Microsoft takes down No-IP DNS domains in cybercrime fight - right or wrong? [POLL]

Filed Under: Botnet, Featured, Law & order, Malware, Microsoft

noip-170Four days ago, Microsoft went to court in the USA.

As a result, the company succeed in grabbing temporary control of 23 internet domain names from a company called Vitalwerks Internet Solutions, based in Reno, Nevada.

Vitalwerks, which offers what are known as dynamic Domain Name System (DNS) services, is much better known by its trading name, no-ip.

You're probably thinking, "How can you have an internet connection with no IP number?", and, loosely speaking, you can't.

But many users don't have consistent IP numbers, those digital addresses that identify your computer, or at least your network, and look something like 198.51.100.75.

Many ISPs use what are called dynamic IP numbers, allocated to your computer (or your network router) when you connect to their service.

When your router reboots, or your 3G modem reconnects to the cellular network, you sometimes end up with a new IP number, handed out from a pool of avaialble numbers.

→ The purpose of dynamic IPs is to make IP numbers go further, and to allow ISPs to service more customers than they have IP numbers allocated to them. Otherwise, an ISP with 65,000 IP numbers at its disposal could never reliably sign up more than 65,000 customers, even if no more than half of those customers were ever connected at the same time.

Provided it doesn't change in the middle of an online transaction, exactly what IP number you have doesn't matter much.

At least, it doesn't matter for outbound traffic.

But if you want to run a server, or to let someone connect to you, then having a dynamic IP number, instead of a static one that survives router reboots and modem reconnects, is a real pain.

It's a bit like getting a new phone number: once every few years is OK, but twice a month would be far too often for convenience.

Dynamic DNS

What dynamic DNS services do is offer you a domain name service (more accurately, a subdomain name service ) that not only converts a human friendly name like visitme.duck.exmaple into an IP number, but also keeps that name-to-number mapping up to date whenever your IP number changes.

Best of all, at least for home users, is that many companies like no-ip offer a free version of their service, in the hope of attracting paying customers to their premium offerings.

That sounds like a win-win situation, but in the real world, it can end up a bit more of a win-win-lose.

That's because free dynamic DNS services are of special value to cybercriminals.

By signing up for thousands of free accounts, they get someone else to do the hard work of keeping a large and innocent-looking list of static computer names reliably hooked up to an ever-shifting raft of malware distribution servers.

If they hack into your network today so they can use it to serve up infectious webpages, the dynamic DNS service will happily point their victims at your server.

But if you spot the attack and clean up the server, it's a matter of moments for the crooks to get their dodgy hostname redirected to someone else's hacked server to keep the cyberscam alive.

That's because dynamic DNS services are designed to make it easy to update DNS records, and to tell the world quickly about the changes that just happened.

→ DNS replies include a number, expressed in seconds, called time-to-live (TTL), during which a computer should cache that reply to use again. Typical values are 300 (5 minutes), 1800 (half an hour) and 3600 (one hour). This reduces the load on the overall DNS infrastructure a lot, but a large TTL means that a change in your IP number can take a while to propagate. Dynamic DNS services often use a TTL of 60 (one minute) to improve switch-over times.

18,000 homes for cybercrime

Microsoft convinced the court that no-ip's free dynamic DNS domains were home to at least 18,000 servernames in active use by zombie malware, or bots.

Redmond even named two of the most common bots that allegedly use no-ip as part of their infrastructure, together with the men they claim run those bots.

Indeed, Naser al Mutairi, allegedly running the Bladabindi malware as a business out of Kuwait, and Mohamed Benabdellah, alleged author of the Jenxcus malware out of Algeria, are explicitly named as defendants in the court documents, along with Vitalwerks.

Longstoryshort, of course, is that temporarily taking over no-ip's free dynamic DNS domains didn't just nobble the 18,000 hostnames that helped Bladabindi (Sophos name: Troj/BBdindi-A) and Jenxcus (Sophos name: VBS/Autorun-CAI) do their dirty work.

Collateral damage

The takedown affected lots and lot of other users, who had the misfortune to use the same service for perfectly innocent purposes.

One school of thought is that 18,000 cybercrime domains on one provider's infrastructure goes beyond what is reasonable; indeed, the court repeatedly used the words negligent and negligence.

The collateral damage to legitimate users is regrettable, but a necessary and practical part of fighting cybercrime.

Another school of thought is that legitimate users should not be made to pay for the alleged crimes of Messrs Muatairi and Benadbella, especially if the collateral damage could potentially affect millions of users in return for stopping just 18,000 dodgy hostnames from working.

The collateral damage is out of scale to the benefits that it might bring in dealing with a tiny part of the cybercrime ecosystem.

Which side are you one? Vote in our poll...

NB. According to Ars Technica, Microsoft has now given up those 23 seized domains, of which 18 have already been restored to no-ip. Whether Microsoft already got far enough in its anti-cybercrime activities or decided that it should err on the side of public access (or both!) is not yet clear.

, , , , , , ,

You might like

30 Responses to Microsoft takes down No-IP DNS domains in cybercrime fight - right or wrong? [POLL]

  1. JamesUK · 27 days ago

    Seems like they are talking about proxy farms, so the ISP's have even more control over your data.

    • Vladimir · 27 days ago

      Microsoft went over the board, see details on no-ip's blog.

      They should have contacted no-ip and remove the offending 18,000 hostnames.

      Here is a quote from the Monday blog post on the No-Ip:

      "Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.

      We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors."

      Apparently Microsoft failed to filter the offending host names, DNS resolution for the affected domains was down.

      I personally had to re provision two (2) VPN endpoints with a dynamic IP. Connectivity was interrupted for several hours as I needed somebody on site to enter the new hostname in the device. And I am a paying customer, just happened to chose one of the domains Microsoft decided to shut down.

  2. VL-S · 27 days ago

    Sorry Paul, I'm a little sleepy here. Are you saying the the 18,000 dodgy hostnames "mapped" into the 23 internet domain names?

    • Paul Ducklin · 26 days ago

      Yes. The way many free DNS hosting services work is that instead of giving you a free domain all of your own (you'd have to convert a lot of freebies to premium service for that :-), they register a bunch of cool-sounding domain names, e.g.

      findme.example

      and then let you have a subdomain of your choice off that, such as:

      duck.findme.example

      If you register as 1000 different people, you could quickly have 1000 different hostnames under "findme.example" (for example to use as URLs in spams to link your victims to malware sites), each with its own tweakable-at-will IP number.

      A previous example involving a Microsoft takedown was cz dot cc, owned by one Dominique Alexander Piatti, for being a "fraud-friendly" domain under which cybercrooks were registering loads of bogus subdomains to use in criminal activity:

      http://nakedsecurity.sophos.com/2011/09/29/microsofts-botnet-shutdown-wont-stop-mac-malware/

      Another was 3322 dot org, which was returned to its original owner after he agreed not to be sloppy about cybercrooks any more:

      http://nakedsecurity.sophos.com/2012/10/05/microsoft-settles-lawsuit-against-3322-dot-org/

      There were 23 such domains in the no-ip case, allegedly having provided more than 18,000 subdomain DNS entries for crooked sites. (Take a look at the court materials linked to in the article for more detail.)

  3. Walt · 27 days ago

    Impossible poll. Neither option appropriate.

    Option 3: Yes, but the problem needed to be addressed. The 18,000 zombie users are also victims (maybe more so) along with the "millions" of totally innocent users. This needed a sniper's tactics - not a nuclear bomb.

    In a total LEO-supervised lockdown (but NOT shutdown), the source perpetrators should have been arrested/detained/fined/jailed, the 18,000 zombie users should have been isolated from the millions of others who'd be left undisturbed, the zombie machines should have been repaired (in-house, remotely, new IP transfers with instructions & hotlines to remove the malware until all fixed - including refunds and credits).

    Then the ISP & senior officers personally fined for all expenses of all involved/affected not covered by perpetrators for failure to detect & avoid the problem when the business model was a magnet for such activity - the ISP & officers forced into bankruptcy with non-disruptive sale of accounts to another responsible ISP with no negative impact on the customers.

