
Author Topic: OpenNap Community Disruption After Microsoft Seize 22 No-IP Domains  (Read 990 times)


Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
In a fast-paced move to close off a source of malware, Microsoft has seized control of a quantity of No-IP domain names; many folks have been disrupted.

http://arstechnica.com/security/2014/06/millions-of-dymanic-dns-users-suffer-after-microsoft-seizes-no-ip-domains/

Quote
Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users.

In a complaint Microsoft filed under seal on June 19, Microsoft attorneys said No-IP is "functioning as a major hub for 245 different types of malware circulating on the Internet." The document said abuse of the service has been the subject of recent blog posts by both OpenDNS and Cisco Systems.

Dynamic DNS providers are popular because they allow people to obtain a free subdomain—such as dangoodin.no-ip.org—that automatically maps to whatever IP address the user's computer is using at the moment. The mapping changes each time the user's IP address is updated. Such services are especially loved by online gamers and Linux user group members.

In a statement that alleged damage to "millions of innocent users," company officials wrote:
Quote
We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers.

There's a decent discussion of this over at Slyck's:

http://www.slyck.com/forums/viewtopic.php?t=65733

I think it's clear both MS and the operators of No-IP are to blame for not working together in resolving this. Each side has chosen to portray the other as in the wrong and play the cheap blame game, when in reality they should both have worked hard to identify those abusing the services operated by No-IP and notify the authorities with the information necessary to make some arrests. I can see the criminals walking away laughing after this fiasco.


Offline GhostShip

  • Ret. WinMX Special Forces
  • WMW Team
  • *****
It looks like this has all been settled now, but No-IP are still unhappy with Microsoft's draconian seizing action and the subsequent DNS disaster they caused.

https://www.noip.com/blog/2014/07/10/microsoft-takedown-details-updates/

Quote
Earlier today, we released a joint statement with Microsoft announcing the settlement of the unprecedented and overreaching seizure of 23 of our domains. We are thrilled to announce the settlement of this dispute and are excited to return to work connecting our 18 million users to their website and devices.

How did this happen?
On Monday, June 30, 2014, Microsoft obtained a US court order to take control of our most popular domain names used by both our Free and Enhanced Dynamic DNS services. As a result, nearly 5 million hostnames went dark and 1.8 million customer websites and devices became unreachable.

Why did this happen?
Microsoft suspected some of our customers were abusing our service for malicious purposes. However, instead of reporting the malicious activity to our abuse department or law enforcement, Microsoft decided to secretly sue us in civil court.

By filing an ex parte temporary restraining order (TRO), No-IP was prevented from having any knowledge of the case or offering any support in stopping malicious activity. Had Microsoft submitted evidence of abuse at any time, No-IP would have taken swift action to validate the claims and ban any accounts that were proven to be malicious. Instead, Microsoft wasted many months while malicious activity continued.

To state this as emphatically as possible — this entire situation could have been avoided if only Microsoft had followed industry standards. A quick email or call to the No-IP abuse team would have removed the abusive hostnames from the No-IP network.

Microsoft cited 22,000 hostnames that were abusive. Out of those 22,000 seized hostnames, the No-IP abuse department found only a fraction of the hostnames to still be active, which means that many had already been banned through our existing abuse procedures.

Microsoft promised the judge they would only block the hostnames alleged to be malicious and would forward all the remaining traffic for the non-abusive hostnames on to No-IP. This did not happen. The Microsoft DNS servers were misconfigured and failed to respond to our usual volume of billions of queries a day.

I'm surprised the No-IP folks are not moving forward with a damages claim, as MS simply didn't abide by the court order and instead caused carnage. Let's hope MS learns to look before it leaps next time. There is a major difference between maliciously hosting a known malware control point and being unaware of such activity, and MS seems not to have made the effort to decide which was the case. Epic fail all round, MS  :gum:
