The majority of the abuse requests we receive are DMCA requests, but we get other reports as well. Dealing with these requests is a hard problem because a large number of the abuse requests we receive turn out to be attackers trying to get the origin IP in order to circumvent our protection. As I've blogged about before (http://blog.cloudflare.com/thoughts-on-abuse), we've designed an abuse system that attempts to act as a proxy: passing abuse requests to the customer and their host without exposing the customer's origin to attack.
Malware is one of the situations where we'll actually take content down because it is, per se, harmful. However, we also don't think terminating the customer who has malware hosted on their site is a good solution. Since we're a proxy, terminating the customer doesn't remove the malware from the Internet but instead just kicks the problem down the road to the host. Instead, we developed a system that replaces the infected URLs with a warning page to protect users. This has the ancillary benefit when a site is being used for botnet command and control of allowing us to gather data on machines that make up the botnet. This data is fed back into our system in order to better protect our customers and we're talking other organizations about a way of responsibly sharing this data.
Our Trust & Safety team works with trusted malware reporters regularly, including the team at Microsoft that handled the no-ip.com takedown. We will continue to adjust our process to walk the careful line between ensuring our network isn't causing per se harm while, at the same time, avoiding the risk of becoming a censor.
Matthew Prince / Co-founder & CEO, CloudFlare
As much as I love your services, it's not possible to use them here, and the ministry of communication even issued a recommendation not to use your services due to your unresponsiveness about takedown requests.
Granted, I'm not familiar with the matter. But I know what I would answer. Also, removing noip, or noip enabling whatever Microsoft was bullying them to implement, would just delay it a few days until the worm creators rolled out their own service. Heck, that can even motivate them to get creative and encode IPs in an obfuscated pastebin, or steganographed in cat pictures on reddit, or noise mp3s on soundcloud... maybe having them rely on noip was good....
But again, I have no knowledge of the matter. Maybe noip was being paid even after knowing it was for worms. Who knows?
(Free speech vs. keeping the overall network safe is a hard decision. I think all pro-privacy and pro-liberty services have had to answer this question -- same thing happened with cypherpunks list, HavenCo, Freenet, various payment systems, etc.)
Care to elaborate?
They will do everything to keep bad sites up, even flat out lying. Here's Matt Prince, their CEO, claiming that Malwarebytes was blocking their CDN because of "political" reasons, even though we had emailed him actual PCAP files showing that their network was distributing malware-
https://forums.malwarebytes.org/index.php?/topic/108447-my-s...
Despite the fact that Malwarebytes actively engages with communities and groups that teach people how to manage malware removal, and has always stood for free speech and only removes harmful software, Matt Prince tried to deflect from the truth of the situation by claiming this was about censorship. Really all it was about was that multiple clients of theirs were hosting pages that were actively infecting thousands of computers.
To make matters worse they put these customers who are hosting active exploits and malware right next to their small business customers, so any time someone threatens to block them they hide behind the innocent victims who are caught in the cross fire.
I should point out that I no longer work at Malwarebytes, and this all took place several years ago. I am only speaking about the portions of this that were public, and you can find all of that in the Malwarebytes forums and other places online.
The most they'll do is give you the name of the hosting company, and even then getting that is like pulling a tooth. And of course, once you contact the hosting company, it can become like a chicken-and-egg problem "you'll need to contact the DNS provider so I know what server this is being hosted on." A hosting provider that issues thousands of VPSs and has a big IP space may not be able to find the offending user just given a domain name.
On the plus side, I use Cloudflare on many of my sites for the free DDoS protection, IP anonymizing, and anti-bot features. So far it's been great.
http://www.webhostingtalk.com/showthread.php?t=1235995
http://www.organicweb.com.au/17240/internet/cloudflare-secur...
http://krebsonsecurity.com/2014/02/the-new-normal-200-400-gb...
Something about this bothers me. So the courts granted MS the rights to essentially take over No-IP's DNS in order to "identify" ... "bad traffic?"
The implications of this are... chilling. As much as I want to reserve judgement, this makes me uneasy (malware aside).
"Today, Sony Pictures has upped the ante against global cybercrime, taking legal action to clean up piracy... We're taking YouTube to task as the owner of infrastructure frequently exploited by cybercriminals to infringe copyrights by uploading unauthorized movie clips... On June 26, the court granted our request and made Sony the DNS authority for youtube.com, allowing us to identify and route all known infringing traffic to the Sony sinkhole and identify users who posted unauthorized content."
I doubt No-IP will settle out of court. They'll probably countersue - they have nothing to lose, and that sounds like a company lawyering up and getting ready to kick ass - and I'd expect they'd ask for very big, even punitive damages. The $200k bond isn't even two orders of magnitude enough to hedge against MS literally destroying their business, in what may have been an ultimately well-intentioned, but spectacularly reckless, action.
How long until MS reverse the DNS changes, I wonder, especially given they can't keep up and they're all effectively down? 12 hours? 24?
It's no surprise, btw, that domains in US jurisdiction are under US jurisdiction.
We could use some more TLDs that aren't, I think, and I've held for some time that the root DNS should be held by some kind of international treaty entity acting as IANA.
IP can work between broad and anonymous mesh nets, but when an IP address can be resolved to a business or person it provides an exploit vector.
Reminds me of the old days of communism when you could have your "property" seized since legally speaking everything belonged to the state.
And no you can't say this is different because the courts ordered it since no-ip was not given a chance to defend itself.
How much would you like to bet Microsoft presented the case as some rogue Arab-sounding names (terrorists?) running shady bot-nets in cooperation with no-ip, a company obviously involved in that criminal activity.
Not the largest and best-known free DNS provider in the world that happens to be used by a large number of bot-nets as well.
If this is ok I'm sure you could find millions of reasons to seize Google's domains, like indexing warez sites or websites like the pirate bay.
Oh nevermind...NSA...M$ is teh suxor...oh mer gurd!!!!
This just proves that the current authorized domain system is not working, and it's the beginning of the end.
http://uk.reuters.com/article/2014/06/30/us-cybercrime-micro...
That may still make people uncomfortable, but it seems much less egregious than Microsoft taking control of No-IP's domains, which is what this press release implies.
Edit: the reuters article is in error here, not the Microsoft Blog. See below. Turns out this really is as egregious as it sounds.
Unfortunately that's false. See below:
dig -t ns no-ip.biz
; <<>> DiG 9.9.2-P2 <<>> -t ns no-ip.biz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;no-ip.biz. IN NS

;; ANSWER SECTION:
no-ip.biz. 7154 IN NS ns8.microsoftinternetsafety.net.
no-ip.biz. 7154 IN NS ns7.microsoftinternetsafety.net.

;; ADDITIONAL SECTION:
ns8.microsoftinternetsafety.net. 3560 IN A 157.56.78.93

;; Query time: 3 msec
;; SERVER: 10.1.1.3#53(10.1.1.3)
;; WHEN: Mon Jun 30 14:14:47 2014
;; MSG SIZE rcvd: 117
On Google (8.8.8.8) or Comcast DNS I'm not seeing this for their top domains (no-ip.org, no-ip.biz, no-ip.info).
I wonder if your ISP is working with Microsoft.
I don't want Microsoft to have that kind of power, let alone use it. Worse yet, they make it sound like it's some kind of PR win for them. "Microsoft the hero, takes down evil network". But they usually try to hide how they did it. Very few articles mentioned they were uninstalling Tor from the computers the last time around. Most were just churning Microsoft's press release and the hero narrative.
>Very few articles mentioned they were uninstalling Tor from the computers the last time around. Most were just churning Microsoft's press release and the hero narrative.
Microsoft's security software did that, and even then it only stopped it from automatically starting if it was installed by a known virus. So if you install and run a virus scanner, why wouldn't you expect it to block such attacks?
If you didn't want it to do that, I am sure there are ways to opt out from using Microsoft's security tools. Were there any reports of legitimate Tor users getting affected by the action?
They did not uninstall Tor. They disabled it. More importantly, this Tor was NOT installed by the user of the computer. It was installed by the malware for its own use, without the knowledge of the computer user [1].
> I don't want Microsoft to have that kind of power, let alone use it
Actually, if you are running anti-malware software, you DO want them to have this power, as finding and disabling things that malware has installed on your computer is the whole point of anti-malware software.
[1] http://www.tripwire.com/state-of-security/top-security-stori...
Where is the due process? Where is the oversight in this? All I'm seeing is vigilanteism.
> Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.
> On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.
No-IP in the past has denied allegations, e.g. the Cisco blog post linked to by Microsoft was denied here: http://www.noip.com/blog/2014/02/12/cisco-malware-report/
This is also a temporary order, it's not permanent.
Sure, it's creepy when courts have control over DNS entries, but ... they do. The Internet isn't lawless, it operates within the legal bounds of each country that participates.
I wonder what No-IP will say next and if figures collected by independent groups verify their "swift action" against security threats. As a company providing DDNS services, I wouldn't expect them to understand and use the latest in packet filtering techniques, but ... abuse is abuse and I'm sure they submitted evidence that this was required, temporarily.
In this case it was a US court and between two US companies, what if no-ip.com was French or UK or...
Would the US court still have authority in this case? Would MS have to go to a French / UK court?
"In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software — harming Microsoft, its customers and the public at large. ...
On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats."
Due process, maybe. But not very good due process.
In what way is the court at liberty to grant a plaintiff permission to enforce a restraining order though, sounds ultra vires? Aren't the only ones enabled legally to do so law enforcement officers?
Next thing we know your lawyers and lobbyists are going to come up with some legislative wheeze and you will be running the biggest botnet in the world. You created the problem so fix it yourself.
Well, uh, then why does Microsoft need to do anything, if it's still as good as they say it was when first sold?
To throw the towel in on an OS which has the same subset API as a recent one yet has many minor incompatibilities through shoddy API design (win32) is a shitty business model which people shouldn't have to shovel cash at over and over again.
To hell with them.
As far as they are concerned if it is capable of doing what they bought it for, why should they upgrade? Software doesn't wear out or breakdown like a physical good and a lot of the hardware is still fine. Those systems are going to be around forever until the hardware breaks down.
They are also committed to providing upgrades for their bigger customers, so why can't they extend to everyone else, as though it will cost them extra? The only caveat for the non corporate customers should be that if they are not under a support contract and the upgrades break their systems they are out of luck.
- signed, owner of an iMac, two rMBPs, two iPhone 5Ss, two iPad Airs and an Apple TV (no Microsoft brown-nose here).
It took me 5 minutes to switch my completely legitimate hosts over to ddns.net. I'm sure the evil botnet owners have backup hostnames and will do the same, or more likely switch to another provider entirely.
The end result will be a short-lived dip in criminal activity over the next 72 hours or so, inconveniencing many thousands of legit users, and putting a completely innocent company out of business. Nice move, MS.
Unfortunately .net is also under the jurisdiction of US courts so it's not any 'safer' from seizure
The registry for .info and .mobi is in Ireland, .me is Serbia and Montenegro. Might be worth looking for dynamic DNS options in those TLDs if you seek future-proofing.
If you use a car wash that is also laundering money, your legitimate need for a clean car is not a defense against shutting the business down.
To use your car wash analogy, it's more like the car wash unknowingly washed the car of a drug trafficker and then was essentially put out of business the next day for being "complicit in the illegal activity".
Is this common practice in the US legal system? Would it work like this in the offline world also? If my neighbor sometimes had loud parties that bothered me, could I be granted the right to stand in front of his door and turn any potential troublemakers away?
What if they were bothering 7.4 million people and inconveniencing many more?
And then didn't show up in court in spite of summons? The police or courts will take that far more seriously.
It's highly likely that over the years, more than 7.4 million spam emails have been sent through Microsoft's systems.
Under the bar set by this judge, I should be able to apply for, and receive, ownership of outlook.com based on the fact that Microsoft doesn't always rush to comply with emails that I send them.
It won't happen, of course, because Microsoft has more money than I do (and because it's a fucking stupid idea).
This is an appalling remedy and I hope Microsoft and the Judge in question face serious repercussions for it.
Courts not understanding the social effects of technological law and making an order in favour of the more "respectable" looking party? Happens all the time.
I'm also assuming this is why my no-ip domain disappeared this morning, leaving me with no access to my home servers.
Perhaps the linux on my servers is considered malware. It sure is malicious to Microsoft's bottom line. I kid, but only a little.
> allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats.
According to MSFT, they are only looking at known "bad" traffic. You can take their word for it... or not.
And I'm asking only because I know the answer - that it's impossible, they are looking at the entire traffic and (officially) deciding if it's "bad" afterwards.
I mean, obviously some shady legal tactics are at work here, but why did Microsoft got to control those domains instead of, Mozilla for example? or Google? even more so, why wasn't control transferred to ICE for example?
Not saying it's a better alternative or even that I agree with it, but it's very VERY unsettling (and I'm not even American) that a corporation can basically say "dibs on this" backed up by a court order!
I would understand if the procedure went some more like, MS cries wolf, a court order is issued and a gov agency takes temporary control. At least it's "the government" doing the policing (even if guided by a corporation or whatever).
What's next now? Comcast and Verizon sending their IP Police to arrest you because they have a log showing piracy was downloaded at an IP owned by you? And they get to seize your stuff and now your house is a Comcast/Verizon store?
Wtf is this? It's so unreal.
Edit: typo
Still not happy to see it, though.
But it's pretty strange that control was not given to the corresponding government authority.
They could then have MS work as "consultants". I don't agree either, but at least that would have made some sort of sense. Maybe even better if it wasn't just one company but a panel of several institutions, including IETF for example, or something like that.
I hope this process is sufficiently controlled so as to not provoke a "race to control others' assets" of sorts.
How can this be legal? Does this mean that if I get malware from a hotmail.com address, I can file for a TRO against Microsoft and control their domains?
I honestly don't understand why Microsoft should be given this ability.
Given that the allegations span many months, it's hard to see how it was an appropriate form of action here. I'd be very interested to see if there was a written decision granting the TRO.
Edit: This appears to be it http://www.noticeoflawsuit.com/docs/Second%20Amended%20Order...
However, it also means that a new full hearing has been setup (likely in 2 weeks or so) where both parties can argue their case. The full decision will be taken then.
Tack on the dubious reasoning and the alleged failure to even contact NOIP at all before having this court order issued and this puts Microsoft in a really bad light. I'm not mad at NOIP about malware (frankly- I don't give a single shit), but I'm absolutely mad at Microsoft for pulling this bullshit and interfering with services I paid for completely out of nowhere.
Should've thought of this earlier. Well, hindsight is 20/20
* includes git remote configuration, configuration files, scripts, bookmarked/saved links, and the worst: other people's links.
I'm not fine with classifying noip as complicit. It's not.
But I have a better idea. Windows are an easy target for cybercriminals; maybe someone should step up and take Microsoft down.
Microsoft wrote “Free Dynamic DNS is an easy target for cybercriminals”. Are my concerns that more free dynamic DNS services will follow unfounded?
2 - No-IP's statement that they have an open channel with Microsoft executives but never (never?) received a complaint from MS about any malicious activity is doubtful (surely MS can produce evidence to the contrary)
3 - What was the urgency and how was this presented to the judge? Personally I don't feel the urgency to use a takeover maneuver in this case, but is there information that shows the impact of not acting was too great?
4 - Our governments are so inept at fighting cyber-crime that instead of sending the request to a govt-regulated cyber-security unit they had to trust Microsoft with the enforcement? That's sad.
Like others, I am uneasy but thankful to MS. Just wish more details would be shared.
If this were true, I could sleep easier at night. I doubt it - the judge in question was probably just paid off or otherwise influenced to give MS just insane power, while probably being ignorant of networking in the first place.
I can't think of a software problem that is best served through the violent arm of the state.
That's a hell of an accusation.
biz. 172800 IN NS a.gtld.biz.
biz. 172800 IN NS b.gtld.biz.
biz. 172800 IN NS c.gtld.biz.
biz. 172800 IN NS e.gtld.biz.
biz. 172800 IN NS f.gtld.biz.
biz. 172800 IN NS k.gtld.biz.
;; Received 308 bytes from 192.203.230.10#53(192.203.230.10) in 526 ms
no-ip.biz. 7200 IN NS NS7.MICROSOFTINTERNETSAFETY.NET.
no-ip.biz. 7200 IN NS NS8.MICROSOFTINTERNETSAFETY.NET.
;; Received 90 bytes from 209.173.58.66#53(209.173.58.66) in 150 ms
no-ip.biz. 76834 IN NS nf5.no-ip.com.
no-ip.biz. 76834 IN NS nf2.no-ip.com.
no-ip.biz. 76834 IN NS nf4.no-ip.com.
no-ip.biz. 76834 IN NS nf3.no-ip.com.
no-ip.biz. 76834 IN NS nf1.no-ip.com.
;; Received 206 bytes from 157.56.78.73#53(157.56.78.73) in 344 ms
For example, they likely would have had less success enforcing a change on a .ir domain as the registry isn't located in US jurisdiction.
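The trace above shows the registry-side delegation for no-ip.biz pointing at ns7/ns8.microsoftinternetsafety.net while the server that then answers still lists nf1-nf5.no-ip.com. The following script, an added example and not code from the thread or from No-IP or Microsoft, parses a dig +trace transcript and flags exactly that condition, which is the check a zone owner would schedule to catch a delegation change the moment the registry publishes it. SAMPLE_TRACE is reconstructed from the thread's dig output; HEALTHY_TRACE and KNOWN_NS are assumptions (a constructed control case and the zone owner's own nameserver list).

```python
"""Flag an unexpected NS delegation change from a dig +trace transcript.

Added example: the parent (registry) delegation for a domain is compared with
the NS set returned by the server that delegation points at, and with the
nameservers the zone owner knows it runs.
"""
import re

# dig answer line: owner  TTL  IN  TYPE  rdata
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
# dig +trace hop terminator, captures the responding server
_FROM = re.compile(r";; Received \d+ bytes from (\S+?)#\d+")

# Reconstructed from the thread's dig +trace output.
SAMPLE_TRACE = """\
biz.                    172800  IN  NS  a.gtld.biz.
biz.                    172800  IN  NS  b.gtld.biz.
;; Received 308 bytes from 192.203.230.10#53(192.203.230.10) in 526 ms

no-ip.biz.              7200    IN  NS  NS7.MICROSOFTINTERNETSAFETY.NET.
no-ip.biz.              7200    IN  NS  NS8.MICROSOFTINTERNETSAFETY.NET.
;; Received 90 bytes from 209.173.58.66#53(209.173.58.66) in 150 ms

no-ip.biz.              76834   IN  NS  nf5.no-ip.com.
no-ip.biz.              76834   IN  NS  nf2.no-ip.com.
no-ip.biz.              76834   IN  NS  nf4.no-ip.com.
no-ip.biz.              76834   IN  NS  nf3.no-ip.com.
no-ip.biz.              76834   IN  NS  nf1.no-ip.com.
;; Received 206 bytes from 157.56.78.73#53(157.56.78.73) in 344 ms
"""

# Constructed control case: parent delegation and zone answer agree.
HEALTHY_TRACE = """\
no-ip.biz.              7200    IN  NS  nf1.no-ip.com.
no-ip.biz.              7200    IN  NS  nf2.no-ip.com.
;; Received 90 bytes from 209.173.58.66#53(209.173.58.66) in 150 ms
no-ip.biz.              76834   IN  NS  nf1.no-ip.com.
no-ip.biz.              76834   IN  NS  nf2.no-ip.com.
;; Received 120 bytes from 203.0.113.10#53(203.0.113.10) in 40 ms
"""

# Assumed: the zone owner's own list of the nameservers it operates.
KNOWN_NS = {f"nf{i}.no-ip.com" for i in range(1, 6)}


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def parse_trace(trace: str, domain: str) -> list[dict]:
    """Split a dig +trace transcript into hops; keep hops carrying NS records for `domain`.

    Each hop is {"from": responding server, "ns": set of nameserver targets}.
    Lines for other owners (the TLD's own NS set) and glue A records are skipped.
    """
    domain = _norm(domain)
    hops, ns = [], set()
    for raw in trace.splitlines():
        line = raw.strip()
        m = _FROM.match(line)
        if m:                                   # end of one server's answer
            if ns:
                hops.append({"from": m.group(1), "ns": ns})
            ns = set()
            continue
        m = _RR.match(line)
        if m and m.group(3) == "NS" and _norm(m.group(1)) == domain:
            ns.add(_norm(m.group(4)))
    return hops


def check_delegation(trace: str, domain: str, known_ns: set[str]) -> dict:
    """Compare the parent's delegation with the answer from the delegated server."""
    hops = parse_trace(trace, domain)
    if len(hops) < 2:
        return {"status": "incomplete", "findings": [], "parent_ns": set(), "child_ns": set()}
    parent_ns, child_ns = hops[0]["ns"], hops[-1]["ns"]
    findings = []
    if parent_ns - known_ns:                    # registry points at servers we do not run
        findings.append("parent_delegation_unexpected")
    if parent_ns != child_ns:                   # delegation and zone disagree (lame or redirected)
        findings.append("parent_child_mismatch")
    return {"status": "alert" if findings else "ok", "findings": findings,
            "parent_ns": parent_ns, "child_ns": child_ns, "delegated_by": hops[0]["from"]}


if __name__ == "__main__":
    for name, trace in (("thread sample", SAMPLE_TRACE), ("control", HEALTHY_TRACE)):
        r = check_delegation(trace, "no-ip.biz", KNOWN_NS)
        print(f"{name}: {r['status']} {r['findings']} parent={sorted(r['parent_ns'])}")
```

Feed it the output of `dig +trace -t ns <zone>` from a cron job and alert on any result whose status is not "ok".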
https://www.noip.com/blog/2014/06/30/ips-formal-statement-mi...
If I have a domain with no-ip.com will it continue to work? Does Microsoft effectively own them now?
Do I even have to finish that statement?
For the moment, let us ignore the scary implications of the court's part in this and consider this from a technical perspective in a logical manner:
The hypothetical sub-domain abc.no-ip.org resolves to 1.2.3.4, a host somewhere that contains malicious payloads, is botnet C&C or is a member of a botnet. In any case, he's the bad guy - one of the people Microsoft are looking to exclude from the Internet.
So how can this be accomplished? Let's ignore for the moment that the bad guys are free to use any other dyndns service they please and assume that no-ip is the only one.
Approach 1
----------
Every time a host connects to no-ip to update its IP, Microsoft scans tcp & udp ports of the host looking for known C&C services, scans hosted data (public web or ftp). This will simply result in the bad guys hiding all of this in an undetectable manner, many bot-nets already use either Tor or SSH for C&C - without authentication it will be impossible to differentiate Joe Average with an SSH or Tor exit from the "targets".
As for scanning for content, this is possible assuming the content has to be public (i.e. malicious payload) but even then, it's not practical - payloads can be hidden in anything and obfuscated beyond detection. Essentially all that's accomplished is another arms race based around signature detection for malicious content, with the disadvantage that unlike AV solutions this scanning is conducted remotely and the scan source is known. So the malicious guy with two or three lines just uses a stateful firewall to point Microsoft's "scanning service" to good content, everyone else to the bad.
So what other options are there? A blacklist of IPs? Well, they're dynamic IPs, sooner or later you'll end up with every dynamic IP in the entire ipv4 range blacklisted as the bad dudes just release/renew.
Then there's banning the sub-domains/users! Also impractical because for each user and domain you ban, another will emerge.
Approach 2
----------
Microsoft resolves every request for abc.no-ip.org to their own service, all the time, this service performs stateful packet analysis before forwarding it on to the destination host. Impractical because you're essentially routing all no-ip traffic via Microsoft and once again you can only filter what you can detect -- and once the requests themselves are encrypted, that becomes impossible. This is effectively a MITM attack.
All the while we've assumed no-ip is the only alternative; it's not - and many others are beyond Microsoft's and the courts' jurisdiction. So ultimately the only way this "approach" could be temporarily feasible is if all Internet traffic were routed through Microsoft's service. So effectively you need to give control of every domain, TLD, ipv4 and ipv6 range to Microsoft. Not workable.
Someone is bound to point out that Microsoft's approach in this may be distributed, agents running on installs of their operating system which does address some aspects of my points above, but once again -- if Microsoft is capable of implementing effective detection on the workstation, remind me again why any of this is needed?
I must be missing something fundamental.
[1] http://www.zdnet.com/after-seven-months-and-no-microsoft-pat...
[2] http://www.microsoftproductreviews.com/microsoft-news/intern...
Ubuntu should ask the government for the same power and show how little malware Ubuntu users have and how much Windows users have to suffer.
Just because an ignorant judge gave them access to some no-ip domains did not give them the right to bite off more than they could chew and fsck it up.
The whole thing is just bizarre, WTF were they trying to accomplish? ie they took over the business of providing name service to over 4 million hosts, way bigger than most large service providers, with the intention of traffic to and from the C & C servers, or to identify which of the computers were infected and inform their owners?
Why didn't they simply set up some monitoring devices and get the judges or the FBI to compel no-ip to allow them to plug it into their network so they could monitor what they wanted without disrupting the service?
If the no-ip owners were directly involved in the scam then why didn't they hand the evidence to the law enforcement authorities and let them carry on from there?
I pay for my noip account, so I'm happy to join any lawsuits against MS for this action. Personally, I see a class action suit being VERY viable.
I also have issue with the courts even allowing this. Did they do ANY research on what is actually going on? I can't see how they could let this happen.
I feel violated!
fuck you microsoft!
I have domains with NO-IP and I've had no problem with them. It would all have been better had Microsoft made a statement about seizing the DNS but I respect the DON'T TELL THE ENEMY WE'RE COMING AND ON TO THEM !
Thanks a lot, M$!
If the cliche isn't true, then I guess the next/new one is, if it's free you're SOL.
Today that didn't happen.
I had originally blamed no-ip for this...
To me, Microsoft seems to be the bully and is now actually guilty of conduct No-IP was only peripherally involved in.
And especially, why doesn't Microsoft take care of making its OS more secure?
4.2.2.2
4.2.2.3
4.2.2.4
Grow up. You guys bitch about malware. You bitch about MS. Mainly you just bitch...and talk about Haskell.
It's boring.