"Skype’s network resources," the company said on its Heartbeat blog. "This caused a flood of login requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact."
The company said normally the service can withstand this type of event through an "inbuilt ability to self-heal." However, the incident, which began Thursday, unearthed a vulnerability in the services’ network resource allocation algorithm, which prevented the self-healing component from working.
Skype’s announcement today dispelled rumors that hackers were responsible for the DoS attack. A poster on a Russian forum claimed the crash was caused by exploiting a buffer overflow vulnerability by sending malformed requests to Skype’s authorization server. The exploit code was posted on a Romanian website.
"We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk," the company said, adding that it has instituted software improvements to prevent a similar incident from happening in the future.
Peter Thermos, chief technology officer of Palindrome Technologies and a VoIP expert, told SCMagazine.com that he finds it odd that a buffer overflow exploit was revealed, but the outage was blamed on Microsoft security updates.
"If [a crash due to patch updates] happened, I’d assume it would happen when Skype was taking off, when they were beginning to become well-known as a peer-to-peer communications company," he said.
Since its launch about four years ago, Skype has faced its fair share of criticism from security experts. Last year, the Burton Group recommended enterprises should evaluate whether the closed-source Skype fits into their information protection posture.
In March, variants of the Stration worm used Skype as a vector to spread.
Experts have warned internet telephony is at risk to such threats as toll fraud, eavesdropping and phishing.
"This disruption was unprecedented in terms of its impact and scope," Skype said. "We would like to point out that very few technologies or communications networks today are guaranteed to operate without disruptions."
Skype, owned by eBay, reportedly has more than 200 million registered users.
Skype blames downtime on Patch Tuesday re-start, not hackers
By Dan Kaplan on Aug 21, 2007 7:21AM