25 Jan 2001
Security and network experts have slammed Microsoft for blaming yesterday's website outage on human error rather than its own network design.
Judging from a statement posted on Microsoft's website following the day-long outage, experts believe disaster struck because all of Microsoft's Domain Name System (DNS) servers are on the same network, making the sites inherently fallible because they are too interdependent.
DNS servers translate domain names, such as vnunet.com, into numerical IP addresses - for example 11.11.11.11 - which are used to identify servers. The system lets web surfers use memorable domain names, rather than strings of numbers, to locate websites.
The statement said that Microsoft's main websites, including Hotmail and MSN, blacked out because "a Microsoft technician made a configuration change to the routers on the edge of Microsoft's Domain Name Server network".
It continued: "The mistaken configuration change limited communication between DNS servers on the internet and Microsoft's DNS servers."
Microsoft went on to deny that the security of its networks was to blame and said that the "issue is resolved".
John Bennett, security specialist at systems integrator GFI Informatics, said Microsoft was "talking out of its backside. They are saying that the problem is sorted out but they have put all their eggs in one basket. If all the IP addresses are on one server, a single error to one IP address will affect them all."
Bennett said the network is "clearly not robust" and exposes Microsoft to the risk of hackers. "One person hacking into just one IP address could bring the whole lot down."
Ollie Whitehouse, computing security architect for @stake, said the Microsoft DNS servers "did not have the geographic dispersion they needed, making them vulnerable to a higher degree of interference".
He said: "From a resilience and strategy point of view, it's a mistake on Microsoft's part. It has created a single point of failure in terms of their internal network. They are offering a key service to the public, and in those cases I would always push for a resilient design."
Paul Rogers, a network security analyst at MIS, agreed with Whitehouse that locating all the DNS servers in one place was a mistake: "I'm shocked. If the servers that provide the mapping to the raw IP addresses aren't working, then a mistake means you are not contactable."
He added: "There is a lack of disaster recovery. Microsoft would be better off having servers in the UK and dotted around the US."
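The weakness the experts describe, every authoritative DNS server for a domain sitting on one network, can be checked from the outside by grouping the servers' addresses by network prefix. The sketch below is an added example, not anything from Microsoft or the people quoted. The nameserver names and documentation-range addresses are constructed, and grouping by /24 is an assumed heuristic: servers in different prefixes can still share one edge router.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: hypothetical nameserver names with addresses
# taken from the IPv4 documentation ranges (RFC 5737).
CLUSTERED = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "192.0.2.11",
    "ns3.example.com": "192.0.2.12",
    "ns4.example.com": "192.0.2.13",
}
DISPERSED = {
    "ns1.example.com": "192.0.2.10",
    "ns2.example.com": "198.51.100.10",
    "ns3.example.net": "203.0.113.10",
}

def group_by_prefix(nameservers, prefix_len=24):
    """Map each covering IPv4 network to the nameservers inside it."""
    groups = defaultdict(list)
    for name, addr in nameservers.items():
        # strict=False masks the host bits, giving the enclosing network.
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[str(net)].append(name)
    return dict(groups)

def assess(nameservers, prefix_len=24):
    """Return (verdict, groups); one prefix holding every server is flagged."""
    groups = group_by_prefix(nameservers, prefix_len)
    if not nameservers:
        return "no-nameservers", groups
    if len(nameservers) == 1:
        return "single-server", groups
    if len(groups) == 1:
        # Every server shares one network: a routing or configuration
        # error at its edge cuts off name resolution for the whole domain.
        return "single-network", groups
    return "dispersed", groups

if __name__ == "__main__":
    for label, zone in (("clustered", CLUSTERED), ("dispersed", DISPERSED)):
        verdict, groups = assess(zone)
        print(f"{label}: {verdict} {groups}")
```
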