I haven't seen heavy technical details on what the seizure involved, but if in theory they got a hold of some control domains they could have sent out kill commands to stop the malware from working or alternatively sent them to a static "do nothing" host.
>However since hackers add new domain names every hour, 100+ new hostnames need to be blocked. I’ve sent a few updates to both services, but they haven’t yet responded and I guess we’ll need to wait until Monday when they get back to work.
Is there a reason why they are relying on DDNS to resolve IP addresses, instead of simply using the resulting IP addresses themselves? It seems like relying on No-IP here was a clear weak point in the design of this malware.
How do you distribute the new IP address to members of the botnet even in the face of an unclean disconnection of a current C&C server?
You could maintain a list of backup C&C servers on every node and see what happens, but you risk a netsplit causing your botnet to fragment.
Or, you just have a centralized place to list the authoritative address of the current master.
But you don't want to host that yourself - that's a link back to you.
Another commenter mentioned the botnet was creating hundreds of new subdomains every hour. Obviously they had found a way to automatically register new accounts, and they had tens or hundreds of thousands of IP addresses to register from... By hosting it on a well-known and well-used service, they created a situation where someone is basically forced to take the entire service offline or take other drastic measures in order to counter-act them.
Good point. I just figured they might have preferred to run their own DDNS service, or use p2p, since as we've seen, a service as large as No-IP can be completely shut down in a situation like this.
It can be shutdown, but with a lot more difficulty than just getting some random server somewhere used only for the botnet pulled offline, which was probably the point, really.
If I were a malware author I would never have assumed anyone could have gotten a court order to take an entire service offline.
Microsoft seized the domains in order to discover command-and-control servers of a few botnets.
Now... whether or not Microsoft seizing another legitimate company's property without any notice is legal/ethical is another question (one that probably should get more attention).
What is the justification of this post being pretty severely downvoted? It's not intemperate or off-topic as far as I can tell.
Go ahead and downvote me too for metacommenting but it seems like slaps being handed out so freely just degrades community by making people reluctant to comment.
"M$" is a shorthand for "Microsoft" - is not just shorthand, it's a sophomoric statement with commentary. If you don't know that, use words and phrases you understand.
Yes, the question was along the lines of, why is Microsoft seizing other company's property, even with a court order... sounds to me like Law Enforcement should have done the actual seizure, even if Microsoft is consulting for them.
And there was no prior warning to noip.com -- they woke up one day and their domains were seized. They only found out why after the fact -- and, given the nature of free Dynamic DNS services, it's very unlikely noip.com was even aware that a botnet was using their services (the justification for the seizure).
And, I can't help but feel Microsoft could have obtained the same data by politely asking noip.com -- nobody likes to harbor botnets (and we have no reason to suspect noip.com of trying to do so). Seems domain seizure was heavy-handed at best.
The big question is how the court could rule in a dispute between two US companies, by seizing the defendants domains without even hearing the defendant.
How is that possible in a state of justice? How anyone dares to run a company in a state where you are not allowed to defend yourself in court escapes me.
I can not believe this is the normal legal process. There must have been some extraordinary circumstances that I am not aware of. I would be very interested to hear what they are.
(Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft? Surely Azure is the host of a few of them C&C servers.)
> I can not believe this is the normal legal process.
It's not.
> There must have been some extraordinary circumstances that I am not aware of.
Possible, but so far, the case is mostly sealed (refer to the above statement). From what we know, Microsoft identified some botnet(s) using noip's service as part of their infrastructure. Nothing points to noip knowing about the botnet, so we must assume until we know otherwise that they had no knowledge. This leaves us with a US company waking up one day to find their property seized by another US company, supposedly with the backing of a US court.
> Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft?
Probably not -- Microsoft has a history of helping Law Enforcement track down botnets -- in the past they have literally marched into data centers and seized all the servers from a company without their knowledge (they even did this overseas outside of the US once). It's unlikely if noip were to bring suit against Microsoft, that it would go anywhere.
(It's as scary as it sounds when a private company is leading Law Enforcement, instead of the other way around).
Considering how little the public knows about this case, I wouldn't be surprised to find out that no-IP refused to respond to the court process, so the court simply ruled against them. Just as with lavabit, a petulant refusal to respond to legal process does not result in good outcomes. Instead it results in the forfeiture of your rights within the process.
