No-IP says Microsoft was "heavy-handed" with their domain takeover

No-IP has released an official statement regarding the service outages that their customers saw on their domains early yesterday. Despite many people believing that it was a technical issue with No-IP's servers, it turns out that Microsoft served a federal court order and took control of 22 commonly used domains because it believed that some of the No-IP subdomains had been abused by “creators of malware.”

No-IP lost control of around 23 of their domains, with Microsoft redirecting traffic in hopes of stopping the spread of the Bladabindi (NJrat) and Jenxcus (NJw0rm) malware.

No-IP stated that after it got in contact with Microsoft, Microsoft said that its “intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve.” No-IP says, however, that this hasn’t been the case: Microsoft’s servers haven’t been able to handle all of the queries that customers have been sending in, resulting in millions of users being unable to access their services.

The company said that if Microsoft had been in contact with them before the takeover took place, they would have taken swift action to remove the offending sub-domains. Instead, Microsoft decided to be “heavy-handed” and went ahead and stopped access for millions of innocent users.

Source: No-IP


35 Comments


I hate to say it, but I actually agree with what Microsoft did

If Microsoft identified malware, but didn't no-ip? Sorry, but if your head's in the sand you deserve to get your ass pumped

I hear everyone saying that Microsoft was in the right, but now how would a dynamic DNS provider have ANY control over the software running on a user's PC?

How does no-ip differ from any of the other free dynamic DNS companies? It doesn't. This is only the first on Microsoft's chopping block. I have used no-ip for over a decade for legitimate uses. (Accessing my home security cameras, streaming music from my house, downloading files that I need for clients, etc.) I also have over 100 clients set up with this for remote desktop access to their workstations, servers, and point of sale systems where static IP addresses are either not available, would hurt security, or are not financially feasible.

By the same right of "spreading malware", Microsoft should have every one of their e-mail services shut down, every one of their operating systems disabled (Windows is BY FAR the highest host for malware now isn't it?), every web server shut down (after all, they're running some variant of Windows), and Skype shut down (I've seen viral infections pushed through the service previously).

Microsoft is no long arm of the law, if they wanted the service shut down, they should have gone through the proper proceedings. Not only does this make Microsoft look bad, but the US also.

If you read through the wording of the lawsuit against No-IP, Microsoft is going to get their asses handed to them, so this will only be a mere inconvenience for the malware writers, and a major inconvenience for people that depend on no-ip's services for day to day operations.

MS should have contacted them first. Maybe they did not know of the malware or what was going on. You hear things like that all the time. Malware sometimes is not the easiest thing to detect and no matter what you do, it finds a way in. A lot of times by a dumb user.

They did contact them first - they were ignored. Along with ignoring other security companies.

"Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity."

Microsoft is part of the security community

Well, just woke up this morning to find that several sites and services were down so I figure it had to be something related to DNS (then I went into no-ip site and found out the notice); also some routers only support DynDNS and no-ip, nothing more, so this is a problem if you wanted free DDNS.

This is affecting legit customers and while MS did a takeover, I find no-ip to be covering their asses right now by blaming MS. I somehow doubt that they didn't know anything about this until now (not even the requests MS most likely did for taking care of the malicious websites?).

Tell me about it...

I use no-ip for a simple redirect to my dynamic IP address so my friends can connect to my servers (mumble, games etc).

Now I need to look at alternatives to no-ip.

The courts allowed MS to take down a business because of flaws in MS's software? Instead, how about they patch the OS so that the worms can't infect? For people who don't update -- it's your own fault.

Why even bother? If people are stupid enough to download malware they deserve to get it. It isn't hard to avoid this stuff. Don't go to sketchy sites and you won't have problems.

Microsoft just went ahead and slightly irritated malware authors, in the meantime a crapton of legitimate users have been 'dealt with'. I've spent an hour trying to find my IP in some log to remotely connect to my stuff. Many people will have similar issues. It seems just like the US justice system has just gone and decided that admittedly hard to measure economic damage on a large scale should be ignored entirely. It has clearly been decided a good idea to hire Microsoft to fire a cannon at a mosquito. Granted, a very nefarious disease-carrying-mosquito-of-evil-hell, but that is beside the point. They were always going to miss the mosquito and of course have hit and damaged all the other things...

Everybody must get at least 3 warnings before taking other action. This is not fair. No-IP must protest it

utomo said,
Everybody must get at least 3 warnings before taking other action. This is not fair. No-IP must protest it

So we should let thieves get three warnings? Should we give someone that siphons out your bank account three tries? Should we allow 3 warnings for drunk drivers? Should we allow them to infect our PC 3 times and say hey please don't do it again because we asked nicely three other times and being the law abiding citizens that you malware people are I am sure you can understand and comply.

Not to mention it's pretty easy to do a search and find that other companies have listed no-ip domains as hosting malware for at least the last 6 or so months, and probably longer if I'd be willing to go back a few pages in search results. While I will reserve judgement on anything prior to all of the facts being presented, I do agree with other posters that it's hard to believe the company behind no-ip had no idea its servers were being used to host redirects to malware hosters. It would be interesting to know what they were doing about it, or weren't, that caused Microsoft to have to take the legal route to take these domains down.

