back to article Sorry, chaps! We didn't mean to steamroller legit No-IP users – Microsoft

Microsoft has admitted that it did disrupt a significant number of legitimate users of No-IP's dynamic DNS service, but says the problem is now sorted out. "Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners' knowledge through the …

Anonymous Coward

"The injunction was granted because the Microsoft security team showed evidence that malware writers were using No-IP's services to sell and control nearly 250 types of malware, and in particular the Windows-targeted trojans Bladabindi and Jenxcus."

I have seen portscans coming from Azure servers; would Microsoft like for someone to seek a temporary injunction knocking Azure off the map until it is resolved?

Maybe No-IP should seek a temporary injunction against Microsoft because Microsoft products are being sold and used as zombies. Get rid of them being able to sell their software which is used in this fashion and in a decade or so, the issue is resolved.

63
5
Bronze badge

exactly

because Microsoft products are being sold and used as zombies

That is the gist of this issue! Sorry, can't upvote you more than once.

As per David Finn, associate general counsel of Redmond's Digital Crimes Unit : "..surreptitiously installed malware on millions of devices without their owners' knowledge..." Some kind of injunction on those malware-loving devices would be very logical.

25
4
PJD

I'm going to have to call bullshit on this one - it's 4pm Pacific time and the no-ip address I had still isn't resolving to anything. On the other hand, no-ip's website seems to be back up.

8
0
Anonymous Coward

I'm going to have to call bullshit on this one

Same here. And no, it's not a caching problem, not on a recursive server whose cache I just cleared.

9
0

Same here

See title.

7
0

Still not working for me either.

2
0

nor mine

nor mine

3
0
Bronze badge

Re: nor mine

Fine and dandy it most certainly is not at 12:46BST.

2
0
Unhappy

Crossfire

Now that DynDNS has ceased its free service, I expect we'll see more battles like this between the free providers, business interests, criminal interests and perhaps political interests of one sort or another.

Roll on IPv6 when everyone can have a static IP address for every device, and end users can then perhaps avoid getting caught in some of the crossfire.

6
3
Anonymous Coward

Re: Crossfire

Hey Stephen Fry... How does having a static IP even if its a v6 IP, mitigate the requirement for DNS servers???

4
3

Re: Crossfire

Hey chump,

Cause if you have a static ip then if you need dns you can use a normal service, like everyone else - the need for dynamic dns services will not be there anymore. (Or at least vastly reduced).

Maybe think before getting excited.

1
1
FAIL

meh

Fortunately, I've got my own domain name registered and coupled to my no-ip account, but my free no-ip domain name is definitely not working.

I won't go to town (yet) on Microsoft for doing what they did as I don't know all of the details. However, their continued incompetence with regard to blocking legitimate users' domain names beggars belief and they need to pull their collective finger out and fix it.

Also, although in a way it makes sense that Microsoft be the ones to do this "filtering", it seems odd for a non-government agency to be handed what is effectively seized assets from another company. In no other industry that I can think of would this happen.

13
1
Silver badge

Re: meh

>it seems odd for a non-government agency to be handed what is effectively seized assets from another company.

Why, we've given corporations entire countries in similar deals - and Microsoft is worth a lot more than a fruit or rubber company

3
0
Silver badge
Headmaster

@Trigun Re: "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

..........the technical side of this action very well I did feel that the following from the ISP's spokeswoman was more than a bit cheeky.

"At 6am, they seemed to make a change to forward on the good traffic, but it didn’t do anything. Although they seem to be trying to take corrective measures, DNS is hard, and they don’t seem to be very good at it."

I am sorely tempted to paraphrase her remarks in the following fashion:

"Although No-IP claimed to be taking corrective measures to prevent their service being misused by malware bandits, secure Internet service provision is hard, and they don't seem to be very good at it."

9
9
Silver badge

Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

You've mis-read the article - the "ISP" referred to is No-IP, she is complaining that MS are clueless when it comes to DNS.

3
3
Bronze badge
Headmaster

Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

You've mis-read the article ...

No, they didn't. You do seem to have mis-read the comment though.

2
1
Silver badge

The scale of it

250 different -types- of botnet comprises only 25% of the malicious activity Microsoft is tracking. And one botnet of one type can consist of tens of millions of machines. How many Windows boxes are compromised? All of them?