However, given the tone of noip's public statement regarding this issue -- there seems to be no indication they had any forewarning, be it refused court order or not.
Since we know very little at the moment -- it has to remain a possibility that the other happened -- we are left in the dark on purpose due to the nature of the event... and possibly some favorism from the court (citing Microsoft's past aid to law enforcement)
Not really. We've got the text of the actual restraining order under which the domains were seized, and it's quite clear on the fact that No-IP wouldn't get advance notice of the fact that Microsoft were trying to seize their domains or a chance to challenge it:
"Microsoft’s request for this emergency ex parte
relief is not the result of any lack of diligence on Microsoft’s part, but instead based upon the nature of Defendants’ unlawful conduct. Therefore, in accordance with Federal Rule of Civil Procedure 65(b) and Civil Local Rule 7-5, good cause and the interest of justice require that this Order be Granted without prior notice to Defendants, and accordingly, Microsoft is relieved of the duty to provide Defendants with prior notice of Microsoft’s motion." (Microsoft's motion in question being their attempt to seize the domains.)
The basis for this was "unlawful and/or negligent conduct". Basically, Microsoft managed to convince the courts that because in their eyes No-IP weren't policing their services well enough, Microsoft had the right to seize all their domains and shut them down without giving them the opportunity to challenge this in court first.
I seem to remember the massive DDoS Microsoft enacted against the blackhole servers of the RFC1918 in-addr.arpa zones for example, that was borderline criminal. I could probably think of a dozen other occasions, including the contant stream of spam that was Hotmail for quite some time after the takeover. Could I have had windowsupdate.com or hotmail.com seized then? I strongly doubt it.
> And there was no prior warning to noip.com -- they woke up one day and their domains were seized. They only found out why after the fact -- and, given the nature of free Dynamic DNS services, it's very unlikely noip.com was even aware that a botnet was using their services (the justification for the seizure).
No-ip was DEFINITELY aware of it. OpenDNS published an article in April 2013 identifying no-ip as the top used provider for malicious use [1] and a representative from no-ip posted a comment on that article which proves that no-ip was aware of it.
Cisco published a similar article on February 11, 2014 [2]. We know that no-ip was aware of this because they posted a comment in response, and posted a blog entry about it at their site [3].
They (noip.com) had zero pre-warning of a domain seizure. Regardless of any literature you dig up from years ago that states some botnets use Dynamic DNS services such as noip.com, it does not mean they had warning they were about to be seized. Others have commented that the court order forbid anyone, including Microsoft, from informing noip.com prior to the seizure.
It should be noted, that most/all "cloud" services likely have some sort of illicit behavior being conducted through them... Ec2, Azure even, etc. Botnet's use the same services me and you do... that does not for even a second make noip.com responsible for the botnet's actions.
"We would like to be on the record to state that at No-IP, we have a very strict abuse policy. Our abuse team is constantly working to keep the No-IP system domains free of spam and malicious activity...We provide a valuable service for free, but because of this, it is common for users to abuse our service. Our abuse team is amazing and they are usually pretty quick to shut them down, but sometimes a few can slip through the cracks".
No-ip was aware of the potential and had an abuse team to deal with such cases. They were also aware of other experts finding their abuse team wanting. But that doesn't seem to be enough evidence to suggest they were partly culpable in any particular case. Perhaps there were examples of particularly galling incompetence in their abuse team, or the abuse team tipping off fraudsters but otherwise informing them seems to be the most reasonable and responsible action.
Every domain provider must have an abuse team or at least an address to send abuse notices too [http://who.is/whois/cloudapp.net/], that PR statement from No-IP states no facts or figures of many abuse notices they combat - which I would cite if my abuse team actually did stuff "look how amazing our team is - we had x,000's requests and took down x00 of malicious hosts just last month."
"The report noted many domains that the Cisco Security Team thought were abusive. We have not received any report from Cisco about any domains, or any supporting information. If Cisco wished to report abuse, they could have easily contacted our Abuse Team at abuse@no-ip.com."
It seems odd that people aren't reporting this there, or if they are reporting it there, are not documenting that.
According to No-IP's previous official statement, the order was served without prior notice: http://www.noip.com/blog/2014/06/30/ips-formal-statement-mic.... Courts do not have carte blanche - they have laws that govern the bounds of their authority. The implication of the parent comment is that even if Microsoft was given a court order, it wasn't necessarily legal for the court to do so.
