RIPE questions registration freeze related to botnet bust
- 24 November, 2011 01:55
A Dutch organization responsible for allocating IP addresses to network providers in Europe is questioning an order by police to not allow changes to the registrations of four blocks of addresses that were used until recently by a known criminal network.
RIPE NCC, a nonprofit Regional Internet Registry (RIR) based in Amsterdam, received a letter from Dutch police on Nov. 8 with the order.
The Dutch order is linked to a court order issued on Nov. 3 by the U.S. District Court for the Southern District of New York. The order mandates a range of protective measures intended to stop a gang of cybercriminals from regaining control of a massive botnet.
The U.S. Federal Bureau of Investigation announced on Nov. 9 that six Estonians had been arrested as the result of a two-year investigation into a cybercriminal ring that infected up to 4 million computers with malicious software.
The malicious software, known as DNSChanger, tampered with the computers' DNS (Domain Name System) settings in an elaborate scheme intending to fraudulently collect at least US$14 million in Internet advertising revenue, the FBI said.
The cybercriminals ran some of their operations on IP addresses registered with RIPE, which has been criticized for allegedly not thoroughly vetting applicants for IP address blocks.
The IP addresses, blocked out in the police notice posted by RIPE in a news release last week, can be found in the U.S. court order. Some of the IP addresses in the court order are linked by computer security experts with abusive activity as far back as five years ago.
The U.S. court order said that RIRs, of which there are five worldwide including RIPE, should not make any registration changes for the IP addresses and ranges specified in its order. The purpose is to prevent anybody associated with those arrested from taking actions that would disrupt ongoing remediation efforts.
The computers of DNSChanger victims were directed to a set of DNS servers run by the criminals. Authorities couldn't just shut off those servers, since 4 million computers suddenly wouldn't have DNS services, a problem akin to losing your address book for the Internet.
Instead, the Internet System Consortium has set up replacement DNS servers. The ISC will run those servers for 120 days, ending around March 8. ISC is tasked with identifying infected computers as they query the replacement servers.
RIPE is not supposed to allow any changes to the registration information for IP addresses in question until March 22, and it is complying. But RIPE has distanced itself from any liability, writing in a press release on Nov. 9 that "Dutch police take full responsibility for the consequences that could arise from the registration being temporarily locked."
Last week, RIPE issued another press release, this time saying that it "intends to take the Dutch public prosecutor to court over a police order it received." A spokesman for RIPE said on Tuesday that the organization was seeking clarification around the order from authorities.
The spokesman said a public prosecutor in the Netherlands received a request from the U.S. Department of Justice and found it to be in line with Dutch law. No Dutch court was involved. The request was then passed to the Dutch police, which then sent the letter to RIPE, the spokesman said.
Send news tips and comments to firstname.lastname@example.org