16
0
Anonymous Coward

Re: The scale of it

Yep. Several times over. Sometimes in the thousands on the same machine.

2
1

What lies!

It's 8:03pm EDT (5:03pm PDT). I still cannot access most of the services I have forwarded on my home router using the no-ip domain. Microsoft most certainly has NOT fixed the problem!

I received an e-mail from no-ip telling me that I should setup a new host using new primary domains that they created after this fiasco began... but the no-ip.com website is not responding (presumably because so many people are trying to setup new host names).

Microsoft claims that 93% of no-ip hosts were participating in malware. I find this to be completely unbelievable.

I switched to a different DDNS provider, and I'm sure many other people will too. No-IP should sue Microsoft.

13
2
Trollface

Re: What lies!

What Microsoft claimed was that 93% of the malware that uses DNS uses No-IP. They forgot to mention that 100% of the malware uses Windows.

29
8
Anonymous Coward

Re: What lies!

"They forgot to mention that 100% of the malware uses Windows"

Erm no. They are blocking the C&C servers - the vast majority of which are exploited Linux based systems.

1
2
Anonymous Coward

Re: What lies!

As for me, I CAN'T change the name because it's used in a VPN certificate (and VPN certificates are domain-name-specific).

0
0

If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

10
30
Silver badge

> If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

Jesus, they are a DNS service for Christ's sake. Do we sue Yellow pages for all the criminal organisations that happen to put an entry in the book? Engage some fucking brain cells.

35
4
Bronze badge

So you see; it is OK really

Really?

1
1

Do you have anything other than the word of David "Pinocchio" Finn that No-IP hasn't been pro-active?

As I recall, No-IP was always quick to pull the plug on spammers who abused their service. I don't see why they wouldn't be consistent against malware too.

Also, Microsoft didn't "take them to court". That would involve exchanging legal letters and finally having lawyers for No-IP present in the court room to argue their side. Microsoft did the exact opposite of taking them to court: Microsoft apparently engaged in a legal sneak-attack.

13
2
Silver badge

According to No-IP, Microsoft didn't even contact them about the problem first... So, it looks remarkably like Microsoft simply took it upon themselves to do whatever they wanted, and found a random judge that would side with them to do it.

If I were No-IP, I'd be pursuing it through the courts, as Microsoft seem to have failed to do any pre-injunction legwork to try and remedy the issue, which is usually required in order to get such an injunction. Not to mention, does a Judge have the right to hand over the assets from one company to another without that company having any legal representation or redress?

17
1
Anonymous Coward

Also the need for engaging some brain cells here...

"Microsoft's takeover of No-IP's domains may have pissed off the DNS firm's customers, but the security industry has rallied around the move. Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators."

Switching off the fucking internet would achieve the same. Not exactly productive though is it? Before anyone states it was just no-ip I say that's just the starting point. They have won a case now watch them march on from here.

2
1

If you had a list with proof of companies selling drugs via yellow rages, wouldn't you expect them to be more than happy to help remove the listings?

2
0
Silver badge

If you had a list of companies selling drugs, and you approached the company first you mean? Sure. If they had the list, bypassed the company and went to a judge to get this year's books confiscated before they're distributed so you can drop them in a big vat of black ink before distributing them, then no...

0
0

A thought just crossed my mind

If Microsoft cannot handle the DNS requests for No-ip can they not scale them out to Azure and if not, is Azure not fit for purpose?

This little cock up should come back and bite them hard.

13
4
Anonymous Coward

Re: A thought just crossed my mind

It seems rather unlikely that scalability is the issue. Microsoft's DNS infrastructure routinely handles millions of requests, and it wouldn't be hard for them to add additional hardware. Most likely they simply screwed up the config - which presumably wouldn't have been possible to test in advance...

2
4

Re: A thought just crossed my mind

"It seems rather unlikely that scalability is the issue. ... Most likely they simply screwed up the config..."

That's entirely possible, but no matter which of those is true Microsoft have demonstrated a significant lack of competence and caused a lot of disruption as a result. Even if they couldn't test it in advance the time it took to sort things out shows that they were really struggling to figure this out.

No matter how you look at it this was very poorly executed and they deserve the hit in reputation they have received.

1
0
Anonymous Coward

Re: A thought just crossed my mind

Microsoft on occasion makes IBM look competent by comparison....

0
0

I am one of those infected.

I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news.

I found out that all my hosts were infected by malware mainly windows 7 and internet explorer.

Poor microsoft they can't help it they were born with a virus up their butts. It is like confiscating all GM cars because someone used an Chevrolet Impala to commit a crime, smart very smart.

Looking forward for compensation in the form of a class action lawsuit.

11
5
Silver badge

Re: I am one of those infected.

"I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news."

I suspect the words that various noip customers are looking for is "tortuious interference with contracts"

If MS really shot first and asked questions later, they (and the judge) are going to be facing a LOT of hurt. How many people can join a class-action in the USA alone?

As for "DNS is hard and MS isn't doing it very well", the exact same statements can be made about their webservice and email offerings, but they didn't get a judge to arbitrarily shift service provision to them without the original service provider or end users being consulted.

0
0
Silver badge

"legitimate subdomains resolve as expected"

So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service.

MS need to be taken behind the shed and shot (NADT). The world would be a better place without them.

9
3
Silver badge

" So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service."

They are forwarding the lookup back to the original no-ip servers, so they are sort of acting like a man-in-the-middle.

However they've screwed up the way they've done it.. See my more detailed post below

1
0
Silver badge

They lie

I try an ftp connection, via cable internet and by mobile internet:

"Status: Connection attempt failed with "EAI_NONAME - Neither nodename nor servname provided, or not known".

Error: Could not connect to server"

3
0

Guess Microsoft can't make an omelet

without killing everyone's chickens.

10
2

They haven't unborked anything yet from where I am sitting. Does anybody know where we can send a strongly worded email to voice our displeasure?

"legitimate subdomains resolve as expected"

So MS thinks that my little host serving up pics to family and stuff is somehow illegitimate? Is it because I won't let their poxy software run on it and I don't bother writing kludges into css files to work around their shitty browser?

6
2

This may have temporarily disrupted some botnets, but it won't last. There are many different ways to connect and control a botnet, no-ip was just an easy one. Odds are, the malware writers are already rolling out their own Patch Tuesday.

2
1
Silver badge
Boffin

This is where they've gone wrong (You'd think they'd know how DNS works....)

They are 'honouring' updates to the users dynamic addresses, but in a horrible and incorrect way:

The authoritative nameservers are configured as recursive for *ALL* domains (yuck)

They have configured an override to divert forwarding requests for these affected domains to the no-ip (original) authoritative nameservers. (i.e. they've statically added NS records for the affected domains pointing to the no-ip servers)

They therefore reply to the client with the correct IP address.

This would be fine for a recursive nameserver, but these servers are configured as *authoritative* nameservers for these domains - and are accessed as such, but they are returning the result as non-authoritative.

Basically, this creates the following process (Example uses the no-ip.org domain, but the same applies to the others. Some irrelevent steps skipped/simplified) :

1) User requests the IP for some-subdomain.no-ip.org

2) Users local nameserver (usually belonging to their ISP) checks the .org servers and is told that the 2 microsoft nameservers are responsible for this domain.

3) Users local nameserver ask the microsoft servers for the authoritative ip address of the subdomain, only to be given an unauthoritative result, along with the message 'if you want an authoritative result, go here' which points BACK to the same microsoft nameservers.

4) Users local nameserver replies with SERVFAIL because the nameserver that is meant to be authoritative is not returning an authoritative response.

Whichever bozo claimed everything is working presumably just did a 'raw' nslookup, saw the response, and didn't think (or know) about authoritative/non-authoritative results.

Or maybe MS nameservers don't handle authoritative/non-authoritative results correctly, so things 'work' if your ISP uses a microsoft nameserver product?? I don't know, just a guess...

Anyway, MS, I think this post is worth many thousands of your MS dollars!

By way of an example, here's a session capture using a jo-ip.org domain chosen at random:

4:37 [2] (1) "~" jamie@lapcat% nslookup

> server a.root-servers.net.

Default server: a.root-servers.net.

Address: 2001:503:ba3e::2:30#53

Default server: a.root-servers.net.

Address: 198.41.0.4#53

>

> home.no-ip.org.

Server: a.root-servers.net.

Address: 2001:503:ba3e::2:30#53

Non-authoritative answer:

*** Can't find home.no-ip.org.: No answer

> set q=ns

> home.no-ip.org.

Server: a.root-servers.net.

Address: 2001:503:ba3e::2:30#53

Non-authoritative answer:

*** Can't find home.no-ip.org.: No answer

Authoritative answers can be found from:

org nameserver = a0.org.afilias-nst.info.

org nameserver = a2.org.afilias-nst.info.

org nameserver = b0.org.afilias-nst.org.

org nameserver = b2.org.afilias-nst.org.

org nameserver = c0.org.afilias-nst.info.

org nameserver = d0.org.afilias-nst.org.

a0.org.afilias-nst.info internet address = 199.19.56.1

a2.org.afilias-nst.info internet address = 199.249.112.1

b0.org.afilias-nst.org internet address = 199.19.54.1

b2.org.afilias-nst.org internet address = 199.249.120.1

c0.org.afilias-nst.info internet address = 199.19.53.1

d0.org.afilias-nst.org internet address = 199.19.57.1

a0.org.afilias-nst.info has AAAA address 2001:500:e::1

a2.org.afilias-nst.info has AAAA address 2001:500:40::1

b0.org.afilias-nst.org has AAAA address 2001:500:c::1

b2.org.afilias-nst.org has AAAA address 2001:500:48::1

c0.org.afilias-nst.info has AAAA address 2001:500:b::1

d0.org.afilias-nst.org has AAAA address 2001:500:f::1

>

> server 199.19.56.1

Default server: 199.19.56.1

Address: 199.19.56.1#53

> home.no-ip.org.

Server: 199.19.56.1

Address: 199.19.56.1#53

Non-authoritative answer:

*** Can't find home.no-ip.org.: No answer

Authoritative answers can be found from:

no-ip.org nameserver = ns7.microsoftinternetsafety.net.

no-ip.org nameserver = ns8.microsoftinternetsafety.net.

> server ns7.microsoftinternetsafety.net

Default server: ns7.microsoftinternetsafety.net

Address: 157.56.78.73#53

> home.no-ip.org.

Server: ns7.microsoftinternetsafety.net

Address: 157.56.78.73#53

Non-authoritative answer:

home.no-ip.org nameserver = ns7.microsoftinternetsafety.net.

home.no-ip.org nameserver = ns8.microsoftinternetsafety.net.

Authoritative answers can be found from:

> set q=a

> home.no-ip.org.

Server: ns7.microsoftinternetsafety.net

Address: 157.56.78.73#53

Non-authoritative answer:

Name: home.no-ip.org

Address: 85.241.47.150

38
0

Microsoft is to dynamic or agile or responsive

as

Military is to intelligence

11
3

Non-authoritative

I have seen that issue many times in the past. MS uses a BSD name server, with a GUI on top. Down below, is a config file, same as in UNIX. To fix the problem you got to run Wordpad and edit the config file by hand to change the authoritative setting - the GUI cannot do it. If you use Notepad, then it will screw up the config file with carriage returns, causing the name server to barf.

10
4
Anonymous Coward

Re: Non-authoritative

"MS uses a BSD name server, with a GUI on top."

Not as far as I have ever seen. All of Microsoft's DNS Servers run Windows based DNS - which is nothing like the BSD implimentation.

"Down below, is a config file, same as in UNIX"

That is technically possible, but very unusual. Normally Active Directory is 'down below'.

"edit the config file by hand to change the authoritative setting - the GUI cannot do it"

Utter rubbish. http://technet.microsoft.com/en-us/library/cc739089(v=ws.10).aspx

5
3
Silver badge
Flame

Re: Non-authoritative

It's always harder trying to work out exactly was has been setup incorrectly with just the results to go on... A bit like reverse engineering in a way.

I don't have the inside knowledge that you have, but I tried to explain similar in my incoherent post above (which deserved down-voting for the formatting alone!)

However, I'm wary about your solution - assuming their configs are pretty much 'stock', simply changing the zones to authoritative will mean the servers will not look elsewhere for the data, but will expect it to live locally. - of course, the zone data isn't local to microsoft, due to their kludgy solution (which can be made to work, but errrr. not like that)

As you are aware, but I'll try to clarify for anyone else who maybe confused (I'm looking at you, Microsoft!), the difference between authoritative/non-authoritative is as follows: (and to the techie pedants, I'm purposefully leaving out some stuff not relevant to the situation)

Basically, there are 2 separate functions performed by nameservers. Generally these days, nameservers are configured to do one or the other.

