Last week, Microsoft seized 22 domain names owned by the DNS service No-IP. Doing so through a civil suit, the tech giant claimed these domains were being used by hackers known as Bladabindi and Jenxcus to spread malware. This week, the last of the domain names are being returned to the control of No-IP. The swift yet complex unfolding of events in this case has brought to light many concerns about how tech companies are allowed to deal with cybercrime.
The Seizure of Domains from No-IP
On June 19, Microsoft filed a sealed civil suit against No-IP, claiming that its domains were being regularly used by hackers and their botnets and that its security practices were not sufficient to put an end to these abuses. As this was a sealed case, No-IP was not given the opportunity to defend itself in court.
The following Monday, the federal court hearing the case ruled that Microsoft should be given control of the domain names in order to block malicious activities. At that time, Microsoft gained control of 22 of No-IP’s domain names.
No-IP responded harshly, stating that the way the issue was handled was unfair. Noting that Microsoft had not once contacted No-IP regarding the malware, the DNS service insisted the matter could have been resolved privately with less collateral damage.
And collateral damage there certainly was. Microsoft took over the 22 domain names and all their associated traffic so that it could snuff out any malicious activity. However, Microsoft was not able to handle all the additional traffic, and almost all domains hosted by No-IP went down. Many of No-IP’s 14 million users were unable to access their services.
Microsoft has been going through the seized domains and shutting down addresses with malicious activity. The seized domains have been gradually restored to No-IP after being filtered by Microsoft, and this week all have been returned. Yet debate surrounding the case remains heated.
Legal Seizure: Draconian or Efficient?
One of the main critiques coming from No-IP is the abrupt manner in which Microsoft seized the domains. No-IP maintains that Microsoft did not contact it prior to the legal notice of the seizure.
According to a statement issued by No-IP, “Had Microsoft contacted us, we could and would have taken immediate action.”
However, this assertion has been called into question. According to a blog post by Eugene Kaspersky, “…out of all large providers, the No-IP dynamic DNS was the most unwilling to cooperate.” No-IP was a known hotbed of malware and cybercrime, and it did not have a history of taking active security measures.
The measure has been called draconian, yet quick seizures such as this have been extremely effective in eliminating malware in the past. Take, for example, the Citadel malware, one of the most harmful in recent history. After the legal seizure of certain domain names by Microsoft, the malware was all but eliminated.
This takeover has been successful as well. Kaspersky notes that since the seizure, targeted attacks monitored by Kaspersky Lab have dropped by 25 percent. Whether draconian or merely efficient, the results cannot be denied.
Industry Security Standards
In the complaint, Microsoft stated that No-IP did not conform to industry security standards and that it lent itself to criminal abuse. While this may not have been intentional, it cannot be denied that domains owned by No-IP were certainly being abused.
However, these security standards remain ambiguous. NIST recently released its Cybersecurity Framework, which could help Microsoft give concrete justification for the seizure. However, this framework has received considerable criticism and has yet to become common practice.
Microsoft might have lacked firm legal justification for the takeover, but past successful use of this method surely aided their case. And, ultimately, the seizure has been successful, at least thus far.
Keeping Unceremonious Seizure in Check
Though Microsoft may have been correct in asserting that No-IP would not have done anything to curb abuses of its services, making the effort to contact No-IP first would perhaps have been reasonable. This would have provided more transparency and potentially would have prevented unnecessary outages.
Regardless, seizures like this have been effective in the past, and they are bound to continue because of their successes. Perhaps more transparency is in order, but there is no need to limit effective methods.