Microsoft Takes Down No-IP.com Domains

An anonymous reader writes For some reason that escapes me, a Judge has granted Microsoft permission to hijack NoIP's DNS. This is necessary according to Microsoft to thwart a "global cybercrime epidemic" being perpetrated by infected machines running Microsoft software. No-IP is a provider of dynamic DNS services (among other things). Many legitimate users were affected by the takedown: "This morning, Microsoft served a federal court order and seized 22 of our most commonly used domains because they claimed that some of the subdomains have been abused by creators of malware. We were very surprised by this. We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives. ... We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening."

Sue them for all they're worth

This is their business the court decided to hand over to Microsoft. Lawsuits should be flying in all directions.

Re:Sue them for all they're worth

[Sun]

Also, apparently No-ip didn't appear when summoned. Apparently, that's kinda of a big no-no. Maybe next time they will buy their domains somewhere with proper laws.

IANAL. All of this is from following legal procedures.

Not showing up is a big no-no. A judge can, usually, assume that the party not showing up has nothing to say in the matter, and just accept the petition as is. This is, however, not what happened here. From the first link:

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP.

Emphasis mine.

An Ex-Parte petition is filed without the other side being given a chance to answer. This is outrageous act by Microsoft. You ask for an ex-part hearing when there is danger that the other side, if given prior warning of your requested subpoena, will destroy evidence. Since Microsoft is claiming that no-ip are unknowingly hosting malware, this simply wrong.

Before you go to blame the judge, however, please bear in mind that he can only rule based on the petitions before him. Presumably, a two-party hearing will be held soon, and then things can, and should, go differently. Also, the judge should have ordered Microsoft to place some money in escrow, which no-ip will automatically get in case the temporary restraining order is found to be unjustified.

What I'm saying is that we don't have enough information so far to conclude that the judge did anything wrong, but the first link, written by Microsoft, clearly shows MS to be douche bags in this case.

Shachar

Re:Sue them for all they're worth

[NotSanguine]

Emphasis mine.

An Ex-Parte petition is filed without the other side being given a chance to answer. This is outrageous act by Microsoft. You ask for an ex-part hearing when there is danger that the other side, if given prior warning of your requested subpoena, will destroy evidence. Since Microsoft is claiming that no-ip are unknowingly hosting malware, this simply wrong.

Before you go to blame the judge, however, please bear in mind that he can only rule based on the petitions before him. Presumably, a two-party hearing will be held soon, and then things can, and should, go differently. Also, the judge should have ordered Microsoft to place some money in escrow, which no-ip will automatically get in case the temporary restraining order is found to be unjustified.

What I'm saying is that we don't have enough information so far to conclude that the judge did anything wrong, but the first link, written by Microsoft, clearly shows MS to be douche bags in this case.

Shachar

According to the Microsoft blog post linked in TFS:

...In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large. We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. The social media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cybercrime is indeed a global epidemic.

And:

No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains.

[Emphasis Mine]

So, Microsoft is alleging that No-IP is assisting (presumably knowingly) in the distribution of malware and that 93% of No-IP's domains are vehicles for malware distribution. Is this true? I don't know, but I kind of doubt it.

What's next, a RICO prosecution for the owners of No-IP?

only an excerpt

[JoeJohnson2175]

If a judge granted permission, I have feeling that a domain name service provider may have been guilty of alerting their customers to legal intentions. Which gives credence to locking it down before a new sub-domain is created to deliver the same traffic. While I don't side based on a brief, I don't make adverse statements. I can only surmise.

Hotmail?

So after decades of the community putting Microsoft on notice that HotMail is abused by spammers, can I sieze the domain name?

Legal Precedent?

[wisnoskij]

What is the legal precedent for taking ownership of a company's assets (without apparently even informing them beforehand) and randomly giving them to some other company to use? How is that even a legal possibility?

Re:Legal Precedent?

No, they seized control of the entire business -- the top-level domains, the second-level domains engaging in criminal activity, and all of the second-level domains who were not engaging in criminal activity. The right way to do this is to get a court order to seize the infringing addresses and leave the millions of customers who did nothing wrong alone. This is like the FBI seizing an entire rack or datacenter from AWS because someone served child pornography from a t1.micro instance, and then letting the accusing party respond in any way they want to all of the non-criminal traffic for the next six weeks. The collateral damage is completely unacceptable.

