After the sinkholing exercise of earlier this week, No-IP has said that that all of the 23 domains that were “seized by Microsoft” on June 30th were now back in its control.
In an updated blog, No-IP said that it may take time for the DNS to fully propagate, but everything should be fully functioning within the next day. “We are so sorry for the inconvenience that this takedown has caused our customers,” it said. “Thank you so much for the support and for sticking with us through the entire process this week.” A request for comment had not been received at the time of writing.
Earlier this week, we reported that had named the US company Vitalwerks Internet Solutions, LLC (doing business as No-IP.com) as being responsible for infecting users with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. It specifically named two Kuwaiti and Algerian nationals for this, and No IP for not taking sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.
This led to it taking civil action which alleged that the malware was distributed through more than 18,000 sub-domains belonging to No-IP, which was granted on June 26th and Microsoft became the DNS authority for the company’s 23 free No-IP domains, allowing it to sinkhole all known bad traffic to Microsoft and classify the identified threats.
However it seemed nobody consulted No-IP, who said in a statement that it was “very surprised by this” and that Microsoft never contacted or asked them to block any subdomains, even though it has an open line of communication with Microsoft corporate executives.
“They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening,” it said. “Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate hostnames associated with a few bad actors.
“Had Microsoft contacted us, we could and would have taken immediate action. Microsoft now claims that it just wants to get us to clean up our act, but its draconian actions have affected millions of innocent Internet users.”
In the following days, No-IP said it was suffering a DDoS attack and unable to mitigate. Despite this, the internet came out in support of No-IP; Manos Antonakakis said in his blog that “without a doubt, this must be the biggest failure in the history of cyber security”. He said: “It is evident in my eyes that the logic behind DCU’s actions is not based on objective observations around botnet operation
s. Rather, DCU’s actions are based on a subjective decision that serves a different agenda. That is, if the strategic goal were to takedown the ZeroAccess botnet, for example, the operation would have simultaneously addressed all possible C&C channels (P2P or otherwise).
“It is clear that the operational security community is in desperate need of a single entity that can provide the necessary common ground that will bring industry, government and academia together to strategise against the systematic fight against internet abuse.”
Also talking to Forbes, Andreas Lindh, security analyst at I Secure Sweden AB, said Microsoft’s action against No-IP was much too drastic and should have been handled in a much less aggressive way. “It’s a crazy world where one corporation can decide that another one isn’t doing its job good enough and then simply get legal backing for taking the services of that company down,” Lindh added. “If not being ‘good enough’ at security on some ad-hoc scale is enough for being taken down, lots of people should have been shut down a long time ago, including Microsoft back in the day.”
