this is because Akamai does load balancing for them. I was at one of their 'gatherings' and the search guys claimed they ran the whole system on windows boxes which was apparently quite the challenge as windows boxes have not been traditionally used in that manner.

That's funny...

[stag_beetle]

I thought the first thing you were supposed to do to protect against attacks was to ensure you aren't using Microsoft products in any part of your infrastructure...

Re:That's funny...

[mdm-adph]

reminds me of the story from a long while back about a site touting the greatness of Windows Server Software (might have actually have been a Microsoft site) -- well, somebody gets an error message one day, and it turns out the site was running Apache on Unix.

Re:That's funny...

[slashwritr]

I thought that those sites were actually Apple "enthusiast" sites, and they were running on Linux? This site confirms it; the article was in 2004, though, and those sites might be on Apple servers now.

Over 100,000 every month

[Rik+Sweeney]

The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie.

A network powered by Fedora Core 6...

Re:Over 100,000 every month

[Fred_A]

Actually I don't know how they count their attacks, but just attach a host to the network for a while and observe and you'll see automated attacks nonstop.
On my LAN gateway I have had a continuous stream of background SSH and misc Windows services attacks for years plus the occasional attempt at something more creative. Taking each of these into account I could probably arrive at thousands, if not tens of thousands per month.
I don't know how many machines MS has online but since the article doesn't really say what counts as an attack, the number seems to be ridiculously small.

I'm surprised...

[pdbaby]

The article seems to say they only use Microsoft solutions to provide their security.
I'm surprised they don't even have a little something from RSA. Is their solution that good (jokes aside!), or are they just suffering from major Not Invented Here syndrome?

Re:I'm surprised...

[db32]

Do you honestly believe they would admit to using anything other than MS? Do you remember the noise that was made about their website being protected by a company using linux servers to protect it from denial of service stuff? Do you remember the noise that was made when that linux based company signed up with their silly streaming media shit and was able to stream windows media more efficiently from linux boxes than what equivilent Windows boxes could do? (The worst part about this was that it could only stream windows media content to windows computers, and linux clients could't do anything with the streaming media from the linux server).

Give MS some credit...their Marketing/PR departments aren't stupid enough to talk about everyone else products used to secure their network, but I have a hard time believing that their technical folks are stupid enough to restrict themselves to MS products. I mean I have heard people explain to me how MS Proxy is the best proxy ever, or how that other stupid MS firewall/proxy/server thing is the best for boundary protection...but I assume those people will never work in security at a decent sized company for long if at all. MS products have their uses as much as I dislike many of them...but if I ever had anyone working for me try to use an MS product for something like boundary protection I would slap them, repeatedly, in front of the whole IT department.

Re:I'm surprised...

[morgan_greywolf]

Seriously. They might have a number of Microsoft products involved in running their VPN, but I'll bet it's mixed in with offerings from Cisco or Juniper. They could still claim it was an "all MS solution" since a Cisco ASA, for instance, is a "hardware appliance" and doesn't involve the use of software at all! (Damn, I can't say that with a straight face...)

Re:I'm surprised...

[Da_Weasel]

Not exactly. Here is a quote from a case study that Microsoft published regarding the migration of hotmail from FreeBSD to Windows 2000.

"The original builders of the application created a two-tier architecture built around various UNIX systems. FreeBSD, a UNIX-like system similar to the Linux operating system, was used to run the front-end Web servers that handled login, Microsoft Outlook Express, and Web-based content delivery tasks."

...

"During June and July of 2000, the Hotmail site was converted from FreeBSD running Apache Web services to Windows 2000 Server running Microsoft Internet Information Services 5.0."

You can read the case study here: http://www.microsoft.com/technet/interopmigration/ case/hotmail/default.mspx

Re:I'm surprised...

[ampmouse]

Hotmail ran on FreeBSD until after 2001, but microsoft bought hotmail in 1998. So, microsoft was running hotmail on FreeBSD for over 4 years.

Re:I'm surprised...

[bmajik]

funny you mention that - all outbound internet traffic from Microsoft's internal network goes through...

wait for it..

Microsoft ISA Server.

