4 FEB 04

To date, the MyDoom email worm has been the most successful Internet attack ever launched. It appears to have come from Russia; more significantly, it appears to harvest email addresses for commercial gain. After feasting on the infected PC's email list, the worm has dessert by executing a distributed denial of service (DDoS) attack against two companies, SCO and Microsoft. But both companies had time to avoid the attack. How did they do it?

After one day of attack (Sunday), SCO had its Domain Name Service (DNS) IP address removed from sco.com but left the same IP with TheScoGroup.com. In this way, when a million copies of the worm looked up the DNS entry for sco.com, they got nothing.

Microsoft uses a more sophisticated approach. Web requests aimed at www.microsoft.com do not go to machines on Microsoft's network. Instead, they're handled by the Akamai Technologies Inc. caching system, which runs Linux. Microsoft uses Akamai's extensive worldwide network to distribute the massive traffic. Akamai Technologies notes the IP addresses of computers sending pings in a pattern that matches a MyDoom-infected PC and adds those IP addresses to the firewall's "deny" list. Since an IP address might be dynamically assigned by an ISP, it is removed from the deny list if no pings are received from that IP after several hours.
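The deny-list behaviour described above, sketched as an added example (not Akamai's or Microsoft's code). The page gives neither the matching pattern nor the exact timeout, so the rate rule, the `threshold` and `window` values, and the four-hour `idle_ttl` are assumptions, and the class and method names are hypothetical.

```python
from collections import defaultdict, deque


class ExpiringDenyList:
    """Deny list whose entries lapse once an address has gone quiet."""

    def __init__(self, threshold=5, window=10.0, idle_ttl=4 * 3600):
        self.threshold = threshold  # hits inside `window` treated as a match (assumed rule)
        self.window = window        # seconds (assumed)
        self.idle_ttl = idle_ttl    # "several hours" on the page; 4 h is an assumption
        self._recent = defaultdict(deque)  # ip -> timestamps of recent hits
        self._last_hit = {}                # denied ip -> time of its latest hit

    def _expire(self, now):
        # Drop entries that have been silent for idle_ttl; the address may
        # have been reassigned by the ISP to an uninfected machine.
        for ip in [ip for ip, t in self._last_hit.items() if now - t >= self.idle_ttl]:
            del self._last_hit[ip]

    def observe(self, ip, now):
        """Record one hit at time `now` (seconds); return True if it is allowed."""
        self._expire(now)
        if ip in self._last_hit:
            self._last_hit[ip] = now  # still sending, so the idle clock restarts
            return False
        hits = self._recent[ip]
        hits.append(now)
        while now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            self._last_hit[ip] = now
            del self._recent[ip]
            return False
        return True

    def denied(self, now):
        self._expire(now)
        return sorted(self._last_hit)


if __name__ == "__main__":
    # Constructed traffic using documentation address ranges.
    dl = ExpiringDenyList(threshold=3, window=10, idle_ttl=3600)
    for t, ip in [(0, "192.0.2.10"), (1, "192.0.2.10"), (2, "192.0.2.10"),
                  (3, "198.51.100.7"), (1800, "192.0.2.10"), (5401, "192.0.2.10")]:
        print(t, ip, "allow" if dl.observe(ip, t) else "deny")
```

A hit from an address that is already denied restarts its idle clock, so a machine that keeps sending stays blocked and only a silent address is released.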