
How Microsoft seized a big chunk of the internet, then broke it


There’s a group of people at Microsoft who are like internet superheroes on a mission to protect the world from evil hackers. And this week, that group convinced a judge to turn over a chunk of the internet to their control, and then messed up that control, bringing websites down for “millions” of people.

It’s a strange story of good intentions coupled with, arguably, zealous overreach.

On Monday, Microsoft’s hacker-fighting unit, Microsoft Digital Crimes Unit (DCU), published a blog post saying it had filed a US lawsuit against two men who it believes are notorious hackers: Mohamed Benabdellah (who Microsoft believes lives in Algeria) and Naser Al Mutairi (believed to live in Kuwait).

In that same suit, Microsoft also named a company called No-IP that rents website names. Microsoft argued in the suit that No-IP was being used by these criminals and wasn’t doing enough to stop them. It said that Microsoft should be given custody of a chunk of the internet controlled by No-IP.

A federal judge agreed and authorized Microsoft to seize that part of the internet.

But after Microsoft got control, it couldn’t handle the internet traffic, and websites went down for many of No-IP’s 14 million customers.

More than 4 million sites were pulled off the internet, including both malicious and harmless ones – affecting 1.8 million users, according to security researcher Eugene Kaspersky.

To be sure, Microsoft’s DCU has done a lot of good over the years, working with the FBI to take down some of the worst, nastiest criminal hacker computer networks on the planet.

But in No-IP’s case, the company wasn’t a hacker. The problem, Microsoft argued, was that No-IP’s business model lent itself to criminal abuse. Microsoft wasn’t the only one that thought this. Earlier this year, Cisco’s security team said the same thing about No-IP’s business model.

Here’s what they said was wrong: Computers prefer numbers, humans prefer words. A website has two internet addresses: one of them is a number, called an IP address; the other is words, called a URL; together they are known as a “domain.”

A system called “domain name service” (DNS) matches up the two, so when you type businessinsider.com into your browser (easier for humans to remember), you are connected to the IP address of 64.27.101.155 (easier for computers to work with).

Microsoft’s problem is that No-IP uses something called Dynamic DNS, a tech that allows lots of websites to share the same numerical IP address. This isn’t special to No-IP. DDNS is used in everything from corporate networks to home networks.

But DDNS websites, often called “subdomains,” are not tracked the same way as regular websites, making them a haven for criminals wanting to hide their activities and whereabouts, according to research done by Cisco and Microsoft. That research showed that free IP addresses, particularly those owned by No-IP, were being used regularly by hackers to distribute malware.

As Richard Domingues Boscovich, assistant general counsel for Microsoft DCU, explained:

“We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims.

Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93% of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. …”

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the US District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains.

To be fair, those free No-IP addresses are also used by lots of people for plenty of legit reasons. It’s a popular choice, for instance, for internet-security cameras that let people watch their homes over the web while away.

The first time the folks at No-IP knew of Microsoft’s interest in their business was when Microsoft seized their domain names, they said in a blog post.

“We have a long history of proactively working with other companies when cases of alleged malicious activity have been reported to us. Unfortunately, Microsoft never contacted us or asked us to block any subdomains, even though we have an open line of communication with Microsoft corporate executives.”

Microsoft said that it planned to stop the traffic from the bad guys while letting everyone else’s websites work normally. It wants to study the hackers and share reports about them with the internet community, it said.

It set up its filtering operations using its own cloud, Azure, and network technology from a company called A10 Networks.
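To show the difference between sinkholing an entire seized zone and filtering individual hostnames under it (the approach Microsoft said it intended), here is an added toy model; it is not Microsoft’s, A10’s or No-IP’s code, and the zone name, hostnames, blocklist and addresses are constructed sample data.

```python
# Added example, not from the article: a toy DNS authority for a seized
# dynamic-DNS zone. Hostname-level policy sinkholes only listed names and
# keeps every other record intact; zone-level policy sinkholes everything,
# which is the collateral-damage case. All names and IPs are constructed.
from collections import Counter

SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address, constructed

# What the original dynamic-DNS provider would have answered (constructed).
ORIGINAL_RECORDS = {
    "badbot.example-ddns.net": "203.0.113.10",
    "homecam.example-ddns.net": "198.51.100.7",
    "shop.example-ddns.net": "198.51.100.20",
}

# Hypothetical blocklist of specific malicious hostnames in the seized zone.
BLOCKED_HOSTNAMES = {"badbot.example-ddns.net"}

SEIZED_ZONES = {"example-ddns.net"}


def normalize(name):
    """DNS names are case-insensitive; strip a trailing root dot too."""
    return name.lower().rstrip(".")


def in_seized_zone(name):
    return any(name == z or name.endswith("." + z) for z in SEIZED_ZONES)


def resolve(name, zone_level=False):
    """Answer one query. Returns the sinkhole IP, the original record,
    or None (not authoritative / no such name in this toy model)."""
    name = normalize(name)
    if not in_seized_zone(name):
        return None
    if zone_level or name in BLOCKED_HOSTNAMES:
        return SINKHOLE_IP
    return ORIGINAL_RECORDS.get(name)


def serve(queries, zone_level=False):
    """Answer a batch of queries and tally each outcome, so the number of
    innocent names a policy knocks offline can be measured directly."""
    tally = Counter()
    for q in queries:
        answer = resolve(q, zone_level)
        if answer == SINKHOLE_IP and normalize(q) not in BLOCKED_HOSTNAMES:
            tally["collateral"] += 1
        elif answer == SINKHOLE_IP:
            tally["sinkholed"] += 1
        elif answer is None:
            tally["unanswered"] += 1
        else:
            tally["passthrough"] += 1
    return dict(tally)
```

Running `serve()` over the same three names with and without `zone_level=True` shows the same single malicious host sinkholed either way, but two legitimate hosts lost only under the zone-level policy.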

Only it didn’t work, as No-IP explained:

“Apparently, the Microsoft infrastructure is not able to handle the billions of queries from our customers. Millions of innocent users are experiencing outages to their services because of Microsoft’s attempt to remediate host names associated with a few bad actors.”

Microsoft admitted as much, too, in an emailed statement from David Finn, executive director and associate general counsel of the DCU:

“Microsoft took steps to disrupt a cyber-attack that surreptitiously installed malware on millions of devices without their owners’ knowledge through the abuse of No-IP, an internet solutions service. Due to a technical error, however, some customers whose devices were not infected by the malware experienced a temporary loss of service. As of 6 am Pacific time today, all service was restored. We regret any inconvenience these customers experienced.”

People took to Twitter to question why one private entity, Microsoft, was given control of another private entity’s business assets, even if an argument could be made that criminals were abusing those assets.

And everyone from the tech press to famous security professionals is starting to weigh in on whether Microsoft was right to pursue this. Kaspersky says that of all the DNS providers, No-IP is not hosting the most hacker websites (not even close). But he also says it was “the most unwilling to cooperate” when warned of hacker abuse.

We reached out to No-IP to ask for further comment and will update if they respond.
