Microsoft No-IP Takedown

Published: 2014-07-01. Last Updated: 2014-07-01 12:02:46 UTC
by Johannes Ullrich (Version: 1)
17 comment(s)

Microsoft obtained a court order allowing it to take over various domains owned by the free dynamic DNS provider "No-IP" [1]. According to a statement from Microsoft, this was done to disrupt several botnets [2]. However, No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked [3]. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legitimate No-IP customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legitimate domains far outnumber the malicious domains, Microsoft is only allowed to block requests for malicious domains.

Microsoft apparently overestimated the ability of its Azure cloud service to deal with these requests.

In the past, various networks blocked dynamic IP providers, and dynamic IP services have been abused by criminals for about as long as they have existed. However, No-IP had an abuse handling system in place and took down malicious domains in the past. The real question is whether No-IP's abuse handling worked "as advertised" or whether No-IP ignored takedown requests. I have yet to find the details on that in the lawsuit (it is pretty long...) and I am not sure what measure Microsoft used to prove that No-IP was negligent.

A similar justification may be used to filter services like Amazon's (or Microsoft's?) cloud services, which are often used to serve malware [4][5]. It should make users relying on these services think twice about the business continuity implications of legal actions against other customers of the same cloud service. There is also no clearly established SLA for abuse handling, or for what level of criminal activity constitutes abuse.

[1] http://www.noticeoflawsuit.com
[2] http://blogs.technet.com/b/microsoft_blog/archive/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption.aspx
[3] http://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/?utm_source=email&utm_medium=notice&utm_campaign=takedown
[4] http://blog.malwarebytes.org/fraud-scam/2014/04/cyber-criminals-interested-in-microsoft-azure-too/
[5] http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/16/amazon-is-a-hornets-nest-of-malware/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords: microsoft noip

Comments

Kaspersky seem to think this has been effective: http://www.securelist.com/en/blog/208214339/Microsoft_seizes_22_NO_IP_domains_disrupts_cybercriminal_and_nation_state_APT_malware_operations

I have been a loyal customer of NO-IP since 2003, and have used a variety of their service. I have NEVER had any issues with them, and their support is the best in the business (IMHO). I stand by them and believe them over Micro$oft any day!!

Their Formal Statement is from their site:

https://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/

If you've ever tried to work through one of these companies' processes to address a fraudulent domain or hosted service, you might appreciate Microsoft's actions. While they are convenient, I'm not sure they are entirely professional, and they often just protect the bad guys that are paying for their generic services.

[quote=comment#31335]If you've ever tried to work thru one of these company's processes to address a fraudulent domain or hosted service, you might appreciate Microsoft's actions.[/quote]

Sorry, but I have to call BS on that. Microsoft takes weeks to follow through with Azure abuse complaints.
Considering they've disrupted dynamic DNS services for both free and paid subscribers of NO-IP alike, for millions of legitimate users, the claims within their order are rather infuriating.

"III. The Balance Of Hardships Tips Sharply In Microsoft’s Favor ....Cutting communications to No-IP sub-domains confirmed to be enabling
malware will prevent Malware Defendants from sending instructions or additional malware modules
to infected personal computers during that time and will preserve the evidence of the malwares’
operations and illegal activities. Defendant Vitalwerks will suffer no harm if a TRO and preliminary
injunction are issued because Defendant derives no known income from the operation of its free
Dynamic DNS service
....
If there is any legitimate activity carried out on the No-IP sub-domains, it will be allowed to proceed under the terms of the proposed order with no disruption.
...
Similarly, there will be only negligible impact on the third-party domain registries that will
need to implement part of the proposed order."

Doesn't it sound horribly Orwellian that Microsoft can present itself as an authority on Internet security, especially when the IT solutions being used (by NO-IP) are not at all related? And what about the fact that a judge is willing to give them the credit?

The only justification I see is that Windows machines are being compromised.

Still trying to find a similarly disturbing analogy; the vehicle or arms industry comes to mind right now...

There are several other domains that are run by noip.com that can be added for free. Someone using the noip.com website can create a new entry and select the ddns.net domain and paste the IP that was previously functioning under no-ip.biz as the address. That should restore operation and not be at risk for being taken over because the domains are 'new' according to no-ip support.

I don't understand why the court is giving Microsoft policing powers.
This is clearly a case that should have been handled by the FBI, and not the Microsoft Police.
Guess the court was fooled by Microsoft. The next thing we will see is that Kalashnikov wants to take over the factories of Colt, as their guns have been used to kill Americans. Then deliver only to the Military, and sell the rest to war mongers abroad.

Lots of people complaining about the evil Microsoft. But I haven't read anyone's opinion that offers a solution. Whether this action by Microsoft is fair or not, it has disrupted 25% of the APT actors that were monitored by Kaspersky. I see that as a positive. If you disagree, what would you propose? Leave the malware in place because it's "fair" to the legit users of no-ip? Send an email to the "bad guys" and ask them to stop being naughty? File papers with the Russian, Chinese, Romanian etc. courts? I'm just curious what alternatives you are proposing in this game?

[quote=comment#31347]Whether this action by Microsoft is fair or not, it has disrupted 25% of the APT actors that were monitored by Kaspersky. I see that as a positive. If you disagree, what would you propose? Leave the malware in place because it's "fair" to the legit users of no-ip?[/quote]

I propose banning the internet, and requiring that every single computer be powered off.

This will be much more effective at stopping APT than disrupting one internet service, as it will disconnect nearly 100% of the bad actors.