back to article Sorry, chaps! We didn't mean to steamroller legit No-IP users – Microsoft

Microsoft has admitted that it did disrupt a significant number of legitimate users of No-IP's dynamic DNS service, but says the problem is now sorted out. "Yesterday morning, Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners' knowledge through the …

  1. Anonymous Coward
    Anonymous Coward

    "The injunction was granted because the Microsoft security team showed evidence that malware writers were using No-IP's services to sell and control nearly 250 types of malware, and in particular the Windows-targeted trojans Bladabindi and Jenxcus."

    I have seen portscans coming from Azure servers; would Microsoft like for someone to seek a temporary injunction knocking Azure off the map until it is resolved?

    Maybe No-IP should seek a temporary injunction against Microsoft because Microsoft products are being sold and used as zombies. Get rid of them being able to sell their software which is used in this fashion and in a decade or so, the issue is resolved.

    1. eulampios

      exactly

      because Microsoft products are being sold and used as zombies

      That is the gist of this issue! Sorry, can't upvote you more than once.

      As per David Finn, associate general counsel of Redmond's Digital Crimes Unit : "..surreptitiously installed malware on millions of devices without their owners' knowledge..." Some kind of injunction on those malware-loving devices would be very logical.

  2. PJD

    I'm going to have to call bullshit on this one - it's 4pm Pacific time and the no-ip address I had still isn't resolving to anything. On the other hand, no-ip's website seems to be back up.

    1. Anonymous Coward
      Anonymous Coward

      I'm going to have to call bullshit on this one

      Same here. And no, it's not a caching problem, not on a recursive server whose cache I just cleared.

      1. NP-Hardass

        Same here

        See title.

    2. Just a geek

      Still not working for me either.

      1. Aqua Marina

        nor mine

        nor mine

        1. Captain Hogwash

          Re: nor mine

          Fine and dandy it most certainly is not at 12:46BST.

  3. Richard Boyce
    Unhappy

    Crossfire

    Now that DynDNS has ceased its free service, I expect we'll see more battles like this between the free providers, business interests, criminal interests and perhaps political interests of one sort or another.

    Roll on IPv6 when everyone can have a static IP address for every device, and end users can then perhaps avoid getting caught in some of the crossfire.

    1. Anonymous Coward
      Anonymous Coward

      Re: Crossfire

      Hey Stephen Fry... How does having a static IP even if its a v6 IP, mitigate the requirement for DNS servers???

      1. intlabs

        Re: Crossfire

        Hey chump,

        Cause if you have a static ip then if you need dns you can use a normal service, like everyone else - the need for dynamic dns services will not be there anymore. (Or at least vastly reduced).

        Maybe think before getting excited.

  4. Trigun
    FAIL

    meh

    Fortunately, I've got my own domain name registered and coupled to my no-ip account, but my free no-ip domain name is definitely not working.

    I won't go to town (yet) on Microsoft for doing what they did as I don't know all of the details. However, their continued incompetence with regard to blocking legitimate users' domain names beggars belief and they need to pull their collective finger out and fix it.

    Also, although in a way it makes sense that Microsoft be the ones to do this "filtering", it seems odd for a non-government agency to be handed what is effectively seized assets from another company. In no other industry that I can think of would this happen.

    1. Yet Another Anonymous coward Silver badge

      Re: meh

      >it seems odd for a non-government agency to be handed what is effectively seized assets from another company.

      Why, we've given corporations entire countries in similar deals - and Microsoft is worth a lot more than a fruit or rubber company

    2. Arctic fox
      Headmaster

      @Trigun Re: "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

      ..........the technical side of this action very well I did feel that the following from the ISP's spokeswoman was more than a bit cheeky.

      "At 6am, they seemed to make a change to forward on the good traffic, but it didn’t do anything. Although they seem to be trying to take corrective measures, DNS is hard, and they don’t seem to be very good at it."

      I am sorely tempted to paraphrase her remarks in the following fashion:

      "Although No-IP claimed to be taking corrective measures to prevent their service being misused by malware bandits, secure Internet service provision is hard, and they don't seem to be very good at it."

      1. Tom 38

        Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

        You've mis-read the article - the "ISP" referred to is No-IP, she is complaining that MS are clueless when it comes to DNS.

        1. John Gamble
          Headmaster

          Re: @Trigun "meh" Whilst I entirely agree that Redmond do not seem to be handling.....

          You've mis-read the article ...

          No, they didn't. You do seem to have mis-read the comment though.

  5. Mikel

    The scale of it

    250 different -types- of botnet comprises only 25% of the malicious activity Microsoft is tracking. And one botnet of one type can consist of tens of millions of machines. How many Windows boxes are compromised? All of them?

    1. Anonymous Coward
      Anonymous Coward

      Re: The scale of it

      Yep. Several times over. Sometimes in the thousands on the same machine.

  6. barnabas1969

    What lies!

    It's 8:03pm EDT (5:03pm PDT). I still cannot access most of the services I have forwarded on my home router using the no-ip domain. Microsoft most certainly has NOT fixed the problem!

    I received an e-mail from no-ip telling me that I should setup a new host using new primary domains that they created after this fiasco began... but the no-ip.com website is not responding (presumably because so many people are trying to setup new host names).

    Microsoft claims that 93% of no-ip hosts were participating in malware. I find this to be completely unbelievable.

    I switched to a different DDNS provider, and I'm sure many other people will too. No-IP should sue Microsoft.

    1. RMycroft
      Trollface

      Re: What lies!

      What Microsoft claimed was that 93% of the malware that uses DNS uses No-IP. They forgot to mention that 100% of the malware uses Windows.

      1. Anonymous Coward
        Anonymous Coward

        Re: What lies!

        "They forgot to mention that 100% of the malware uses Windows"

        Erm no. They are blocking the C&C servers - the vast majority of which are exploited Linux based systems.

    2. Anonymous Coward
      Anonymous Coward

      Re: What lies!

      As for me, I CAN'T change the name because it's used in a VPN certificate (and VPN certificates are domain-name-specific).

  7. ben edwards

    If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

    1. Anonymous Coward
      Anonymous Coward

      > If No-IP had been pro-active instead of re-active, MS wouldn't have had to take them to court in the first place. Those guys aren't innocent in all of this, remember.

      Jesus, they are a DNS service for Christ's sake. Do we sue Yellow pages for all the criminal organisations that happen to put an entry in the book? Engage some fucking brain cells.

      1. Anonymous Coward
        Anonymous Coward

        Also the need for engaging some brain cells here...

        "Microsoft's takeover of No-IP's domains may have pissed off the DNS firm's customers, but the security industry has rallied around the move. Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators."

        Switching off the fucking internet would achieve the same. Not exactly productive though is it? Before anyone states it was just no-ip I say that's just the starting point. They have won a case now watch them march on from here.

      2. Asylum Sam

        If you had a list with proof of companies selling drugs via yellow rages, wouldn't you expect them to be more than happy to help remove the listings?

        1. localzuk Silver badge

          If you had a list of companies selling drugs, and you approached the company first you mean? Sure. If they had the list, bypassed the company and went to a judge to get this year's books confiscated before they're distributed so you can drop them in a big vat of black ink before distributing them, then no...

    2. I. Aproveofitspendingonspecificprojects

      So you see; it is OK really

      Really?

    3. RMycroft

      Do you have anything other than the word of David "Pinocchio" Finn that No-IP hasn't been pro-active?

      As I recall, No-IP was always quick to pull the plug on spammers who abused their service. I don't see why they wouldn't be consistent against malware too.

      Also, Microsoft didn't "take them to court". That would involve exchanging legal letters and finally having lawyers for No-IP present in the court room to argue their side. Microsoft did the exact opposite of taking them to court: Microsoft apparently engaged in a legal sneak-attack.

      1. localzuk Silver badge

        According to No-IP, Microsoft didn't even contact them about the problem first... So, it looks remarkably like Microsoft simply took it upon themselves to do whatever they wanted, and found a random judge that would side with them to do it.

        If I were No-IP, I'd be pursuing it through the courts, as Microsoft seem to have failed to do any pre-injunction legwork to try and remedy the issue, which is usually required in order to get such an injunction. Not to mention, does a Judge have the right to hand over the assets from one company to another without that company having any legal representation or redress?

  8. Just a geek

    A thought just crossed my mind

    If Microsoft cannot handle the DNS requests for No-ip can they not scale them out to Azure and if not, is Azure not fit for purpose?

    This little cock up should come back and bite them hard.

    1. Anonymous Coward
      Anonymous Coward

      Re: A thought just crossed my mind

      It seems rather unlikely that scalability is the issue. Microsoft's DNS infrastructure routinely handles millions of requests, and it wouldn't be hard for them to add additional hardware. Most likely they simply screwed up the config - which presumably wouldn't have been possible to test in advance...

      1. Maventi

        Re: A thought just crossed my mind

        "It seems rather unlikely that scalability is the issue. ... Most likely they simply screwed up the config..."

        That's entirely possible, but no matter which of those is true Microsoft have demonstrated a significant lack of competence and caused a lot of disruption as a result. Even if they couldn't test it in advance the time it took to sort things out shows that they were really struggling to figure this out.

        No matter how you look at it this was very poorly executed and they deserve the hit in reputation they have received.

        1. Anonymous Coward
          Anonymous Coward

          Re: A thought just crossed my mind

          Microsoft on occasion makes IBM look competent by comparison....

  9. startstuff

    I am one of those infected.

    I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news.

    I found out that all my hosts were infected by malware mainly windows 7 and internet explorer.

    Poor microsoft they can't help it they were born with a virus up their butts. It is like confiscating all GM cars because someone used an Chevrolet Impala to commit a crime, smart very smart.

    Looking forward for compensation in the form of a class action lawsuit.

    1. Alan Brown Silver badge

      Re: I am one of those infected.

      "I have a paid account with noip.com and all my hosts suddenly disappeared (home security cameras and computers, friends and clients). I didn't know what happened until I read the news."

      I suspect the words that various noip customers are looking for is "tortuious interference with contracts"

      If MS really shot first and asked questions later, they (and the judge) are going to be facing a LOT of hurt. How many people can join a class-action in the USA alone?

      As for "DNS is hard and MS isn't doing it very well", the exact same statements can be made about their webservice and email offerings, but they didn't get a judge to arbitrarily shift service provision to them without the original service provider or end users being consulted.

  10. Goat Jam

    "legitimate subdomains resolve as expected"

    So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service.

    MS need to be taken behind the shed and shot (NADT). The world would be a better place without them.

    1. Jamie Jones Silver badge

      " So, how does that work then? How does my noip client update my IP? I'm pretty sure Microshit haven't implemented the "dynamic" part of the noip service."

      They are forwarding the lookup back to the original no-ip servers, so they are sort of acting like a man-in-the-middle.

      However they've screwed up the way they've done it.. See my more detailed post below

  11. frank ly

    They lie

    I try an ftp connection, via cable internet and by mobile internet:

    "Status: Connection attempt failed with "EAI_NONAME - Neither nodename nor servname provided, or not known".