There may be other stuff out in front of that, but I have no evidence that there is.

I happen to dislike ISA server - because all of my traffic to the outside world goes through it, and if i notice it, its because it did something i didn't like (like forgot how to resolve hostnames - that's pretty common). I used to complain about it every day.. i'd say stuff like "ISA server makes me want to quit my job" or "maybe i could buy a 28.8 modem and get reliable fast internet access while at work). But, ISA server has gotten a lot better and the # of times a week I curse my existance has gone way down. I'll complain to co-workers that "there is no excuse for this - i've run Squid before and there are never any problems", but to be honest, i've never run a squid cluster with over 100 nodes serving over 100,000 PCs, so its not precisely apples to apples. And i've never put pre-production Squid code into a production environment -- which is exactly what we do with everything we make. My inbox has been on beta exchange for months, and over half the domain controllers here in Fargo are running Longhorn server builds.

Same thing with wireless. We deployed WPA before most of the outside world had heard of it. Internally, it was the only way to get wireless at all. If your device didn't do WPA, you didn't get to connect.

There are a few well-known "MS uses linux!!!!@#$!@#$ OMGZORZ!!!" stories out there, so i'll address the ones i am familiar with

MS uses Linux to host MS.Com

False. Microsoft.Com runs on windows servers. Microsoft has contracted with akamai to do geocaching of various web properties, and akamai uses linux to a large extent. This is why when you look at some MS.Com "machines" with tools like nmap, they'll come back as Linux boxes. they aren't MS machines, they aren't in any MS datacenter, and they aren't MS managed.

Hotmail is all linux

False. Hotmail was never linux. Hotmail has a distributed architecture, and at the time of acquisition, the front end machines were FreeBSD, and the back ends were Ultra enterprise 4500s. Eventually, the FE's were moved to Windows Server. My understanding is that they tried the transision using NT4 and it was miserable, and tried again with W2k and it was much much better. Eventually, all the Fe's got moved onto one of the server products (i dont remember if it was w2k or w2k3 before it was "done") and the hotmail capacity went UP.. i.e. re-writing the hotmail stuff natively for the new windows based platform has allowed hotmail to run more efficiently on less hardware, with lower management costs. The backend machines were still enormous sun boxes last time i asked about it a few years ago.. for a few reaons. 1) the investment in those was huge 2) the filesystem was completely customized for the application. I wouldn't be surprised if the back ends have also moved off of Sun machines. The back end boxes apparently did almost nothing with CPUs.. but lots and lots of disk IO. The custom filesystem is probably the biggest reason that moving back ends didn't happen earlier.

It's important to Microsoft to run our own stuff everywhere we can, because it demonstrates to customers that the product can meet their capacity needs, and because real world use is the best test of big complex systems. There are a few things we are NOT self hosting on yet - for instance, I am in the Business Division and while we sell a variety of ERP programs (from companies we've acquired), we still use 3rd party ERP systems to run "Microsoft, the Company". Those of you with ERP experience will understnad that this is not something you transition "over nite" or "just because". It is a goal for us in the Business Division to move MS onto our ERP stuff internally - it adds additional credibility to our products when we can tell customers "it can run Microsoft, so it can probably run your stuff". And our competitors _love_ saying things like "why buy MS's version of blah, they dont even use it themselves!"

Re:I'm surprised...

[UnknowingFool]

I would think the article should be more appropriately titled: How Microsoft Implements VPN Security to Fend off 100,000 Attacks. I have no doubts that MS uses companys' solutions like routers and firewalls as part of their overall security. This article was all about VPN security.

ok, sure .. .this is somehow news because

[zappepcs]

this is a story about how MS is doing security... however, 2 factor authentication has been in use for decades, even before computers became the common day things they are today. In the military, I've seen where it takes 3 people and two keys just to open a door to a secured space. The tech is new, and hopefully now that MS is telling people that is how they do things, perhaps banks and other people with my personal information stored up will start doing the same??? sigh

Re:ok, sure .. .this is somehow news because

[GeckoX]

Where did it mention that MS is doing anything groundbreaking or revolutionary here?

This is simply an article about how MS, arguably the most targeted entity out there, secures their business.

