Microsoft takes down No-IP DNS domains in cybercrime fight – right or wrong? [POLL]

noip-170Four days ago, Microsoft went to court in the USA.

As a result, the company succeed in grabbing temporary control of 23 internet domain names from a company called Vitalwerks Internet Solutions, based in Reno, Nevada.

Vitalwerks, which offers what are known as dynamic Domain Name System (DNS) services, is much better known by its trading name, no-ip.

You’re probably thinking, “How can you have an internet connection with no IP number?”, and, loosely speaking, you can’t.

But many users don’t have consistent IP numbers, those digital addresses that identify your computer, or at least your network, and look something like

Many ISPs use what are called dynamic IP numbers, allocated to your computer (or your network router) when you connect to their service.

When your router reboots, or your 3G modem reconnects to the cellular network, you sometimes end up with a new IP number, handed out from a pool of avaialble numbers.

→ The purpose of dynamic IPs is to make IP numbers go further, and to allow ISPs to service more customers than they have IP numbers allocated to them. Otherwise, an ISP with 65,000 IP numbers at its disposal could never reliably sign up more than 65,000 customers, even if no more than half of those customers were ever connected at the same time.

Provided it doesn’t change in the middle of an online transaction, exactly what IP number you have doesn’t matter much.

At least, it doesn’t matter for outbound traffic.

But if you want to run a server, or to let someone connect to you, then having a dynamic IP number, instead of a static one that survives router reboots and modem reconnects, is a real pain.

It’s a bit like getting a new phone number: once every few years is OK, but twice a month would be far too often for convenience.

Dynamic DNS

What dynamic DNS services do is offer you a domain name service (more accurately, a subdomain name service ) that not only converts a human friendly name like into an IP number, but also keeps that name-to-number mapping up to date whenever your IP number changes.

Best of all, at least for home users, is that many companies like no-ip offer a free version of their service, in the hope of attracting paying customers to their premium offerings.

That sounds like a win-win situation, but in the real world, it can end up a bit more of a win-win-lose.

That’s because free dynamic DNS services are of special value to cybercriminals.

By signing up for thousands of free accounts, they get someone else to do the hard work of keeping a large and innocent-looking list of static computer names reliably hooked up to an ever-shifting raft of malware distribution servers.

If they hack into your network today so they can use it to serve up infectious webpages, the dynamic DNS service will happily point their victims at your server.

But if you spot the attack and clean up the server, it’s a matter of moments for the crooks to get their dodgy hostname redirected to someone else’s hacked server to keep the cyberscam alive.

That’s because dynamic DNS services are designed to make it easy to update DNS records, and to tell the world quickly about the changes that just happened.

→ DNS replies include a number, expressed in seconds, called time-to-live (TTL), during which a computer should cache that reply to use again. Typical values are 300 (5 minutes), 1800 (half an hour) and 3600 (one hour). This reduces the load on the overall DNS infrastructure a lot, but a large TTL means that a change in your IP number can take a while to propagate. Dynamic DNS services often use a TTL of 60 (one minute) to improve switch-over times.

18,000 homes for cybercrime

Microsoft convinced the court that no-ip’s free dynamic DNS domains were home to at least 18,000 servernames in active use by zombie malware, or bots.

Redmond even named two of the most common bots that allegedly use no-ip as part of their infrastructure, together with the men they claim run those bots.

Indeed, Naser al Mutairi, allegedly running the Bladabindi malware as a business out of Kuwait, and Mohamed Benabdellah, alleged author of the Jenxcus malware out of Algeria, are explicitly named as defendants in the court documents, along with Vitalwerks.

Longstoryshort, of course, is that temporarily taking over no-ip’s free dynamic DNS domains didn’t just nobble the 18,000 hostnames that helped Bladabindi (Sophos name: Troj/BBdindi-A) and Jenxcus (Sophos name: VBS/Autorun-CAI) do their dirty work.

Collateral damage

The takedown affected lots and lot of other users, who had the misfortune to use the same service for perfectly innocent purposes.

One school of thought is that 18,000 cybercrime domains on one provider’s infrastructure goes beyond what is reasonable; indeed, the court repeatedly used the words negligent and negligence.

The collateral damage to legitimate users is regrettable, but a necessary and practical part of fighting cybercrime.

Another school of thought is that legitimate users should not be made to pay for the alleged crimes of Messrs Muatairi and Benadbella, especially if the collateral damage could potentially affect millions of users in return for stopping just 18,000 dodgy hostnames from working.

The collateral damage is out of scale to the benefits that it might bring in dealing with a tiny part of the cybercrime ecosystem.

Which side are you one? Vote in our poll…

NB. According to Ars Technica, Microsoft has now given up those 23 seized domains, of which 18 have already been restored to no-ip. Whether Microsoft already got far enough in its anti-cybercrime activities or decided that it should err on the side of public access (or both!) is not yet clear.