All Microsoft-seized domains back with No-IP

News by Steve Gold

Just over a week after Microsoft seized more than 20 domains from No-IP, the ISP now says that all of the domain names are back in its possession.

As reported late last month, Microsoft was accused of acting “excessively” after it used a US court order to take down servers being exploited by threat actors from Algeria and Kuwait to allegedly infect millions of computers with malware - but in the process floored the servers being used by millions more innocent Internet users.

It now appears that Microsoft may have scored an own goal in its rolling programme to take down servers being used to distribute malware and other threats on the Internet. 

In a blog posting, No-IP said that all of the 23 domains that were seized by Microsoft on June 30 are now back under its control.

"Please realise that it may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day. One of the domains,, took longer to get back online, but it should be fully restored within the next day," said the company.

"We are so sorry for the inconvenience that this takedown has caused our customers. Thank you so much for the support and for sticking with us through the entire process this week. More information surrounding this event will be released within the next few days, so stay tuned," it added.

Commenting on the emerging story, Will Semple, vice president of research and intelligence with Alert Logic, said there are a number of questions being asked of Microsoft following the No-IP takedown – and the top of the list is: did they get it wrong?

"I think Microsoft as an entity has a few lessons to learn from this operation, the Digital Crime Unit (DCU) at the heart of the operation I believe were correct in the objective that they wanted to achieve. The legal execution of the takedown is very questionable and perhaps more of a scalpel is needed than a sledgehammer," he said.

Semple went on to say that the DCU had put together enough valid evidence that the No-IP service was being used to control and propagate malware for criminal ends.

This, he explained, allowed the legal team at Microsoft to make the case; how it was presented and followed through is where the problems began and technical issues followed.

"Does No-IP have a corporate obligation and responsibility to ensure that their services are not being used for malicious acts? Yes they do in my opinion.  Did Microsoft execute this takedown as well as they could? No not by a long way," he said.

"The positive result is that it has highlighted very publicly the good work that the DCU does and the growing problem of how corporate legal entities utilise legislation to negative effects. It will spark the debate on the need for tighter collaboration between corporate legal, law enforcement and the researchers who are at the coalface of the problem. No-IP's valid customers are back online again - they should not have been inconvenienced during the takedown and both No-IP and Microsoft need to take responsibility for that,” he added.

Over at cloud security specialist Zscaler, Michael Sutton, vice president of security research, was more sanguine in his analysis.

"When you fire a shotgun in a crowded room, there's bound to be collateral damage. Such is the danger of issuing a takedown order to stomp out criminal activity on shared servers when it freely intermingles with legitimate content," he said.

"This is always true when a broad-reaching takedown is ordered but especially challenging in this situation where Dynamic DNS is involved, a popular service used for both legitimate and shady purposes. While innocent victims were caught up in the No-IP takedown, it is hard to fault Microsoft for their dedication to addressing botnet activity," he added.

Sutton says that Microsoft has led the charge removing botnet infrastructure from the Web and has had several high profile takedown efforts in the past including Citadel, Zeus and SpyEye.

"Unfortunately, even Microsoft with their vast resources is realising that such efforts are only a temporary solution as the malware authors generally adapt quickly and barring prosecution, are back online only weeks later. Given the collateral damage that occurred during this takedown, expect Microsoft to be a bit more cautious the next time they fire their big gun," he noted.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews