In anticipation of the MyDoom.B payload striking www.microsoft.com tomorrow, Microsoft have shortened the TTL [time to live] on the www.microsoft.com DNS entry to five minutes. Yesterday the TTL was set to just under an hour.
Essentially, Microsoft is accepting the significantly higher load on its name servers [outsourced to Akamai] as the premium of an insurance policy in the event that it wants to move www.microsoft.com very quickly.
In this regard Microsoft is being very circumspect about the potential payload of the MyDoom.B virus, which anti-virus companies have tended to belittle. Of course, this may simply reflect the fact that Microsoft is directly at risk from the payload while the anti-virus companies are merely informed bystanders, rather than any real difference between Microsoft's view of the likely traffic levels and the anti-virus companies' expectations.
Our expectation is that Microsoft will defend against the payload from its own network, at least initially. If Microsoft does decide to deploy Akamai's HTTP caching, this should not necessarily be read as an admission that its in-house infrastructure could not cope; it is more likely to be motivated by a public-spirited desire to keep the traffic off the Internet's main arteries by absorbing the payload as close to the sources of the attack as possible.
The SCO Group, Inc. will use www.thescogroup.com as an alternate web site while www.sco.com remains under a denial of service attack from machines infected with the MyDoom worm, the company said this morning. The URL is expected to serve as an interim site for SCO through Feb. 12, when the DDoS is expected to conclude. "SCO has developed layers of contingency plans to communicate with our valued customers, resellers, developers, partners and shareholders," said Jeff Carlon, the company's director of worldwide IT infrastructure, who called the new domain "the first step" in its planning.
% host sco.com
sco.com has address 188.8.131.52
% host www.thescogroup.com
www.thescogroup.com has address 184.108.40.206
%
Performance data on www.thescogroup.com is available now.
Further corroboration of the generally good connectivity across the Internet can be seen by viewing www2.sco.com, which is on the same Class C network that www.sco.com occupied until earlier this evening. http://www2.sco.com/ loads very quickly to the eye, and the traceroute looks very good considering the circumstances.
A graph of the performance of www2.sco.com has just started appearing, while a comparative table of the performance of some of the sites connected with the MyDoom virus is also available. Each is updated every fifteen minutes.
Note that sco.com and caldera.com, which both shared the same IP address as www.sco.com, are still down, possibly because of stale DNS caching, or perhaps simply because the machine that ran those sites has been shut down.
% host sco.com
sco.com has address 220.127.116.11
% host www.caldera.com
www.caldera.com has address 18.104.22.168
The most recent Web Server Survey found some 58 hostnames running web sites that resolved to this IP address. One would presume that SCO is unconcerned about their availability, since it would have been possible to give www.sco.com its own IP address in the prelude to the DDoS.
SCO has done the public-spirited thing and taken www.sco.com out of the DNS. This means that, once the 60-second TTL on the old record has expired at caching resolvers, there will be no more HTTP traffic travelling across the Internet from the infected machines to www.sco.com.
Plausibly, the hostmaster's plan was to set the TTL to 60 seconds to give himself the flexibility of having changes propagate promptly, and then to see what the HTTP traffic was like before deciding whether to remove the site from the DNS. He has now decided that he has seen enough. SCO may also have come under pressure from ISPs to put a stop to the HTTP traffic.
% host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
% dig www.sco.com
www.sco.com.    IN  A
% date
Sun Feb 1 19:29:50 GMT 2004
Generally, conditions on the Internet seem very acceptable at the moment, with few hosting company sites experiencing failed requests. This contrasts markedly with forecasts from anti-virus companies and this morning's press release from SCO, which reported the Internet as being overwhelmed.
We had expected that SCO might take www.sco.com out of the DNS in the run-up to the MyDoom DDoS payload in order to keep the denial-of-service HTTP traffic off the Internet. So far, though, www.sco.com still resolves and still receives HTTP requests, although the server closes the connection without sending a response.
That said, the sco.com hostmaster is keeping his options open, with the TTL set to just 60 seconds at the time of writing.
% host www.sco.com
www.sco.com has address 22.214.171.124
% dig www.sco.com
www.sco.com.    60  IN  A   126.96.36.199
% telnet www.sco.com http
Trying 188.8.131.52...
Connected to www.sco.com.
Escape character is '^]'.
Connection closed by foreign host.
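A check for the behaviour described above (the TCP connection is accepted, then closed without any HTTP response), as an added example that is not from the original Netcraft post: a Python probe that classifies how a web host answers a request, exercised against two tiny local listeners started in-process so it runs offline. The loopback listeners, the ephemeral ports and the HEAD request are assumptions for illustration, not the SCO hosts named on the page.

```python
"""Classify how a web host answers an HTTP request.  Added example; the
listeners below are local stand-ins, not the hosts named on the page."""
import socket
import threading


def probe_http(host, port, timeout=3.0):
    """Return one of: 'http_response', 'closed_without_response',
    'refused', 'timeout', 'non_http_response'."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(1024)
    except ConnectionRefusedError:
        return "refused"                      # nothing listening at all
    except (ConnectionResetError, BrokenPipeError):
        return "closed_without_response"      # accepted, then RST before any reply
    except socket.timeout:
        return "timeout"                      # accepted, then silence (or packets dropped)
    if not data:
        return "closed_without_response"      # accepted, then orderly FIN, no bytes sent
    return "http_response" if data.startswith(b"HTTP/") else "non_http_response"


def start_local_listener(behaviour):
    """Start a one-shot listener on 127.0.0.1 that either answers with a
    minimal HTTP response ('respond') or closes right after accept ('close').
    Returns the ephemeral port.  Constructed stand-in for a real web host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == "respond":
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        conn.close()                          # 'close': FIN/RST with no response
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Probe both listener behaviours; returns {behaviour: classification}."""
    return {b: probe_http("127.0.0.1", start_local_listener(b))
            for b in ("respond", "close")}


if __name__ == "__main__":
    for behaviour, verdict in demo().items():
        print(f"listener that will {behaviour:8} -> {verdict}")
```

The "closed_without_response" verdict is the one the telnet transcript above shows: the three-way handshake completes, so a plain port check would report the site as up, but no HTTP bytes ever come back. Distinguishing it from "refused" and "timeout" matters when deciding whether a host has been taken down, firewalled, or is simply dropping requests on purpose.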
By contrast, www.microsoft.com's performance is normal. Microsoft has chosen to leave the hostname resolving to a set of 8 IP addresses in Redmond, rather than point it at Akamai's content distribution network, with the TTL set to just under an hour. (The TTLs of 7 and 8 seconds in the output below are the remaining lifetimes of the records in a caching resolver, not the authoritative TTL.)
www.microsoft.com.              7   IN  CNAME   www.microsoft.akadns.net.
www.microsoft.akadns.net.       7   IN  CNAME   www2.microsoft.akadns.net.
www2.microsoft.akadns.net.      8   IN  A       184.108.40.206
www2.microsoft.akadns.net.      8   IN  A       220.127.116.11
www2.microsoft.akadns.net.      8   IN  A       18.104.22.168
www2.microsoft.akadns.net.      8   IN  A       22.214.171.124
www2.microsoft.akadns.net.      8   IN  A       126.96.36.199
www2.microsoft.akadns.net.      8   IN  A       188.8.131.52
www2.microsoft.akadns.net.      8   IN  A       184.108.40.206
www2.microsoft.akadns.net.      8   IN  A       220.127.116.11
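The mechanics behind the DNS observations on this page (the 60-second TTL on www.sco.com, its later disappearance as an NXDOMAIN, and the CNAME chain in front of www.microsoft.com), as an added example that is not part of the original Netcraft post: a minimal RFC 1035 wire-format query builder and response parser in Python that reads the rcode, follows the CNAME chain and reports per-record TTLs. The responses it parses are constructed inline; the 192.0.2.x addresses, the 3500-second TTL and the exact record set are assumptions for illustration, not the values observed on the page.

```python
"""Build DNS A queries and parse responses (RFC 1035 wire format) to read
rcode, CNAME chain and per-record TTLs.  Added example; constructed data."""
import struct

QTYPE_A, QTYPE_CNAME = 1, 5
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode 'www.sco.com.' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(name, qid=0x1234, qtype=QTYPE_A):
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_response(data):
    """Return {'id', 'rcode': str, 'answers': [(owner, rtype, ttl, rdata), ...]}."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A:
            rdata = ".".join(str(b) for b in data[offset:offset + 4])
        elif rtype == QTYPE_CNAME:
            rdata, _ = read_name(data, offset)
        else:
            rdata = data[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, rtype, ttl, rdata))
    rcode = flags & 0x000F
    return {"id": qid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": answers}


def build_response(query, rcode=0, records=()):
    """Constructed server reply to `query` (test fixture, not a real resolver)."""
    qid = struct.unpack(">H", query[:2])[0]
    qname, qend = read_name(query, 12)
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = b""
    for owner, rtype, ttl, rdata in records:
        # owner equal to the question name is compressed to a pointer at offset 12
        owner_wire = b"\xC0\x0C" if owner == qname else encode_name(owner)
        raw = bytes(int(x) for x in rdata.split(".")) if rtype == QTYPE_A else encode_name(rdata)
        body += owner_wire + struct.pack(">HHIH", rtype, 1, ttl, len(raw)) + raw
    return header + query[12:qend + 4] + body


def cutover_window(answers):
    """Worst-case seconds before every caching resolver has dropped the old chain."""
    return max((ttl for _, _, ttl, _ in answers), default=0)


# Constructed fixtures (assumed names, TTLs and 192.0.2.x addresses).
SCO_GONE = build_response(build_query("www.sco.com"), rcode=3)
MS_CHAIN = build_response(build_query("www.microsoft.com"), records=[
    ("www.microsoft.com.", QTYPE_CNAME, 3500, "www.microsoft.akadns.net."),
    ("www.microsoft.akadns.net.", QTYPE_CNAME, 3500, "www2.microsoft.akadns.net."),
    ("www2.microsoft.akadns.net.", QTYPE_A, 3500, "192.0.2.10"),
    ("www2.microsoft.akadns.net.", QTYPE_A, 3500, "192.0.2.11"),
])

if __name__ == "__main__":
    for label, wire in (("www.sco.com", SCO_GONE), ("www.microsoft.com", MS_CHAIN)):
        r = parse_response(wire)
        print(label, r["rcode"], "cutover window:", cutover_window(r["answers"]), "s")
        for owner, rtype, ttl, rdata in r["answers"]:
            print(f"  {owner:28} {ttl:5} IN {'A' if rtype == QTYPE_A else 'CNAME':5} {rdata}")
```

The cutover window is the figure the TTL juggling on this page is really about: with the authoritative TTL at 3600 seconds, up to an hour of resolvers can keep sending clients (and infected machines) to the old address after a change, whereas at 60 seconds the hostmaster can repoint or withdraw the name and have the change take effect almost everywhere within a minute. Note that values read from a caching resolver are remaining lifetimes, so the authoritative TTL should be read from the zone's own name servers.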
Elsewhere, the Internet looks quite benign with presently just 10 of the fifty hosting company sites monitored by Netcraft showing failed requests during the last 24 hours, and none showing outages.
While Microsoft has a track record of deflecting DDoS attacks, the SCO Group's ability to defend its web site is complicated by the company's legal battle with Linux users. Both companies will be targeted Sunday by denial of service attacks from Windows computers infected by the MyDoom worm.
Content distribution networks (CDNs) can play a key role in defeating DDoS attacks, using their large and widely distributed networks of servers to blunt the impact. Microsoft used a CDN service from Akamai to keep its web site online last August, when the Blaster worm programmed machines to launch a DDoS on the Windows Update site. Microsoft's strategy drew considerable attention, as the front page of the www.microsoft.com site was served by Linux machines on Akamai's network.
The largest CDN providers - Akamai, Cable & Wireless and Speedera - all make extensive use of Linux servers. That's a problem for SCO, which contends that Linux includes copyrighted code from its own operating system, and is asking Linux users to pay $699 per server for the right to use its intellectual property. It is implausible that any of the CDN providers would pay this licence fee. If SCO feels that it is unable to patronise a very prominent Linux user, this eliminates one of the most proven defences and contrasts strongly with Microsoft's practical and prosaic approach.