However, nameserver software can perform both roles simultaneously, and in the past, they usually did, adding to some peoples confusion.

These 2 functions are:

1) "Lookup addresses for people" - These are the nameservers you configure in your home systems, usually the nameservers of your ISP or googleDNS or opendns. These are known as 'recursive' - they probe the various servers in the chain until they find the answer you're looking for, and then return it to you as a 'non-authoritative' - this means the nameserver you queried doesn't "own" that answer. It got it from elsewhere.

2) "Host and supply the actual data being looked up for a zone" - These are 'authoritative' nameservers. Different domains are assigned to specific sets of authoritative nameservers. These are the servers your ISP's nameserver finally contact to get the info you require.

For example, the authoritative nameservers for theregister.co.uk hold in a file (db/text/etc.) a record containing the address 92.52.96.89 which is returned when someone queries www.the.register.co.uk -- Change this data held on the authoritative nameservers, and the change will propagate across the whole internet.

If you talk direct to an authoritative nameserver, and query a host in a domain it is authoritative for,it will return the *authoritative* (straight from the horses mouth) results. If it doesn't have a match for your query, you are authoritatively told 'not found'. There is no forwarding to other servers. It's own decision is final.

Additionally, if you ask an authoritative nameserver for an address that isn't in a domain it's configured to be authoritative for, then you get a null result (except in the case I mentioned above where some authoritative nameservers are also configured as recursive nameservers...)

----

How this applies to this case:

By taking over the domains, microsofts nameservers are now considered authoritative. The internet-wide nameservers are being told this.

Now, Microsoft needs to configure their nameserver to say 'I'm authoritative for no-ip.org - and the info for the hosts contained within that domain is held in file xxxxxxx.zzz'

The 'gotcha' in this case is that MS doesn't have the no-ip database! Even if they did, the host address updates from users wouldn't happen unless they also took over the whole update infrastructure (which is actually done under a domain no-ip still control)

Their solution? Even though 'the internet' considers their servers authoritative, they've specifically not set them to be - instead configuring them as recursive nameservers that lookup the results elsewhere.

Of course, following the normal path, they'd look up the nameserver responsible and forward the request there. Of course, the nameserver they would lookup is their own, so it wouldn't work - so they've set in their config files the original no-ip servers as an override..... A bit like how some of you edit your hosts file to override an IP address, they've editted their config to override the whole domains nameserver for these domains they've stolen.

So, their nameservers basically behave as recursive nameservers, just as your ISPs nameserver does for you. The only difference is they've been hardcoded with the original no-ip dns info instead of using what everyone else is supplied, so the requests go to the right place, and the results retrieved, and replied with... HOWEVER, ISPs nameservers expect an authoritative response. microsofts servers are configured to relay the request to no-ip and then return it as *non-authoritative* (i.e. 'here is the information you wanted... but i got it from elsewhere)

At this point, all sane resolvers reject the data. They expected authoritative data and they damnwell better get it!

So, if microsoft simply configure their nameservers to be authoritative as they should be, then they will no longer get the data from no-ip.

What they NEED to do is kludge it so that internally it looksup the data as a recursive nameserver, but when it presents this info, it needs to present it as authoritative.

I'm afraid this sort of hack is beyond simple nameserver configs, and as we see, beyond microsoft engineers, who seem not only to not understand the concept/reasons for authoritative/non-authoritative, but are willing to foist their ignorance onto millions, using a power received under dubious circumstances in the first place...

Now...... Where's my money? :-)

25
0
Anonymous Coward

Re: Non-authoritative

NO money, I am afraid but you certainly get my upvote !

Once again, MS engineers have proven they don't understand networking. As for the rest of it... don't go there.

6
0
Silver badge
Happy

Re: Non-authoritative

"NO money, I am afraid but you certainly get my upvote !"

Thanks!

(but I prefer money! )

1
0
Anonymous Coward

Re: Non-authoritative

Great explanation, thanks and upvoted!

1
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums