from Hacker News

Microsoft takes down No-IP.com domains

by anExcitedBeast on 6/30/14, 8:21 PM with 251 comments

  • by Zancarius on 6/30/14, 9:03 PM

    > On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.

    Something about this bothers me. So the courts granted MS the rights to essentially take over No-IP's DNS in order to "identify" ... "bad traffic?"

    The implications of this are... chilling. As much as I want to reserve judgement, this makes me uneasy (malware aside).

  • by alasdair_ on 6/30/14, 9:05 PM

    "On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. "

    How can this be legal? Does this mean that if I get malware from a hotmail.com address, I can file for a TRO against Microsoft and control their domains?

    I honestly don't understand why Microsoft should be given this ability.

  • by nostromo on 6/30/14, 9:11 PM

    According to Reuters, Microsoft is only sending traffic from computers that are infected with malware to Microsoft instead of No-IP.

    http://uk.reuters.com/article/2014/06/30/us-cybercrime-micro...

    That may still make people uncomfortable, but it seems much less egregious than Microsoft taking control of No-IP's domains, which is what this press release implies.

    Edit: the reuters article is in error here, not the Microsoft Blog. See below. Turns out this really is as egregious as it sounds.

  • by runarb on 6/30/14, 9:08 PM

    Has I understood this correctly? Microsoft, a private company, has been granted the right to filter all dns traffic, and choose what will bee forward to this other company, No-IP. No-IP will so bee allowed to run there service for the remaining customers Microsoft approves?

    Is this common practices in the us legal system? Would it work like this in the offline world also? If my neighbor sometimes had loud parties that bothered me, could I be granted the right to stand in front of his door and turn any potential troublemakers away.

  • by hendersoon on 6/30/14, 9:56 PM

    It's just plain outrageous that this court order was granted. It essentially puts no-ip out of business when they were not complicit in anything illegal.

    It took me 5 minutes to switch my completely legitimate hosts over to ddns.net. I'm sure the evil botnet owners have backup hostnames and will do the same, or more likely switch to another provider entirely.

    The end result will be a short-lived dip in criminal activity over the next 72 hours or so, inconveniencing many thousands of legit users, and putting a completely innocent company out of business. Nice move, MS.

  • by andrewstuart2 on 6/30/14, 9:09 PM

    So let me get this straight. Microsoft got a court order to route all of another entity's DNS traffic to their servers. Giving them the ability to route a metric crap-ton of private traffic through their data centers. For "security". I call shenanigans.

    I'm also assuming this is why my no-ip domain disappeared this morning, leaving me with no access to my home servers.

    Perhaps the linux on my servers is considered malware. It sure is malicious to Microsoft's bottom line. I kid, but only a little.

  • by pktgen on 6/30/14, 8:49 PM

    FWIW, in my experience, No-IP is very, very responsive and helpful to abuse complaints. Though that is the extent of my experience with them, I've never thought them to be actively harboring malicious activity (unlike, say, CloudFlare).

  • by nathanb on 6/30/14, 9:08 PM

    So let me get this straight...Microsoft took down a free provider of dynamic DNS services because people have used those services to distribute and control malware?

    Where is the due process? Where is the oversight in this? All I'm seeing is vigilanteism.

  • by gtirloni on 6/30/14, 11:16 PM

    1 - Court seems to quick to grant Microsoft control of the domains

    2 - No-IP statement that they have an open channel with Microsoft executives but never (never?) received a complain from MS about any malicious activity is doubtful (sure MS can produce evidence to the contrary)

    3 - What was the urgency and how was this presented to the judge? Personally I don't feel the urgency to use a takeover maneuver in this case, but is there information that shows the impact of not acting was too great?

    4 - Our governments are so inept at fighting cyber-crime that instead of sending the request to a govt-regulated cyber-security unit they had to trust Microsoft's with the enforcement? That's sad.

    Like others, I am uneasy but thankful to MS. Just wish more details would be shared.

  • by spion on 6/30/14, 10:40 PM

    This is quite outrageous. I've been using no-ip.com for very legitimate purposes and this will surely result with a lot of breakage. Thanks Microsoft. Thanks a lot.

  • by norswap on 6/30/14, 8:56 PM

    Just when you thought it had been a long time since Microsoft was last evil.

  • by saganus on 7/1/14, 2:49 AM

    What I don't understand and haven't seen anyone ask is, why Microsoft?

    I mean, obviously some shady legal tactics are at work here, but why did Microsoft got to control those domains instead of, Mozilla for example? or Google? even more so, why wasn't control transferred to ICE for example?