    Error: Could not connect to server"

  12. Sebastian A

    Guess Microsoft can't make an omelet

    without killing everyone's chickens.

  13. slack

    They haven't unborked anything yet from where I am sitting. Does anybody know where we can send a strongly worded email to voice our displeasure?

    "legitimate subdomains resolve as expected"

    So MS thinks that my little host serving up pics to family and stuff is somehow illegitimate? Is it because I won't let their poxy software run on it and I don't bother writing kludges into css files to work around their shitty browser?

  14. RMycroft

    This may have temporarily disrupted some botnets, but it won't last. There are many different ways to connect and control a botnet, no-ip was just an easy one. Odds are, the malware writers are already rolling out their own Patch Tuesday.

  15. Jamie Jones Silver badge
    Boffin

    This is where they've gone wrong (You'd think they'd know how DNS works....)

    They are 'honouring' updates to the users dynamic addresses, but in a horrible and incorrect way:

    The authoritative nameservers are configured as recursive for *ALL* domains (yuck)

    They have configured an override to divert forwarding requests for these affected domains to the no-ip (original) authoritative nameservers. (i.e. they've statically added NS records for the affected domains pointing to the no-ip servers)

    They therefore reply to the client with the correct IP address.

    This would be fine for a recursive nameserver, but these servers are configured as *authoritative* nameservers for these domains - and are accessed as such, but they are returning the result as non-authoritative.

    Basically, this creates the following process (Example uses the no-ip.org domain, but the same applies to the others. Some irrelevent steps skipped/simplified) :

    1) User requests the IP for some-subdomain.no-ip.org

    2) Users local nameserver (usually belonging to their ISP) checks the .org servers and is told that the 2 microsoft nameservers are responsible for this domain.

    3) Users local nameserver ask the microsoft servers for the authoritative ip address of the subdomain, only to be given an unauthoritative result, along with the message 'if you want an authoritative result, go here' which points BACK to the same microsoft nameservers.

    4) Users local nameserver replies with SERVFAIL because the nameserver that is meant to be authoritative is not returning an authoritative response.

    Whichever bozo claimed everything is working presumably just did a 'raw' nslookup, saw the response, and didn't think (or know) about authoritative/non-authoritative results.

    Or maybe MS nameservers don't handle authoritative/non-authoritative results correctly, so things 'work' if your ISP uses a microsoft nameserver product?? I don't know, just a guess...

    Anyway, MS, I think this post is worth many thousands of your MS dollars!

    By way of an example, here's a session capture using a jo-ip.org domain chosen at random:

    4:37 [2] (1) "~" jamie@lapcat% nslookup

    > server a.root-servers.net.

    Default server: a.root-servers.net.

    Address: 2001:503:ba3e::2:30#53

    Default server: a.root-servers.net.

    Address: 198.41.0.4#53

    >

    > home.no-ip.org.

    Server: a.root-servers.net.

    Address: 2001:503:ba3e::2:30#53

    Non-authoritative answer:

    *** Can't find home.no-ip.org.: No answer

    > set q=ns

    > home.no-ip.org.

    Server: a.root-servers.net.

    Address: 2001:503:ba3e::2:30#53

    Non-authoritative answer:

    *** Can't find home.no-ip.org.: No answer

    Authoritative answers can be found from:

    org nameserver = a0.org.afilias-nst.info.

    org nameserver = a2.org.afilias-nst.info.

    org nameserver = b0.org.afilias-nst.org.

    org nameserver = b2.org.afilias-nst.org.

    org nameserver = c0.org.afilias-nst.info.

    org nameserver = d0.org.afilias-nst.org.

    a0.org.afilias-nst.info internet address = 199.19.56.1

    a2.org.afilias-nst.info internet address = 199.249.112.1

    b0.org.afilias-nst.org internet address = 199.19.54.1

    b2.org.afilias-nst.org internet address = 199.249.120.1

    c0.org.afilias-nst.info internet address = 199.19.53.1

    d0.org.afilias-nst.org internet address = 199.19.57.1

    a0.org.afilias-nst.info has AAAA address 2001:500:e::1

    a2.org.afilias-nst.info has AAAA address 2001:500:40::1

    b0.org.afilias-nst.org has AAAA address 2001:500:c::1

    b2.org.afilias-nst.org has AAAA address 2001:500:48::1

    c0.org.afilias-nst.info has AAAA address 2001:500:b::1

    d0.org.afilias-nst.org has AAAA address 2001:500:f::1

    >

    > server 199.19.56.1

    Default server: 199.19.56.1

    Address: 199.19.56.1#53

    > home.no-ip.org.

    Server: 199.19.56.1

    Address: 199.19.56.1#53

    Non-authoritative answer:

    *** Can't find home.no-ip.org.: No answer

    Authoritative answers can be found from:

    no-ip.org nameserver = ns7.microsoftinternetsafety.net.

    no-ip.org nameserver = ns8.microsoftinternetsafety.net.

    > server ns7.microsoftinternetsafety.net

    Default server: ns7.microsoftinternetsafety.net

    Address: 157.56.78.73#53

    > home.no-ip.org.

    Server: ns7.microsoftinternetsafety.net

    Address: 157.56.78.73#53

    Non-authoritative answer:

    home.no-ip.org nameserver = ns7.microsoftinternetsafety.net.

    home.no-ip.org nameserver = ns8.microsoftinternetsafety.net.

    Authoritative answers can be found from:

    > set q=a

    > home.no-ip.org.