No customer notification

[Stealth+Dave]

While I fully blame Microsoft for creating this mess, I'm somewhat dismayed that as a customer I'm finding out that my service is down from a news outlet rather than from noip themselves! I've been using their sub domain wildcard service for 7-8 years now and have just now found out that it's down. I'm none too happy about being thrown out with the bathwater!

Re:How about a home brew dynamic DNS system?

[Temkin]

I have a $10/mo VPS at a major datacenter with static IPv4 & IPv6 addresses that hosts the primary DNS server for my vanity domain. My house has plain old boring dynamic address DSL with filtered port 25, etc... I have a Raspberry Pi running light network services on the house net. It runs a cron job that runs pubkey ssh into a no-shell account on the VPS. When that happens, a script rips $SSH_CLIENT and does a quick compare to see if it changed. If it has, another cron job on the VPS fixes up a record in my vanity domain with a 60 second TTL.

OpenVPN gets me around the port 25 filter...

Why am I explaining this to a low four digit?

Well, fuck you very much

[FuzzNugget]

So *that's* why my DDNS suddenly went dark today, with no apparent explanation.

Port 80 forwarding to the right LAN IP. Server daemons are running. I can access all the services directly by WAN IP (not very useful). Updater client running just fine. No firewall configs in the way. No-IP reports the correct IP. No news posting on No-IP's website about any sort of outage or technical issues.

Well, I was lost -- that was everything. ... and that was all because of this horseshit? Guess what... I'm not even *in* the US, so now the US courts think they have jurisdiction over countries? (OK, that's not new)

Fuck all involved. Hope they get their asses sued to hell. And this judge canned for such a dumbass decision.

Take them to court over Windows

[future+assassin]

If it wasn't for the all the holes in WIndows then there's would't be as many people trying to distribute malware. MS themselves are the first in line as the root cause.

Taking over government functions

[AxeTheMax]

So MS has a 'Digital Crimes Unit' and the US courts allow it to carry out law enforcement duties. How long before they have their own policemen, courts and prisons? It goes together with the Microsoft tax I suppose.

Re:Malice? more like incompetence...

[DarkHelmet433]

I also suspect they've managed to botch the technical aspect of it as well.

Presumably the plan was to put their caching name servers in front of the real no-ip servers, and gather the mappings for the malware suspect sites and then blackhole them after getting what they want. The problem was that Microsoft's side appears to have melted down, thus taking everything down. They won't be getting logs, behavior analysis or anything, because its all a pile of wreckage in a crater. Meanwhile, all the "bad guys(TM)" have now had hours head start to delete their C&C node registrations while microsoft's servers are down. And now they've ticked off the no-ip folks, so I wouldn't expect them to be in a cooperative mood to try and help.

Bone headed all round. There's no other way to put it.

Re:WTF

And this is why we need Namecoin and other decentralized DNS solutions to take such matters out of the hands of the lawmakers.

http://namecoin.info/

Lawsuits will fly

IAAL (but this isn't legal advice). I noticed that it was an ex parte hearing, which is why this whole mess occurred. They're useful for preventing domestic violence, but ripe for abuse in all contexts. NO-IP should be moving for an emergency hearing and the whole issue should be resolved within hours. Beyond that, NO-IP should follow-up with a suit for damages (I suspect MS will pull the we-got-a-court-order card and NO-IP gets to respond back with you lied to the court. It all goes nowhere and they settle).

The more interesting aspect is the disrupted users. While MS moved against NO-IP ex parte, they apparently made assertions that they would keep the service functioning properly. They've failed there and suits are now possible for those failures. More interestingly, however, is whether MS was recording, manipulating, or in any other way playing with the traffic. If so, there are some excellent wiretap statutes waiting to be had.

I, sadly, didn't have an NO-IP account, but if I did, I'd be heading to the court house this afternoon. This is what happens when you skip due process, let a to-big-to-fail corporation do whatever it wants to private corporations through the guise of the courts. Corruption at it's finest. MS should be bludgeoned thoroughly enough to at least think twice before attempting it again.