Slashdot Mirror


Netgear Routers DoS UWisc Time Server

numatrix writes "For the last few months, hundreds of thousands of Netgear routers being sold had hardcoded values in their firmware for NTP synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.

20 of 447 comments

  1. and now... by Anonymous Coward · · Score: 5, Funny

    slashdot has hard coded a link to the UWisc CS server, sending a DoS to them too

    oh, and fp.

  2. Obligatory Scooby Doo reference by OneIsNotPrime · · Score: 5, Funny

    And we would have gotten away too, if it weren't for those meddling kids!

    --

    ---

    WARNING:Slashdot karma not redeemable in the afterlife.

  3. Poor uWisc by mobiGeek · · Score: 4, Funny
    First the NTP flood.


    Now the /. effect.

    --

    ...Beware the IDEs of Microsoft...

  4. I did that to myself once by eschasi · · Score: 5, Funny

    I did that to myself once. It was a piece of software that went to comp.sources.unix (or something similar) and was default-configured to send error mail to an alias that pointed to me. A patch was released very shortly afterwards.

  5. If they did it to my NTP server... by lightspawn · · Score: 5, Funny

    I'd just send the wrong time back to netgear routers. I bet they wouldn't try that again.

    1. Re:If they did it to my NTP server... by charon_on_acheron · · Score: 3, Funny

      Right. So just figure out what number represents how many seconds would add up to February 30, 2003. Basically, it would be the same value as March 2, 2003, but you have to remember to set the evil bit. That'll do it every time.

  6. Hasn't /. learned? by ndogg · · Score: 4, Funny

    It's not nice to kick someone when they're down.

    --
    // file: mice.h
    #include "frickin_lasers.h"
  7. In other news at the University... by BMonger · · Score: 4, Funny

    "Quick! Block port 80!"

  8. Delicious irony by ryanvm · · Score: 4, Funny

    I love the irony of trying to read an article about a DoS from a site that's experiencing one because of the article. Yummy.

  9. Indeed by gilesjuk · · Score: 4, Funny

    The C comments in the Netgear code were a giveaway; they match those in SCO's code.

    "/* Huge Bodge */"

    "/* Kludge */"

    "/* Magic numbers are cool */"

    1. Re:Indeed by crawling_chaos · · Score: 3, Funny
      You forgot:

      /* Too drunk -- debug later */

      --
      You can only drink 30 or 40 glasses of beer a day, no matter how rich you are.
      -- Colonel Adolphus Busch
  10. Ouch! by MarkGriz · · Score: 3, Funny

    I'd hate to be working in Netgear's accounts payable dept. when the bandwidth usage bill arrives.

    --
    Beauty is in the eye of the beerholder.
  11. And then, on friday august 22 2003.. by 192939495969798999 · · Score: 4, Funny

    And then we got a ridiculous number of HTTP requests about the problem, which caused our server to explode and rain tiny bits of hazardous material into Lake Michigan. Fortunately, the indigenous wildlife was not affected, because nothing lives in Lake Michigan.

    --
    stuff |
  12. Simple Fix by Boss, Pointy Haired · · Score: 5, Funny

    UWisc hard codes the date/time on their time server to 2038-19-01 03:14:00.

    After 6 seconds, the Netgear will crash and burn as a result of the Y2K38 problem and the requests will be no more.

  13. Re:It's not about just embedded devices... by tommck · · Score: 5, Funny
    Of course if the gravitational constant changes, we've got bigger problems than updating your high school programming assignments! :-)

    --
    ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  14. Poor UWisc by EmagGeek · · Score: 5, Funny

    First the time server

    Then the e-mail server (from the helpdesk requests)

    Then the webserver (from /.)

    What next?

  15. Re:It's not about just embedded devices... by jeffy124 · · Score: 4, Funny
    That is indeed still the case today. This past spring I was a TA for a freshman programming course, and was instructed to deduct points for those who didn't follow such practices -- pi, hours/day, minutes/hour, etc. On exams, the prof would write "-5 - use of magic numbers."

    oh, and we laughed long and hard at the guy who put down:
    const int SIXTY = 60;
    const int TWENTY_FOUR = 24;
    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  16. Re:Our usage graph...You Jerks! by ClippyHater · · Score: 5, Funny

    Oh yeah?! Well, we just /.'d that one, too!

    Go ahead, give us another, I dare ya! :)

  17. What by Pvt_Waldo · · Score: 3, Funny

    Nobody figured how to blame Microsoft yet? Come on you "M$" people - get cracking!

  18. Re:Our usage graph...You Jerks! by Just Some Guy · · Score: 4, Funny
    You really just linked to content that
    1. is dynamic and has to be generated every time?
    2. is graphic?

    ShortSpecialBus, eh? ;-)

    --
    Dewey, what part of this looks like authorities should be involved?