Microsoft’s seizure of domains backfires

Last month, Microsoft Corp. won a ruling from U.S. District Court in Nevada against, a domain hosting provider, allowing Microsoft to seize roughly 20 domain names, reportedly for security reasons, in a move that raised the ire of the security/technology community.  

“Microsoft confiscated the No-IP domains in late June through a secretive legal maneuver that didn’t give the dynamic DNS provider [No-IP] an opportunity to oppose the motion in court,” Dan Goodin, security editor at Ars Technica, wrote on the tech website on July 2, in the wake of Microsoft’s about-face.  

The headline on Goodin’s article after Microsoft surrendered the confiscated domains gives some idea of the import to the tech/security community:  

“Order restored to universe as Microsoft surrenders confiscated No-IP domains.” 

Goodin wrote: “Microsoft’s ex parte request was part of a legal action designed to dismantle two sprawling networks of infected Windows computers that were abusing No-IP in an attempt to evade takedown. As partial justification for the request, Microsoft lawyers argued No-IP didn’t follow security best practices. 

“On Monday, Microsoft said it planned to use its Azure cloud platform to block malicious No-IP subdomains that were the subject of the court action while permitting legitimate subdomains to connect as normal. In practice, dynamic DNS hosting was wiped out for all, or virtually all, No-IP users. In the process, more than 4 million connections went dark, Reno, Nevada-based No-IP said.” 


Move prompts outrage  

When tech/security writers discovered what had happened, they were quite clear about their perceptions (note: this story went unnoticed in the so-called “mainstream media”). 

Forbes’s headline screamed: “Security World To Microsoft: Stop Trying To Police The Internet.” 

The article by Thomas Brewster (BT Security Journalist of the Year 2012 and 2013) starts out: 

“Crazy. Outrageous. Unbelievable. These are a few of the many vitriolic words being levelled at Microsoft today, which is taking a kicking from the security community over the dismantling of a cybercriminal campaign said to have infected millions. 

“It was a move the tech giant thought entirely altruistic. But in knocking a critical piece of the alleged malware creators’ infrastructure offline, the Redmond [Washington] giant also appears to have wiped many legitimate users off the face of the internet. 

“In order to take the Trojans out of action, Microsoft deemed it necessary to effectively take control of systems belonging to another tech company, No-IP, that provides a portion of the telephone book for the Web – the Domain Name System. The DNS translates website names (e.g. into IP addresses that identify the machine hosting the site (e.g.”  

Brewster goes on to explain:   

“No-IP allows those with domains, such as website owners, to change IP addresses frequently and keep the same URL, so users can still find their sites when the address changes. This is known as dynamic DNS. It’s particularly handy for anyone running a Web service from home whose IP address is likely to change a lot, due to the way ISPs try to create efficiencies by shifting them around. 

“But such services also happen to be handy for allowing cyber crooks to change their IP addresses to avoid being tracked down by law enforcement whilst continuing to use domains receiving pilfered data from infected PCs. That’s why Microsoft got a court order, possibly from a judge with little understanding of the technical ramifications of the decision, to take control of 22 No-IP domains, under which sat more than 18,000 free subdomains said to be used by criminals running the data stealing spy software …” 

Microsoft, for its part, claimed No-IP didn’t follow security best practices and reported on its website,, that it had “launched what it hopes will be the most successful private effort to date to crack down on cyber crime by moving to disrupt communications channels between hackers and infected PCs.” 

The court order, Microsoft said, allowed it “to disrupt communications between infected machines and a Reno, Nevada, firm known as Vitalwerks Internet Solutions. 

“Microsoft has not accused Vitalwerks of involvement in any cybercrime, though it alleges that the company failed to take proper steps to prevent its system from being used for such activities.” 

“We just want them to clean up their act, to be more proactive in monitoring their service,” Richard Domingues Boscovich, assistant general counsel of Microsoft’s cybercrime-fighting Digital Crimes Unit, said in an interview.  

However, No-IP officials said they were never contacted by Microsoft about its concerns and were never given the chance to clear things up in advance of any legal action. 

“Officials at said that Microsoft had never contacted them prior to the takedown operation and denied that the company was involved in providing cover for any cybercrime operations,” Dennis Fisher wrote on the website in the days following the action. “Now, Microsoft officials say that the company made a technical error that caused disruptions for the legitimate customers of No-IP.” 

The headline on Fisher’s article reads: “Microsoft says ‘technical error’ led to legitimate No-IP customers losing service.” 

Fisher notes that this was not the first time Microsoft has taken down the infrastructure used in the operation of malware. In fact, he says, this was “the latest in a series of such actions that the software giant has taken against botnet operators, malware gangs and other cybercime operations. 

“… Microsoft’s involvement in these operations has not been without controversy,” Fisher wrote. “Security researchers have questioned why the company is taking it upon itself to seek legal authorities to seize domains, servers and other assets. This latest takedown on Monday raised many of those same questions, with researchers and officials at criticizing Microsoft’s actions and saying the company had overstepped its bounds.” 

In the days following Microsoft’s seizure, according to Fisher, officials at No-IP said, “We have been in contact with Microsoft today. They claim that their intent is to only filter out the known bad hostnames in each seized domain, while continuing to allow the good hostnames to resolve. However, this is not happening,” the company said in a statement. 

On Tuesday, Fisher wrote, “No-IP said some of its customers were still having problems.” 

“We apologize for this outage. At this point it is completely out of our hands, but please understand that we are fighting for you,” No-IP said. 


The other side  

“In fairness to Microsoft,” Goodin of Ars Technica wrote, “aggressive legal actions that confiscate domain names have played a key role in ridding the Internet of some of the most abusive and resilient botnets. [Microsoft’s] legal department deserves credit for innovating a maneuver that has made the Internet a safer place. These draconian actions, however, should be taken only as a last resort.  

“Microsoft has yet to respond to No-IP allegations that no one at Microsoft ever privately complained of the abuse. It that’s true, it’s hard to conclude this episode wasn’t an overreach and a gross abuse of the legal process.”