Further, it appears to work very well for them, without sacrificing their employees ability to work.

Really, what are you trying to say here? Should it require 3 people and 2 keys to log into your office over VPN every day to get some work done? Somehow I thing not, but that still leaves me wondering what is your point?

Re:ok, sure .. .this is somehow news because

[wtansill]

perhaps banks and other people with my personal information stored up will start doing the same??? sigh

You really do not want to go there. Let's say you have the following (reasonably typical) scenario:

1. You have a checking account
2. You have a 401(k) through your company
3. You have a Visa credit card
4. You have a MasterCard credit card

Each institution where you maintain an account decides to require two-factor authentication.

• Do the security keys interoperate, or do you have to now have four seperate tokens?
• Your spouse wishes to log in as well, can (s)he use the same tokens, or does (s)he have to have their own?
• Spend a lot of time on the road? Want to check your account(s) from your hotel room? Take all your tokens. Which, BTW, means that the spouse cannot check while you are away unless each account issues one token per spouse or other authorized account user (which, BTW, adds cost for the institution).
• You have an emergency of some sort and must have access to your account, but forgot/lost your token, the battery died, whatever. Is there a secondary mechanism that will allow you to access your account which does not rely on the use of the security token? If so, you've just doubled the institution's cost of doing business with no net benefit to the institution.

Add to that the scary fact that two-factor authentication does nothing to prevent man-in-the-middle attacks -- someone can still get hold of your session and possibly access your supposedly secure accounts -- and the luster dims for the two-factor scheme.

It works well in some limited instances, but I shudder to think of the possibilities if it's ever adopted on a wide scale.

Re:ok, sure .. .this is somehow news because

[johneee]

I don't know about that, but I do have accounts in three different banks, and they do have two factor authentication - bank card and pin - for some of the access I have to them. Mostly it works pretty well...

If all else fails...

[jbeaupre]

They whip out the OEM image CD and reinstall. The down side is they have to get rid of all those AOL icons and replace Norton AV each time.

Seems unlikely that they'd run Linux

[coleopterana]

I've noticed that the best way to find problems with your own product is to have your employees (forced to) use it on a daily basis. I'm no Microsoft fan nor a software engineer but it seems to me to be the quickest way to find holes that testing didn't uncover. Now that in itself presents an interesting question: does that make it harder to find SECURITY problems if you're testing your product behind all those corporate protections (assuming they work)? It's no real-world experience to do that.

what counts as an "attack"?

[Doctor+Crumb]

Honestly, my own computers fight off thousands of "attacks" a month, if you lower the bar enough. Are there worms knocking on port 137? Or are these actual hackers with stolen passwords/passcards?

Balance?

[Rob+T+Firefly]

The software giant fights off more than 100,000 attacks every month

I wonder how the number of attacks on other sites enabled by botnets of compromised Windows machines compares to this. Are they taking more or less than their software dishes out to the rest of the world?

Re:Balance?

[cswiger2005]

If you've run a honeynet, you'll find that you tend to see between ~300 and ~1500 or so "attacks" per IP address per day-- about 80% TCP-based, about 15% UDP-based, and about 5% ICMP-based. I'm not sure a simple ICMP ECHO_REQUEST qualifies as an "attack" (although there are plenty of security vendors who will claim it is, simply to inflate their numbers), but ICMP redirects which try to tell a host to send local traffic to a remote IP surely does qualify as a hostile attack.

Assuming that there's about 1000 attacks per day on average, or 30K per month per IP, suggests that Microsoft only has three or four Internet-routable machines, which clearly isn't the case-- perhaps they are only counting attacks which make it through the front line of their existing firewalls, or they are aggregating a single source IP which launches the same viral payload against many destination IPs as a single "attack"...?

Slashvertisement

[HairyCanary]

The article reads like an advertisement for Microsoft products. The article has a nice catchy subject line and the proceeds to explain how Microsoft leverages such neat toys as Exchange proxies, Microsoft Office Communicator, etc. The article is so heavy on naming each little piece of software that it reads like a big advertisement. How much do you want to bet it is a press release from Microsoft reprinted by Computerworld?