(Obviously not legal advice. Not a lawyer qualified in that jurisdiction. General discussion.)
Ex parte literally means "without notice". It's what you use when it's an emergency - there's no time to explain! - or if you served the other party they'd cover something up or do something nasty (say, a domestic violence case, or child abduction).
It is, shall we say, not a good match for a dispute like this. This round is over now (judge is already declaring it moot, although I don't know why, did they just let a temporary order expire? There's not a lot readable on the docket yet).
Importantly, No-IP now may have a clear shot at a pretty vicious countersuit, because what MS requested in their TRO (which has not been continued ahead of the hearing on... Thursday? I can't read US dates well...) caused them, and their customers and the internet at large, damages - serious, huge, actual reputational damages with people moving away from their service which thrives on high uptime and reliability. They had no opportunity to answer the case against them - the action MS requested the court make against them was unilateral, which is... unusual.
MS will probably try to climb down in the most graceful manner they can, and settle out of court. However, No-IP will not want to accept a token settlement for MS destroying their business: on the face of it, they have a very strong case and I doubt MS will be able to offer enough to compensate their ire, so we'll probably see a countersuit instead, and - speculation - it'll probably not go well for MS at all, unless they have hard evidence that No-IP were actively complicit in abusive activity, which seems to have been what they (mis?)represented to the court in their TRO application (but we're missing that particular piece of the jigsaw, because it was sealed; and again, it shouldn't have been sealed). If MS had that, however, I speculate they wouldn't have dropped the TRO ahead of the hearing, and that prospect, shall we say, seems unlikely overall compared to the prospect of them making a huge mistake.
Huge company attacking small business - that's a powerful angle. They might even be competitors of No-IP, thanks to Azure (and the gimped version they used to host these domains clearly couldn't hold a candle to No-IP, because all the domains were down). If I ate popcorn, I'd be getting a bag, but don't expect Thursday to be fireworks. I actually expect it to be de-listed as moot and the action dropped until No-IP countersue, and they could take their time on that - in fact, they might want statistics of how many of their customers jumped ship on having their domains down for several days at MS's whim. And they might want another jurisdiction, 'cause I gather jurisdiction shopping is a thing over there?
MS might've got lucky with the judge. They're not necessarily going to keep being lucky.
I don't understand why everyone thinks MS should have given the notice, then noIP would have sent emails to all their customers "MS is about to take all our domains down" and the C&C's would have had time to reconfigure or transfer domains etc.
Speed and silence were key to the botnets being taken down.
Also it is very naive to think noIP doesn't know that it makes a lot of it's money from botnet hosters - according to previous discussions the abuse@ address does not respond and they don't take action against malicious hosts.
Probably, but in this case, somehow Microsoft discovered they were using the noip.com's Dynamic DNS service... perhaps the Control servers "floated" around on the net and Dynamic DNS discovery was the best option?
The entire purpose of no-ip is so a server can keep the same domain easily while their IP changes (Dynamic DNS). I'm guessing that these servers were either rapidly changing IP addresses or being brought online/offline quickly and Microsoft wanted to locate them by hijacking no-ip so those servers told Microsoft directly when they were changing IP address.
It's not like they had much of a reputation with the tech savvy crowd to begin with, with their frivolous patent litigation and business practices. The kind of crowd that uses a service like no-ip is the kind of crowd that likely isn't a big microsoft customer.
The typical computer user will be ignorant to this and enterprise users don't care. The only way they'll really lose from this fiasco is if no-ip sues and wins in court.
ICANN is not "in charge of DNS". IANA, part of ICANN, manages the root zone. That's it.
The top level domains are delegated to their respective organization. IANA could, in theory, re-delegate an entire top level domain, but everyone would notice and route around the problem.
"The contract was eventually awarded to doMEn, d.o.o., a Montenegrin joint venture (doing business as .Me Registry), whose partners include Afilias Limited, GoDaddy.com, Inc., and ME-net d.o.o."
51 comments
[ 2.9 ms ] story [ 121 ms ] threadhttp://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-b...
>However since hackers add new domain names every hour, 100+ new hostnames need to be blocked. I’ve sent a few updates to both services, but they haven’t yet responded and I guess we’ll need to wait until Monday when they get back to work.
You could maintain a list of backup C&C servers on every node and see what happens, but you risk a netsplit causing your botnet to fragment.
Or, you just have a centralized place to list the authoritative address of the current master.
