Microsoft's court-order-based seizure yesterday of 22 domains operated by dynamic domain name service provider No-IP has been criticised as overkill and draconian after it cut off millions of legitimate users.
The domains in question were accused of hosting and spreading the Bladabindi and Jenxcus malware. Microsoft succeeded in persuading a United States federal court that No-IP was sanctioning this, and therefore should lose control over its DNS.
According to Microsoft, the malware campaign said to be run by two Algerian men infected millions of computers. Microsoft's digital crimes unit legal officer Richard Domingues said No-IP was taken to task "as the owner of the infrastructure frequently exploited by cybercriminals."
No-IP denied Microsoft's allegations and said it has a very strict abuse policy.
The company called Microsoft's actions "heavy-handed" and said they benefited no-one. A spokesperson for No-IP told security journalist Brian Krebs that four million host names unrelated to the malware campaign remained offline, with customer support requests piling up.
"To go after 2000 or so bad sites, Microsoft has taken down four million," the No-IP spokesperson told Krebs.
No-IP said in a statement that Microsoft's intention was only to filter out "known, bad hostnames" while allowing the good ones to resolve. This did not work, however, for technical reasons.
"Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of users are experiencing outages to their services because of Microsoft's attempt to remediate hostnames associated with a few bad actors," No-IP said in its statement.
At the time of writing, the No-IP domains are still inaccessible, and the company is suggesting that customers create new hostnames on the remaining five domains that are still operating.
While No-IP initially said there had been no contact from Microsoft before the seizure of the domains, a representative for the company told iTnews that the two parties are now in talks with each other, but would not comment further.
Microsoft has used court orders several times in the past to disrupt and take down botnets such as ZeroAccess, Kelihos, Nitol, Zeus and Citadel, often working with law enforcement and security firms.
Due to the way the domain name system works, it is not normally possible to host domains on systems whose internet protocol addresses change. Such dynamic IP addresses are typically assigned to residential broadband connections. Dynamic DNS providers keep track of the changing IP address on such a connection, making it possible to resolve a hostname to it over the Internet.
Domain hosting is otherwise typically done through static or immutable IP addresses, but these are expensive and difficult to come by for users on residential connections.
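As an added illustration, not code from the article or from No-IP or Microsoft, the following Python models the two mechanisms described above: residential clients re-registering a hostname whenever their IP address changes, and a takedown that sinkholes only the named hostnames versus one that diverts the whole zone. The zone name, hostnames and IP addresses are constructed placeholders.

```python
import ipaddress
import time

# RFC 5737 documentation address used as the sinkhole target (constructed).
SINKHOLE_IP = "192.0.2.1"


class DynamicDnsZone:
    """Toy model of one dynamic DNS zone: clients on changing residential
    IPs re-register their hostname; a takedown can sinkhole named hosts."""

    def __init__(self, zone, ttl=60):
        self.zone = zone.lower()
        self.ttl = ttl              # short TTL so IP changes propagate quickly
        self.records = {}           # fqdn -> (ip, last_update_timestamp)
        self.blocklist = set()      # fqdns named as malicious in the order

    def fqdn(self, label):
        return f"{label}.{self.zone}".lower()

    def update(self, label, ip, now=None):
        """Client re-registration after its broadband IP address changed."""
        ipaddress.ip_address(ip)    # raises ValueError on malformed input
        self.records[self.fqdn(label)] = (ip, time.time() if now is None else now)

    def sinkhole(self, name):
        """Divert one hostname (and everything beneath it) to the sinkhole.
        Sinkholing the zone apex itself is the 'seize everything' case."""
        self.blocklist.add(name.lower())

    def _blocked(self, name):
        # A blocklist entry covers the name and every label beneath it.
        parts = name.split(".")
        return any(".".join(parts[i:]) in self.blocklist for i in range(len(parts)))

    def resolve(self, name):
        """Return (ip, ttl) for an A lookup, or None for NXDOMAIN."""
        name = name.lower()
        if self._blocked(name):
            return (SINKHOLE_IP, self.ttl)
        rec = self.records.get(name)
        return None if rec is None else (rec[0], self.ttl)


def legitimate_hosts_disrupted(zone):
    """Count registered hostnames diverted to the sinkhole although they are
    not on the blocklist themselves: the collateral damage of a takedown."""
    return sum(1 for n in zone.records
               if n not in zone.blocklist and zone._blocked(n))
```

Sinkholing the zone apex instead of the individual hostnames is what turns a targeted filter into an outage for every other registrant in the zone.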
Updated: No-IP announced on July 3 the 23 seized domains had been handed back to its control.
"We are so sorry for the inconvenience that this takedown has caused our customers. Thank you so much for the support and for sticking with us through the entire process this week," the company said in a statement on its website.