    Not saying it's a better alternative or even that I agree with it, but it's very VERY unsettling (and I'm not even American) that a corporation can basically say "dibs on this" backed up by a court order!

    I would understand if the procedure went some more like, MS cries wolf, a court order is issued and a gov agency takes temporary control. At least it's "the government" doing the policing (even if guided by a corporation or whatever).

    What's next now? Comcast and Verizon sending their IP Police to arrest you because they have a log showing piracy was downloaded at an IP owned by you? And they get to seize your stuff and now your house is a Comcast/Verizon store?

    Wtf is this? It's so unreal.

    Edit: typo

  • by noipcom on 6/30/14, 10:21 PM

    You can read No-IP's formal statement here: Thttps://www.noip.com/blog/2014/06/30/ips-formal-statement-mi...

  • by reality_czech on 7/1/14, 3:04 AM

    People were starting to forget why everyone hates Microsoft. Even on this site, I see a lot of comments about how Microsoft "isn't so bad" anymore. Hopefully this will lay that and similar naive comments to rest.

  • by moe on 6/30/14, 11:56 PM

    Wouldn't it make more sense to make Microsoft financially liable for damages caused by their continued [criminal?] negligence?

    [1] http://www.zdnet.com/after-seven-months-and-no-microsoft-pat...

    [2] http://www.microsoftproductreviews.com/microsoft-news/intern...

  • by mschuster91 on 6/30/14, 9:31 PM

    Just ran a dig +trace on no-ip.biz. Just... wtf. Who had acted upon that court order?! I thought that the days the US had full control over the internet were LONG past. `

        biz.                    172800  IN      NS      a.gtld.biz.
    biz.                    172800  IN      NS      b.gtld.biz.
    biz.                    172800  IN      NS      c.gtld.biz.
    biz.                    172800  IN      NS      e.gtld.biz.
    biz.                    172800  IN      NS      f.gtld.biz.
    biz.                    172800  IN      NS      k.gtld.biz.
    ;; Received 308 bytes from 192.203.230.10#53(192.203.230.10) in 526 ms

    no-ip.biz.              7200    IN      NS      NS7.MICROSOFTINTERNETSAFETY.NET.
    no-ip.biz.              7200    IN      NS      NS8.MICROSOFTINTERNETSAFETY.NET.
    ;; Received 90 bytes from 209.173.58.66#53(209.173.58.66) in 150 ms

    no-ip.biz.              76834   IN      NS      nf5.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf2.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf4.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf3.no-ip.com.
    no-ip.biz.              76834   IN      NS      nf1.no-ip.com.
    ;; Received 206 bytes from 157.56.78.73#53(157.56.78.73) in 344 ms

  • by rblatz on 6/30/14, 9:50 PM

    Their status twitter is interesting, they aren't going into any details as to why their service stopped working, and they haven't made any statements about the accusations against them.

    https://twitter.com/NoIPStatus

  • by motters on 7/1/14, 11:33 AM

    So if I declare that the Bing web crawler is ignoring robots.txt and DDoSing my server then I can take over microsoft.com to "clean" out the bad stuff and redirect all traffic to zombo.com?

  • by xxdesmus on 6/30/14, 11:05 PM

    So based on Microsoft's ingenious logic someone could get a court order and take over part of their business because they have so many infected Windows XP machines out there. Right?

  • by rippa242 on 7/1/14, 12:17 AM

    I'm wondering how Microsoft managed to take down the noip.me base domain, since the court stated (footnote 1 on page 5 of the 2nd amended TRO, 2:14-cv-00987-GMN-GWF-019) that the noip.me domain is controlled by the country of Montenegro and outside US legal system control. While there are noip.me 3rd level domains in Appendix A of the TRO, mine were NOT listed and yet I'm being sinkholed by Microsoft.

  • by tokenizerrr on 6/30/14, 8:56 PM

    So does this mean no-ip.com is no more, or only a subset of their domains?

  • by sanbor on 7/1/14, 3:05 AM

    If the way to prevent malware is by blocking domains (which only prevent a few of them), with the same logic another great solution would be blocking Microsoft's operating systems (which would prevent most of them).

    Ubuntu should ask the government the same power and show how little malware Ubuntu users has and how much Windows users has to suffer.

  • by vfclists on 7/2/14, 3:27 PM

    When are a group of no-ip customers going to file a class action suit against Microsoft?

    Just because an ignorant judge gave them access to some no-ip domains did not give them the right bite more then they could che and fsck it up.

    The whole thing is just bizarre, WTF were they trying to accomplish? ie they took over the business of providing name service to over 4 million hosts, way bigger more than most large service providers with the intention of traffic to and from the C & C servers, or identify which of the computers were infected and inform their owners?

    Why didn't they simply set up some monitoring devices and get the judges or the FBI to compel no-ip to allow them to plug it into their network so they could monitor what they wanted without disrupting the service?

    If the no-ip owners were directly involved in the scam then why didn't the hand the evidence to the law enforcement authorities and let them carry on from there?

  • by kqr2 on 6/30/14, 8:54 PM

    Any alternatives for free dynamic DNS?

  • by ars on 6/30/14, 8:59 PM

    Wait what?

    If I have a domain with no-ip.com will it continue to work? Does Microsoft effectively own them now?

  • by hd502 on 7/1/14, 6:22 PM

    Complete BS. They claimed they were just going to stop bad traffic. But they can't handle the overall traffic load and so NO traffic is getting through. I was using the service to provide access to an API server in-house. A very simple server, nothing but JSON requests in-and-out. Absolutely NO malware. But since MS takeover - no traffic has gotten through.

    I pay for my noip account, so I'm happy to join any lawsuits against MS for this action. Personally, I see a class action suit being VERY viable.

    I also have issue with the courts even allowing this. Did they do ANY research on what is actually going on? I can't see how they could let this happen.

    I feel violated!

  • by dimman on 7/1/14, 8:41 AM

    Do they want a thank you? So sad really because lately they've shown some small steps in what I thought was the right direction. Ignorance is bliss.

  • by jajaja2014 on 6/30/14, 11:00 PM

    microsoft now spying legitimate no-ip trafic based on non applicable us laws?

    fuck you microsoft!

  • by Labrynth2014 on 7/1/14, 8:31 PM

    I would just add @andor, that the Police DO NOT own enough tools and equipment to do this. The Private sector has to, for better or for worse.

    I have domains with NO-IP and I've had no problem with them. It would all have been better had Microsoft made a statement about seizing the DNS but I respect the DON'T TELL THE ENEMY WE'RE COMING AND ON TO THEM !

  • by imrehg on 7/1/14, 3:58 PM

    We are using a no-ip.biz address for the Taipei Hackerspace website (because need DynamicDNS due to stupid settings of our network provider). After the whole day it was still working, I thought we will be not affected. No such luck, microsoftinternetsafety.net took our address as well, and the website + all services associated is inaccessible.

    Thanks a lot, M$!

  • by jrs235 on 7/1/14, 1:16 AM

    So on a different side topic, if the service was free and I assume the TOS from noip didn't guarantee an SLA, does this mean all the end users are basically out of Luke suing Microsoft for failure to properly resolve their domains?

    If the cliche isn't true, then I guess the next/new one is, if its free you're SOL.

  • by bobloblawblah on 7/1/14, 7:07 AM

    I use no-ip in conjunction with my phone. I get within 200m of home and my home computer gets wakeonlan'ed.

    Today that didn't happen.

    I had originally blamed no-ip for this...

    To me, Microsoft seems to be the bully and is now actually guilty of conduct No-IP was only peripherally involved in.

  • by Geiko on 7/1/14, 9:07 PM

    So shouldn't Spamcop.net (or anyone else) be able to seize microsoft.com, outlook.com and hotmail.com. They have been blocking those email servers for years due to spam sent from their domains and email servers.

  • by sakawa on 6/30/14, 9:16 PM

    I guess this is a shortcut to solve some problems. No-IP domains are used only by who hasn't a good infrastructure to support his infected network.

    And especially, why don't Microsoft take care of making his OS more secure?

  • by deniska on 6/30/14, 9:44 PM

    And I was wondering, why did my no-ip.biz subdomain stop working…

  • by davidu on 6/30/14, 9:18 PM

    This is an incredible action by Microsoft, and the courts.

  • by andmarios on 6/30/14, 9:28 PM

    Which dynamic DNS service will be next?

    But I have a better idea. Windows are an easy target for cybercriminals; maybe someone should step up and take Microsoft down.

  • by teddyh on 7/1/14, 7:46 AM

    I suddenly feel a lot better for having set up my own dynamic DNS solution. (Using plain Dynamic DNS and nsupdate(1) on the clients.)

  • by marcelocamanho on 6/30/14, 11:27 PM

    Oh.. That explains the issues we were having today. This seems to be affecting our no-ip even when we have no malware or threat.

