Microsoft convinced a federal court in Reno, Nev., to allow it to take control of 22 domains run by No-IP. Microsoft said that No-IP did too little to stop those domains from being used by cybercriminals, and that it intended only to cut off the computers involved in a botnet. But when Microsoft took action against these bad actors on Monday, a technical error on its side affected every hostname under the seized domains, not just the malicious ones.
In a note to customers, No-IP stated that Microsoft contacted it on Monday, saying it intended to filter out the known bad hostnames in each seized domain and continue to allow good hostnames to resolve. No-IP said this was not happening, and that “the Microsoft infrastructure is not able to handle the billions of queries from our customers,” causing millions of users to experience outages.
Explaining the error, Microsoft Digital Crimes Unit executive director and associate general counsel David Finn stated on Tuesday, “Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an Internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service.”
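The two behaviours the preceding paragraphs contrast, as an added example that is not code from Microsoft, No-IP or this page: a sinkhole that answers only blocklisted hostnames under a seized zone and forwards everything else (what No-IP says Microsoft described), beside the zone-wide sinkhole that takes innocent customers down with the bad hostnames (what the "technical error" amounted to in effect). The zone name, hostnames, blocklist and sinkhole address are constructed, and the example does not model the query-volume problem No-IP also raised.

```python
# Added illustration (not Microsoft's or No-IP's code): a per-hostname
# sinkhole policy for seized dynamic-DNS zones, beside the coarse zone-level
# policy that takes every hostname under the zone down with the bad ones.
# The zone name, hostnames, blocklist and sinkhole address are constructed.
from typing import Iterable, List

SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address, constructed
FORWARD = "forward"         # hand the query to the zone's real nameservers


def labels(name: str) -> List[str]:
    """Split a DNS name into labels, case-insensitively, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def under(name: str, parent: str) -> bool:
    """True if name equals parent or lies beneath it, matched on whole labels,
    so 'notdyn.example' is not under 'dyn.example' (a substring test would say it is)."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[-len(p):] == p


class ZoneSinkhole:
    """Coarse policy: every name under a seized zone gets the sinkhole address.
    Good and bad hostnames are indistinguishable to it."""

    def __init__(self, seized_zones: Iterable[str]):
        self.zones = list(seized_zones)

    def decide(self, qname: str) -> str:
        return SINKHOLE_IP if any(under(qname, z) for z in self.zones) else FORWARD


class SelectiveSinkhole(ZoneSinkhole):
    """Intended policy: sinkhole only blocklisted hostnames (and names beneath
    them); forward every other name, including unknown hostnames in the seized
    zones, so legitimate dynamic-DNS users keep resolving."""

    def __init__(self, seized_zones: Iterable[str], bad_hosts: Iterable[str]):
        super().__init__(seized_zones)
        self.bad = list(bad_hosts)

    def decide(self, qname: str) -> str:
        if not any(under(qname, z) for z in self.zones):
            return FORWARD        # not a seized zone: nothing to decide here
        if any(under(qname, h) for h in self.bad):
            return SINKHOLE_IP    # listed hostname, or something beneath it
        return FORWARD


def collateral(policy: ZoneSinkhole, bad_hosts: Iterable[str],
               queries: Iterable[str]) -> List[str]:
    """Names the policy sinkholes that are not on (or beneath) the blocklist:
    the innocent customers whose hostnames stop resolving."""
    bad = list(bad_hosts)
    return sorted(
        q for q in queries
        if policy.decide(q) == SINKHOLE_IP and not any(under(q, h) for h in bad)
    )


# Constructed scenario: one seized zone, two known-bad hostnames, a mix of queries.
SEIZED = ["dyn.example"]
BAD = ["c2.dyn.example", "dropper.dyn.example"]
QUERIES = [
    "c2.dyn.example.",          # malicious, with the trailing dot a resolver sends
    "Beacon.C2.dyn.example",    # beneath a malicious hostname
    "home-nas.dyn.example",     # legitimate customer
    "webcam.dyn.example",       # legitimate customer
    "notdyn.example",           # looks similar, not in the zone
    "dyn.example.evil.test",    # zone name embedded in a foreign domain
]

if __name__ == "__main__":
    for name, policy in [("zone-level", ZoneSinkhole(SEIZED)),
                         ("selective", SelectiveSinkhole(SEIZED, BAD))]:
        print(name, "collateral:", collateral(policy, BAD, QUERIES))
```

Running it shows the zone-level policy cutting off both legitimate customers while the selective policy cuts off none; note that the selective policy is only as good as its blocklist, and that a seizure still has to absorb the zone's full query load, which is the second problem No-IP describes.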
While Microsoft said service had been restored by Tuesday at 6 am, No-IP and its customers have reported continued outages since then.
To complicate matters, a presumably unrelated DDoS attack also took down the No-IP website on Tuesday. But this, according to No-IP, did not affect its DNS infrastructure in any way.
Microsoft has participated in domain seizures before in an attempt to disrupt malware operations, as Ars Technica and others have noted. Its procedures typically involve surprise technical and legal measures, which sometimes neutralize real threats but can also, as in this case, backfire.
Regarding the need for Microsoft to step in to deal with malicious use of its services, No-IP said that it and its parent company Vitalwerks LLC have a very strict abuse policy, and that Microsoft's actions were shocking. It says staff constantly work to keep the No-IP domains free of spam and malicious activity, and that the network is filtered and scanned daily for suspicious activity.
No-IP notes: “Even with such precautions, our free dynamic DNS service does occasionally fall prey to cyber scammers, spammers, and malware distributors. But this heavy-handed action by Microsoft benefits no one. We will do our best to resolve this problem quickly.”