Yahoo Ping Department

[suso]

Tommorow we're going to hear from the ping department at Yahoo.

I always wondered what they do with all those echo requests.

Re:Yahoo Ping Department

[binarybum]

huh, I almost always use ping www.yahoo.com when I'm testing a DNS.
    does everyone default to this for some reason that I'm not aware of? Is that what you're referring to?

Re:Yahoo Ping Department

[Da_Weasel]

They are building up a stock pile of pings. It's all part of a diabolical plan to rule the universe through their pingopoly. Soon we shall all bow before their pingy-ness-ish-ness. Those who obey their pingy commands will recieve their daily ration of echo packets, everyone else will be left wanting... MMWhhaAHahHAhahahAHahahHAh!!!!

Re:Yahoo Ping Department

[MrP-(at+work)]

I think its very common.

I know everyone here always does ping yahoo.com to test DNS/network connections.

We also ping google.com somtimes too

I feel bad for them

Re:Yahoo Ping Department

[moore.dustin]

This is hilarious! I always ping yahoo.com when DNS testing too! I choose it because they have a reliable service and consistent response times.... and I never Yahoo! and I would not want to do this to a service/site I like/use :)

Marketting Material

[dave562]

That article wasn't very informative. It only talks about the security functionality offered by Microsoft products (specifically VPN/ISA and Exchange). It doesn't even address what kind of attacks are being launched against the company beyond the typical "Virus emails." In other words, it's just thinly disguised marketting material put out under a header that seems interesting.

I wonder how they got to the 100,000 number. If you count port scans and IP spoofs then my home network sees thousands of attacks every month.

Statistics...gotta 'luv em

[djupedal]

The software giant fights off more than 100,000 attacks every month, protecting their data-heavy internal network from the paws of your average script kiddie.

If MS is using the routine fuzzy-math they tend to throw out when attempting to make the company seem more powerful and dominating than is backed up by reality, the '100,000 attacks' could be 99,999 pieces of spam email and one ping-flood.

See, this is how MS routinely tries to brainwash Joe and Jane consumer. Toss out a statistic that is impossible to verify, along with just enough verbal imagery to impress non-tech savvy spenders and you're on your way to profitsville!

'data-heavy internal network...' That is some pretty shiny bull-shit, by the way...data-heavy! As opposed to what? I can see those steel grey towering industrial strength routers, embedded into solid concrete bunkers, laced with 50 cm MIL spec reinforcing bar that is tied deep in bedrock, far below the cavernous data centers the brave MS engineers toil without end to feed, with miles and miles of 1 meter thick ethernet cables, snaking like giant blood veins, throbbing quietly as the beast that is MS R&D works around the clock for the good of mankind.

Makes me proud to be an American, I 'tell ya!

100,000 is very low for automated attacks

[192939495969798999]

100,000 is very low, on a typical home machine if you're getting hundreds or thousands of attempts by bots, then surely the biggest software maker is getting millions. However, if they mean 100,000 attacks by individuals per month, meaning someone directly trying to "hack into microsoft", that seems impressively high. Wouldn't at least several of those get in through social engineering alone (i.e. pretend to be hot girl, get password, etc.)?

They use bees

[Overly+Critical+Guy]

Microsoft sends care packages of bees to hackers. Leaked internal memos suggest turmoil amongst executives who can't decide if they should send more bees or just pull out entirely. A study group has determined that Microsoft should begin talks with various hacker groups as a diplomatic means of ending the bloodshed, but few believe that it will stop the attacks or the need for more bees. Many mourn for the loss of the bees, who die upon losing their stingers, while others point out that these are volunteer bees and that it's to be expected.

Re:They use bees

[kkwst2]

African or European?

100k seems low

[xPsi]

100k attacks per month for Microsoft seems low to me. That is about 1 attack every 30 seconds. I'm not saying that this is a low number on an absolute scale, but it seems low for MS. I might have just assumed they were continuously under multiple attacks.

TRON....

[rubberbando]

And all this time, I thought they just used that laser from Tron attached to a satellite that they would aim at unsuspecting hackers to digitize them into the gaming grid where they must dodge flying chairs thrown by a virtual Steve Balmer (Donkey Kong Style).