  • by kurenyen on 7/2/14, 4:27 AM

    I've spent years of efforts on my site, people like it, now it's unreachable, fuck you Microsoft...

  • by johnnyxp64 on 7/1/14, 9:31 AM

    what the fuck is wrong with the world this days!!!??? are you all in prison because few morons stole something??? wtf Microsoft is wrong with you and you damn courts!???? i will sue you bastards because i am loosing money due to your stupid actions!!!!

  • by bluejellybean on 6/30/14, 11:28 PM

    Holy fuck... if this doesn't get solved my company is dead in the water...

  • by Nanzikambe on 7/1/14, 10:42 AM

    There are serious problems with this, firstly that it's technically impossible to implement effectively, beyond that it's extremely impractical. Any benefit will be so so transient as to render the entire exercise pointless.

    For the moment, let us ignore the scary implications of the court's part in this and consider this from a technical perspective in a logical manner:

    The hypothetical sub-domain abc.no-ip.org resolves to 1.2.3.4, a host somewhere that contains malicious payloads, is botnet C&C or is a member of a botnet. In any case, he's the bad guy - one of the people Microsoft are looking to exclude from the Internet.

    So how can this be accomplished? Let's ignore for the moment that the bad guys are free to use any other dyndns service they please and assume that no-ip is the only one.

    Approach 1

    ----------

    Every time a host connects to no-ip to update its IP, Microsoft scans tcp & udp ports of the host looking for known C&C services, scans hosted data (public web or ftp). This will simply result in the bad guys hiding all of this in an undetectable manner, many bot-nets already use either Tor or SSH for C&C - without authentication it will be impossible to differentiate Joe Average with an SSH or Tor exit from the "targets".

    As for scanning for content, this is possible assuming the content has to be public (ie. malicious payload) but even then, it's not practical - payloads can be hidden in anything and obfuscated beyond detection. Essentially all that's accomplished is another arms race based around signature detection for malicious content, with the disadvantage that unlike AV solutions this scanning is conducted remotely and the scan source is known. So the malicious guy with 2 or three lines just uses a stateful firewall to point microsoft's "scanning service" to good content, everyone else to the bad.

    So what other options are there? A blacklist of IPs? Well, they're dynamic IPs, sooner or later you'll end up with every dynamic IP in the entire ipv4 range blacklisted as the bad dudes just release/renew.

    Then there's banning the sub-domains/users! Also impractical because for each user and domain you ban, another will emerge.

    Approach 2

    ----------

    Microsoft resolves every request for abc.no-ip.org to their own service, all the time, this service performs stateful packet analysis before forwarding it on to the destination host. Impractical because you're essentially routing all no-ip traffic via Microsoft and once again you can only filter what you can detect -- and once the requests themselves are encrypted, that becomes impossible. This is effectively a MITM attack.

    All the while we've assumed no-ip is the only alternative, it's not - and many others are beyond Microsoft and the courts jurisdiction. So ultimately the only way this "approach" could be temporarily feasible is if all Internet traffic were routed through Microsoft's service. So effectively you need to give control of every domain, TLD, ipv4 and ipv6 range to Microsoft. Not workable.

    Someone is bound to point out that Microsoft's approach in this may be distributed, agents running on installs of their operating system which does address some aspects of my points above, but once again -- if Microsoft is capable of implementing effective detection on the workstation, remind me again why any of this is needed?

    I must be missing something fundamental.

  • by sadfaceunread on 6/30/14, 10:21 PM

    Anyone got a link to the TRO? Is this part of the public record?

  • by notsoMicrosoft on 6/30/14, 11:01 PM

    Appears as though Level 3's dns servers are still pointing where they should.

    4.2.2.2

    4.2.2.3

    4.2.2.4

  • by vfclists on 6/30/14, 9:05 PM

    Loads of self-congratulating tripe. Microsoft why don't you simply provide free OS upgrades or fixes for the millions of XP computers out there? They are not going anywhere soon.

    Next thing we know your lawyers and lobbyists are going to come up with some legislative wheeze and you will be running the biggest botnet in the world. You created the problem so fix it yourself.

  • by moblahbl4hblah on 7/1/14, 10:50 AM

    All of you pant-shiting bitches...Oh Noes! MS took down a botnet...what's to stop the court from giving my TF2 hosting domain?

    Grow up. You guys bitch about malware. You bitch about MS. Mainly you just bitch...and talk about Haskell.

    It's boring.