Takedown of No-IP by Microsoft impacts 1.8M customers

Microsoft's actions have had far-reaching repercussions, including service disruptions in the medical space


Note: This is an update to the original story, which can be seen here.

New details have emerged in the aftermath of Microsoft's actions against Vitalwerks - the company that operates No-IP (noip.com). At current count, 1,832,133 customers were impacted by Microsoft's takedown of No-IP, which directly translates to more than 4 million hostnames.

Redmond's actions are related to a court order that granted them control over 23 domains used by No-IP to offer dynamic DNS services, in order to redirect traffic on them and stop the NJrat and Jenxcus botnets.

The criminals responsible for those malware families were using No-IP as a means to ensure that infected hosts could always reach the Internet.

The aim was to sinkhole 18,472 domains using No-IP's DNS services. However, while Microsoft said that only malicious traffic would be blocked, legitimate traffic was blocked as well – leaving millions of innocent users caught in the crossfire.

On Tuesday, Microsoft said that the service outage was due to a "technical error" and said that service had been restored. However, No-IP customers dispute those claims, many of them reaching out to Salted Hash in order to vent their frustrations.

"Of course the problem caused by Microsoft has not yet been resolved, disrupting a service millions of legitimate users like me depend on. [Microsoft] might have had good intentions (of course I am in support of malware C&C servers control), but the implementation of [their] actions has been amateur," one reader vented via email.

Our reader isn't the only one impacted by the incident.

In a statement to Salted Hash, Natalie Goguen, marketing manager for No-IP, said the company has received many calls from customers who use No-IP's dynamic DNS services to monitor cameras for elderly relatives, small children and even pets. In each case, access to those functions has been restricted by Microsoft's actions.

"Let me clarify that this did not only impact free users, there are many, many paid users of No-IP that still use hostnames on our free domains. We have even had a customer from a medical dispatch company go down because of this. Over the past two days they have not been able to dispatch medics to elderly patients and it is very troubling to them," Goguen added.

By Wednesday morning, service was still unavailable to many No-IP customers using one of the 23 domains controlled by Microsoft.

When asked if the company had lost customers over this incident, Goguen said that a majority of the support tickets the staff of 14 have had to contend with were positive and understanding.

"At this moment it is hard to say how many customers will decide to or have already decided to leave because of this unfortunate incident. A large majority of the phone calls, support tickets, comments and tweets online have been very PRO No-IP and anti-Microsoft," she said.

"Our users understand the industry and that this was completely out of our hands. They also understand that we are doing everything we can to resolve this, while fighting for them and our Internet freedom."

In court, Microsoft cited various research reports, from OpenDNS, Cisco, FireEye, General Dynamics, and Symantec, each one noting that No-IP is essentially a haven for criminals when it comes to malware.

"Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains," Richard Domingues Boscovich, Assistant General Counsel for Microsoft Digital Crimes Unit, wrote recently, explaining the takedown action.

No-IP says that prior to Microsoft's legal maneuvers, the only contact the company had with them was via the piracy department. In those instances, Microsoft's complaints were addressed within 24 hours.

"We did not receive any requests from Microsoft for any of the named hostnames in the court order," Goguen said.

In the security community, experts are concerned about Microsoft's seemingly heavy-handed approach.

In comments made to Forbes, Andreas Lindh, a security analyst at I Secure Sweden AB, worried about Microsoft's role as arbiter when it comes to security.

"It's a crazy world where one corporation can decide that another one isn't doing its job good enough and then simply get legal backing for taking the services of that company down," Lindh said.

"If not being 'good enough' at security on some ad-hoc scale is enough for being taken down, lots of people should have been shut down a long time ago, including Microsoft back in the day."

The case has raised plenty of questions, some of them neatly summed up by Mike Masnick at Techdirt.

He notes that Microsoft was able to paint a picture that allowed a court to view No-IP as liable for the actions of its users, and did so in ex-parte proceedings – denying No-IP a chance to present their side of the story.

"This flies in the face of a variety of laws and caselaw on secondary liability, which protect the service provider from being held liable for abusive behavior by its users. Yet here, not only did the court ignore all of that, it simply flat out handed over to Microsoft a whole bunch of No-IP's domains (which, clearly, Microsoft was unable to handle), bringing down a big chunk of the web that relied on No-IP's dynamic DNS services.

"This seems like a tremendously dangerous move for the internet in a variety of ways. Microsoft needs to take some of the blame. Even if its goal was to stop malware proliferation, there are better ways to do that than to falsely blame No-IP, and to misleadingly represent the service to the court, allowing the domains to be seized and rerouted."

And yet, Microsoft's takedown of No-IP has had some positive effects, though it's unlikely they were expected.

According to Kaspersky, the No-IP outage has had an impact on APT operations and lawful intercept applications, such as those offered by Hacking Team. A full list of APT campaigns impacted by Microsoft's takedown can be seen here.

No-IP customers impacted by this outage are being encouraged to use a hostname that isn't controlled by Microsoft; a list of them has been provided on the company's blog.