    • Paul Ducklin · 26 days ago

      I'm intrigued that you talk about solving this with a sniper's bullet, not a nuclear bomb (careful with those analogies) and then go into detail about an operation on an even larger scale than what Microsoft proposed...in your scenario, you've got the entire ISP shut down, the owners forced into receivership, and the business disposed of to a competitor in a fire sale. Sure sounds a bit thermonuclear to me.

      So. In answer to the question, "Was Microsoft's takedown OTT?", are you saying "Yes" or "No"?

      • JR · 23 days ago

        Can someone explain how Microsoft has legal standing to take over another company's DNS. Sounds like Microsoft has the flaw that allows such nefarious activity to occur... instead of hiring more lawyers, maybe they should hire more programmers.

        • Paul Ducklin · 22 days ago

          I think you answered your own question, in part, with the adjective "nefarious." Blaming Microsoft for a DNS server SNAFU because it is possible to write malware for Windows seems a little far fetched. If you happen to live in a crime-ridden neighbourhood, and keep getting burgled, are you suddenly not the victim but the cause of the criminal activity?

          • JR · 16 days ago

            No. But if I -KNOW- there is an issue and I take no action of my own to remedy the problem (buy a dog, install a fence, get an alarm system, find a safer neighborhood, etc.), then I'm not being prudent. If all I do is rely on 911 to protect myself, I can only point the finger at myself.

  4. RobRoy · 27 days ago

    How does No-ip compare with aka-dns services which are/were used by large vendors like Microsift to automagically point to their own mirror sites depending fom where you are trying to reach (resolve) them? From memory most of these answers had very short TTL settings. Was that also to provide some network controlled load-balancing and/or redundnacy?

    • Paul Ducklin · 27 days ago

      Short TTLs are common on content delivery networks, too, as you point out, so that traffic can be bounced around more effectively under heavy load or spikes in traffic.

      I the difference here is that no-ip had a free version of its "move around rapidly on the internet service," and, in Microsoft's (and, apparently, the court's) opinion, didn't to enough to prevent abuse, either proactively or reactively.

  5. SumGuy · 27 days ago

    No wonder why my dvr is down. I use the service for my home security cam dvr box. My isp forbids the use of a home server. I use the service as a work around. I am not really running a server. I just want access to my cams on my phone and on a PC when I am not home for long periods.

    So rather than pay an extra 60 bucks a month for a static ip and a 2 year contract, I used this service. Now I have to find another. Messed up part is I had to find out this way.

    I am using the service legitimately

  6. Andrew Ludgate · 27 days ago

    I didn't end up voting, although I am one of those affected by Microsoft's action.

    I think Microsoft taking control of the domains to shut down the malware *could* have been the best move, but to me it is still unclear as to whether the way it was done was the best choice.

    No-IP alleges that they already have open lines of communication with Microsoft and that they had received no prior warning from Microsoft as to the proposed action, or indeed, the malware subdomains being hosted on their service.

    On the flip side, while No-IP has a number of systems in place to catch and drop malicious activity, these two botnets were obviously circumventing those systems -- and due to the number of systems involved, it should have been pretty obvious what was going on (new free subdomains suddenly spiking in lookups, then starting to be continuously reassigned to new IPs all over the world should be one of those cases immediately raising a red flag).

    At the end of the day, Microsoft's servers did not appear to be prepared for the kind of traffic they were hit with when they started handling the subdomain lookup and updating traffic, which caused loss of service for many. This could have been avoided had Microsoft moved a bit more slowly and worked with No-IP before taking control of the domains.

    But there could have been very good reasons for them to want to move quickly; we haven't heard from anyone yet in what motivated such quick action following what appears from the outside to be a very quickly processed suit and court order.

    Under the circumstances, the court's decision seems reasonable, but maybe such orders should carry a few more stipulations in the future to safeguard such processes.

    • Paul Ducklin · 27 days ago

      Points well made. To those who are saying, "But why didn't Microsoft just ask no-ip to sort this out?", the court documents certainly imply that this was beyond just asking nicely. The malware involved here has been around for months/years and the takeover involved a massive effort.

      When you look through the raft of information Microsoft had to prepare for the court, I think it is reasonable to infer that the folks at Redmond would have preferred to sort this out merely by asking...

