
MacNN testing: Microsoft domain seizure blocks VPN, allows odd traffic
NewsPoster
MacNN Staff
Join Date: Jul 2012
Jul 1, 2014, 11:06 AM
Updated with more testing Early Monday morning, Microsoft announced that it had seized, by court order, 23 domains used by dynamic IP company no-ip.com. Seeing a preponderance of malware hosts using these domains, the company then routed all "known bad traffic" through Microsoft filters, in order to classify the identified threats. The move was not without innocent victims, however, as users who use the affected domains -- including paid users for legitimate VPN purposes and one MacNN employee -- are this morning unable to connect through the redirect, at least in part.

Home connections often have dynamic IP addresses from their Internet provider. These addresses shift at some time interval, with some ISPs rotating IP addresses as often as once per hour. This allows ISPs to have fewer IP addresses allocated to them, preventing ISPs from having to purchase one IP per customer, and saving some money for the company. This has the side effect of effectively preventing users without dynamic IP redirect services, like those provided by No-IP, from running servers or VPN services with any regularity.

Microsoft claims in a blog post trumpeting the seizure that "No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months."

No-IP is aware of the problems being foisted upon legitimate users by Microsoft's action. Company officials wrote of the seizure and filtering, saying that "[Microsoft] claims that its intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening. Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors."

Microsoft told the Nevada court that awarded it the DNS authority for the No-IP domains that it would allow the non-malware traffic to flow unimpeded. Microsoft claims 18,000 malicious hostnames were in use. No-IP claims that more than four million sites and other similar connections have been knocked offline by Microsoft's action.

The company's first communication from Microsoft regarding the issue was a court order served to the CEO early in the morning of June 30. "We work with law enforcement all the time, and our abuse department responds to abuse requests within 24 hours," No-IP representative Natalie Goguen said. "It's pretty sad that Microsoft had to take such extreme measures to go about this."

Electronista and MacNN tested a subscription this morning (that had been in use for nearly a decade) and found the same problem as reported by No-IP. A connection attempt simply times out, with a VPN connection not negotiated between a remote computer and a No-IP linked network. Interestingly, using deprecated OS X networking tool Sharetool to connect a remote computer to an AppleTalk network, the connection was made, and data was exchanged with no issue, including iTunes music streaming and Apple Screen Sharing features.

Update: Further testing has been performed, moving VPN services to non-standard ports. The Microsoft filter software still blocks all the VPN solutions we tried. Moving Sharetool and other services to known malware vector ports has no effect on the communications, further lending credence to the theory that Microsoft is intentionally blocking most VPN communications.

The only conclusion to make from our tests is that Microsoft's filters do work, contrary to No-IP's claim, but possibly not in the way that Microsoft intended. Microsoft's filter software has decided that some vanilla VPN connections are illegitimate, hazardous, and users need to be protected from them, whether they want to be or not. The haphazard nature of the block also calls into question the efficacy of the malware prevention from miscreant sites -- if a relatively unknown connection like Sharetool can make it through the Microsoft blockade, what else can?
( Last edited by NewsPoster; Jul 1, 2014 at 06:10 PM. )
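The article above describes why a host on a rotating home IP depends on a dynamic DNS provider: something has to republish the new address each time the ISP rotates it. The following is an added example, not code from MacNN, No-IP or any poster, of the client-side logic that does that job. It assumes the DynDNS2-style update interface No-IP documents for client integrators (an HTTPS GET to dynupdate.no-ip.com/nic/update with HTTP Basic authentication and a one-line plain-text reply such as "good 203.0.113.10"); the hostname, credentials, User-Agent string and addresses are constructed for illustration, and the reply-code handling (stop on "badauth"/"abuse", back off at least 30 minutes on "911") follows the provider's published guidance as this example understands it.

```python
"""Dynamic-DNS update client logic for a host on a rotating-IP connection.

Added example, not MacNN or No-IP code. Endpoint, User-Agent, hostname and
addresses are assumptions/constructed values, not taken from the article.
"""
from __future__ import annotations

import base64
import ipaddress
import urllib.request
from typing import Optional, Tuple

UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"   # assumed DynDNS2 endpoint
# Providers reject requests without a descriptive User-Agent ("badagent").
USER_AGENT = "ExampleHome DDNSClient/0.1 ops@example.net"  # constructed

# Reply codes that mean "stop retrying until a human looks": hammering the
# API after one of these is what gets an account locked and a host dark.
FATAL_CODES = {"badauth", "badagent", "nohost", "!donator", "abuse"}


def build_request(hostname: str, ip: str, user: str, password: str) -> urllib.request.Request:
    """Assemble the update request without sending it."""
    ipaddress.ip_address(ip)  # never publish garbage as an A/AAAA record
    url = f"{UPDATE_URL}?hostname={hostname}&myip={ip}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url, headers={"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}
    )


def parse_reply(body: str) -> Tuple[str, Optional[str], bool]:
    """Return (code, published_ip, fatal) for one DynDNS2 reply line."""
    parts = body.strip().split()
    if not parts:
        return ("empty", None, True)
    code = parts[0]
    published = parts[1] if len(parts) > 1 and code in ("good", "nochg") else None
    return (code, published, code in FATAL_CODES)


def next_action(last_published: Optional[str], current_ip: str, locked: bool) -> str:
    """Decide what this polling cycle should do."""
    if locked:
        return "hold"    # a fatal reply was seen; no automatic retry
    if last_published == current_ip:
        return "skip"    # address unchanged; do not generate needless API traffic
    return "update"


def apply_reply(body: str, state: dict) -> dict:
    """Fold one reply into client state {published, locked, backoff_s}."""
    code, published, fatal = parse_reply(body)
    new = dict(state)
    if code in ("good", "nochg"):
        new.update(published=published, locked=False, backoff_s=0)
    elif code == "911":
        # provider-side failure: wait at least 30 minutes, doubling on repeats
        new["backoff_s"] = max(1800, state.get("backoff_s", 0) * 2)
    elif fatal:
        new["locked"] = True
    return new


def send_update(req: urllib.request.Request, timeout: float = 10.0) -> str:
    """Perform the HTTPS call (needs network and an account; not run offline)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    state = {"published": "198.51.100.7", "locked": False, "backoff_s": 0}
    current = "203.0.113.10"   # constructed: the address the router reports now
    if next_action(state["published"], current, state["locked"]) == "update":
        req = build_request("home.example.net", current, "user", "secret")  # constructed
        # reply = send_update(req)      # real call
        reply = "good 203.0.113.10"     # constructed reply for the dry run
        state = apply_reply(reply, state)
    print(state)
```

The two points worth copying are the `locked` flag, so that a credential or abuse error stops the client instead of retrying every few minutes, and the `skip` path, so that an unchanged address produces no traffic at all; both are about keeping a legitimate host from looking like the bulk updaters a provider throttles.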
     
cashxx
Junior Member
Join Date: Apr 2009
Jul 1, 2014, 11:34 AM
My home cameras and security is down because of this. Everyone should sue Microsoft for not going about this properly and taking down systems.
     
LenE
Junior Member
Join Date: May 2004
Jul 1, 2014, 02:19 PM
My home domains are out, too. I can't use Indigo to check on my house, and my websites are all down.

I did not see this coming, and certainly wasn't notified about this in advance, or since.
     
LenE
Junior Member
Join Date: May 2004
Jul 1, 2014, 03:21 PM
What I don't understand here is that Microsoft says the court order is for 23 of the free domains from no-ip. I pay for my domains. They are not part of those 23 domains. They should not be touched by this.

A single Mac OS X server is the only outside visible host on my domain. I am certainly not involved with the Windows-specific malware that they say they are trying to stomp out.

It seems that MS took down all of no-ip's managed domains, which is outside the scope of the court order. I would think that the no-ip database could be copied, and then the specified domains could be split and pruned out by a few SQL statements. Everything else would continue without problems.

The fact that Microsoft is using this as a marketing opportunity for their Azure cloud, does not build much confidence for that service.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Jul 1, 2014, 04:19 PM
Our testing is continuing on this issue. Have a tale of woe about No-IP's domain seizure and how it affects you? Post it here!
     
shawnde
Forum Regular
Join Date: Apr 2008
Location: Vancouver, Canada
Jul 2, 2014, 01:50 AM
@LenE

"It seems that MS took down all of no-ip's managed domains, which is outside the scope of the court order. I would think that the no-ip database could be copied, and then the specified domains could be split and pruned out by a few SQL statements. Everything else would continue without problems."


But you don't expect Microsoft engineers to have that kind of skill, do you? Besides, why don't they just fix their software, instead of carpet bombing the internet??
     
LenE
Junior Member
Join Date: May 2004
Jul 2, 2014, 02:36 PM
I hate to say it, but this may be an incompetent and ham-fisted attempt at marketing their Azure services. People using no-ip are hosting their own servers in their homes and businesses. This is antithetical to the cloud, which they are trying to find new clients for.

Clobber a dynamic dns provider, and a lot of potential customers re-enter the market. Why deal with the threat of jumping on another service, that may get clobbered next. Just go with a cloud-based hosting service, like Microsoft Azure...
     
LenE
Junior Member
Join Date: May 2004
Jul 2, 2014, 02:45 PM
My servers are still unreachable. Because my server hosts multiple sites, none are reachable with the IP address work-around. I haven't tweaked my router and server settings to work around this yet. I shouldn't have to.

What I do not understand now, is why my stuff is still unreachable. When I do a nslookup on my windows machine at work, I get the proper IP address returned. I do a traceroute on the host name, and that shows the correct result. I can reach it with pings, still, nothing works. My websites time-out. My Indigo server is unreachable.

How is Microsoft doing this?
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Jul 2, 2014, 04:31 PM
Originally Posted by LenE:
What I do not understand now, is why my stuff is still unreachable. When I do a nslookup on my windows machine at work, I get the proper IP address returned. I do a traceroute on the host name, and that shows the correct result. I can reach it with pings, still, nothing works. My websites time-out. My Indigo server is unreachable.

How is Microsoft doing this?
Man in the middle. I suspect Microsoft is sniffing traffic. It didn't know what the traffic for Sharetool was, so it let it go.
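The symptom LenE describes (name resolves to the right address, traceroute and ping look normal, yet every web connection times out) and the staff finding above (VPN blocked on any port, Sharetool passing on any port) are two different failure modes, and the ad hoc checks in the thread can be turned into one repeatable diagnostic. The following is an added example, not code from MacNN or any poster: it resolves the name, compares the answer with the address the owner last published, then attempts TCP connects and records whether each attempt timed out (packets silently dropped somewhere in the path) or was refused (a live host answered with a RST). The classification labels, the `expected` address idea and all hostnames, addresses and ports are this example's own constructions.

```python
"""Tell a DNS-level takedown apart from in-path transport filtering.

Added example, not MacNN or poster code. Hostnames, addresses and ports are
constructed; the classification labels are this example's own.
"""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Probe:
    hostname: str
    resolved: List[str]                       # what the local resolver returned
    expected: Optional[str] = None            # address the DDNS client last published
    tcp: Dict[int, str] = field(default_factory=dict)  # port -> open|timeout|refused|error


def resolve(hostname: str) -> List[str]:
    """IPv4 answers for hostname, or [] on NXDOMAIN/SERVFAIL."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_probe(ip: str, port: int, timeout: float = 5.0) -> str:
    """One TCP connect; the kind of failure carries the information."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except socket.timeout:
        return "timeout"     # SYN or SYN-ACK dropped: filter, dead host, or NAT rule gone
    except ConnectionRefusedError:
        return "refused"     # RST came back: host is up, path is open, nothing listening
    except OSError:
        return "error"
    finally:
        s.close()


def probe_host(hostname: str, expected: Optional[str], ports: List[int]) -> Probe:
    """Network path (not exercised offline): resolve, then probe the first answer."""
    answers = resolve(hostname)
    results = {p: tcp_probe(answers[0], p) for p in ports} if answers else {}
    return Probe(hostname, answers, expected, results)


def classify(p: Probe) -> str:
    if not p.resolved:
        return "no_dns_answer"          # record gone: the name itself was dropped
    if p.expected and p.expected not in p.resolved:
        return "dns_redirected"         # sinkhole: clients are sent to someone else's box
    outcomes = set(p.tcp.values())
    if not outcomes:
        return "dns_ok_unprobed"
    if outcomes == {"error"}:
        return "probe_error"            # local problem (no route etc.), says nothing about the host
    dropped = "timeout" in outcomes
    answered = bool(outcomes & {"open", "refused"})   # some SYN-ACK or RST returned
    if dropped and answered:
        return "selective_filtering"    # in-path box passes some ports and drops others
    if dropped:
        return "all_ports_dropped"      # DNS fine, every connect hangs: filter or host down
    if "open" in outcomes:
        return "reachable"
    return "host_up_ports_closed"


if __name__ == "__main__":
    # usage: python probe.py host.example.net 203.0.113.10 80 443 1723
    host, expected, *ports = sys.argv[1:]
    result = probe_host(host, expected, [int(x) for x in ports])
    print(result, classify(result))
```

Read the labels as prompts for the next check rather than verdicts: `all_ports_dropped` with a working ping, as LenE reports, says the address is live and something between the client and the listening services is discarding TCP; `selective_filtering` is the staff result, where the same address passes one protocol and swallows another regardless of port; `dns_redirected` is the plain seizure case, where the resolver no longer hands back the owner's address at all.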
     
   
All contents of these forums © 1995-2017 MacNN. All rights reserved.