But you don't want to host that yourself - that's a link back to you.
Another commenter mentioned the botnet was creating hundreds of new subdomains every hour. Obviously they had found a way to automatically register new accounts, and they had tens or hundreds of thousands of IP addresses to register from... By hosting it on a well-known and well-used service, they created a situation where someone is basically forced to take the entire service offline or take other drastic measures in order to counter-act them.
If I were a malware author I would never have assumed anyone could have gotten a court order to take an entire service offline.
Now... whether or not Microsoft seizing another legitimate company's property without any notice is legal/ethical is another question (one that probably should get more attention).
Go ahead and downvote me too for metacommenting but it seems like slaps being handed out so freely just degrades community by making people reluctant to comment.
Edit: They then replied to your post with "I was wondering the same thing", before reading my post and deleting that comment.
And there was no prior warning to noip.com -- they woke up one day and their domains were seized. They only found out why after the fact -- and, given the nature of free Dynamic DNS services, it's very unlikely noip.com was even aware that a botnet was using their services (the justification for the seizure).
And, I can't help but feel Microsoft could have obtained the same data by politely asking noip.com -- nobody likes to harbor botnets (and we have no reason to suspect noip.com of trying to do so). Seems domain seizure was heavy-handed at best.
How is that possible in a state of justice? How anyone dares to run a company in a state where you are not allowed to defend yourself in court escapes me.
I can not believe this is the normal legal process. There must have been some extraordinary circumstances that I am not aware of. I would be very interested to hear what they are.
(Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft? Surely Azure is the host of a few of them C&C servers.)
It's not.
> There must have been some extraordinary circumstances that I am not aware of.
Possible, but so far, the case is mostly sealed (refer to the above statement). From what we know, Microsoft identified some botnet(s) using noip's service as part of their infrastructure. Nothing points to noip knowing about the botnet, so we must assume until we know otherwise that they had no knowledge. This leaves us with a US company waking up one day to find their property seized by another US company, supposedly with the backing of a US court.
> Given that Microsoft probably hasn't got more legal rights than anyone else, could No-IP do the same to Microsoft?
Probably not -- Microsoft has a history of helping Law Enforcement track down botnets -- in the past they have literally marched into data centers and seized all the servers from a company without their knowledge (they even did this overseas outside of the US once). It's unlikely if noip were to bring suit against Microsoft, that it would go anywhere.
(It's as scary as it sounds when a private company is leading Law Enforcement, instead of the other way around).
However, given the tone of noip's public statement regarding this issue -- there seems to be no indication they had any forewarning, be it refused court order or not.
Since we know very little at the moment -- it has to remain a possibility that the other happened -- we are left in the dark on purpose due to the nature of the event... and possibly some favorism from the court (citing Microsoft's past aid to law enforcement)
"Microsoft’s request for this emergency ex parte relief is not the result of any lack of diligence on Microsoft’s part, but instead based upon the nature of Defendants’ unlawful conduct. Therefore, in accordance with Federal Rule of Civil Procedure 65(b) and Civil Local Rule 7-5, good cause and the interest of justice require that this Order be Granted without prior notice to Defendants, and accordingly, Microsoft is relieved of the duty to provide Defendants with prior notice of Microsoft’s motion." (Microsoft's motion in question being their attempt to seize the domains.)
The basis for this was "unlawful and/or negligent conduct". Basically, Microsoft managed to convince the courts that because in their eyes No-IP weren't policing their services well enough, Microsoft had the right to seize all their domains and shut them down without giving them the opportunity to challenge this in court first.
No-ip was DEFINITELY aware of it. OpenDNS published an article in April 2013 identifying no-ip as the top used provider for malicious use [1] and a representative from no-ip posted a comment on that article which proves that no-ip was aware of it.
Cisco published a similar article on February 11, 2014 [2]. We know that no-ip was aware of this because they posted a comment in response, and posted a blog entry about it at their site [3].
[1] http://labs.opendns.com/2013/04/15/on-the-trail-of-malicious...
[2] http://blogs.cisco.com/security/dynamic-detection-of-malicio...
[3] http://www.noip.com/blog/2014/02/12/cisco-malware-report/
They (noip.com) had zero pre-warning of a domain seizure. Regardless of any literature you dig up from years ago that states some botnets use Dynamic DNS services such as noip.com, it does not mean they had warning they were about to be seized. Others have commented that the court order forbid anyone, including Microsoft, from informing noip.com prior to the seizure.