I'll repeat what I said in the other topic about this issue. " I find it veeeery hard to believe that no-ip woke up one morning and came into the office to discover that the domains were taken." :huh:

xrobwx said,
I'll repeat what I said in the other topic about this issue. " I find it veeeery hard to believe that no-ip woke up one morning and came into the office to discover that the domains were taken." :huh:

That's exactly what happens when sting operations are used. It's a shock and awe surprise that doesn't give the bad guys a chance to react.
Unfortunately for no-ip, the bad guys were using their service, on the domains owned by them.

The bad guys were on their service. Unfortunately? Maybe. But there is a REALLY good chance that no-ip knew the people using their service were shady in the first place. I've found that these things usually don't happen by accident.

What a load of nonsense, it took me 5 minutes to bypass the problem (once I knew what it was). I'm sure any malware distributors would do the same.

Meanwhile there are millions of legitimate users who can't access their domains/email etc etc.

I personally lost 55 emails (according to the DMARC RUA report sent to me) due to Microsoft incompetence and taking down no-ip.

xrobwx said,
"I find it veeeery hard to believe that no-ip woke up one morning and came into the office to discover that the domains were taken." :huh:

Microsoft's actions are tantamount to criminal. They have taken down millions of legitimate hosts. The courts of the USA should be ashamed of themselves and taken to task for even entertaining such a ludicrous request.

NO-IP and their clients are the victims here, in case you don't get it, victims have no prior knowledge about the crime or attack that they are about to befall, otherwise they WOULD be able to take counter actions to avoid them.

18 hours later my original no-ip hostname is still "not found"
Criminal Microsoft, CRIMINAL!

dvb2000 said,

Microsoft's actions are tantamount to criminal. They have taken down millions of legitimate hosts. The courts of the USA should be ashamed of themselves and taken to task for even entertaining such a ludicrous request.

NO-IP and their clients are the victims here, in case you don't get it, victims have no prior knowledge about the crime or attack that they are about to befall, otherwise they WOULD be able to take counter actions to avoid them.

18 hours later my original no-ip hostname is still "not found"
Criminal Microsoft, CRIMINAL!

"On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company's 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats."
http://blogs.technet.com/b/mic...nth-malware-disruption.aspx
I don't think Microsoft's actions could really be classified as criminal.

Additionally, I'd hope that as part of the court process for this, they would have had to demonstrate that existing anti-abuse processes are not suitably effective. I agree that the inconvenience for users is pretty severe, but the statement on the No-IP website is worded so as to try and shift blame to Microsoft. Without the details of communications that went on prior to the seizure, no-one can really lay the blame accurately.

"The company said that if Microsoft had been in contact with them before the takeover took place, they would have taken swift action to remove the offending sub-domains." // Right. That's why they didn't do anything with it before Microsoft stepped in.

Dot Matrix said,
"The company said that if Microsoft had been in contact with them before the takeover took place, they would have taken swift action to remove the offending sub-domains." // Right. That's why they didn't do anything with it before Microsoft stepped in.

What MS did was rude.

Next, I will put a malware site on MicrosoftOnline.com, then I will demand to take over those sites. And finally, I will own MicrosoftOnline.com for free.

Brony said,

What MS did was rude.

Next, I will put a malware site on MicrosoftOnline.com, then I will demand to take over those sites. And finally, I will own MicrosoftOnline.com for free.

The problem comes when Microsoft tells no-ip that they're planning on taking down the majority of control points for the malware, and no-ip decides to turn off the sub domains and issues a warning to the account holder.

The malware owners will know something is afoot and possibly update their zombies before Microsoft has a chance to cut all their connections to gain control over the malware/botnet etc.

Because all no-ip users use a subdomain, it is hard for Microsoft to do anything other than being overly heavy handed, as their subdomain records are not just on internic root DNS server, but rather in-house on no-ip's DNS servers and, by that extension, whatever no-ip accounting service machines they've set up to automatically manage the no-ip subdomains with said accounts.

So sometimes, certainly in examples like this, it's hard for Microsoft to work with law enforcement agencies and these companies who are offering a service using these domains when the malware creators are quite advanced now.

I wouldn't be surprised if the malware control points were on other services as well as no-ip's that have been taken down as well. Maybe like the free domains from cu.cc, but they won't affect other users other than the malware since the domain takedown only affects the one domain name owned by the malware.

If I was creating malware where I needed to ensure I kept control, I'd certainly have multiple control points over several different services. I'm sure we've seen zombies on IRC as a control point, dns as a control point, payloads via services such as no-ip as control points etc.

Seems a bit idiotic on your part. What MS did was the correct thing to do, if a provider can not take care of security on their own and turn a blind eye to it and it starts to affect MS customers and or services then MS has every right to go in there and shut them down. If more companies were this responsible we would have half the ###### floating around just waiting to cause a disaster. WELL DONE MS.

Plenty of spam/viruses/malware originates from hotmail and outlook email addresses.

Think I'll apply for a court order to transfer them to myself. Wouldn't impact much would it? - only the hundreds of spammers and malware emails going around!