Susam, I'm glad we were able to get this resolved for you and I
apologize for the inconvenience and the scare this caused you.
Automated legal actions and takedowns like this introduce a lot of
risk of collateral damage but I wonder what the alternatives are.
The investigators would likely argue that notifying domain holders
would reduce the chance that they can take down a botnet's
infrastructure successfully, which seems likely.
Could there be some maximum time after which the 'rule set' for the
auto-takedown code needs to be made open source/public? It must
presumably be implemented as software and/or configuration files.
That would at least allow for inspection, confirmation and disputes
about how it's implemented, and if this was 30 days or so, it
shouldn't risk the takedown effort.
While top-tier network engineers are developing takedowns like this,
presumably they'll do a good job of minimizing false positives - but
as this case shows, it's not always going to be perfect - and I
worry that if it becomes more common, we'll see sloppier
That could lead to connectivity and access issues for more users
(again in an international context). It's great that the situation
was resolved in this case but I imagine not all users would be able
to raise a complaint at a similar level of technical detail and
respectful tone and for it to receive the same amount of attention.
Maybe that's untrue. Maybe injustices really do get amplified by
social media and relying on companies to notice this 'works'. It
doesn't sit particularly well with me as a remediation process
though, and I'm not sure it scales.
This was a really good write up, thank you. And congratulations on
getting your domain back.
Props to you for reacting suitably: worried, but calm and measured
and not jumping on some Twitter outrage bandwagon.
The scariest part is that it looks like this got resolved quickly
only because your tweet got noticed and retweeted. I wonder how long
it would have taken otherwise.
Someone less technical would likely have no idea what happened to
their domain. An individual relying on their web presence for income
could be massively impacted by something like this. There really
does not seem to be a clear way for someone to a) know what the
problem is, and b) get it resolved quickly.
As a small business owner, this terrifies me. Since the TTL for NS
records is 48 hours, a domain takeover like this could easily
bankrupt a lot of SaaS companies.
What options are there to prevent this? Would a registrar such as
MarkMonitor provide at least some notice or protection?
A couple of years ago we lost our domain
Duct Tape Holding the Internet Together) due to a registrar
(that we were not a customer of) erroneously issuing a
suspension. The amount of honor system involved in the whole
process, particularly in ccTLDs without as much oversight, was
Thank you for this. We are definitely seeing the declining use of
centralized domain-resolution. It has advantages only when it is not
itself being gamed, and increasingly companies and governmental
orgs have found ways to do just that. At the very least every domain
should have dual central + decentral resolutions, and browsers should
give you options when the resolutions conflict.
I'm glad that this particular instance was resolved reasonably
gracefully, but all it would have taken is a less informed or
connected victim and it would have been so much worse.