      This sort of takedown is not new, so you can argue that no-ip ought to have been aware that the courts have certain expectations in respect of service providers making things tougher for cybercrooks, and ought to have been aware of the sort of problem that inaction against rampant abuse might cause for them and their users, e.g.

      http://nakedsecurity.sophos.com/2012/10/05/microsoft-settles-lawsuit-against-3322-dot-org/

  7. Farid · 27 days ago

    this dilemma is similar to situations where terrorists take refuge in populated areas and among civilians; any heavy handed response tends to cause more harm to innocent civilians than to terrorists. The difference is that in the case of DDNS abuse, it is much easier for the innocent to move to a safe place.

  8. Deramin · 27 days ago

    I think this particular take down did more harm than good. Microsoft should have taken that list to No-IP first, who by all accounts are responsive to take down requests. No-IP was only able to find 2,000 miscreant host names - a far cry from 18k, and a truly appalling amount of collateral damage - which calls into question how Microsoft calculates malicious hosts. This could damage future take down cases from Microsoft, making us all less secure. A reputation is a very hard thing to repair.

  9. Anonymous · 27 days ago

    the yes and no responses do not match the problem, the question is whether the response was accurate.

  10. If you look at the costs to someone that has a computer and wants friends and family to be able to have access to the devices, then the NO-IP option is a viable option as it's low costs makes it affordable to home users. When I checked this, it amounted to a 50% hike in costs to have a static IP address. Mine about doubles when requesting a static IP, because Cox considers it a commercial item, at least in their pricing structure.

    It also seems that there were a lot less than the 18,000 malware people when 18/23 (78.2%) were quickly released and how many of the remaining percent will be found not guilty or even involved? I hope you keep track and publish those results.

    All in all, it may be an easy way to deal with malware, if so it seems that the NO-IP people and others like them have done a pretty well in keeping large amount of the malware away from their sites. Especially if you look at all amounts of malware, in contrast.

    No matter what we think when a warrant is issued, we need to give the information to them in order to keep illegal actions in check. How many of you wined when they did large data sweeps? Is this another? The whole site was take down if I understand correctly.

    When judges OK warrants for computer areas, they need to restrict it to a small number, hopefully a warrant for every user, that would ensure grater control over the wide netting of data. Most of these appear to be fishing expeditions and this practice needs to be curbed. Unfortunately, Law Enforcement has a difficult time in keeping up to date. Since there is little monies for this compared to putting non-violent drug users away and seizing as much of their assets as possible.

    Of course this is an opinion, and like ......s we all have one...

    Jack

  11. Anonymous · 27 days ago

    Leave it to Microsoft to attack the technology rather than the criminals. Home servers are becoming more and more common for non-illegal activities. I use it myself (just not this particular company) to easily connect to my home resources from my office. Dynamic DNS is a convenience for home users who run their own servers. Shutting down DDNS providers will not prevent rogue servers with illegal intent. At best it will just slow them down as a stop-gap measure. It would be like deciding to shut down a major interstate because some bank robbers used it when they were escaping in a car - serious overkill inconveniencing thousands for only a band-aid fix.

    • Paul Ducklin · 27 days ago

      Your analogy is slightly flawed - a better one would be that it's like closing a major road (one you can detour from if you want to, unlike a freeway) because there's some trouble going on ahead right now. That's actually quite common in many countries - for example, if there's a multi-car pile up, and the authorities want to make it easier for emergency services to access the collision site, the road is closed off to regular traffic.

      To all the people inconvenienced, the unspoken message is, "Be thankful you're not in the pile up, and remember that if you were, other people would be made to wait so that you could be helped."

      As for this not being a true solution, I think all of us at Naked Security agree that getting rid of the infected zombie computers in the first place is the best way!

      Nevertheless, not taking action merely because the crooks will just find somewhere else to hang out is a bit of a cop out.

      The question does remain whether Microsoft's claimed 18,000+ infectious hosts served by no-ip (not all of which seem to have been active when the takeover happened) is a fair balance for the 18,000,000+ users claimed worldwide by no-ip (not all of whom were affected by the takeover).

      How bad should a dynamic DNS service provider let things get before getting proactive against abuse? (See @Andrew Ludgate's well-argued earlier comment on that issue.)