    Server: ns7.microsoftinternetsafety.net

    Address: 157.56.78.73#53

    Non-authoritative answer:

    Name: home.no-ip.org

    Address: 85.241.47.150

  16. hayzoos

    Microsoft is to dynamic or agile or responsive

    as

    Military is to intelligence

  17. herman

    Non-authoritative

    I have seen that issue many times in the past. MS uses a BSD name server, with a GUI on top. Down below, is a config file, same as in UNIX. To fix the problem you got to run Wordpad and edit the config file by hand to change the authoritative setting - the GUI cannot do it. If you use Notepad, then it will screw up the config file with carriage returns, causing the name server to barf.

    1. Anonymous Coward
      Anonymous Coward

      Re: Non-authoritative

      "MS uses a BSD name server, with a GUI on top."

      Not as far as I have ever seen. All of Microsoft's DNS Servers run Windows based DNS - which is nothing like the BSD implimentation.

      "Down below, is a config file, same as in UNIX"

      That is technically possible, but very unusual. Normally Active Directory is 'down below'.

      "edit the config file by hand to change the authoritative setting - the GUI cannot do it"

      Utter rubbish. http://technet.microsoft.com/en-us/library/cc739089(v=ws.10).aspx

    2. Jamie Jones Silver badge
      Flame

      Re: Non-authoritative

      It's always harder trying to work out exactly was has been setup incorrectly with just the results to go on... A bit like reverse engineering in a way.

      I don't have the inside knowledge that you have, but I tried to explain similar in my incoherent post above (which deserved down-voting for the formatting alone!)

      However, I'm wary about your solution - assuming their configs are pretty much 'stock', simply changing the zones to authoritative will mean the servers will not look elsewhere for the data, but will expect it to live locally. - of course, the zone data isn't local to microsoft, due to their kludgy solution (which can be made to work, but errrr. not like that)

      As you are aware, but I'll try to clarify for anyone else who maybe confused (I'm looking at you, Microsoft!), the difference between authoritative/non-authoritative is as follows: (and to the techie pedants, I'm purposefully leaving out some stuff not relevant to the situation)

      Basically, there are 2 separate functions performed by nameservers. Generally these days, nameservers are configured to do one or the other.

      However, nameserver software can perform both roles simultaneously, and in the past, they usually did, adding to some peoples confusion.

      These 2 functions are:

      1) "Lookup addresses for people" - These are the nameservers you configure in your home systems, usually the nameservers of your ISP or googleDNS or opendns. These are known as 'recursive' - they probe the various servers in the chain until they find the answer you're looking for, and then return it to you as a 'non-authoritative' - this means the nameserver you queried doesn't "own" that answer. It got it from elsewhere.

      2) "Host and supply the actual data being looked up for a zone" - These are 'authoritative' nameservers. Different domains are assigned to specific sets of authoritative nameservers. These are the servers your ISP's nameserver finally contact to get the info you require.

      For example, the authoritative nameservers for theregister.co.uk hold in a file (db/text/etc.) a record containing the address 92.52.96.89 which is returned when someone queries www.the.register.co.uk -- Change this data held on the authoritative nameservers, and the change will propagate across the whole internet.

      If you talk direct to an authoritative nameserver, and query a host in a domain it is authoritative for,it will return the *authoritative* (straight from the horses mouth) results. If it doesn't have a match for your query, you are authoritatively told 'not found'. There is no forwarding to other servers. It's own decision is final.

      Additionally, if you ask an authoritative nameserver for an address that isn't in a domain it's configured to be authoritative for, then you get a null result (except in the case I mentioned above where some authoritative nameservers are also configured as recursive nameservers...)

      ----

      How this applies to this case:

      By taking over the domains, microsofts nameservers are now considered authoritative. The internet-wide nameservers are being told this.

      Now, Microsoft needs to configure their nameserver to say 'I'm authoritative for no-ip.org - and the info for the hosts contained within that domain is held in file xxxxxxx.zzz'

      The 'gotcha' in this case is that MS doesn't have the no-ip database! Even if they did, the host address updates from users wouldn't happen unless they also took over the whole update infrastructure (which is actually done under a domain no-ip still control)

      Their solution? Even though 'the internet' considers their servers authoritative, they've specifically not set them to be - instead configuring them as recursive nameservers that lookup the results elsewhere.

      Of course, following the normal path, they'd look up the nameserver responsible and forward the request there. Of course, the nameserver they would lookup is their own, so it wouldn't work - so they've set in their config files the original no-ip servers as an override..... A bit like how some of you edit your hosts file to override an IP address, they've editted their config to override the whole domains nameserver for these domains they've stolen.

      So, their nameservers basically behave as recursive nameservers, just as your ISPs nameserver does for you. The only difference is they've been hardcoded with the original no-ip dns info instead of using what everyone else is supplied, so the requests go to the right place, and the results retrieved, and replied with... HOWEVER, ISPs nameservers expect an authoritative response. microsofts servers are configured to relay the request to no-ip and then return it as *non-authoritative* (i.e. 'here is the information you wanted... but i got it from elsewhere)

      At this point, all sane resolvers reject the data. They expected authoritative data and they damnwell better get it!

      So, if microsoft simply configure their nameservers to be authoritative as they should be, then they will no longer get the data from no-ip.

      What they NEED to do is kludge it so that internally it looksup the data as a recursive nameserver, but when it presents this info, it needs to present it as authoritative.

      I'm afraid this sort of hack is beyond simple nameserver configs, and as we see, beyond microsoft engineers, who seem not only to not understand the concept/reasons for authoritative/non-authoritative, but are willing to foist their ignorance onto millions, using a power received under dubious circumstances in the first place...

      Now...... Where's my money? :-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Non-authoritative

        NO money, I am afraid but you certainly get my upvote !

        Once again, MS engineers have proven they don't understand networking. As for the rest of it... don't go there.

        1. Jamie Jones Silver badge
          Happy

          Re: Non-authoritative

          "NO money, I am afraid but you certainly get my upvote !"

          Thanks!

          (but I prefer money! )

      2. Anonymous Coward
        Anonymous Coward

        Re: Non-authoritative

        Great explanation, thanks and upvoted!

  18. MrDamage Silver badge

    Countersuit potential.

    Now that Microsoft has set the precedent ni gaining control over items which they do not own due to security concerns, perhaps No-IP can now launch a legal battle to gain control over all Microsoft products, as it can be shown that the majority of malware and virii attack Windows systems due to Microsofts inability to write secure and stable code.

  19. James 100

    Alarming

    I'm all in favour of taking down spammers and botnets - but when Microsoft can use that as a pretext for seizing a third party's domain name, just because another third party happens to be their customer?! Something's very, very wrong there.

    Time someone put a botnet C&C on Azure, to see Microsoft's whole cloud taken offline for a few days on the same basis. After all, they don't get special treatment compared to other service providers ... right?

    1. Anonymous Coward
      Anonymous Coward

      Re: Alarming

      "Time someone put a botnet C&C on Azure, to see Microsoft's whole cloud taken offline for a few days on the same basis."

      Microsoft would shut you down well before that happened.

      1. ModFodder

        Re: Alarming

        "Microsoft would shut you down well before that happened."

        The Microsoft upon who's sloppy code a multi billion dollar security industry has grown protecting people from M$'s neglect and ineptitude?

        I suspect that you might be able to leave an elephant in the lobby and nobody would notice it provided that it was a reasonably quiet elephant.

  20. Anonymous Coward
    Anonymous Coward

    Microsoft are like the annoying brat at football...

    ... who shouts 'pass to me, to me' but then trips over the ball and then takes it home in a huff when everyone points and laughs at them

  21. chr0m4t1c

    Everything OK now, you say?

    ::checks VPN access using DDNS::

    Nope, still not working, 09.20 BST.

    I see the MS helpdesk still operates on the same principal of telling you something is fixed so that you have to go away for a bit to try it and find that it isn't.

    1. SimonB

      Re: Everything OK now, you say?

      Yup, still busted for me too.

  22. Slik Fandango
    Flame

    They got me too...

    Well I run a tiny little Mac Mini running OSX Mavericks Server... just for use by my colleagues, an agency and me. Wiki and calendar access.

    At first thought it was Virgin resetting my modem again (has happened where they cleared out my port redirects), then found I could access via IP address. Check No-IP site and GREAT - THANKS MS!

    Was running perfectly, secure and no issues.

    Apparently I can get a new host name... but I liked my old one. Going to pull a right hissy fit now!

  23. Matt Bryant Silver badge
    Pirate

    Why this will not hurt M$.

    It won't, and here's why. The majority of No-IP's customers/users were small businesses at best, mainly individuals, and criminals. Microsoft probably makes very little money from the those small businesses, probably next to none form the individuals (and going by the posts here many seem just happy to shriek at MS whatever they do), and so doesn't really care too much if they get their panties in a bunch. However, they do make an awful lot of money of from bigger businesses, and what those bigger businesses see is MS pro-actively spending money and resources to kill botnets. No amount of freetards whining is going to counter that positive PR.

    1. Dr U Mour

      Re: Why this will not hurt M$.

      Okay, Matt, I'll bite this time. Yes using your posited world view this will have little impact. However your posited world view maintains its dominance, as any other, by consent. Every episode like this diminishes that consent. Oh and stating the obviousness of how little others matter in you glorification of your dominance helps too...Thank you.

      1. Matt Bryant Silver badge

        Re: Dr U Mour Re: Why this will not hurt M$.

        ".....However your posited world view maintains its dominance, as any other, by consent...." Que? MS retains their 'dominant position' by sharp business practices tied to a massive money-making machine, backed up by a well-funded legal arm. You and I may think that stinks, that there are better alternatives to a lot of their products and services elsewhere, but a lot of paying business customers seem to think otherwise.

        ".....Every episode like this diminishes that consent...." Apart from the idea that every such episode sends warm feelings through the business types, you also have to look at the message it sends to those smaller customers that paid for the NoIP service - big service providers are better, they don't get legally mugged as easily as small ones do. And who is a big service provider? Why, that would be MS.

        ".....glorification of your dominance ....." Nothing to do with me, thanks. I've spent over a decade working Linux into data enters, the difference between me and a lot of the Penguinistas is I'm not blind to either the benefits of MS's products or the might of the MS PR/marketing machine. Despite what a lot of the haters want to think, MS does employ a lot of very smart people.

        1. Jamie Jones Silver badge

          Re: Dr U Mour Why this will not hurt M$.

          Noooooo! I've just upvoted Matt again! :-)

          I fear he's right though - MS will bask in the glory of being seen to be policing the internet - however misguided this may seem to us lot.

          And yeah, mega-corp won't give a crap about any outage that doesn't affect them

  24. Anonymous Coward
    Anonymous Coward

    Weird Microsoft logic: kill the messenger

    So instead of issuing patches for the malware, they just prefer to own a few domains? Absurd logic, and one that some day could see a judge allowing someone to grab Azure domains because someone is running a C&C botnet on them? Ah well, if they are using XP there are no patches any more...

    1. Anonymous Coward
      Anonymous Coward

      Re: Weird Microsoft logic: kill the messenger

      "So instead of issuing patches for the malware"

      How are Microsoft going to patch hacked Linux servers on which most of the targetted C&C servers reside?

      1. Anonymous Coward
        Anonymous Coward

        Re: Weird Microsoft logic: kill the messenger

        "How are Microsoft going to patch hacked Linux servers on which most of the targetted C&C servers reside?"

        Did you read the article at all? Do you understand how DNS works? Do you understand how a botnet works? Do you understand that your comment reveals that you don't?

        1. Anonymous Coward
          Anonymous Coward

          Re: Weird Microsoft logic: kill the messenger

          "Did you read the article at all? Do you understand how DNS works? Do you understand how a botnet works? Do you understand that your comment reveals that you don't?"

          Clearly you didn't read it: "Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators."

          The vast majority of this type of C&C infrastructure is indeed on hacked / exploited Linux based systems.

          1. Anonymous Coward
            Anonymous Coward

            Re: Weird Microsoft logic: kill the messenger

            "Kaspersky Lab expert Costin Raiu said the power grab has crippled command-and-control systems for many malware operators."

            Your show an epic degree of confusion. No-ip and similar services are used by these crooks for the same function everyone uses DNS: so that they can avoid hard coding raw IP addresses of the C&C server and use a set of names instead. That way if your C&C machine is seized you can simply change the DNS records at no-ip.org and bring up another one somewhere else.

            What Microsoft has done is obtained the power to modify the resolution of these names. So if your bot is trying to contact "ownedmachinemaster.no-ip.org" to get commands, it ends up resolving on an IP address belonging to Microsoft's safety infrastructure.

            "The vast majority of this type of C&C infrastructure is indeed on hacked / exploited Linux based systems."

            You're again confusing things. The C&C master is a computer using an IRC server as a transport for its communication with the bots. But you don't need to hack anything do to that. They use Linux because the people doing these kind of things usually don't like to have conversations about their Windows licensing status with their hosting service providers or with Microsoft. But "hacked"? Not in any way, it is not necessary to hack anything.

            Being able to use an IRC client on a Linux machine to control a botnet and saying that the machine is "hacked" is the same level of "hacked" as if someone tells you a password for a Facebook acccount and you use it to log in from a Windows machine. Does not mean the Windows machine you use is "hacked" in any way.

            Now I can only hope that you are not a "security consultant" I'm not and I can grasp the basics of all this.

  25. b166er

    Until yesterday we were using the admittedly, free, No-IP service for redirecting to our webcam. We probably would never have become a paying customer, so it's probably no great loss that I added an A record at our domain for the (now) static IP hosting the webcam and we no longer need the No-IP account.

    To some small degree, that has affected No-IP's business (though god knows how if we weren't paying them a bean) and it must have had worse repercussions elsewhere with paying customers.

    I hope Microsoft's apology includes some kind of financial compensation.

    Perhaps Microsoft could set up and police their own DDNS service.

    1. Anonymous Coward
      Anonymous Coward

      Perhaps Microsoft could set up and police their own DDNS service.

      oh, no, please, don't give them ideas. I don't want to end up having to own a Windows license to update a DNS record. Or having a live.com account. Or any of the multiple bad ideas they can come up to strengthen the Windows franchise.

  26. Anonymous Coward
    Anonymous Coward

    Just a thought

    Since we actually get our DNS resolution from our broadband provider would complaining to them about the loss of DNS service be worthwhile? In a retail situation the problem is between the customer & the retailer, might that be the case here?

    BTW my webcam is still not accessible & I've notified M$ I'll be charging them 50p a day plus interest. They haven't objected so obviously they accept the charge.

  27. damian fell

    I think MS have just shot no-ip in the back of the head.

    Last night after a few hours frantic troubleshooting and cursing, I moved all my Dynamic DNS services to another provider (I even had to drive across the county to reconfigure one device whose IP address I didn't have due to no-ip's web servers being down last night).

    I suspect I'm not the only one who will be jumping ship after the service disruption, if enough people (paid and free users) do something similar then no-ip's business model will be shot.

  28. Stephen 2

    Have I understood this correctly?

    Some abusive people were using the no-ip service to do nefarious things. Microsoft went to a judge and somehow got control of the no-ip domains and took control? So a judge took something belonging to one private company and gave it to another. wtf?

    I could maybe understand, if MS could show no-ip were aware and ignoring the issue, that the judge may have the domains temporarily disabled, but to give control to MS??

    1. Anonymous Coward
      Anonymous Coward

      Re: Have I understood this correctly?

      At first glance, it would seem neither MS nor the judge thought this through very well.

      Although NO-IPs DNS database were neither physical property or assets (in the strictest sense), unless some kind of injunction or forfeiture act was handed down by a court, I would say MS is sailing in some very murky legal waters. More details and information needed. Even if the takedown was caused by incompetence, at the very least there is a case for negligence.

      Hopefully NO-ip will get some decent representation and press a case. Denial of service, misuse or misappropriation of computer assets, etc. were all pretty serious offenses, the last time I looked.

      I suppose a parallel would be a neighbor's stereo is playing too loud and causing a nuisance. The cops come and seize everybody's stereo in the building, "just in case". It gets rid of the noise, but also cuts off a lot of people's access to music.

      Another poster mentioned (can't remember if it was here, probably not) that in North Korea, the security forces have been known to shut the power off in an entire building before doing physical searches, just to check out what DVDs are locked inside people's players.

      1. Charles 9

        Re: Have I understood this correctly?

        "Another poster mentioned (can't remember if it was here, probably not) that in North Korea, the security forces have been known to shut the power off in an entire building before doing physical searches, just to check out what DVDs are locked inside people's players."

