Slashdot Mirror

← Back to Stories (view on slashdot.org)

Netgear Routers DoS UWisc Time Server

Posted by michael on from the RISKs-fodder dept.

numatrix writes "For the last few months, hundreds of thousands of netgear routers being sold had hardcoded values in their firmware for ntp synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.

13 of 447 comments (clear)

  1. Bad form in general by Hayzeus · · Score: 4, Insightful
    Highlights how not to code embedded devices

    Or any other kind of software for that matter.

    --

    Roving Web-Teleoperated Robot
  2. Re:Err why ? by NetJunkie · · Score: 4, Insightful

    Logging. You want your log files to have the right time. I've used my router log files many times.

  3. It's not about just embedded devices... by sczimme · · Score: 5, Insightful


    Highlights how not to code embedded devices

    I think this highlights a "how not to code" idea, period. In 1986, when I was taking a BASIC (boo, hiss) course in high school, I learned that values should be expressed as variables even if the coder does not expect them to change. So instead of using (32 feet/second^2), one should instead declare g once, using whatever units are appropriate, and thereafter refer to g instead of a hardcoded value. If g changes, the coder need only update one line.

    Note: I am not a programmer/coder/developer in any sense of any of the words, so technical nits should remain unpicked; however, if I am completely out in left field, please feel free to point that out.

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:It's not about just embedded devices... by Bryan+Ischo · · Score: 5, Insightful

      Good point, but irrelevent. Even if you declare a global variable, you still have to hardcode its value. The fact that the IP address only showed up 1 time in their string search of the binary would indicate that they did exactly what you said.

      So you're not in left field, it's just that the developer who wrote the software apparently did exactly what you said, which was not relevent to the mistake at hand, which was more about the faulty implementation of the NTP service, and the fact that it was hardcoded to a single IP address.

  4. Netgear should bear the cost... by Phil+John · · Score: 5, Insightful

    IMHO, since this is blatantly a case of Netgear cocking up their appliance they should not only a)refund any monies spent by the university in this problem and b)send out patches, at their own cost, to all users of affected routers. For heavens sake, so many people don't have anti-virus software installed, don't patch, why would they with a router? They just think "I plug this in to my cable modem, plug my computer in and I dun got thar intarnet workun" why would they know that they need to upgrade the products firmware?

    --
    I am NaN
  5. Re:I wonder what NetGear's liability is. by HBI · · Score: 5, Insightful

    Of course there is liability - liability means that 'is Party X responsible for the damage'. Netgear quite clearly was responsible for the damage. Even if they allege negligence on the part of their employee, it hardly matters: Netgear had a duty to assure that the software would not cause material harm to others. This is a classic product liability case, far as I can see.

    As for the damages, those are somewhat vague. Sure, maybe they could be made to pay for the bandwidth used. The big hit would probably be punitive damages unrelated to the actual loss.

    This would be a fun case and I would encourage them to sue. So many frivolous lawsuits floating around - this one would actually have some merit.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  6. SEGA's online game servers by lightspawn · · Score: 4, Insightful

    The (official) reason "Alien Front Online" (a game with the word "Online" in the title!) went offline less than a year after its release is that SEGA developers hard coded the server's IP address, and did not provide any means of changing it. When the company hosting the server went under (gameloft?) it couldn't be moved to a different company since it wouldn't have the same address. Hence, buy a game advertised as "online", never be able to play it online.

    It's not a new story, but I think it bears repeating as a showcase of stupidity.

  7. Re:So who got fired? by Cali+Thalen · · Score: 4, Insightful

    Simple mistake, sure. Barely a trickle of wasted bandwidth, hard to even believe it matters...

    Bah.

    This is one 'simple mistake' by one company that namaged to send a constant "250,000 packets-per-second (and over 150 megabits-per-second)".

    Now I know Netgear is a pretty big outfit, but there are LOTS of companies like that out there, and these little mistakes can add up. How much network traffic could be avoided with proper programming?

    Also, this kind of makes me think about the useless network activity my XP box (bleh) tries to send out. Multiply that by millions and millions, and you get a number a whole lot bigger than the one above.

    Who pays for all that wasted bandwidth?

    --
    Chaos, panic, disorder...my work here is done.
  8. Re:I wonder what NetGear's liability is. by barfomar · · Score: 5, Insightful
    Rather than enrichen the lawyers, Netgear should just donate cash and appropriate equipment to the University.

    It would probably be deductable, passing some of the cost on to we taxpayers; but would sit alot better with public perceptions of the company.

    Set up a few CS scholarships or funding a chair at the University would help.

    They could turn it into a publicity coup and end up paying out less in the long run (and screw the lawyers too). Some (not all) insurance companies have finally discovered that it's usually cheaper to negotiate with the plaintiff right away, avoiding all of the sabre rattling and lopping off a third (or more) of the total probable cost.

    Litigation is rarely the best answer.

  9. Re:So who got fired? by NulDevice · · Score: 5, Insightful

    Becasue it's not just a use of a public service, it's a complete abuse of a public service. It'd be like you damming up the colorado river for your own personal use and then telling LA to upgrade their water supply.

    This was a big screwup - when an NTP query fails, you don't start retrying every second until it comes back. You don't hardcode a single server address for it. And you don't put this in 700,000 pieces of released hardware.

    --

    ----
    "I used to listen to Null Device before they sold out."

  10. Re:So who got fired? by Dr.+Blue · · Score: 4, Insightful

    In the full description, you'll notice that they include the "strings" output from the netgear software, which includes hardcoded IP addresses.
    Netgear reported that the non-UW addresses were used for debugging by the developers.

    Here's the interesting part: at least two of those are 12.* addresses --- cablemodems with attbi.com. So if you want to know who the developer responsible is, it might be a reasonable guess it's whoever lives at those IP addresses! :-)

  11. Re:So who got fired? by Malc · · Score: 4, Insightful

    Not their first simple mistake though. Ask the people behind dyndns.org what they think of the Netgear RT314's (and other products like the RT311????) implementation of the dyndns.org client. Trust me, they have nothing nice to say.

  12. Thank you, UWisc and Netgear by SamMichaels · · Score: 4, Insightful

    Seriously. THANK YOU for not filing law suits, hiring the FBI, CIA, Marines, calling upon Patriot Act, etc.

    To Netgear, THANK YOU for not calling upon the DMCA, filing NDA law suits, etc.

    It was resolved in a diplomatic and professional manner...and the write up explaining the entire incident was educational and informative.

    Now, if it had been SCO or Microsoft involved......