  12. Grant · 27 days ago

    This should come as no surprise. Anyone remember mikerowsoft.com?

    https://en.wikipedia.org/wiki/Microsoft_vs._MikeRoweSoft

    • Paul Ducklin · 27 days ago

      Bit of a long bow, don't you think, to compare those two cases? You could easily and consistently be in favour of Microsoft in one case and not in the other.

  13. Theodore Cheeze · 27 days ago

    I see both sides of your argument; however, there is one little thing that tilts the scale to Microsoft's side, the ability to be anonymous. I realize the company also offers paid services, but they apparently provide the FREE service with complete anonymity. You get what you pay for. I get similar service from a different company but they at least require users to provide verifiable contact information. Their terms require you to verify your contact info via an emailed verification link at least once a month. This has probably kept out most unwanted cyber criminals. They even offer a more enhanced free service if your are willing to verify your identity, which also stops the monthly verification process. If your willing to be truthful about who you are they're willing to give you some additional features and stop nagging you.

    • Paul Ducklin · 27 days ago

      Most "click here to stay opted-in" emails are (in my experience) fairly easy to process and this "verify" automatically. All they really do is verify that the email address you gave can receive emails that someone, or some computer, will react to.

      If I were a free DNS provider, the reason I'd want a 30-day "reconfirm" email is so that people who weren't serious about the service could be removed from my DNS database, just to keep things neat and tidy, mainly for performance reasons. I don't think I'd want to claim that reconfirm emails formed any sort of effort at "know your customer".

      I used to use a free DNS provider that treated an IP number change as an automatic reconfirmation, so merely forcing my server to reboot every 28th day did the trick :-)

    • Deramin · 26 days ago

      One issue major issue in this case was that the crooks were only targeting the free service, but members of the paying service also got knocked offline. They have far more reasons to be furious (probably at both sides) over what happened.

      • Paul Ducklin · 26 days ago

        True. Though, knowing that the freebie domains might become polluted much more easily than the paid ones, perhaps no-ip might have kept the two parts apart, if you get my drift? (With the DNS infrastructure split in half, it might have been possible for the court to give control of the allegedly risky half to someone else, dividing up the operation by DNS server, not by domain name...)

  14. Niall · 27 days ago

    The answers in your poll are no good. While I can understand no-IP being considered negligent, there is no justification for Microsoft getting control. The crime, if any, was not a crime against them. It's like me personally suing a bank for their negligent investments and taking control of the entire thing. It's well out of proportion.

    • Paul Ducklin · 27 days ago

      I hear you...

      ...but who should take temporary control if something is to be done? And who would fund it? Microsoft, bless 'em, did offer to do both :-)

      I think a better analogy would be that if a company owed you loads of money and wasn't getting it together to pay you, you might apply to have the company put into administration (is that "Chapter 11 protection" in the USA?) in the hope that the administrators might trade the company back into safety, save some jobs, and end up being able to pay off its debts more honourably and completely that if you applied to the court to pull the plug and put into receivership. (Is that "Chapter 7" in the USA?)

      It certainly sounds as though (see @Vladimir's comment) that Microsoft (the "administrators") were ready to put up the time, the effort, and the services to filter out dodgy DNS requests that the court thought no-ip ought to have done itself...but that it all went pear-shaped and, loosely speaking, caused a DoS.

      So, I stand by the answers in the poll, because they are pretty straightforward. The question is, "Was this over the top, or not?" Answer "Yes", or "No." You sound like a "Yes" to me. Not sure what other answers there could possibly be, except for "Maybe," which always seems a rather limp option in a poll.

  15. roy jones jr · 24 days ago

    They're on the fence Paul, and upset because they couldn't get on Hulu for a while. smh
    And while I feel for those that actually needed their internet (for actual business) taking the network down for a while? that was needing to be done. Read that again people; needing to be done. And in the IT world, there isn't always a "proper workaround". If people had to be down for a time, then so be it.

  16. In 2005 I used this service for a legitimate business as we had a dynamic IP and didn't want to pay the additional cost per month for a static?

    I still don't get what NO-IP did wrong?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog