Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft No-IP Takedown - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft No-IP Takedown

Microsoft obtained a court order allowing it to take over various domains owned by free dynamic DNS provider "No-IP" [1]. According to a statement from Microsoft, this was done to disrupt several botnets [2] . However, No-IP is crying foul, stating that Microsoft never contacted them to have the malicious domains blocked. Further, Microsoft is apparently not able to properly filter and support all queries for these seized domains, causing widespread disruption among legit no-ip customers. According to the court order, Microsoft is able to take over DNS for the affected domains, but because the legit domains far outnumber the malicious domains, Microsoft is only allowed to block requests for malicious domains.

Microsoft apparently overestimated the abilities of it's Azure cloud service to deal with these requests.

In the past, various networks blocked dynamic IP providers, and dynamic IP services have been abused by criminals for about as long as they exist. However, No-IP had an abuse handling system in place and took down malicious domains in the past. The real question is if No-IP's abuse handling worked "as advertised" or if No-IP ignored take down requests. I have yet to find the details to that in the law suit (it is pretty long...) and I am not sure what measure Microsoft used to proof that No-IP was negligent.

For example, a similar justification may be used to filter services like Amazon's (or Microsoft's?) cloud services which are often used to serve malware [4][5]. It should make users relying on these services think twice about the business continuity implications of legal actions against other customers of the same cloud service. There is also no clear established SLA for abuse handling, or what level of criminal activity constitutes abuse.


Johannes B. Ullrich, Ph.D.

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4473 Posts
ISC Handler
Jul 1st 2014
Kaspersky seem to think this has been effective:

10 Posts
I have been a loyal customer of NO-IP since 2003, and have used a variety of their service. I have NEVER had any issues with them, and their support is the best in the business (IMHO). I stand by them and believe them over Micro$oft any day!!

Their Formal Statement is from their site:

2 Posts
If you've ever tried to work thru one of these company's processes to address a fraudulent domain or hosted service, you might appreciate Microsoft's actions. While they are convenient, not sure they are entirely professional and often just protect the bad guys that are paying for their generic services.

135 Posts
Quoting Dean:If you've ever tried to work thru one of these company's processes to address a fraudulent domain or hosted service, you might appreciate Microsoft's actions.

Sorry, but I have to call BS on that. Microsoft takes weeks to follow through with Azure abuse complaints.
Considering they've disrupted dynamic DNS services Both Free and Paid-subscribers of NO-IP alike, for millions of legitimate users,
the claims within their order are rather infuriating.

"III. The Balance Of Hardships Tips Sharply In Microsoft’s Favor ....Cutting communications to No-IP sub-domains confirmed to be enabling
malware will prevent Malware Defendants from sending instructions or additional malware modules
to infected personal computers during that time and will preserve the evidence of the malwares’
operations and illegal activities. Defendant Vitalwerks will suffer no harm if a TRO and preliminary
injunction are issued because Defendant derives no known income form the operation of its free
Dynamic DNS service
If there is any legitimate activity carried out on the No-IP sub-domains, it will be allowed to proceed under the terms of the proposed order with no disruption.
Similarly, there will be only negligible impact on the third-party domain registries that will
need to implement part of the proposed order."

146 Posts
Doesn't it sound horribly Orwellian that Microsoft can present itself as an authority on Internet security, especially when the IT solutions being used (by NO-IP) are not at all related ? And what about the fact that a judge is willing to give them the credit ?

The only justification I see is that Windows machines are being compromised.

Still trying to find similarly disturbing analogy; vehicule or arms industry comes to mind right now...

14 Posts
There are several other domains that are run by that can be added for free. Someone using the website can create a new entry and select the domain and paste the IP that was previously functioning under as the address. That should restore operation and not be at risk for being taken over because the domains are 'new' according to no-ip support.

19 Posts
I don't understand why the court is giving Microsoft policing powers.
This is clearly a case that should have been handled by the FBI, and not the Microsoft Police.
Guess the court was fooled by Microsoft. The next thing we will see is, that that Kalashnikov wants to take over the factories of Colt, as their guns has been used to kill Americans. Then deliver only to the Military, and sell the rest to war mongers abroad.
Povl H.

79 Posts
Lots of people complaining about the evil Microsoft. But I haven't read anyone's opinion that offers a solution. Whether this action by Microsoft is fair or not, it has disruptive 25% of APT actors that were monitored by Kaspersky. I see that as a positive. If you disagree, what would you propose? Leave the malware in place because it's "fair" to the legit users of no-ip? Send an email to the "bad guys" and ask them to stop be naughty? File papers with the Russian, Chinese, Romanian etc. Courts? I'm just curious what alternatives you are proposing in this game?
Povl H.
2 Posts
Quoting Anonymous:Whether this action by Microsoft is fair or not, it has disruptive 25% of APT actors that were monitored by Kaspersky. I see that as a positive. If you disagree, what would you propose? Leave the malware in place because it's "fair" to the legit users of no-ip?

I propose banning the internet, and requiring that every single computer be powered off.

This will be much more effective at stopping APT than disrupting one internet service, as it will disconnect nearly 100% of the bad actors.

146 Posts
Not true...
If there is no Internet, the "bad actors" will just move to other opportunistic crimes. Will we still blame Microsoft (because it's popular to do so)?
2 Posts
One alternative might have been to get some sort of dialogue going with the admin folks at no-ip - some way to more efficiently deal with the issue than sending an email to their abuse desk which may or may not be addressed in a timely fashion. I've no idea if this was tried and failed (or not) or how responsive the abuse desk at no-ip is or not. I, for one, haven't even bothered to try. After the jillionth piece of malware/phish referring to a no-ip domain I got fed up with them and just dropped an RPZ rule in our server to block any of their sub-domains and then whitelisted the one legit no-ip domain I found one of my users querying for.

The problem with dealing with abuse desks is the lag. Assuming the email to the abuse desk doesn't just hit the bit-bucket as seems so often to be the case with most providers these days (ever try to report abuse to yahoo?) by the time they see and respond to the abuse report, it's too late - the damage is done - thousands of users have seen the phish and clicked on the link and turned over their computer to the bot-farmer.

One would hope that someone like no-ip would be willing to work directly with (at least some of the larger) players in the anti-botnet world so that they had a faster way of getting malicious domains term'd. I've heard providers gripe more 'n once about "why won't people report abuse to us before RBL'ing our IPs or blocking or domains" but the answer to that is simple - 99% of the abuse reports sent to most providers wind up in the trash and I suspect most admins have given up reporting abuse as a waste of time. I *try* to send abuse reports but most of the time I get an email back saying "we don't accept emailed abuse reports, jump through our 20 hoops to report it", or I get an auto-response followed 3 or 4 days later by an email saying "we don't have enough evidence to ...."

Which is why I rarely send abuse reports. And when I do it isn't "please enforce your AUP", my abuse reports are more along the lines of "I've blocked your <whatever> subnets. Sorry. Let me know if you do anything about it and I'll consider unblocking them". But in the case of dyn dns providers? It's like spammers setting up throw-away gmail/yahoo/hotmail accounts. It never ends. Reporting the abuse accomplishes precisely zero from my end because in the week it takes the provider to do anything, the damage is already done.

133 Posts
What if Microsoft spent this money on getting rid of all the shady activity on their own hosted networks instead?
And for the people that say this was an effective takedown because it reduced spam sites by xx% do think a step further.
If it took down that many spam sites how many legitimate services where affected?
I'm paying for no-ip's premium service and yet my domains no longer resolve!
And it's domains which have never been used for any illicit activity incase you wanna know!
I could reduce spam much more effectively, shut down the whole Azure & Amazon web hosting services instead!
Maybe I should file a complaint with my local Swedish court claiming rights to Azure because Microsoft have disrupted my services
(I'm sure I can find something in my firewall logs if I spend two seconds looking)

Then when I have taken over their whole DNS service it's not my fault that the raspberry pi I use for hosting their DNS is not able to handle the requests.
But I will have shut down maybe another 25% of spam sites.
Why does everything Microsoft touches lately turn to poo?
10 Posts
Quoting Anonymous:Why does everything Microsoft touches lately turn to poo?

Ummm, because it's easier for Microsoft to convince people to give 'em control of someone's domains ("Back off, man, we're Microsoft!") than to teach users they're not going to win the google millions give-away or get millions from their new friend in Nigeria if they just click on some link in some email or on some facebook page. "You can't patch stupid." (tm)

133 Posts
When I first started testing use of my own domain, I of course experimented with a free domain, which happened to be NO-IP.INFO. I stayed with NO-IP.INFO. While I always have concerns that my Internet connection will go down, or my ISP will start blocking port 25, it never occurred to me that a holier-than-thou company like Microsoft with the help of the Federal government could bring down the structure I took years to develop.

I have been a paying NO-IP customer (using their Enhanced DNS service), with 100's of legitimate references to my NO-IP.INFO subdomain. I daily receive important business and personal e-mail. I noticed by Monday 6/30/2014 evening that something was amiss. I ran tests. I spent large amounts of time convincing myself it must be my ISP -- they've started blocking port 25. While I was on hold with ISP Tech Support, I was browsing for information. I found NO-IP's "response blog." This is how I found out what was happening to my Internet presence, which just disappeared. Of course NO-IP couldn't tell me anything even if they were allowed to and wanted to: my e-mail address no longer worked.

