RIPE NCC, a Dutch organisation responsible for allocating IP addresses to network providers in Europe, is questioning an order by police to not allow changes to the registrations of four blocks of addresses that were used until recently by a known criminal network.

The Amsterdam-based nonprofit Regional Internet Registry (RIR) received a letter from Dutch police on November 8 with the order.

The Dutch order is linked to a court order issued on November 3 by the US District Court for the Southern District of New York. The order mandates a range of protective measures intended to stop a gang of cybercriminals from regaining control of a massive botnet.

The US Federal Bureau of Investigation announced on November 9 that six Estonians had been arrested as the result of a two-year investigation into a cybercriminal ring that infected up to four million computers with malicious software.

DNSChanger

The malicious software, known as DNSChanger, tampered with the computers' DNS (Domain Name System) settings in an elaborate scheme intending to fraudulently collect at least £8.8 million ($14 million) in internet advertising revenue, the FBI said.

The cybercriminals ran some of their operations on IP addresses registered with RIPE, which has been criticised for not thoroughly vetting applicants for IP address blocks.

The IP addresses, blocked out in the police notice posted by RIPE in a news release last week, can be found in the US court order. Some of the IP addresses in the court order are linked by computer security experts with abusive activity as far back as five years ago.

The US court order said that RIRs, of which there are five worldwide including RIPE, should not make any registration changes for the IP addresses and ranges specified in its order. The purpose is to prevent anybody associated with those arrested from taking actions that would disrupt ongoing remediation efforts.

The computers of DNSChanger victims were directed to a set of DNS servers run by the criminals. Authorities couldn't just shut off those servers, since four million computers suddenly wouldn't have DNS services, a problem akin to losing your address book for the internet.

RIPE seeking legal clarification

Instead, the Internet System Consortium has set up replacement DNS servers. The ISC will run those servers for 120 days, ending around March 8. ISC is tasked with identifying infected computers as they query the replacement servers.

RIPE is not supposed to allow any changes to the registration information for IP addresses in question until March 22, and it is complying. But RIPE has distanced itself from any liability, writing in a press release on November 9 that "Dutch police take full responsibility for the consequences that could arise from the registration being temporarily locked."

Last week, RIPE issued another press release, this time saying that it "intends to take the Dutch public prosecutor to court over a police order it received." A spokesman for RIPE said earlier this week that the organisation was seeking clarification around the order from authorities.

The spokesman said a public prosecutor in the Netherlands received a request from the US Department of Justice and found it to be in line with Dutch law. No Dutch court was involved. The request was then passed to the Dutch police, which then sent the letter to RIPE, the spokesman said.