updated 11:05 am EDT, Tue July 1, 2014
No-ip.com domains seized ostensibly to prevent malware spread
[Updated with more testing]
Early Monday morning, Microsoft announced that it had seized, by court order, 23 domains used by the dynamic DNS company no-ip.com. Citing a preponderance of malware hosts using these domains, the company then routed all "known bad traffic" through Microsoft filters in order to classify the identified threats. The move was not without innocent victims, however: users of the affected domains, including paying customers running legitimate VPN services and one MacNN employee, were this morning unable to connect through the redirected domains, at least in part.
Home connections are often assigned dynamic IP addresses by their Internet provider. These addresses change at some interval, with some ISPs rotating them as often as once per hour. Rotation lets an ISP get by with a smaller pool of addresses than it has customers, rather than buying one address per customer, which saves the company money. The side effect is that a home user cannot reliably run a server or a VPN endpoint, because the address that remote clients need to reach keeps changing. Dynamic DNS services like No-IP solve this by keeping a fixed hostname pointed at whatever address the connection currently has, which is why seizing the service's domains knocked those users' servers and VPNs off the air.
Microsoft claims in a blog post trumpeting the seizure that "No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months."
No-IP is aware of the problems being foisted upon legitimate users by Microsoft's action. Company officials wrote of the seizure and filtering, saying that "[Microsoft] claims that its intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors."
Microsoft told the Nevada court that awarded it DNS authority over the No-IP domains that it would allow non-malware traffic to flow unimpeded. Microsoft says 18,000 malicious hostnames were in use; No-IP claims that more than four million sites and similar connections have been knocked offline by Microsoft's action.
The company's first communication from Microsoft regarding the issue was a court order served to the CEO early in the morning of June 30. "We work with law enforcement all the time, and our abuse department responds to abuse requests within 24 hours," No-IP representative Natalie Goguen said. "It's pretty sad that Microsoft had to take such extreme measures to go about this."
Electronista and MacNN tested a subscription this morning (one that had been in use for nearly a decade) and found the same problem as reported by No-IP. A connection attempt simply times out, with no VPN connection negotiated between the remote computer and the No-IP linked network. Interestingly, using the deprecated OS X networking tool Sharetool to connect a remote computer to an AppleTalk network, the connection was made and data was exchanged without issue, including iTunes music streaming and Apple Screen Sharing.
Update: Further testing has been performed, moving the VPN services to non-standard ports. Microsoft's filter still blocks every VPN solution we tried. Conversely, moving Sharetool and other services onto ports known to be used by malware has no effect on their communications. The block follows the protocol rather than the port number, which lends further credence to Microsoft's filter intentionally blocking most VPN communications.
The only conclusion to draw from our tests is that Microsoft's filters do work, contrary to No-IP's claim that the infrastructure simply cannot keep up, but possibly not in the way Microsoft intended. The filter software has decided that some vanilla VPN connections are illegitimate and hazardous, and that users need to be protected from them whether they want to be or not. The haphazard nature of the block also calls into question the efficacy of the malware prevention itself: if a relatively obscure connection like Sharetool can make it through the Microsoft blockade, what else can?
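As an added example, not part of the original article, of how an affected user would check this kind of block from the outside: the Python script below resolves a hostname, attempts a TCP connection with a short timeout, classifies the outcome (a filter that silently drops packets shows up as a timeout, an absent service as a refusal, a seized or broken name as a DNS failure), and then applies the same port-independence reasoning used above across several probes. The hostnames, ports and the loopback listener it uses for its offline demonstration are constructed stand-ins, and it only exercises TCP, so the UDP and GRE legs of L2TP/IPsec and PPTP are not covered.

```python
from __future__ import annotations

import errno
import socket
import threading
from dataclasses import dataclass

PROBE_TIMEOUT = 3.0  # seconds; a filter that drops packets shows up as "timeout"


@dataclass
class ProbeResult:
    service: str          # label for the thing being tested, e.g. "vpn" or "control"
    host: str
    port: int
    address: str | None   # what the hostname resolved to, None on DNS failure
    status: str           # "ok", "refused", "timeout", "unreachable", "dns-failure", "error"


def resolve(host: str) -> str | None:
    """Resolve a hostname to an IPv4 address, or None when resolution fails.
    After a domain takeover this is the first thing to check: if your dynamic-DNS
    name no longer resolves to your own endpoint, the block is upstream of you."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def probe(service: str, host: str, port: int, timeout: float = PROBE_TIMEOUT) -> ProbeResult:
    """Resolve `host` and attempt a TCP connect to `port`, classifying the outcome."""
    address = resolve(host)
    if address is None:
        return ProbeResult(service, host, port, None, "dns-failure")
    try:
        with socket.create_connection((address, port), timeout=timeout):
            status = "ok"
    except socket.timeout:            # packets silently dropped somewhere on the path
        status = "timeout"
    except ConnectionRefusedError:    # host reachable, nothing listening
        status = "refused"
    except OSError as exc:
        status = "unreachable" if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH) else "error"
    return ProbeResult(service, host, port, address, status)


def services_blocked_regardless_of_port(results: list[ProbeResult]) -> set[str]:
    """Apply the article's reasoning: a service that fails on every port tried while
    another service on the same host succeeds is being filtered by protocol, not port.
    Without a passing control service the whole path may be down, so return nothing."""
    statuses: dict[str, list[str]] = {}
    for r in results:
        statuses.setdefault(r.service, []).append(r.status)
    passing = {s for s, st in statuses.items() if "ok" in st}
    if not passing:
        return set()
    return {s for s, st in statuses.items() if "ok" not in st}


def start_local_listener() -> int:
    """Start a throwaway TCP listener on loopback (constructed stand-in for a service
    that still works) and return its port; the daemon thread accepts and closes
    connections until the interpreter exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port() -> int:
    """Pick a loopback port nothing listens on (constructed stand-in for a blocked service)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration on loopback. Against a real outage you would point these
    # at your No-IP hostname, your VPN's TCP port, the same VPN moved to a non-standard
    # port, and a service you know still works (the "control").
    open_port = start_local_listener()
    results = [
        probe("vpn", "127.0.0.1", free_closed_port()),   # "standard" port: nothing answers
        probe("vpn", "127.0.0.1", free_closed_port()),   # moved to another port: still nothing
        probe("control", "127.0.0.1", open_port),        # control service still reachable
    ]
    for r in results:
        print(f"{r.service:8} {r.host}:{r.port:<6} -> {r.address}  {r.status}")
    print("blocked regardless of port:", services_blocked_regardless_of_port(results))
```

On loopback the blocked service reports "refused" rather than the "timeout" seen in the real incident, because the kernel answers the connect immediately; the classification logic is the same either way, since anything other than "ok" counts as blocked. Run the VPN probe on its standard port and on a non-standard port, plus one control service, and the final set tells you whether the filter is keying on the protocol.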