It should be noted, that most/all "cloud" services likely have some sort of illicit behavior being conducted through them... Ec2, Azure even, etc. Botnet's use the same services me and you do... that does not for even a second make noip.com responsible for the botnet's actions.
The links I cited show that this is incorrect. No-ip was aware.
No-ip was aware of the potential and had an abuse team to deal with such cases. They were also aware of other experts finding their abuse team wanting. But that doesn't seem to be enough evidence to suggest they were partly culpable in any particular case. Perhaps there were examples of particularly galling incompetence in their abuse team, or the abuse team tipping off fraudsters but otherwise informing them seems to be the most reasonable and responsible action.
Every domain provider must have an abuse team or at least an address to send abuse notices too [http://who.is/whois/cloudapp.net/], that PR statement from No-IP states no facts or figures of many abuse notices they combat - which I would cite if my abuse team actually did stuff "look how amazing our team is - we had x,000's requests and took down x00 of malicious hosts just last month."
It seems odd that people aren't reporting this there, or if they are reporting it there, are not documenting that.
Ex parte literally means "without notice". It's what you use when it's an emergency - there's no time to explain! - or if you served the other party they'd cover something up or do something nasty (say, a domestic violence case, or child abduction).
It is, shall we say, not a good match for a dispute like this. This round is over now (judge is already declaring it moot, although I don't know why, did they just let a temporary order expire? There's not a lot readable on the docket yet).
Importantly, No-IP now may have a clear shot at a pretty vicious countersuit, because what MS requested in their TRO (which has not been continued ahead of the hearing on... Thursday? I can't read US dates well...) caused them, and their customers and the internet at large, damages - serious, huge, actual reputational damages with people moving away from their service which thrives on high uptime and reliability. They had no opportunity to answer the case against them - the action MS requested the court make against them was unilateral, which is... unusual.
MS will probably try to climb down in the most graceful manner they can, and settle out of court. However, No-IP will not want to accept a token settlement for MS destroying their business: on the face of it, they have a very strong case and I doubt MS will be able to offer enough to compensate their ire, so we'll probably see a countersuit instead, and - speculation - it'll probably not go well for MS at all, unless they have hard evidence that No-IP were actively complicit in abusive activity, which seems to have been what they (mis?)represented to the court in their TRO application (but we're missing that particular piece of the jigsaw, because it was sealed; and again, it shouldn't have been sealed). If MS had that, however, I speculate they wouldn't have dropped the TRO ahead of the hearing, and that prospect, shall we say, seems unlikely overall compared to the prospect of them making a huge mistake.
Huge company attacking small business - that's a powerful angle. They might even be competitors of No-IP, thanks to Azure (and the gimped version they used to host these domains clearly couldn't hold a candle to No-IP, because all the domains were down). If I ate popcorn, I'd be getting a bag, but don't expect Thursday to be fireworks. I actually expect it to be de-listed as moot and the action dropped until No-IP countersue, and they could take their time on that - in fact, they might want statistics of how many of their customers jumped ship on having their domains down for several days at MS's whim. And they might want another jurisdiction, 'cause I gather jurisdiction shopping is a thing over there?
MS might've got lucky with the judge. They're not necessarily going to keep being lucky.
I don't understand why everyone thinks MS should have given the notice, then noIP would have sent emails to all their customers "MS is about to take all our domains down" and the C&C's would have had time to reconfigure or transfer domains etc.
Speed and silence were key to the botnets being taken down.
Also it is very naive to think noIP doesn't know that it makes a lot of it's money from botnet hosters - according to previous discussions the abuse@ address does not respond and they don't take action against malicious hosts.
Just a guess.
The typical computer user will be ignorant to this and enterprise users don't care. The only way they'll really lose from this fiasco is if no-ip sues and wins in court.
Looks like there was a stipulation filed on July 1 to transfer the domains back to No-IP, although the actual document isn't accessible in PACER.
http://www.scribd.com/doc/232961396/MSFT-Temporary-Restraini...
How did this happen? Since when did Montenegro fall under U.S. jurisdiction?
I thought my personal domain (andrewkelley.me) was safe, but now I'm not so sure.
The top level domains are delegated to their respective organization. IANA could, in theory, re-delegate an entire top level domain, but everyone would notice and route around the problem.
It's operated by two US based companies.