Microsoft's NoIP takedown

As I write this article I already know that you won’t be able to read it… Why is that? At the time of writing, No-IP.com’s service has been severely disrupted, meaning that DNS lookups for www.polaris64.net fail. So why don’t No-IP fix the problem? Well, it isn’t their fault, it is Microsoft’s fault…

Before I talk about what Microsoft has to do with this, for those of you who are not familiar with dynamic DNS services let me explain what No-IP is and why I and so many other people use it. Currently the vast majority of the Internet uses IPv4 addressing; these addresses look something like 173.194.34.120. At the time of writing this particular address belongs to Google and is more commonly reached as "www.google.co.uk". The TCP/IP stack on any computer needs the IP address in order to communicate with Google’s web server, but users almost always type the domain name, which is of course much easier to remember than the address.

Therefore a system is needed to translate a domain name into the relevant IP address. This system is the Domain Name System (DNS), and it is the backbone of the global Internet. DNS matters in several ways. Firstly, it is a lot easier for people to remember a name than an IP address. Secondly, web servers such as Apache, nginx and Microsoft’s own IIS support name-based virtual hosting. This allows many web sites to be hosted on the same physical server and IP address; the server selects the correct site from the hostname the browser sends in the HTTP Host header, which is the name you typed into the address bar. So entering “http://173.194.34.120/” into your browser may or may not give you the Google UK homepage, even though it is still Google’s HTTP server with which you are communicating. Finally, IP addresses are not permanent: servers move, providers renumber, and with IPv4 space running out most connections are assigned an address from a shared pool rather than a fixed one. Imagine if we all had to access Google as http://173.194.34.120/; if Google changed the address of that server the entire world would need to be informed somehow, and no “Googling it” would be possible! Virtual hosting would not be possible either, so a system like DNS is absolutely required for today’s World Wide Web.

Large corporations like Google own large blocks of IP addresses and can assign them to servers as they wish, updating DNS accordingly when they make a change. People like me (and millions of others) are not so fortunate, especially with the IPv4 address space diminishing. When I connect to the Internet from home I am assigned a seemingly arbitrary IP address by my Internet Service Provider (ISP), taken from a pool of addresses that the ISP owns. I run this website from my own personal server at home which, for the attentive reader, should ring some alarm bells! How can I run a server when its IP address changes, sometimes several times a day? I could keep track of the address myself, checking it whenever the router restarts, or every half an hour for example, and whenever it changed I could edit the DNS zone file for polaris64.net and update the www record so that it points to the new address. This of course would be very time consuming and prone to error. For this reason dynamic DNS services such as No-IP were created, and they are used by millions of people worldwide.

With a free No-IP account I am given one hostname under one of their domains, for example "simon.no-ip.biz", and that hostname can be pointed at a single IP address. What makes this different from a regular DNS hostname is that the change is automated: a small client provided by No-IP runs on my server and, whenever my public IP address changes, sends an update so that the hostname’s A record points at the new address. I have tied this into my polaris64.net domain with a canonical name (CNAME) record. Instead of the "www" record in the polaris64.net zone being an A record holding an IP address, it is a CNAME pointing at my No-IP hostname, which in turn resolves to my real address through No-IP’s A record. (A CNAME can only be placed on a name that carries no other records, so this works for www.polaris64.net but could not be done at the bare polaris64.net apex.) The consequence is that resolving www.polaris64.net depends on No-IP’s nameservers answering correctly. Normally they do, and that brings me nicely on to Microsoft’s involvement…
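To make the update mechanism concrete, here is a small dynamic-DNS updater written for this article as an added example; it is not No-IP’s own client (their real client is a separate program) and not code from the original post. It polls the current public address, compares it with the last address it pushed, and only talks to the update API when something has changed, which is the rule that keeps a host from being flagged for abuse. The endpoint URL, the hostname, the credentials and the User-Agent string are placeholders, and the response codes ("good", "nochg", "911", "abuse", …) follow the DynDNS2-style protocol that No-IP’s update API speaks; the HTTP call is injected as a function so the whole thing runs offline against a scripted fake.

```python
"""Minimal dynamic-DNS updater in the style of the No-IP client (added example).

Assumptions, not taken from the original post: UPDATE_URL, the hostname,
credentials and USER_AGENT below are placeholders; response codes follow the
DynDNS2-style protocol ("good <ip>", "nochg <ip>", "nohost", "badauth",
"badagent", "!donator", "abuse", "911").
"""
import base64
import ipaddress
from typing import Callable, Optional, Tuple

UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"   # assumed endpoint
USER_AGENT = "polaris64-ddns/0.1 admin@example.invalid"  # placeholder contact

# Codes after which the client must stop: retrying would only get the account locked.
FATAL = {"nohost", "badauth", "badagent", "!donator", "abuse"}
# Temporary server-side failure: keep state, try again on the next poll.
RETRY_LATER = {"911"}


def build_request(hostname: str, ip: str, user: str, password: str) -> dict:
    """Return the URL and headers for one update; raises ValueError on a bad IP."""
    ipaddress.ip_address(ip)  # reject garbage before it reaches the API
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "url": f"{UPDATE_URL}?hostname={hostname}&myip={ip}",
        "headers": {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT},
    }


def parse_response(body: str) -> Tuple[str, Optional[str]]:
    """'good 203.0.113.7' -> ('good', '203.0.113.7'); '911' -> ('911', None)."""
    parts = body.strip().split(None, 1)
    if not parts:
        raise ValueError("empty response from update API")
    return parts[0], (parts[1] if len(parts) > 1 else None)


class Updater:
    def __init__(self, hostname: str, user: str, password: str,
                 http: Callable[[dict], str], last_ip: Optional[str] = None):
        self.hostname, self.user, self.password = hostname, user, password
        self.http = http        # injected so the example runs without network
        self.last_ip = last_ip  # address we last pushed successfully
        self.disabled = False   # set after a fatal code; stop hammering the API

    def poll(self, current_ip: str) -> str:
        """One poll cycle: 'unchanged', 'updated', 'retry', 'fatal' or 'disabled'."""
        if self.disabled:
            return "disabled"
        if current_ip == self.last_ip:
            return "unchanged"  # no request at all: this is the anti-abuse rule
        body = self.http(build_request(self.hostname, current_ip, self.user, self.password))
        code, ip = parse_response(body)
        if code in ("good", "nochg"):
            self.last_ip = ip or current_ip
            return "updated"
        if code in RETRY_LATER:
            return "retry"      # last_ip unchanged, so the next poll retries
        self.disabled = True    # FATAL or an unknown code: stop until a human looks
        return "fatal"


def demo() -> Tuple[list, Optional[str], int]:
    """Drive the updater with a scripted fake API and a changing address (constructed data)."""
    replies = iter(["good 203.0.113.7", "911", "good 203.0.113.8"])
    sent = []

    def fake_http(req: dict) -> str:
        sent.append(req["url"])
        return next(replies)

    up = Updater("simon.no-ip.biz", "simon", "s3cret", fake_http)
    polls = ("203.0.113.7", "203.0.113.7", "203.0.113.8", "203.0.113.8")
    outcomes = [up.poll(ip) for ip in polls]
    return outcomes, up.last_ip, len(sent)  # (['updated','unchanged','retry','updated'], '203.0.113.8', 3)


if __name__ == "__main__":
    print(demo())
```

Four polls produce only three requests: the second poll is skipped because nothing changed, and the "911" reply leaves the stored address alone so that the following poll retries. A real deployment would persist `last_ip` across restarts, because a client that forgets it will send a pointless (and, if repeated, abuse-flagged) update every time it starts.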

Microsoft doesn’t own the global domain name system, so how is Microsoft causing this problem? Well, unfortunately it seems that they do own a large part of the legal system in the US: through a US federal court order Microsoft have seized a number of No-IP’s domains (22 of them, according to No-IP) and changed their nameservers to their own. Why did they do this? Well, as with any service, No-IP’s service can be abused. While millions of users like me use No-IP for legitimate reasons, others use it for malicious software. Imagine a piece of malware that sits on a computer and harvests passwords. When it comes time to send those passwords back to the attacker’s server it makes sense not to hard-code an IP address into the software, as that server might have been taken down or simply changed its address. The solution? A dynamic DNS hostname, which the attacker can repoint at a new server at any time.

Now, fair play to Microsoft, they are trying to blunt this malware by shutting down its hostnames, so that when the malware tries to phone home it cannot find its server. But it is the way Microsoft went about it that should be the subject of debate. According to No-IP’s official statement on the matter, instead of telling No-IP about the problem and asking them to shut down the offending hostnames, Microsoft took the matter to the courts, where they have a tradition of winning. The courts agreed and control of No-IP’s domains was handed over to Microsoft. Microsoft then changed the nameserver (NS) records, the delegation that says which servers answer DNS queries for these domains, to point at their own servers. The idea was that Microsoft would filter queries by hostname: ask for a blacklisted hostname and you would receive a non-existent domain (NXDOMAIN) response, ask for a legitimate one and you would get the same answer as before. That would stop the malware from “phoning home” while leaving legitimate users unaffected. Unfortunately that is not what happened. For the last three days, every DNS query for my No-IP hostname has returned a server failure (SERVFAIL) response rather than an answer, and since a CNAME is only as good as the name it points to, www.polaris64.net fails with it. Without an IP address, access to my site is impossible.
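The chain of dependencies described above, as a toy model written for this article (it is not code from the post, nor anything that No-IP or Microsoft actually run): two in-memory authoritative "servers" are modelled, polaris64.net’s holding the www CNAME, and the one for the No-IP domain in three versions: serving normally, filtering by hostname the way Microsoft described (NXDOMAIN for listed names, normal answers for everything else), and failing outright with SERVFAIL as observed. A stub recursive resolver follows the CNAME from the first zone into the second, so whatever the second zone answers becomes the answer for www.polaris64.net. All names, addresses and the blocklist entry are constructed for the example.

```python
"""Toy resolver showing how a CNAME into a No-IP domain inherits that domain's fate.

Added example with constructed data: the zones, the 'evil-c2' hostname and
the addresses below are invented for illustration; the three server
behaviours model (1) No-IP before the seizure, (2) the filtering Microsoft
described, (3) the SERVFAIL the author observed.
"""
from typing import Callable, Dict, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = "NOERROR", "SERVFAIL", "NXDOMAIN"
RR = Tuple[str, str]                       # (rrtype, rdata), e.g. ("A", "203.0.113.7")
Answer = Tuple[str, Optional[RR]]          # (rcode, record or None)
Server = Callable[[str], Answer]           # an authoritative server: name -> answer


def normal_server(zone: Dict[str, RR]) -> Server:
    """Serve exactly what is in the zone; unknown names are NXDOMAIN."""
    def serve(name: str) -> Answer:
        rr = zone.get(name)
        return (NOERROR, rr) if rr else (NXDOMAIN, None)
    return serve


def filtering_server(zone: Dict[str, RR], blocklist: set) -> Server:
    """Microsoft's stated design: listed names get NXDOMAIN, all others are served as before."""
    base = normal_server(zone)
    def serve(name: str) -> Answer:
        return (NXDOMAIN, None) if name in blocklist else base(name)
    return serve


def broken_server() -> Server:
    """A server that cannot answer anything: every query is SERVFAIL."""
    return lambda name: (SERVFAIL, None)


def resolve(name: str, servers: Dict[str, Server], max_chain: int = 8) -> Answer:
    """Stub recursive resolver: pick the authoritative zone by suffix, chase CNAMEs.

    Any non-NOERROR rcode from any zone on the chain ends the lookup with that
    rcode, which is why a SERVFAIL at the CNAME target takes down the alias too.
    """
    for _ in range(max_chain):
        zone = next((z for z in servers if name == z or name.endswith("." + z)), None)
        if zone is None:
            return (SERVFAIL, None)        # no delegation known for this name
        rcode, rr = servers[zone](name)
        if rcode != NOERROR:
            return (rcode, None)
        if rr[0] == "CNAME":
            name = rr[1]                   # follow the alias, possibly into another zone
            continue
        return (NOERROR, rr)
    return (SERVFAIL, None)                # CNAME loop or chain too long


def scenarios() -> Dict[str, Dict[str, Answer]]:
    """Resolve the site and a malware hostname under the three server behaviours."""
    polaris = normal_server({"www.polaris64.net": ("CNAME", "simon.no-ip.biz")})
    noip_zone = {
        "simon.no-ip.biz": ("A", "203.0.113.7"),      # the author's host (constructed)
        "evil-c2.no-ip.biz": ("A", "198.51.100.9"),   # a malware C2 name (constructed)
    }
    behaviours = {
        "before": normal_server(noip_zone),
        "intended": filtering_server(noip_zone, {"evil-c2.no-ip.biz"}),
        "observed": broken_server(),
    }
    names = ("www.polaris64.net", "evil-c2.no-ip.biz")
    return {
        label: {n: resolve(n, {"polaris64.net": polaris, "no-ip.biz": noip}) for n in names}
        for label, noip in behaviours.items()
    }


if __name__ == "__main__":
    for label, results in scenarios().items():
        print(label, results)
```

In the "intended" scenario only the listed hostname disappears and the site resolves exactly as before; in the "observed" scenario the No-IP zone answers SERVFAIL for everything, and because polaris64.net’s own nameservers hand the resolver a CNAME into that zone, the site is unreachable even though nothing about polaris64.net itself was touched. The difference in rcode is also worth noting in practice: resolvers cache an NXDOMAIN for the negative TTL, whereas a SERVFAIL is typically retried on every lookup, which only adds to the load on a server that is already failing.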

Why is their server failing? I don’t know. Microsoft’s official statement says that this was just a temporary glitch and that it has now been resolved, but again this has been a consistent problem for three days and counting. My best guess is that Microsoft underestimated the amount of traffic and their servers simply can’t cope with the influx of requests. So that is the problem I and millions of others are facing at the moment. For me it is just a nuisance, but for others it is causing huge problems. Imagine an embedded system that relies on a No-IP hostname in order to operate, perhaps a DVR that needs to reach a server: now even the customers who bought those systems are affected.

My main concern is how easily a huge corporation like this can wield so much legal power and cause so much disruption. If they had simply talked to No-IP I’m sure this issue could have been resolved quietly without me or anyone else ever knowing about it. I really think this needs to be discussed more openly; let’s set an example to Microsoft. Remember, No-IP is just a service which can be abused by criminals, just like Microsoft’s own Hotmail for example. Maybe somebody should ask the US courts to shut down Hotmail because some of its users use it to distribute the malware that caused this problem in the first place? Oh wait, how stupid of me, this is Microsoft we’re talking about and the legal system would never allow anything to happen to them…

I would ask you to retweet this article with the hashtag #FreeNoIP, but of course you won’t actually be able to read it in time…

UPDATE: I have changed my DNS by hand, so at least I will have some uptime until the matter is resolved.
