Netgear Routers DoS UWisc Time Server

numatrix writes "For the last few months, hundreds of thousands of netgear routers being sold had hardcoded values in their firmware for ntp synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.

NTP should be responsibility of network server

[jefbed]

It is foolish to code code dependencies on servers in firmware. There are two problems that result from this. The first is that specified in the article, the denial of service. The second is the high potential for broken network dependencies if, for example the hardcoded site goes offline or the ip address changes. Technically each site should be running their own ntpd to ease the load on the primary servers. ntp syncronization should not be the job of the router, but instead the job of the network administrator.

Re:Now did NetGear get permission

[jenkin+sear]

Not in this case- it's a public time server. If it wasn't, they'd be able to just block inbound UDP for the ntp port at the firewall.

Check out the NTPd man pages- I believe this server is a second echelon mirror.

Think Strata

[n9fzx]

Dave Mill's original clock distribution architecture ala NTP was based loosely on the Bell System's inverted tree structure. Only the top level servers are locked to the national servers; the next level is locked to the top level, and so on. In theory, it's a perfectly scalable infrastructure, with terrific fan-out.

Unfortunately, the code droids seem to think that there's something magical about being at Stratum 2 instead of Stratum 3 or Stratum 4; also, they seem perfectly willing to take advantage of a nonprofit consortium (the owners/operators of public Strat 1 clocks) instead of spending the $500 or so on hardware to service their own customers, who presumably paid them for something.

Anyone else remember the Good Old Days when it was considered polite to ask first before using someone else's clock?

[Truechiming since 1987...]

Mentioned on ntp.org mailing list a while ago..

[James_G]

I can't get to the article, so in the meantime, here's the text of an email about this with some details that was sent to an ntp.org mailing list back in June:

David L. Mills wrote on 2003-06-26 10:55:

> Guys,
>
> I find myself on the review team for an incident taking place at U Wisconsin/Madison. Apparently, the Netgear folks have manufactured some 700,000 routers with embedded SNTP clients configured to use the public U Wisconsin NTP server. The server address is unchangeable and the client cannot be disabled. If that isn't bad enough, if the client gets no replies, it starts sending packets at one-second intervals until forever and without backoff.
>
> The U Wisconsin folks determined some 285,000 different IP addresses are now sending between 300 and 700 packets per second requiring between 150 and 400 megabits per second. Apparently, the principal eason for this flux is misconfiguration of the firewall component of the router. This is costing them $266 per day.
>
> The Netgear folks were slow to respond until U Wisconsin folks emailed the entire senior management and others known to be U Wisconsin alum. Netgear says they have no way to recall those routers and no way to insure the products are updated from the web site. The products cost between $20 and $40 depending on rebate.
>
> U Wisconsin have considered several ways to deflect the tide, the most promising may be noting the source port 23457 unique to these products and tossing them at the doorstep. The products do not use DNS and are not configurable. Another way considered is to configure a subnet visible to BGP and convince the ISPs to punch holes in the routing fabric. Send money.
>
> I never thought it could get as bad as that. My reasoned recommendation was to fire up the lawyers and sue the bastards for costs and punitive damages and to injoin the company from selling any products until proved safe. There is apparently some standards group that allegedly reviews and certifies new products for Internet use. The Netgear products were all certified, which surely says nothing about the standards group.
>
> Include me in any replies; I am not on any ntp.org list.
>
> Dave

Re:I wonder what NetGear's liability is.

[ShortSpecialBus]

We are discussing several options with NetGear. I can't really go into them at the moment, but NetGear has been VERY cooperative throughout this whole thing.

This is par for the course for Netgear.

[Anitra]

Someone on the coding team at Netgear needs to be taken outside and shot; they never seem to learn their lesson about abusing other people's services.

Story:
I used to work/volunteer for DynDNS.org. The Netgear firmware client for DynDNS tried to update regularly (I believe every 5 minutes) whether or not the IP address had actually changed AND whether or not it got a response. Once enough of these got out into the market, this became quite a problem for DynDNS, especially with users complaining that we "blocked" their hostnames updated with the Netgear client when their router advertised specifically that it worked with our service.

I believe after a year or so of nagging the Netgear people, they finally released a firmware update that actually fixed the problem.

Re:I wonder what NetGear's liability is.

[zimage]

according to a post on an ntp.org mailing list, it's costing $266 per day.

To Netgears Credit...Okay maybe not..

[wacko-Netgear]

First off i would like to disclaim that my views do not represent the company's views. With that said, I can say that I worked at Netgear for a short period of time in the area of support.

This specific issues was raised back in may... I can say within that same week they had already started testing firmware to fix the issue. The issue comes with the huge break between Netgear engineers and Netgear support. Umm often times the supports reps do not know of the release of the product until like 2 days or 3 days after its already hit the market. On top of that there is very little communication between the two on firmware and whats the latest version. Its been only in the past couple weeks have they really started to communicate.

Along with that Netgear did not have a device testing program until i would say about 3-4 months ago, before that it was just people there who had the time to test products... woudl test them. I know being one of those who has and still does test there products, that the communication is not very stable and that sometimes issues like these get short-cutted for other major issues such as security and hardware stability.

I am also sure anyone in the hardware market understands the rush that sometimes comes with products; in netgear this is not different. I can this was an issue that was not expected and was fixed as soon as it was reported. It should have never gone out as is and the products should have been tested throughly in the consumer enviorment. But, to Netgear's credit the company does sell pretty good products and there customer support although you may not always be able to get your answer to the issue or may not be able to sometimes understand the reps any and all issues do esclate to people who can fix them. If you issues are not getting fixed at that point the president of the company does read your mail and does forward them to the Head of the customer support. I can say that issues like these will become less of a problem now that Netgear has started a beta program and engineers are required to speak to support engineers on a regualr basis