        Did they remember to outlaw the use of top-loading players which can still be opened with the lights out? Or front-loaders with the paper-clip manual opening hole?

  29. Steve 13

    Not fixed

    It's most definitely not fixed, I still can't access my no-ip address.

    1. Steve 13

      Re: Not fixed - Intermittent

      Well, a few refreshes later and I do have access, but nslookup can't resolve the address from the command line.

      So it appears to be intermittently resolving now!

  30. Anonymous Coward
    Anonymous Coward

    Don't blame MS - blame the court

    I don't think you can really blame MS for trying to grab control of something that was negatively impacting them and their customers. The court decided to grant MS control so really responsibility lies there - the more relevant question would be if an SLA was put in place by the court for MS to be bound to so that service is ensured.

    Although I really don't like MS, I hate malware and botnets more.

  31. SliMat

    WTF

    Microsoft have just demonstrated that they actually dont know evrything about everything.

    This fiasco is like coming out in the morning getting in your BMW and finding it wont start, then learning that Esso had noticed that some criminals are using BMWs for their activity - so Esso had removed all the fuel from your car overnight, without telling you, to stop the activity happening - the upshot is that a lot of legitimate businesses have been crippled too!!!!

    David Finn has the front to say that they are sorry for the inconvenience to legitimate No-IP clients, of which I am a paying one, rather tahn a freebie one, and that they have resolved the issues and everything is OK. What f'ing planet is this guy on? He should check the facts before making such a stupid statement...

    The first I knew of this was when my FTP server didnt get any datafeeds from suppliers which impacts my business - also my emails stopped working. I couldnt RDP onto my remote Exchange server to see what was going on... it was only when I realised that 3 servers couldnt have all simultaneuosly failed that I started looking at DNS and then saw what David Finn had done to me.

    So two days later, contrary to MS's spokes person insisting all is dandy, I still have no routing via No-IP services.

    So I have had to set up new DNS forwarding, using a new company, notify 22 suppliers that they need to update my stock feed FTP address, reset MX records for mail and wait 24 hours for the whole thing to propogate.

    In short with time and expense this has probably cost me £500 - not a great deal, but multiply this by 4 million - the cost of this cock up could be millions and millions of pounds globally. Whats the address for us all to join a global law suit for compensation?

    At this moment mine is still not working and I have had to write to No-IP asking for a refund as I cant see an end to this and have had to move away from them and switching back will mean another 24-48 hours of downtime.

    I feel really sorry for the guys at No-IP as I have used them for over 7 years and they have always been great - but I reckon bully boy tactics from MS might be the end of them :(

    1. Anonymous Coward
      Anonymous Coward

      Re: WTF

      Hmmm...... all of this discussion caused some disturbing parallels to come a creepin', so I decided to look further and found this:

      http://www.tomsguide.com/us/microsoft-no-ip-malware-hunt,news-19087.html

      where I read this:

      "Microsoft filed a complaint June 19 against two men it believed responsible for the malware: a Kuwaiti named Naser Al Mutairi and an Algerian named Mohamed Benabdellah."

      Since these guys are obviously terrorists, everything will be OK. Just carry on... sorry about your lolcats... we'll fix it soon.

      AC for the obvious reasons.....

    2. TheTor

      Re: WTF

      To save yourself a bit of hassle in future should something similar happen again, and do the following:

      Register your own domain (or use one you already have), and create a sub-domain that is a CNAME to your no-ip/dyndns etc domain. Set the TTL to an hour. That sub-domain is what you give out to your suppliers.

      Next time the service goes tits up, simply register with another dynamic DNS provider, update your sub-domain, and within an hour service is restored.

      1. SliMat

        Re: WTF

        "Register your own domain (or use one you already have), and create a sub-domain that is a CNAME to your no-ip/dyndns etc domain. Set the TTL to an hour. That sub-domain is what you give out to your suppliers."

        Thanks - I already have several domain names and funnily enought just yesterday created CNAME records for ftp. mail. etc for just that reason ;-)

        Good advice for anyone else caught out.

        Thanks

  32. Harris-ment and bullying by microsoft

    Action against microsoft?

    Can we please have a list of the executive directors email addresses so that I can contact them and demand that my selected domain name (which is a word I made up so that it's unique on the net) be removed from their sh1te filter?

    As I (as well as others) have been "selected" by microsoft as being part of a spam problem - without evidence - I feel that we have justification to sue microsoft for slandering my (our) names by taking this form of action. Personally, I use the domain name to monitor my house cameras and those of my parents when away on holiday. Having microsoft block this has caused both myself and my elderly parents much stress.

    Maybe a group legal proceeding by all us affected?

  33. Uncle Ron

    Clean Hands?

    It appears as though "No-IP" (which I never heard of until this came up) is the sort of company that turns it's head on what it's customers are doing in order to make money. If true, I'd like to see -all- it's "legitimate" users of "No-IP" turn their heads to some other provider. If I -know- a gun buyer is going to use his purchase to commit a crime, then the responsible thing for me to do is -not- sell him the gun, right?

    From what I read, "No-IP" -knew- some of it's customers were using it's data-center to store and forward malware and for command and control of criminal botnets. To the tune of TWENTY-FIVE PERCENT of world-wide traffic! They -knew- it.

    I read somewhere that 24% of world-wide internet traffic is criminal activity. ISP's and other service providers who turn a blind-eye on this activity for their own gain should be hung out to dry--or worse.

    Huh?

    1. Gonzo_the_Geek

      Re: Clean Hands?

      Go back to sleep Uncle Ron and let the adults talk.

      If you've never heard of them before, I think you're unable to make any kind of reasoned judgement on the company and it's business practices based solely on some news stories with less than the entire facts in them.

      Microsoft screwed up by flailing the ban hammer around without concern for how it would affect innocent customers, and then lied/bungled the response to an extent which makes them look incompetent at best, and downright malicious at worst.

    2. Anonymous Coward
      Anonymous Coward

      Re: Clean Hands?

      Hmmm...... all of this discussion caused some disturbing parallels to come a creepin', so I decided to look further and found this:

      http://www.tomsguide.com/us/microsoft-no-ip-malware-hunt,news-19087.html

      where I read this:

      "Microsoft filed a complaint June 19 against two men it believed responsible for the malware: a Kuwaiti named Naser Al Mutairi and an Algerian named Mohamed Benabdellah."

      As soon as I read the names I immediately stopped worrying. Everything will be OK. We must carry on... dreadfully sorry about your lolcats and we will fix this soon.

    3. gnarlymarley

      Re: Clean Hands?

      Uncle Ron, everyone knows that the winner of every battle rewrites history. It appears that Microsoft with its big bucks has already tried to rewrite it. No-Ip.com is actually more strict on their policies then Microsoft would want you to believe.

      Oh, and the gun buyer knows that if you know that he is going to use it for a crime and maybe not get the gun, HE is not going to tell you. This means that you did not stop the crime, but were not an accessory.

      As for the domains, I hear some of these botnets might be using some sort of distributed communication, so now, the terrorists could just change to a new domain with seconds. Once the terrorists move on, it is pointless to hold the domains hostage unless you think they are going to move back.

  34. Anonymous Coward
    Anonymous Coward

    Was this necessary?

    I mean, why run to a (clueless?) judge asking for a restraining order instead of approaching No-IP in the first place. That way, they could not only have squashed the current botnets, but prevented the problem from re-occurring in the future. It's probably cheaper to provide No-IP with the required knowledge and resources than to take charge yourself anyway (except by the looks of it they didn't take charge, they just essentially shut the thing down through Microsoftian carelessness and incompetence).

    I would be all for a Kickstarter fund to sue the fuckers.

    1. Anonymous Coward
      Anonymous Coward

      Re: Was this necessary?

      "I would be all for a Kickstarter fund to sue the fuckers."

      Me too - I am still down and have no idea when services will come back... let me know the email addresses of the executives at M$ and I'll gladly bombard them with requests when my domains will be back.

      Why the hell do they think my RDP link to my house is a global threat?

      W**kers!!

    2. gnarlymarley

      Re: Was this necessary?

      Microsoft ran to a clueless judge because they VitalWerks was one of the terrorists. Therefore per the judges paperwork, VitalWerks had no prior knowledge of the seizure.

    3. Alan Brown Silver badge

      Re: Was this necessary?

      "I mean, why run to a (clueless?) judge "

      Because a clueless judge will do anything he's asked to do.

      One would hope that the levels of sanctions applied to this level of stupidity is enough to persuade judges in these kinds of cases to take their jurisprudence requirements seriously.

  35. John Brown (no body) Silver badge
    WTF?

    a Nevada judge

    No judges in Redmond, WA any more then? Where did they all go?

    1. Charles 9

      Re: a Nevada judge

      A judgment in Redmond would not affect the operations of No-IP, which is based in Nevada.

  36. greenwoodma

    I don't care what MS says it still isn't working for me. Strangely this morning it was working fine, it only went off sometime after lunch, and yes I've checked that it isn't my end

  37. Martin Yirrell

    Of course we could all start to ask questions on M$ tech advice site

  38. FatPenguin
    Windows

    Interesting...

    My no-ip.biz domain is now resolving again.

    There are no Microsoft DNS in the way any more (according to "dig +trace"). I am no DNS expert (I'm not even "competent" - so there'll be a job at Microsoft for me somewhere then) but earlier today it was hitting the Microsoft DNS then immediately being bounced back "up" the chain and dig gave up because "loop".

    So, have Microsoft realised they have dropped a big one here and handed the domains back to noip?

    Will be interested to see what's going on now. As with most things in life, I tend to favour the view that it's "cockup" rather than "conspiracy". Microsoft have clearly shown that they couldn't "conspire" to run a DNS service in a month of Sundays.

    Icon for my suggested "next job" for all Microsoft execs involved in this utter pile of arse of an attempt to "do something". Wankers. The lot of 'em.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Interesting...

      "So, have Microsoft realised they have dropped a big one here and handed the domains back to noip?"

      That appears to be the case - we're following this story up.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Interesting...

        I'm still not seeing my cameras, even after forcing an update.

        1. gnarlymarley

          Re: Interesting...

          microsoft in their stupidity used an unusually high TTL of 48 hours when they did their junk. My TTL still has 23 hours left until it drop out of the dns servers around the world, You can check your remaining TTL by the following command, if you have dig.

          dig any +norecurse mydomain.no-ip.com

          I am sure you can do it with nslookup, but not sure how at this time.

    2. Bill Cumming
      Trollface

      Re: Interesting...

      Quote:

      "I am no DNS expert (I'm not even "competent" - so there'll be a job at Microsoft for me somewhere then)"

      Nope no job for my laddie!!

      You can Spell DNS, that makes you too overqualified for the job...

  39. Martin Yirrell

    It's working!

    It's working at last! Anyone know what's happened?

  40. ModFodder

    *I think it may be time to speak with an attorney

    So... anyone else seeing anything actually fixed?

    Perhaps my 1990s text MUD looks like malware to them, because the packets are all clear text and easily human readable.

    If the only accounts that are supposed to be nerfed right now are criminal accounts then Microsoft is basically calling me a criminal.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like