Personal computing discussed
Ryhadar wrote:I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?
just brew it! wrote:Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?
just brew it! wrote:Ryhadar wrote:I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?
Reading between the lines, it looks like it went down like this: Microsoft managed to convince a court that No-IP was engaged in (or facilitating) illegal activity. Based on this, the court gave MS authority to seize the domains, at which point the DNS records for No-IP's servers were altered to redirect No-IP requests to MS's servers instead. MS's stated goal was to selectively nuke only those sub-domains which were involved in malware distribution; however, it appears that Microsoft's DNS servers are buckling under the load, causing service outages for everyone.
Ryhadar wrote:Thank you for this summary, but I'm still confused. Microsoft is a corporation. What right or authority do they have in getting a court of law to strong-arm No-IP into giving up their sub-domains?
Captain Ned wrote:just brew it! wrote:Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?
Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.
SuperSpy wrote:Ryhadar wrote:I'm a little confused as to how Microsoft has any say in the matter here. Do they run the servers that no-ip.org uses or something?
No, they convinced a court to sign an order to transfer the domains. They now belong to Microsoft.
This is pretty annoying for me, as I have several free domains from No-IP, as well as a paid account for a client. This had better be resolved quickly, but I have a feeling Microsoft is gonna play hardball and drag it out.
EDIT: Ars story on the subject: http://arstechnica.com/security/2014/06 ... p-domains/
Ryu Connor wrote:Captain Ned wrote:just brew it! wrote:Edit: And if no-ip's statement is accurate, MS bypassed normal procedures for dealing with rogue domains and went straight to the courts to get the seizure order. I wonder if there might be grounds for a lawsuit (either from no-ip, or class action by their customers) here?
Hmm, since we're officially out of IPv4 addresses (can we please reclaim the multicast & "future uses" blocks from 224/8 and above?) there might be actionable interests in DNS resolution. To go further means all mimzy were the borogroves.
It would require every network operating system on servers, clients, and appliances across the planet to be updated. Not as if Class E isn't the only broken aspect either. The 127 range was also spectacularly wasted.
If we're going to be doing replacement of hardware/updating of operating systems across the planet we might as well get IPv6 instead. IPv4 has a bunch of problems beyond just limited address space i.e. broadcast traffic.
LASR wrote:Classic Microsoft. Screwing over users on the basis of doing good with an idealized superman complex.
SuperSpy wrote:What I don't understand is how they plan to actually handle the legit domains, considering the whole point of DDNS is it changes constantly. Can they just have their DNS forward back to the No-IP servers? (Effectively acting as a filter)
SuperSpy wrote:In any event, despite the 'all services restored' line from Microsoft, all of my *.hopto.org domains are still offline.
Ryu Connor wrote:No-IP refused to police their own network despite pleas from outside parties.
just brew it! wrote:Ryu Connor wrote:No-IP refused to police their own network despite pleas from outside parties.
At least, that's the claim. Have any linkage to a credible (as in, reasonably neutral third party) source to back that up?
Even if true, it does not excuse MS publicly stating that everything is back to normal, when legitimate users' service is obviously still messed up.
just brew it! wrote:First of all, the court order was based on evidence presented by Microsoft; No-IP did not know the seizure was coming until it happened, so they did not have a say. No-IP is now claiming (note that I take this with a grain of salt as well!) that Microsoft did not make a good faith effort to work with them to take down the offending domains prior to obtaining the court order.
Secondly, as I already noted, even if Microsoft had a legit reason to seize the domains, they are claiming that everything is back to normal now when clearly things are still pretty screwed up. This does not help their credibility.
Lastly, I would like to point out that screaming about anti-MS bias every time anyone criticizes them for anything gets just as tiresome as the M$ trolls.
28. Further investigation revealed that No-IP is functioning as a major hub for 245 different types of malware circulating on the Internet. The figure below shows the diversity of malware that No-IP supports, each a threat to Microsoft and its consumers.
30. Dynamic DNS can be exploited to support and monetize cybercrime activities. This fact is evident from the massive number of malware supported by No-IP domains. By studying thousands of samples of malware, Microsoft has been able to identify approximately 18,472 subdomains of No-IP that are used by cybercriminals, and there are likely many more. Other researchers have observed the same. In April 2013, one researcher identified No-IP as the most used Dynamic DNS service for malicious purposes. Less than a year later, another security researcher concluded the same. For example, sub-domains of “zapto.org” (a No-IP domain) were found to be blocked 100% of the time by web browsers based on the domain’s reputation for being associated with malicious activity. Moreover, of the top Dynamic DNS domains most abused by malicious actors, No-IP domains had the highest number of malware samples than any other Dynamic DNS domain. The great variety and quantity of malware using No-IP sub-domains as infrastructure is testament to the utility of this kind of system for those engaged in illegal Internet activities. The top six types of malware currently using No-IP domains are described in the table below.
The Internet security community has noticed the abuse occurring on No-IP’s subdomains. In April 2013, OpenDNS published an article online detailing its investigation into Dynamic DNS abuse, and it identified No-IP sub-domains as the most used for malicious intent of any other provider. No-IP published the following response, representing that the company had a strict abuse policy and had an abuse team to combat computer fraud and crimes:
33. Despite its representation of having a “very strict abuse policy,” the abuse on No-IP sub-domains continued. Another Internet security group, Cisco, published an article on February 11, 2014 that again outlined the extensive abuse occurring on No-IP domains, including the distribution of malware. No-IP published a similar response and even provided that the company “work[s] with law enforcement daily to ensure that we are doing our part to keep the internet safe.”
34. OpenDNS Security Labs and Cisco are not the only security firms that have reported on the No-IP abuse. Other firms such as FireEye, Symantec, and General Dynamics have published reports detailing this abuse. The report Symantec published in March 2013 specifically identifies a group of Bladabindi malware distributors that is using No-IP sub-domains.
36. Although Defendant Vitalwerks is on notice and should be aware that its services are heavily abused, it has failed to take sufficient steps to correct, remedy, or prevent the abuse and to keep its domains free from malicious activity. In its report, Cisco recommended that No-IP could implement a security measure, called DNS Response Policy Zone, that could be used to block malicious traffic. Additionally, other security measures exist that would curtail the malicious abuse of the No-IP domains, such as the use of a web reputation service. However, on information and belief, Defendant Vitalwerks has failed to employ the best practices available to stop the abuse. After the February 2014 Cisco report was published, Microsoft continues to see 2,000-3,000 new unique malware samples per month that are supported by No-IP.
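As an added example (not code from the thread, from Microsoft, or from No-IP), this toy Python evaluator models the per-name policy that a DNS Response Policy Zone gives a resolver: the selective blocking just brew it! describes above and the filter-with-pass-through SuperSpy asks about, as opposed to a delegation change that sends every query for a domain to a new server. The sub-domain names and the sinkhole address are constructed, and the matching order is this example's own simplification rather than BIND's implementation.

```python
"""Toy evaluator for DNS Response Policy Zone (RPZ) style rules.

Constructed example modelling selective blocking: known-bad sub-domains get
a sinkhole answer or NXDOMAIN, an exempted sub-domain passes through, and
every other name is forwarded to the normal resolution path untouched.
Rule forms mirror BIND RPZ conventions (CNAME . -> NXDOMAIN, A <addr> ->
local data, CNAME rpz-passthru. -> pass-through), but the matching logic
below is this example's own, not BIND's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str          # "NXDOMAIN", "SINKHOLE", "PASSTHRU" or "FORWARD"
    target: str = ""   # sinkhole address, only used for SINKHOLE


# Constructed policy: hypothetical sub-domains of a real No-IP domain
# named on the page; 192.0.2.1 is a documentation address, not a real host.
RPZ_RULES = {
    "c2-host.zapto.org": Action("SINKHOLE", "192.0.2.1"),  # one bad sub-domain
    "*.zapto.org":       Action("NXDOMAIN"),               # block the remainder
    "mycam.zapto.org":   Action("PASSTHRU"),               # exempt a known-legit user
}


def _candidates(qname):
    """Yield lookup keys for qname, most specific first: the exact name,
    then a wildcard for each parent domain (a.b.example -> *.b.example, *.example)."""
    labels = qname.rstrip(".").lower().split(".")
    yield ".".join(labels)
    for i in range(1, len(labels)):
        yield "*." + ".".join(labels[i:])


def evaluate(qname, rules=RPZ_RULES):
    """Return the policy action for qname. The most specific matching rule
    wins, so an exact-name exemption beats a wildcard block; names with no
    matching rule are forwarded unchanged."""
    for key in _candidates(qname):
        if key in rules:
            return rules[key]
    return Action("FORWARD")


if __name__ == "__main__":
    for name in ("c2-host.zapto.org", "mycam.zapto.org",
                 "other.zapto.org", "www.no-ip.com"):
        print(f"{name:22} -> {evaluate(name)}")
```

The point the thread circles around is visible in the rule table: the wildcard entry is what a delegation seizure amounts to for every name under the domain, while the exact-name entries are the selective treatment the complaint says was intended.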
just brew it! wrote:First of all, the court order was based on evidence presented by Microsoft; No-IP did not know the seizure was coming until it happened, so they did not have a say. No-IP is now claiming (note that I take this with a grain of salt as well!) that Microsoft did not make a good faith effort to work with them to take down the offending domains prior to obtaining the court order.
Secondly, as I already noted, even if Microsoft had a legit reason to seize the domains, they are claiming that everything is back to normal now when clearly things are still pretty screwed up. This does not help their credibility.
Ryu Connor wrote:http://www.noticeoflawsuit.com/docs/Revised_Final%20No-IP%20Complaint.pdf
http://www.noticeoflawsuit.com/
Or you know, people might actually read the complaint and associated evidence. Hard work there, might even interfere with the narrative.
ArsTechnica wrote:Microsoft’s botnet hunters have been busy. Last month, Redmond’s Digital Crimes Unit teamed with Kaspersky Lab to dismantle the Kelihos botnet, which controlled 41,000 computers worldwide and was capable of sending 3.8 billion spam e-mails per day. While Kelihos had the potential to grow, its takedown won’t have the same impact on spam volume as previous operations. The Rustock botnet, with control of 1.3 million zombie computers, was responsible at its height for sending 30 billion spam e-mails a day.
Ryu Connor wrote:A DoS for a limited subset of legitimate users of the no-ip services?
Or
Botnets whose spam, cryptocurrency mining, malware, and DDoS attacks hurt a far broader set of people than the total number of legitimate no-ip customers?
A logical man once said that the needs of the many outweigh the needs of the few or the one.
9. Microsoft is aware of over 1200 computers in Las Vegas alone that have encountered the Defendants’ malware. With this malware, Defendants are able to steal login credentials, such as user names and passwords, from victims’ computers, and set up networks of computers that are under their control.
40. Bladabindi/Jenxcus malware can be downloaded by other cybercriminals who then can use the malware’s “dashboard” to customize the malware to suit their needs. The dashboard is a user interface that allows the user to customize the malware and control the infected computers. The dashboard can display a list of all infected computers’ IP addresses and locations, and it can even display real time screen shots of the infected computers’ desktop. Below is a screenshot of a dashboard for Bladabindi, also known as the njRAT dashboard, showing what information is available to the Malware Defendant once he has control over an infected computer.
41. Malware Defendants have distributed and infected user computers with Bladabindi/Jenxcus. Microsoft has detected over 7,486,833 instances of Windows computers that have encountered one or more versions of Bladabindi or Jenxcus malware in the past year. This likely represents only a small subset of the number of computers because Microsoft is only able to monitor machines running its anti-malware software. Based on market share data, the total number of detections over the past year may easily be two to three times this amount.
51. No-IP is the predominant Dynamic DNS service used by the Malware Defendants for Bladabindi/Jenxcus botnet communication. As shown in the figure below, out of all Dynamic DNS providers, No-IP domains are used 93% of the time to support Bladabindi/Jenxcus infections.
Dan Goodin wrote:In fairness to Microsoft, aggressive legal actions that confiscate domain names have played a key role in ridding the Internet of some of the most abusive and resilient botnets. The company's legal department deserves credit for innovating a maneuver that has made the Internet a safer place.