Printed from http://www.electronista.com

MacNN testing: Microsoft domain seizure blocks VPN, allows odd traffic

updated 11:05 am EDT, Tue July 1, 2014

No-ip.com domains seized ostensibly to prevent malware spread

Updated with more testing. Early Monday morning, Microsoft announced that it had seized, by court order, 23 domains used by the dynamic DNS provider No-IP.com. Citing a preponderance of malware hosts using these domains, the company then routed all "known bad traffic" through Microsoft filters in order to classify the identified threats. The move was not without innocent victims, however: users of the affected domains -- including paid customers using them for legitimate VPN access, and one MacNN employee -- are this morning unable to connect through the redirect, at least in part.

Home connections often have dynamic IP addresses assigned by the Internet provider. These addresses change at some interval, with some ISPs rotating them as often as once per hour. Drawing addresses from a shared pool lets an ISP hold fewer addresses than it has customers, rather than dedicating one per customer, which saves the company money. The side effect is that a home user's address, and with it any server or VPN endpoint behind it, cannot be reached reliably by name without a dynamic DNS service such as No-IP, whose client keeps a hostname pointed at whatever address the connection currently has.
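To make the mechanism concrete, here is an added example of the client side of dynamic DNS (it is not No-IP's own update client and not code from this article). It assumes the dyndns2-style HTTP update protocol that No-IP documents: an authenticated GET to dynupdate.no-ip.com/nic/update with hostname and myip parameters, answered by a one-line reply such as "good", "nochg", "nohost", "badauth", "badagent", "abuse" or "911". The endpoint, reply strings, hostname, credentials and addresses used here are assumptions to verify against current No-IP documentation; the transport is injected so the update logic can be exercised offline.

```python
"""Dynamic DNS update client: an added example, not No-IP's own client.

Assumes the dyndns2-style HTTP update protocol that No-IP documents:
an authenticated GET to https://dynupdate.no-ip.com/nic/update with
hostname= and myip= parameters, answered with a short plain-text reply
such as "good 203.0.113.7", "nochg 203.0.113.7", "nohost", "badauth",
"badagent", "abuse" or "911". Verify endpoint and reply strings against
current No-IP documentation; hostnames, credentials and addresses below
are placeholders.
"""
import base64
import ipaddress
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"   # assumed endpoint
# No-IP rejects requests without a descriptive User-Agent ("badagent").
USER_AGENT = "ExampleDDNS/1.0 admin@example.invalid"    # placeholder

# Replies after which a well-behaved client must stop retrying; repeated
# updates after these are treated as abuse and get the client blocked.
FATAL_REPLIES = {"nohost", "badauth", "badagent", "abuse", "911"}


@dataclass
class UpdateResult:
    changed: bool          # the server recorded a new address
    ip: Optional[str]      # address the server now holds, when it says
    fatal: bool            # stop the update loop; a human must look


def build_request(hostname: str, ip: str, username: str, password: str
                  ) -> Tuple[str, Dict[str, str]]:
    """Compose the update GET. The address is validated locally so a
    garbage value never reaches the API (which would count against the
    account)."""
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    query = urllib.parse.urlencode({"hostname": hostname, "myip": ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}
    return f"{UPDATE_URL}?{query}", headers


def parse_reply(text: str) -> UpdateResult:
    """Map the server's one-line reply onto what the client should do."""
    parts = text.strip().split()
    if not parts:
        raise ValueError("empty reply from update server")
    code = parts[0]
    if code in ("good", "nochg"):
        return UpdateResult(changed=(code == "good"),
                            ip=parts[1] if len(parts) > 1 else None,
                            fatal=False)
    if code in FATAL_REPLIES:
        return UpdateResult(changed=False, ip=None, fatal=True)
    raise ValueError(f"unexpected reply: {text!r}")


def update_if_changed(hostname: str, current_ip: str, last_ip: Optional[str],
                      username: str, password: str,
                      send: Callable[[str, Dict[str, str]], str]
                      ) -> Optional[UpdateResult]:
    """Only talk to the server when the address has actually moved; the
    protocol expects clients to stay quiet otherwise. `send` performs the
    HTTP request, so the logic can run without a network."""
    if current_ip == last_ip:
        return None
    url, headers = build_request(hostname, current_ip, username, password)
    return parse_reply(send(url, headers))


def http_send(url: str, headers: Dict[str, str]) -> str:
    """Real transport for production use (talks to the network)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("ascii", errors="replace")


if __name__ == "__main__":
    # Offline demonstration with a constructed reply; nothing is sent.
    fake_send = lambda url, headers: "good 203.0.113.7"
    print(update_if_changed("host.example.invalid", "203.0.113.7",
                            "198.51.100.4", "user", "pass", fake_send))
```

In production, `http_send` replaces the fake transport, `last_ip` is persisted between runs, and any `fatal` result stops the loop rather than retrying: the seizure in this article is exactly the situation in which a naive client would otherwise hammer an update endpoint it no longer controls.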

Microsoft claims in a blog post trumpeting the seizure that "No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months."

No-IP is aware of the problems being foisted upon legitimate users by Microsoft's action. Company officials wrote of the seizure and filtering, saying that "[Microsoft] claims that its intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors."

Microsoft told the Nevada court that awarded it the DNS authority for the No-IP domains that it would allow the non-malware traffic to flow unimpeded. Microsoft claims 18,000 malicious hostnames were in use. No-IP claims that more than four million sites and other similar connections have been knocked offline by Microsoft's action.

The company's first communication from Microsoft regarding the issue was a court order served on the CEO early in the morning of June 30. "We work with law enforcement all the time, and our abuse department responds to abuse requests within 24 hours," No-IP representative Natalie Goguen said. "It's pretty sad that Microsoft had to take such extreme measures to go about this."

Electronista and MacNN tested a subscription this morning (one that had been in use for nearly a decade) and found the same problem as reported by No-IP. A connection attempt simply times out, with no VPN connection negotiated between a remote computer and a No-IP linked network. Interestingly, using the deprecated OS X networking tool Sharetool to connect a remote computer to an AppleTalk network, the connection was made, and data was exchanged with no issue, including iTunes music streaming and Apple Screen Sharing features.

Update: Further testing has been performed, moving VPN services to non-standard ports. The Microsoft filter software still blocks all the VPN solutions we tried. Moving Sharetool and other services to known malware vector ports has no effect on the communications, further lending credence to the idea that Microsoft is intentionally blocking most VPN communications.

The only conclusion to draw from our tests is that Microsoft's filters do work, contrary to No-IP's claim, but possibly not in the way that Microsoft intended. Microsoft's filter software has decided that some vanilla VPN connections are illegitimate and hazardous, and that users need to be protected from them, whether they want to be or not. The haphazard nature of the block also calls into question the efficacy of the malware prevention against miscreant sites: if a relatively unknown connection like Sharetool can make it through the Microsoft blockade, what else can?
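The tests above, and the symptom described later in the comments (the name resolves and the host answers pings, yet services time out), are easier to reason about when the layers are checked one at a time. The following is an added example, not the script MacNN used: it resolves a hostname, then probes a list of TCP ports and separates a refusal (the host was reached and the port is closed) from a silent timeout (something between the client and the host is dropping the packets, which is what a filter or sinkhole looks like). The hostname and port list are placeholders, and the resolver and prober are injectable so the classification can be checked without a network.

```python
"""Layered reachability check: an added example, not the article's own
test script. Hostnames and ports below are placeholders. TCP only; a VPN
that runs over UDP (IPsec, L2TP) needs a different probe."""
import socket
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str, int], str]


def resolve(hostname: str) -> List[str]:
    """All IPv4 addresses the local resolver returns, or [] on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET,
                                   socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' or 'timeout' for one TCP connect attempt.
    'refused' means a RST came back, so the host itself is reachable;
    'timeout' means nothing came back at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:            # includes socket.timeout / TimeoutError
        return "timeout"
    finally:
        s.close()


def diagnose(hostname: str, ports: List[int],
             resolver: Callable[[str], List[str]] = resolve,
             prober: Probe = tcp_probe) -> Dict[str, object]:
    """Classify where a connection is failing.

    dns-failure          name does not resolve (the DNS layer is the problem)
    all-filtered         resolves, but every port times out
    selective-filter     some ports answer while others silently vanish
    host-up-ports-closed host answers with RST on every port probed
    reachable            at least one port accepted the connection
    """
    ips = resolver(hostname)
    if not ips:
        return {"verdict": "dns-failure", "ips": [], "ports": {}}
    results: Dict[Tuple[str, int], str] = {}
    for ip in ips:
        for port in ports:
            results[(ip, port)] = prober(ip, port)
    states = set(results.values())
    if states == {"timeout"}:
        verdict = "all-filtered"
    elif "timeout" in states:
        verdict = "selective-filter"
    elif states == {"refused"}:
        verdict = "host-up-ports-closed"
    else:
        verdict = "reachable"
    return {"verdict": verdict, "ips": ips, "ports": results}


if __name__ == "__main__":
    # Placeholder host and an assumed port mix: PPTP (1723), OpenVPN over
    # TCP (1194), HTTPS and HTTP. This talks to the network.
    report = diagnose("yourhost.example.invalid", [1723, 1194, 443, 80])
    print(report["verdict"])
    for (ip, port), state in sorted(report["ports"].items()):
        print(f"{ip}:{port} {state}")
```

A `selective-filter` verdict matches what the article reports: the same host reachable for one application while the VPN ports go dark, even on non-standard ports. What a connect-level probe cannot tell you is whether the filter keys on the port or on the protocol inside the stream; for that, capture the handshake on both ends and compare what was sent with what arrived.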



By Electronista Staff

Comments

  1. cashxx

    Fresh-Faced Recruit

    Joined: 04-13-09

    My home cameras and security is down because of this. Everyone should sue Microsoft for not going about this properly and taking down systems.

  1. LenE

    Fresh-Faced Recruit

    Joined: 05-19-04

    My home domains are out, too. I can't use Indigo to check on my house, and my websites are all down.

    I did not see this coming, and certainly wasn't notified about this in advance, or since.

  1. LenE

    Fresh-Faced Recruit

    Joined: 05-19-04

    What I don't understand here is that Microsoft says the court order is for 23 of the free domains from no-ip. I pay for my domains. They are not part of those 23 domains. They should not be touched by this.

    A single Mac OS X server is the only outside visible host on my domain. I am certainly not involved with the windows-specific malware that they say they are trying to stomp out.

    It seems that MS took down all of no-ip's managed domains, which is outside the scope of the court order. I would think that the no-ip database could be copied, and then the specified domains could be split and pruned out by a few SQL statements. Everything else would continue without problems.

    The fact that Microsoft is using this as a marketing opportunity for their Azure cloud, does not build much confidence for that service.

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Our testing is continuing on this issue. Have a tale of woe about No-IP's domain seizure and how it affects you? Post it here!

  1. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    @LenE

    "It seems that MS took down all of no-ip's managed domains, which is outside the scope of the court order. I would think that the no-ip database could be copied, and then the specified domains could be split and pruned out by a few SQL statements. Everything else would continue without problems."


    But you don't expect Microsoft engineers to have that kind of skill, do you? Besides, why don't they just fix their software, instead of carpet bombing the internet??

  1. LenE

    Fresh-Faced Recruit

    Joined: 05-19-04

    I hate to say it, but this may be an incompetent and ham-fisted attempt at marketing their Azure services. People using no-ip are hosting their own servers in their homes and businesses. This is antithetical to the cloud, which they are trying to find new clients for.

    Clobber a dynamic DNS provider, and a lot of potential customers re-enter the market. Why deal with the threat of jumping to another service that may get clobbered next? Just go with a cloud-based hosting service, like Microsoft Azure...

  1. LenE

    Fresh-Faced Recruit

    Joined: 05-19-04

    My servers are still unreachable. Because my server hosts multiple sites, none are reachable with the IP address work-around. I haven't tweaked my router and server settings to work around this yet. I shouldn't have to.

    What I do not understand now is why my stuff is still unreachable. When I do an nslookup on my Windows machine at work, I get the proper IP address returned. I do a traceroute on the host name, and that shows the correct result. I can reach it with pings; still, nothing works. My websites time out. My Indigo server is unreachable.

    How is Microsoft doing this?

  1. Mike Wuerthele

    Managing Editor

    Joined: 07-19-12

    Originally Posted by LenE:

    What I do not understand now is why my stuff is still unreachable. When I do an nslookup on my Windows machine at work, I get the proper IP address returned. I do a traceroute on the host name, and that shows the correct result. I can reach it with pings; still, nothing works. My websites time out. My Indigo server is unreachable.

    How is Microsoft doing this?



    Man in the middle. I suspect Microsoft is sniffing traffic. It didn't know what the traffic for Sharetool was, so it let it go.
