noip.com dynamic domains seized!

Posted on Tue Jul 01, 2014 6:44 am

I discovered this thanks to Phildoe in the minecraft thread about my server.

Yesterday Microsoft got a court order and seized 22 of the domains commonly used by noip.com's dynamic DNS business. So if you use *.no-ip.biz or the like, you are probably experiencing some problems right now. This is why.

Just a heads up.

https://www.noip.com/blog/2014/06/30/ip ... -takedown/
Glorious

Posted on Tue Jul 01, 2014 7:11 am

Yeah, yesterday I was showing my cousin some stuff about SSH which I demonstrated by attempting to log into my server from my phone. No such luck! Everything made sense when I saw the headlines today.
alloyD

Posted on Tue Jul 01, 2014 8:15 am

Sounds like a combination of a few bad apples spoiling the party for everyone, and Microsoft acting like a spastic bull in a china shop. :roll:

Note to MS: I appreciate that you're trying to play the role of sheriff to bring some order to the frontier here; someone's gotta do it. But if you're gonna pull crazy stunts like this, at least make sure the DNS servers you're moving the seized domains to can handle the load. Taking out thousands millions of legitimate users as collateral damage is simply not acceptable.

Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?
just brew it!

Posted on Tue Jul 01, 2014 8:28 am

I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?
Ryhadar

Posted on Tue Jul 01, 2014 8:33 am

Ryhadar wrote: I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?

No, they convinced a court to sign an order to transfer the domains. They now belong to Microsoft.

This is pretty annoying for me, as I have several free domains from No-IP, as well as a paid account for a client. This had better be resolved quickly, but I have a feeling Microsoft is gonna play hardball and drag it out.

EDIT: Ars story on the subject: http://arstechnica.com/security/2014/06 ... p-domains/
SuperSpy

Posted on Tue Jul 01, 2014 8:36 am

Ryhadar wrote: I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?

Reading between the lines, it looks like it went down like this: Microsoft managed to convince a court that No-IP was engaged in (or facilitating) illegal activity. Based on this, the court gave MS authority to seize the domains, at which point the DNS records for No-IP's servers were altered to redirect No-IP requests to MS's servers instead. MS's stated goal was to selectively nuke only those sub-domains which were involved in malware distribution; however, it appears that Microsoft's DNS servers are buckling under the load, causing service outages for everyone.
just brew it!

Posted on Tue Jul 01, 2014 8:36 am

just brew it! wrote: Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?

Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.
Captain Ned

Posted on Tue Jul 01, 2014 8:41 am

just brew it! wrote:
Ryhadar wrote: I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?

Reading between the lines, it looks like it went down like this: Microsoft managed to convince a court that No-IP was engaged in (or facilitating) illegal activity. Based on this, the court gave MS authority to seize the domains, at which point the DNS records for No-IP's servers were altered to redirect No-IP requests to MS's servers instead. MS's stated goal was to selectively nuke only those sub-domains which were involved in malware distribution; however, it appears that Microsoft's DNS servers are buckling under the load, causing service outages for everyone.

Thank you for this summary but I'm still confused. Microsoft is a corporation. What right or authority do they have in getting a court of law to strong arm No-IP to give up their sub domains?
Ryhadar

Posted on Tue Jul 01, 2014 8:48 am

Ryhadar wrote: Thank you for this summary but I'm still confused. Microsoft is a corporation. What right or authority do they have in getting a court of law to strong arm No-IP to give up their sub domains?

18 USC 1830 et seq, a/k/a the Computer Fraud and Abuse Act. Amended in 1998 to create a path for civil forfeiture of anything used to violate it.

http://en.wikipedia.org/wiki/Computer_F ... _Abuse_Act
Captain Ned

Posted on Tue Jul 01, 2014 9:42 am

Captain Ned wrote: ...To go further means all mimzy were the borogroves.

and ye mome raths outgrabe.
alloyD

Posted on Tue Jul 01, 2014 1:14 pm

Captain Ned wrote:
just brew it! wrote: Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?

Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.


It would require every network operating system on servers, clients, and appliances across the planet to be updated. Not as if Class E isn't the only broken aspect either. The 127 range was also spectacularly wasted.

If we're going to be doing replacement of hardware/updating of operating systems across the planet we might as well get IPv6 instead. IPv4 has a bunch of problems beyond just limited address space i.e. broadcast traffic.
Ryu Connor

Posted on Tue Jul 01, 2014 3:01 pm

Captain Ned wrote: Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.

OSPF neighbor and DR discovery, IGMP snooping, 802.1d STP, and PIM snooping already use IPv4 224/8 multicast addresses. There are some ranges that are up for grabs, but you need to be careful when doing so.


*EDIT*

Huh. Looks like NASDAQ Quotation Dissemination Service (NQDS) uses part of that block, too. I was totes unaware.

*edit 2*

"Further, since there is a 32:1 overlap of IP Multicast addresses to Ethernet MAC addresses, any multicast address in the [224-239].0.0.x and [224-239].128.0.x ranges should NOT be considered. "

Something else I was not aware of.
Hz so good
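
An added worked example, not code from anyone in this thread, that makes the 32:1 overlap quoted above concrete. The RFC 1112 mapping of an IPv4 multicast group to its Ethernet destination MAC keeps only the low 23 bits of the group address behind the 01:00:5e prefix, so 32 groups share every MAC, and any group whose low 23 bits are below 256 lands on the same MAC as one of the 224.0.0.x link-local control addresses (OSPF's 224.0.0.5 and 224.0.0.6 among them). Only the Python standard library is used; the group addresses in the demo are well-known ones plus arbitrary picks chosen for illustration.

```python
"""Added example: the 32:1 IPv4-multicast-to-Ethernet-MAC overlap.

IPv4 multicast groups live in 224.0.0.0/4, so 28 bits of the address vary.
The Ethernet mapping (RFC 1112) puts only the low 23 bits behind the OUI
01:00:5e and drops 5 bits, so every multicast MAC is shared by 2**5 = 32 groups.
A switch that floods or filters by MAC cannot tell those groups apart.
"""
import ipaddress

MCAST_MAC_OUI = 0x01005E000000  # 01:00:5e:00:00:00, IANA prefix for IPv4 multicast MACs
LOW23 = 0x7FFFFF                # the 23 address bits that survive the mapping
MCAST_BASE = 0xE0000000         # 224.0.0.0


def _group_int(ip):
    """Integer form of a multicast group; reject anything outside 224.0.0.0/4."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    return int(addr)


def multicast_ip_to_mac(ip):
    """Map an IPv4 multicast group to its Ethernet destination MAC (RFC 1112)."""
    mac = MCAST_MAC_OUI | (_group_int(ip) & LOW23)
    return ":".join(f"{(mac >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def colliding_groups(ip):
    """All 32 multicast groups (ip included) that share ip's MAC address.

    The 5 dropped bits are bits 23..27 of the address: bit 23 is the 128 in the
    second octet, bits 24..27 pick the first octet 224..239. So 224.0.0.5 collides
    with 224.128.0.5, 225.0.0.5, 225.128.0.5, ... up to 239.128.0.5.
    """
    low = _group_int(ip) & LOW23
    return [str(ipaddress.IPv4Address(MCAST_BASE | (hi << 23) | low)) for hi in range(32)]


def collides_with_link_local(ip):
    """True if ip shares a MAC with some 224.0.0.x address (the link-local control block).

    That is exactly the [224-239].0.0.x and [224-239].128.0.x ranges the post warns
    about: the low 23 bits are below 256, so only the discarded bits differ from 224.0.0.x.
    """
    return (_group_int(ip) & LOW23) < 256


if __name__ == "__main__":
    # 224.0.0.5 is OSPF AllSPFRouters, 239.255.255.250 is SSDP; the rest are arbitrary picks
    for group in ("224.0.0.5", "239.128.0.5", "239.255.255.250", "239.192.0.7"):
        flag = "  <- collides with link-local control" if collides_with_link_local(group) else ""
        print(f"{group:16} -> {multicast_ip_to_mac(group)}{flag}")
```

The practical consequence is the one the post quotes: a NIC or an IGMP-snooping switch that works at the MAC layer delivers all 32 colliding groups to anyone who joined any of them, so picking an application address in the [224-239].0.0.x or [224-239].128.0.x ranges means your traffic is indistinguishable from OSPF, VRRP and friends at layer 2.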

Posted on Tue Jul 01, 2014 3:42 pm

SuperSpy wrote:
Ryhadar wrote: I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?

No, they convinced a court to sign an order to transfer the domains. They now belong to Microsoft.

This is pretty annoying for me, as I have several free domains from No-IP, as well as a paid account for a client. This had better be resolved quickly, but I have a feeling Microsoft is gonna play hardball and drag it out.

EDIT: Ars story on the subject: http://arstechnica.com/security/2014/06 ... p-domains/



Thanks for the link! Cisco's blog post on the matter was rather enlightening. Shame we can't (as of 4:42pm EST) read no-ip's rebuttal.
Hz so good

Posted on Tue Jul 01, 2014 9:07 pm

Ryu Connor wrote:
Captain Ned wrote:
just brew it! wrote: Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?

Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.


It would require every network operating system on servers, clients, and appliances across the planet to be updated. Not as if Class E isn't the only broken aspect either. The 127 range was also spectacularly wasted.

If we're going to be doing replacement of hardware/updating of operating systems across the planet we might as well get IPv6 instead. IPv4 has a bunch of problems beyond just limited address space i.e. broadcast traffic.


From what I've heard, my ISP is doubling down on super-NATing. No support for IPv6 yet, even though my laptop, router, and modem supports it.
UnfriendlyFire

Posted on Tue Jul 01, 2014 9:25 pm

Classic Microsoft. Screwing over users on the basis of doing good with an idealized superman complex.
LASR

Posted on Tue Jul 01, 2014 10:52 pm

LASR wrote: Classic Microsoft. Screwing over users on the basis of doing good with an idealized superman complex.

Sounds like they were overconfident as well. "Sure, we'll keep the DNS responses flowing for the legitimate domains. Our servers can handle it!" Yeah, right.
just brew it!

Posted on Wed Jul 02, 2014 7:38 am

What I don't understand is how they plan to actually handle the legit domains, considering the whole point of DDNS is it changes constantly. Can they just have their DNS forward back to the No-IP servers? (Effectively acting as a filter)

In any event, despite the 'all services restored' line from Microsoft, all of my *.hopto.org domains are still offline. :evil:
SuperSpy

Posted on Wed Jul 02, 2014 7:58 am

SuperSpy wrote: What I don't understand is how they plan to actually handle the legit domains, considering the whole point of DDNS is it changes constantly. Can they just have their DNS forward back to the No-IP servers? (Effectively acting as a filter)

I assumed that they also took control of the IPs/domains that host the servers that receive the dynamic DNS updates from the user systems. Which means they would need to duplicate No-IP's entire infrastructure. If this is what they in fact tried to do, it is no wonder it is an epic fail.

SuperSpy wrote: In any event, despite the 'all services restored' line from Microsoft, all of my *.hopto.org domains are still offline. :evil:

Yeah, Microsoft is outright lying now.
just brew it!

Posted on Wed Jul 02, 2014 8:08 am

I don't think they did anything to the update/api servers (I think there was a No-IP statement that mentions it in passing), AFAIK they just ordered the DNS records for a bunch of the hosts to be changed.

The clients update directly to no-ip.com (which wasn't hijacked [might as well call it like it is at this point]), and that still works (I can find my home PC by logging into my account and checking the last reported IP, even though the *.hopto.org host no longer resolves).
SuperSpy

Posted on Wed Jul 02, 2014 9:18 am

OK, so Microsoft is either completely incompetent when it comes to DNS (should have realized they couldn't do this cleanly without also taking over the update servers), or lied to the court about being able to preserve legitimate users' service.
just brew it!

Posted on Wed Jul 02, 2014 2:08 pm

Well...this explains why I can't connect to my home VPN.
Dizik

Posted on Wed Jul 02, 2014 2:20 pm

Botnets have a direct societal impact in terms of time and money.

No-IP refused to police their own network despite pleas from outside parties. Let's not pretend that these botnets weren't already creating a social impact.

It is unfortunate that things are screwed up right now. In a perfect world this would have gone off without a hitch, but we live in an imperfect world.

So which is worse?

A DoS for a limited subset of legitimate users of the no-ip services?

Or

Botnets whose spam, cryptocurrency mining, malware, and DDoS attacks hurt a far broader set of people than the total number of legitimate no-ip customers?

A logical man once said that the needs of the many outweigh the needs of the few or the one.

Edit: It strikes me some of you probably have no clue just how much damage one or two botnets can cause.

http://arstechnica.com/business/2011/10 ... takedowns/

The above article will help put it into perspective. In this instance there were 22 domains being used by botnets through No-IP services.
Ryu Connor

Posted on Wed Jul 02, 2014 2:43 pm

Ryu Connor wrote: No-IP refused to police their own network despite pleas from outside parties.

At least, that's the claim. Have any linkage to a credible (as in, reasonably neutral third party) source to back that up?

Even if true, it does not excuse MS publicly stating that everything is back to normal, when legitimate users' service is obviously still messed up.
just brew it!

Posted on Wed Jul 02, 2014 3:19 pm

just brew it! wrote:
Ryu Connor wrote: No-IP refused to police their own network despite pleas from outside parties.

At least, that's the claim. Have any linkage to a credible (as in, reasonably neutral third party) source to back that up?

Even if true, it does not excuse MS publicly stating that everything is back to normal, when legitimate users' service is obviously still messed up.


Yes, the court order. What sort of kangaroo court system do you think we have? It is flawed, but it's not completely retarded. This fits your narrative of MS being the devil so of course you're all over it.

Am I going to have to fire up my PACER account?

Even a single botnet can generate billions with a b worth of spam messages. Let's ignore that though cause railing Microsoft is always fun.

From hell's heart and my basement I stab at thee M$!
Ryu Connor

Posted on Wed Jul 02, 2014 3:38 pm

First of all, the court order was based on evidence presented by Microsoft; No-IP did not know the seizure was coming until it happened, so they did not have a say. No-IP is now claiming (note that I take this with a grain of salt as well!) that Microsoft did not make a good faith effort to work with them to take down the offending domains prior to obtaining the court order.

Secondly, as I already noted, even if Microsoft had a legit reason to seize the domains, they are claiming that everything is back to normal now when clearly things are still pretty screwed up. This does not help their credibility.

Lastly, I would like to point out that screaming about anti-MS bias every time anyone criticizes them for anything gets just as tiresome as the M$ trolls.
just brew it!

Posted on Wed Jul 02, 2014 3:55 pm

just brew it! wrote: First of all, the court order was based on evidence presented by Microsoft; No-IP did not know the seizure was coming until it happened, so they did not have a say. No-IP is now claiming (note that I take this with a grain of salt as well!) that Microsoft did not make a good faith effort to work with them to take down the offending domains prior to obtaining the court order.


Of course they're going to claim that. Who isn't going to miss an opportunity to massage the message of your malfeasance into a story about how Microsoft is the bad guy?

What's especially crazy is that you've effectively and repeatedly accused Microsoft of perjury. That's pretty damn bold and really just shows how strong your bias is. Do you understand the consequences of that to both the company and their officers of the court if that were true?

just brew it! wrote: Secondly, as I already noted, even if Microsoft had a legit reason to seize the domains, they are claiming that everything is back to normal now when clearly things are still pretty screwed up. This does not help their credibility.


This is a technical snafu and you've worked in this industry long enough to know that crap happens. That has no standing on the "credibility" of Microsoft's investigative work except for people who had it out for Microsoft anyway.

just brew it! wrote: Lastly, I would like to point out that screaming about anti-MS bias every time anyone criticizes them for anything gets just as tiresome as the M$ trolls.


That might be true if this thread had anyone else discussing the extent and damage botnets cause. Instead this thread has the typical geek narrative of MS bad everyone else good.

If this thread was about Google having done this, I contend there would be nary a peep.

Sometimes the duck is a duck and this thread is a duck.
Ryu Connor

Posted on Wed Jul 02, 2014 3:59 pm

28. Further investigation revealed that No-IP is functioning as a major hub for 245 different types of malware circulating on the Internet. The figure below shows the diversity of malware that No-IP supports, each a threat to Microsoft and its consumers.

30. Dynamic DNS can be exploited to support and monetize cybercrime activities. This fact is evident from the massive number of malware supported by No-IP domains. By studying thousands of samples of malware, Microsoft has been able to identify approximately 18,472 subdomains of No-IP that are used by cybercriminals, and there are likely many more. Other researchers have observed the same. In April 2013, one researcher identified No-IP as the most used Dynamic DNS service for malicious purposes. Less than a year later, another security researcher concluded the same. For example, sub-domains of “zapto.org” (a No-IP domain) were found to be blocked 100% of the time by web browsers based on the domain’s reputation for being associated with malicious activity. Moreover, of the top Dynamic DNS domains most abused by malicious actors, No-IP domains had the highest number of malware samples than any other Dynamic DNS domain. The great variety and quantity of malware using No-IP sub-domains as infrastructure is testament to the utility of this kind of system for those engaged in illegal Internet activities. The top six types of malware currently using No-IP domains are described in the table below.


http://www.noticeoflawsuit.com/docs/Rev ... plaint.pdf
http://www.noticeoflawsuit.com/

Or you know, people might actually read the complaint and associated evidence. Hard work there, might even interfere with the narrative.

The Internet security community has noticed the abuse occurring on No-IP’s subdomains. In April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse, and it identified No-IP sub-domains as the most used for malicious intent of any other provider. No-IP published the following response, representing that the company had a strict abuse policy and had an abuse team to combat computer fraud and crimes:


Oh, noes. OpenDNS is now working on the side of the man. Clearly this must be because No-IP was a competitor. Yes, let the conspiracies flow forth from you.

33. Despite its representation of having a “very strict abuse policy,” the abuse on No-IP sub-domains continued. Another Internet security group, Cisco, published an article on February 11, 2014 that again outlined the extensive abuse occurring on No-IP domains, including the distribution of malware. No-IP published a similar response and even provided that the company “work[s] with law enforcement daily to ensure that we are doing our part to keep the internet safe.”


Clearly this is just because Cisco is as evil as Microsoft.

34. OpenDNS Security Labs and Cisco are not the only security firms that have reported on the No-IP abuse. Other firms such as FireEye, Symantec, and General Dynamics have published reports detailing this abuse. The report Symantec published in March 2013 specifically identifies a group of Bladabindi malware distributors that is using No-IP sub-domains.


These security firms are just trying to make us buy their stuff. Clearly the whole world just has it out for No-IP.

36. Although Defendant Vitalwerks is on notice and should be aware that its services are heavily abused, it has failed to take sufficient steps to correct, remedy, or prevent the abuse and to keep its domains free from malicious activity. In its report, Cisco recommended that No-IP could implement a security measure, called DNS Response Policy Zone, that could be used to block malicious traffic. Additionally, other security measures exist that would curtail the malicious abuse of the No-IP domains, such as the use of a web reputation service. However, on information and belief, Defendant Vitalwerks has failed to employ the best practices available to stop the abuse. After the February 2014 Cisco report was published, Microsoft continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP.


Why would anyone trust the Cisco security team's recommendations? They probably just offered up something that was Cisco proprietary anyway.
Ryu Connor
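
Since the Cisco recommendation quoted in paragraph 36, DNS Response Policy Zone (RPZ), is the crux of the "could they have blocked just the bad hosts" question, here is an added example of how RPZ QNAME triggers work. It is not code from the complaint, from Cisco, from No-IP or from anyone in this thread. The policy zone is an ordinary DNS zone whose owner names are the triggers and whose CNAME targets encode the action: CNAME . means NXDOMAIN, CNAME *. means NODATA, CNAME rpz-passthru. exempts a name, and any other target is a walled-garden redirect. The zone origin rpz.local., the sinkhole name sinkhole.example.net. and every host label in the two sample zones are constructed for the example and are not real No-IP hosts; only the parent domains zapto.org and hopto.org come from the thread. The evaluator is a toy, not a resolver, but the matching rules (exact owner beats wildcard, closest wildcard wins, a wildcard never matches its own owner) are the RPZ ones.

```python
"""Added example: toy evaluator for DNS Response Policy Zone (RPZ) QNAME triggers.

An RPZ is an ordinary DNS zone a resolver loads as policy: each owner name is a
trigger and the CNAME target says what to do when a query name matches it.
"""

# Actions, encoded in the CNAME RDATA the way RPZ does it
NXDOMAIN = "."               # CNAME .             -> answer NXDOMAIN
NODATA = "*."                # CNAME *.            -> answer NODATA (name exists, no records)
PASSTHRU = "rpz-passthru."   # CNAME rpz-passthru. -> exempt this name from policy

# Constructed sample zones (origin rpz.local.). Host labels and the sinkhole name are
# invented for this example; only the parent domains are the ones named in the thread.
SELECTIVE_RPZ = """
; block one abusive host and everything beneath it, nothing else under zapto.org
sample-c2.zapto.org          CNAME .
*.sample-c2.zapto.org        CNAME .
; NODATA for a host that keeps existing but never answers
sample-dropper.hopto.org     CNAME *.
; walled garden: redirect a phishing host to a sinkhole we control
sample-phish.hopto.org       CNAME sinkhole.example.net.
; explicit exemption; an exact owner beats any wildcard
legit-home.hopto.org         CNAME rpz-passthru.
"""

BLUNT_RPZ = """
; the blunt alternative: every name under hopto.org, with a single exemption
*.hopto.org                  CNAME .
legit-home.hopto.org         CNAME rpz-passthru.
"""


def parse_rpz(zone_text, origin="rpz.local."):
    """Parse 'owner CNAME target' lines into {trigger_qname: target}; ';' starts a comment."""
    rules = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rrtype, target = line.split()
        if rrtype.upper() != "CNAME":
            raise ValueError(f"only CNAME policy records are handled: {raw!r}")
        owner = owner.lower()
        if not owner.endswith("."):               # relative owner: append the zone origin
            owner = f"{owner}.{origin}"
        if not owner.endswith("." + origin):
            raise ValueError(f"owner {owner} is outside policy zone {origin}")
        rules[owner[: -(len(origin) + 1)]] = target   # strip ".rpz.local." -> trigger QNAME
    return rules


def best_match(rules, qname):
    """Return (target, trigger) for the closest matching rule, or (None, None).

    An exact owner beats a wildcard; a wildcard nearer the query name beats one
    higher up; a wildcard matches one or more labels below its owner, never the owner.
    """
    q = qname.lower().rstrip(".")
    if q in rules:
        return rules[q], q
    labels = q.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate], candidate
    return None, None


def policy_answer(rules, qname):
    """What the resolver does for qname under this policy."""
    target, _ = best_match(rules, qname)
    if target is None or target == PASSTHRU:
        return "RESOLVE"                            # normal recursion, policy does not apply
    if target == NXDOMAIN:
        return "NXDOMAIN"
    if target == NODATA:
        return "NODATA"
    return f"CNAME {target}"                        # walled-garden redirect


def blocked(rules, names):
    """Names in `names` that the policy keeps from resolving normally (the collateral)."""
    return [n for n in names if policy_answer(rules, n) != "RESOLVE"]


if __name__ == "__main__":
    users = ["legit-home.hopto.org", "other-user.hopto.org", "sample-dropper.hopto.org"]
    for label, zone in (("selective", SELECTIVE_RPZ), ("blunt", BLUNT_RPZ)):
        rules = parse_rpz(zone)
        print(f"{label}: blocked = {blocked(rules, users)}")
    rules = parse_rpz(SELECTIVE_RPZ)
    for name in ("sample-c2.zapto.org", "api.sample-c2.zapto.org", "other-user.zapto.org"):
        print(f"{name:28} -> {policy_answer(rules, name)}")
```

The two sample zones make the point of the argument in this thread: a per-host policy stops the abusive names and leaves every other user under the same parent domain resolving, while a blanket *.hopto.org rule takes down everyone who is not explicitly exempted, which is roughly the outcome the *.hopto.org users here are describing.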

Posted on Wed Jul 02, 2014 4:18 pm

just brew it! wrote: First of all, the court order was based on evidence presented by Microsoft; No-IP did not know the seizure was coming until it happened, so they did not have a say. No-IP is now claiming (note that I take this with a grain of salt as well!) that Microsoft did not make a good faith effort to work with them to take down the offending domains prior to obtaining the court order.


Something that's been bothering me a little, is that they said the same thing about Cisco, after the Dynamic Detection of Malicious DDNS blog post went up, back in February. Both times, No-IP claim that they were never notified. Once, ok, comms snafu. Twice, by another tech giant no less? Nuh uh. Something's off.

And I realize that the No-IP blog is handled by their marketing manager, but I don't like her use of "proactive". Proactive, to me, means No-IP would have automated processes in place to catch this on their own (or at least flag it for admins as suspicious), not the Abuse Dept waiting around for other people to tell them that there's a problem.

Secondly, as I already noted, even if Microsoft had a legit reason to seize the domains, they are claiming that everything is back to normal now when clearly things are still pretty screwed up. This does not help their credibility.


Did any of the "ZOMG, M$ stole my No-IP, and is trying to sell me Azure!!1!!" stories ever turn out to be verified? I saw a lot of that flying around during the outage.
Hz so good

Posted on Wed Jul 02, 2014 9:07 pm

Ryu Connor wrote: http://www.noticeoflawsuit.com/docs/Revised_Final%20No-IP%20Complaint.pdf
http://www.noticeoflawsuit.com/

Or you know, people might actually read the complaint and associated evidence. Hard work there, might even interfere with the narrative.

Thanks for the links. (Seriously. Not being sarcastic.)

The complaint is interesting. The gist of Microsoft's argument seems to be:

1. Criminals are using dynamic DNS to facilitate the distribution of malware. (AFAIK this point isn't disputed by anyone.)

2. No-IP seems to be the dynamic DNS service most commonly used for criminal activity. (AFAIK this point isn't being disputed either.)

3. No-IP is not doing enough to prevent said criminals from using their services. (Debatable, but I'm willing to concede this point as well.)

4. The fact that a small percentage of No-IP's subdomains -- some of which are involved in the above mentioned criminal activities -- violate Microsoft's trademarks gives Microsoft the right to seize No-IP's parent domains, and -- implicitly -- disrupt services of millions of legitimate users who also happen to be hosted under those domains. (This is where I think we go off the rails.)

AFAICT, nowhere in the complaint does it indicate that No-IP was ever contacted by anyone with a list of subdomains that were suspected of being involved in criminal activity. All we really have is Cisco's accusation that No-IP isn't employing "industry best practices" (a somewhat subjective term) to weed out problematic users.

It is also worth noting that only DNS traffic flows through No-IP's servers; they don't serve content, and don't see complete URLs. So how are they supposed to know, a priori, that a given domain name is being used for nefarious purposes? Yes, subdomain names which are obviously intended to trick the user into believing they are owned by Microsoft (or another well-known company) should be a red flag... and this probably should've triggered additional scrutiny on No-IP's part. But parody/satire sites are an explicitly permitted form of free speech, so looking for common trademarks in domain names is not definitive.

Wouldn't a court order compelling No-IP to better police their users and remove problematic subdomain entries have been a more reasonable approach than outright seizure of all of the affected parent domains?

While it does indeed appear that No-IP may have been (at best) careless, TBH I don't think the presented evidence supports your narrative (which appears to be that MS is a "shining knight in armor") either. At best, I'd say MS has abused trademark law, and botched the takeover of No-IP's DNS servers.
just brew it!

Posted on Thu Jul 03, 2014 3:39 am

Microsoft has used these style actions in the past successfully to manage to deal with some seriously nasty botnets.

http://arstechnica.com/business/2011/09 ... -to-court/
http://arstechnica.com/information-tech ... ck-botnet/
http://arstechnica.com/business/2011/10 ... takedowns/

ArsTechnica wrote: Microsoft's botnet hunters have been busy. Last month, Redmond's Digital Crimes Unit teamed with Kaspersky Lab to dismantle the Kelihos botnet, which controlled 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day. While Kelihos had the potential to grow, its takedown won't have the same impact on spam volume as previous operations. The Rustock botnet, with control of 1.3 million zombie computers, was responsible at its height for sending 30 billion spam e-mails a day.


This is an effective tool. They are not a white knight - I never said they were either - I said there was a choice to be made.

Ryu Connor wrote: A DoS for a limited subset of legitimate users of the no-ip services?

Or

Botnets whose spam, cryptocurrency mining, malware, and DDoS attacks hurt a far broader set of people than the total number of legitimate no-ip customers?

A logical man once said that the needs of the many outweigh the needs of the few or the one.


9. Microsoft is aware of over 1200 computers in Las Vegas alone that have encountered the Defendants’ malware. With this malware, Defendants are able to steal login credentials, such as user names and passwords, from victims’ computers, and set up networks of computers that are under their control.


40. Bladabindi/Jenxcus malware can be downloaded by other cybercriminals who then can use the malware’s “dashboard” to customize the malware to suit their needs. The dashboard is a user interface that allows the user to customize the malware and control the infected computers. The dashboard can display a list of all infected computers’ IP addresses and locations, and it can even display real time screen shots of the infected computers’ desktop. Below is a screenshot of a dashboard for Bladabindi, also known as the njRAT dashboard, showing what information is available to the Malware Defendant once he has control over an infected computer.


RAT or Remote Administration Tool. It's more than just a spam bot.

41. Malware Defendants have distributed and infected user computers with Bladabindi/Jenxcus. Microsoft has detected over 7,486,833 instances of Windows computers that have encountered one or more versions of Bladabindi or Jenxcus malware in the past year. This likely represents only a small subset of the number of computers because Microsoft is only able to monitor machines running its anti-malware software. Based on market share data, the total number of detections over the past year may easily be two to three times this amount.


Over 7m instances detected just from Microsoft Security Essential/Windows Defender. They're right to note that most likely just scratches the surface.

51. No-IP is the predominant Dynamic DNS service used by the Malware Defendants for Bladabindi/Jenxcus botnet communication. As shown in the figure below, out of all Dynamic DNS providers, No-IP domains are used 93% of the time to support Bladabindi/Jenxcus infections.


The figure shows that 11,612 No-IP subdomains were used for Bladabindi/Jenxcus botnet communication.

Dan Goodin wrote:In fairness to Microsoft, aggressive legal actions that confiscate domain names have played a key role in ridding the Internet of some of the most abusive and resilient botnets. The company's legal department deserves credit for innovating a maneuver that has made the Internet a safer place.


The bad guys don't play by any rules and are often in countries outside of the reach of the law. You have a choice to make about how much damage is appropriate. Botnets are growing increasingly slippery with the design of their C&C servers (many are moving toward a P2P design). Time is limited and so are the tools.

Sometimes the bad guys escape the full fall of the hammer:
http://arstechnica.com/security/2013/12 ... operators/

Sometimes the bad guys nearly escape the fall of the hammer:
http://arstechnica.com/security/2012/07 ... ng-breath/
Ryu Connor