I cannot tell you how much anxiety I've had over this mess. Not knowing who to contact (NO-IP was obviously no help), for ALMOST TWO DAYS I did nothing but deal with this in ways I thought was best. I shifted some 30 e-mail addresses (with more than 100 left to go, not to mention all the e-mail addresses people have saved in their Contacts) to a different NO-IP subdomain -- this time a NON-"free" subdomain.

I also grabbed a .COM and have it pointing (* CNAME) to my NO-IP dynamic address. Because I had never owned a .COM before, I went to the only name I could remember. (Since I don't know if I can mention the company's name in a negative light, I will just say it is not StopMommy.) I have received a good number of SPAM e-mail messages from companies wanting to sell me web-site setups, etc. Each of these senders are blocked by my e-mail server now. Wrestling with this (and the minor .COM expense) -- they never would've happened had it not been for Microsoft's (in my opinion -- bungled) takeover.

How long has it been since you changed an e-mail address? Wow! Each company is different. Some simply let you change it, with probably having to enter a password. Target's REDcard made me enter three "secret" pieces of information. (They're understandably paranoid.) Some send confirmation e-mails to the OLD address, which is offline due to the Microsoft-government action. Some send e-mails to the new address where you have to take a confirmation link. Some are just plain confusing. Most e-mails to NO-IP.INFO were ultimately delivered -- late of course. On one site (my newspaper) I spent a half-hour. It turns out that it takes time for its left hand to know what its right hand is doing, so testing whether my change "took" was a waste of time. But I didn't KNOW it would take time to filter to other functions inside the newspaper. Some sites say your e-mail address has changed, and the MAIN display of the web site still has your old e-mail address (even after refreshing). If I've learned one thing it is: WAIT for each site's right hand to catch up with its left hand. Trying to test if your change "took" can turn out to be a profitless waste of your time. Give it a day.

My level of anxiety has finally returned to a relatively restful state. I have many NO-IP.INFO e-mail addresses out there. I have some 30 with the new NO-IP subdomain. And I even have a few .COM because some sites changed their "parsing" and reject my new NO-IP e-mail address. One site (a bank) now only accepts X AT Y . COM format. Basically the order and consistency of my Internet presence is gone. My e-mail client -- "rules" that guided e-mails to appropriate folders -- they have to be tweaked or recreated for the new e-mail addresses.

I have been severely inconvenienced. The profitless hours I spent on this are irrecoverable. I'm no lawyer, but I'll be watching for a class-action lawsuit. If there is one, I will be in it. For a long time I have felt Microsoft is staffed with megalomaniacs in important, power-wielding positions. This Microsoft-government juggernaut was a perfect example. They should not be able to do this type of thing with impunity. As far as I can tell, Microsoft said the good guys would not be affected, and the government bought it. Minimally the next time Microsoft tries something like this, the government should make them PROVE they will do the right thing and ONLY the right thing.

FWIW, I did send Microsoft an e-mail Wednesday 7/2/2014 morning. I found three (3) abuse addresses for them potentially having to do with this (abuse AT, msndcc AT, IOC AT I don't know if that helped get my subdomain back EARLIER than others, but I do know I was back online when NO-IP was still saying its domains were being blocked. So maybe someone at Microsoft saw my e-mail and took a risk allowing my subdomain through. This is the only good thing I can see from this. Oh yeah, some bad guys will have to move their operation elsewhere, slowing them down a little bit. They're probably set up to do that. I wasn't set up to move more than 100 e-mail addresses with 100 companies!

If I had a nickel for every minute of my life that I'VE WASTED because of MICROSOFT I'd be a millionaire.

8 Posts
The domains have now been returned to No-IP's control:

31 Posts
A quick follow-up. (I don't know why I am listed as anonymous.) Today I received in the USPS Mail a printed copy of a credit-card statement as well as a cover letter. CHASE noted that the e-mail it tried to send to me ("my statement is ready to view online") was returned. It also said if it happens next month, it will de-enroll me from Paperless Statements. It's not just NO-IP customers being inconvenienced and actually paying for Microsoft's miscalculations. Kudos to CHASE for detecting and reacting reasonably to my plight.

I also read the EFF item from today's NewsBites. One thing it didn't mention (or I missed it): IF I KNEW I'd have my domain back in TWO DAYS, I probably would've just waited it out. But I did not know. And I didn't know what to do or whom to contact. So I did what I thought was best, and I am still recovering from that...I now have a mixture of old domains, new domains, and some .COM e-mail addresses.

8 Posts

Sign Up for Free or Log In to start participating in the conversation!