D-Link Firmware Abuses Open NTP Servers
DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
From TFA: "A number of D-Link products, so far I have at least identified DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624, contain a list of NTP servers in their firmware and using some sort of algorithm, they pick one and send packets to it."
Give people an inch and they take a mile. I don't see why D-Link and Netgear couldn't just make their own stratum-1 NTP servers. I mean, if you trust the brandname enough for your routing, don't you trust them enough for your time as well?
I'd think they could just firewall off their NTP servers, and only allow certain networks in - their networks. Of course, it wouldn't be open anymore, but with PHBs trolling around like daleks, opening things up to the general Internet public is getting more and more difficult.
"We are all geniuses when we dream"
- E.M. Cioran
If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)
Since you can apparently sign your life away with a EULA, why not say in the T&C's for your NTP server(s) that any requests users cause that do not follow certain conditions will cost $1 each or something.
Reading the fine article hasn't killed anyone yet.
pool.ntp.org?
NTP server use is tiered. So client PCs are not supposed to hit the tier 1s, they should hit 2nd tier or a local ntp server.
You don't use the root DNS servers for all your DNS requests, right?
Yes, you're confused. And, you didn't read the article. The author is pissed because he's running an NTP server intended to be accessed only by Danish networks, and for use by servers, not clients. D-Link products are only marketed to clients, and not just Danish clients.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
This guy gets pissed because he hosts an ntp server meant for a few thousand servers on Danish networks but is being used by millions of little home routers all over the world, abusing the policy stated where D-Link picked up the server name!
If there's one thing I hate more than incompetence, it's people who don't care that they are incompetent and carry on churning out crap regardless of the problems it causes others.
According to this page, D-Link have an office operating in Denmark. This makes them subject to Danish law whether they like it or not. I don't know whether Denmark's computer crime laws cover this, but it wouldn't surprise me.
Bogtha Bogtha Bogtha
Should be using pool.ntp.org surely........
or am I being daft again..
Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Ah moderation has gone to hell these days.
and point it to D-Link's servers, perhaps when they are inundated with NTP request packets they will change their routers' config in the future (or set their own one up with the millions of dollars they earn in "profit")
seems like a bit of a fuss over nothing, if you don't want people to use your NTP server then logic would dictate don't set one up in the first place
He hosts a NTP server with the intention of it being used by a certain audience. He's not pissed people outside of that audience are using the server, he's pissed that D-Link decided to abuse the service he's providing and now the overwhelming majority of the people using his service are outside the intended audience.
Sorta like how server admins get pissed when an article posted on their site causes them to be Slashdotted.
And honestly, the fact that D-Link is acting in the way it is while he tries to get them to resolve the issue probably isn't helping matters.
Then again, as a former owner of a D-Link product which rebooted itself anytime I went over 50 simultaneous connections (think P2P), I don't doubt they'd be too cheap to actually just run their own.
The DI-624+ is not on the list and it is possible to manually change the NTP server which the router uses.
Yeah he seems to have wanted it to be a private NTP server for about 2000 servers in denmark. Which seems like an easy thing if they just did NTP over SSL or something. He is estimating under $10k / year in extra costs in damages, so the problem is that this is an individual and not an institution.
I have never once had a good piece of D-Link hardware. I bought both the DI-624 wireless router and the DWL-G520 PCI wireless card. First up the router didn't do UPnP properly; it simply did not work. A call to tech support told me to upgrade the firmware because they knew that UPnP simply didn't work. After the firmware upgrade, port forwarding didn't work at all either. No solution for the router yet. As for the wireless card: after installing it, my system would completely hardlock after about 5 minutes of use. I called D-Link tech support and had to deal with all the questions for clueless people such as "Do you have the drivers?" and "Is it plugged in right?". After being elevated two or three tiers of tech support, I was finally able to get an RMA. I sent the card to D-Link and waited a week or so for my new card. I plug in the new card and what happens? Same deal! Hardlock in 5 minutes of use! Now I have to wade through tech support all over again and end up getting another RMA. Wait another week; new card makes not one lick of difference. So I decide, I will just return the bugger to the store. The store wouldn't take it back because it has been 30 days since I bought the card! 30 days of tech support and RMAs. I call D-Link once more. This time I get to top level tech support and the guy said "Oh yeah, that card doesn't work with certain VIA chipsets, sorry.". I am quite annoyed because it says nothing of the sort on the box of the card. So I politely ask that since the card doesn't work as advertised if I could have a refund. He said "Oh no, we can't do that, it is against our policy.". He then offered me an 802.11b card for a $15 administration fee.
So let me get this straight... this guy hosts an NTP server and is pissed because... it's being used as an NTP server?
If I set up an NTP server, say for my university, and left it open for others, I also might think it a bit unorthodox if a multinational corporation hardcoded all their gear (which was deployed internationally) to query it. This is for several reasons. First, it generates unneeded bandwidth and violates convention by not using a local NTP server. Second, it means thousands of people are relying on one person for their gear to work properly, a person the company did not even bother to consult. What if he decides to change the time by five hours, just for fun? It is bloody irresponsible of the manufacturer to give him that option. And what happens if the server is deprecated or the hostname and IP changed in a reworking of the network? Tons of wasted traffic as they ping his IP space.
We're American. He's Danish. Problem sorted.
If he squeals again we hit him with a B 52. That's the American Way. Always sorts out any problems in the films.
Solution: Close them to those users.
He who knows best knows how little he knows. - Thomas Jefferson
wtf? try reading again. This is about thousands of home network routers ignoring the protocol standard and flooding his NTP server.
Why don't they link time.microsoft.com?
Ah, I don't think he has the time to go around unplugging every d-link router in the whole world.
He's not just any guy. He is one of the main FreeBSD developers. His work is used directly and indirectly by millions of people (yourself included) each day. It's even quite possible that D-Link uses FreeBSD.
When we see how much this man gives to the community for free, and the extremely high-quality of his work, I can't but help support him in this matter.
I, for one, would consider donating to a fund to help him battle this menace, even though I'm not a Danish citizen. I would hope that Netgear, Cisco and others would help him financially, as well.
And it never occured to him to systematically unplug each device to see if it was the one causing the problem and then spend $99 on a new router? Something seems mighty fishy to me.
Either this is a very weak attempt at a troll, or an incredible demonstration of ignorance.
I own a D-Link Ethernet ADSL modem and guess what, the local IP address is fixed to 192.168.0.1. Nope, no changing that thing. If I had known beforehand... I had to completely renumber my network. I only had 8 NICs and two LANs but was pissed off nevertheless.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Is the IP address hard coded? Or the name? Change whichever is needed and propagate the changes to the partners you want to connect. Seems much easier than beating your head against a wall... don't you think?
WTF? Over?
And it never occured to him to systematically unplug each device to see if it was the one causing the problem and then spend $99 on a new router? Something seems mighty fishy to me.
Parent is retarded or unable to read. Please mod him down before someone wastes 2 minutes of their valuable time putting him right.
He followed standard protocol for NTP servers, which is to list the restrictions on the use of your server with its entry on the NTP server list. System administrators are supposed to check this to make sure they're not making an unauthorized connection. They're also supposed to contact the NTP server administrator to let him know they're using the server, unless the server admin states otherwise.
You can learn all this and check the list to be sure you comply within 10 minutes thanks to the power of Google. Any responsible company would know this and do so. D-Link made a big mistake (not in terms of the impact on them, sadly) and is evidently refusing to own up.
As others have pointed out, it's not easy to implement the restrictions that would enforce the access policy. It's also sad, though not surprising, that one would have to. It'd be one thing if the server was the target of script kiddie DOS attacks, but a legitimate company selling network products really ought to know better (and care).
He hasn't got a D-Link router. He runs an NTP server that thousands and thousands of D-Link routers are hitting for a time update.
Dear Idiot,
Did you even bother to RTFA? If yes, then please explain how you would suggest he unplugs every D-Link router on the list in all of the world. You should specifically address his technical reasons why he cannot filter or discern the traffic in question, and the economic consequences for him, if he continues to be in violation with the service agreement he has with the ISPs in Denmark.
You Sir, smell fishy.
Sorry to correct your rant, but he does say in TFA that the offer was so low that it didn't even cover his costs. That would be a good enough reason to say no wouldn't it?
send a private communication to the authentic users (not the robot moochers from D-Link) that on date X, the new IP service address will be unhacked.gps.dix.de or whatever suits him.
on date X, send bogus packets in response... not just wrong time, but seriously wrong time, like a packet with time of 9s in all fields, which would be most seriously wrong.
hopefully, it would lock up the offending junkpiles, and clear the problem right smartly.
the general idea in engineering an end to these things is to find a way to blow up the crooked machine by a seriously wrong entry that will screw up the internals. since they took an ugly and cheap shortcut by using firmware tables, they probably don't error-check their inputs from NTP and other services. so there should be a memory jump and a crash in those pirate boxes someplace.
and that puts the onus back where it belongs, on supercheap designers for obnoxious companies that don't give a shit about network etiquette. the market will punish them. that's how it should be for slap-happy outfits.
if this is supposed to be a new economy, how come they still want my old fashioned money?
They didn't offer to pay for the service. They first accused him of blackmail, then offered to pay him to stop bothering them. The amount was well short of what their snafu had already cost him, and at no point did they offer to simply remove his server from the list, which is all he asked for in the first place.
So why didn't they just own up to the mistake, update the firmware and cut him a check for his expenses plus a 5% or so to apologize for the inconvenience? Bureaucrats and lawyers who cannot admit that they are wrong only end up creating more public disgust with their behavior. When you find yourself digging a hole, stop digging!
It's not the first time that D-Link's crappy programming has affected a service. DynDNS.com last year started blocking all update requests that match a user-agent of client/1.0, believed primarily to be several D-Link routers. D-Link has been mum on a response last I heard.
"I have also been offered a specfic amount of "hush-money" if I would just shut up and go away, but the amount offered would not even cover my most direct expenses."
Brought to you by Carl's Junior.
What in the fucking hell are you talking about? You seem to think that the problem has to do with a D-Link router he bought. But that is not the case, as would be plainly obvious if you had even bothered to read the title of this news entry!
PHK is one of the main FreeBSD developers. He's known for writing excellent software, often making it available for free. The entire Internet community benefits from his work. But beyond that, he runs an NTP server meant for use by systems in Denmark. Put simply, D-Link devices, many outside of Denmark, have been hard-coded (in firmware) to sometimes use his server. He does not want that to happen, for various reasons (clearly explained in his open letter).
The problem is not with some device that he purchased from his local electronics retailer. It's with certain D-Link devices which are abusing his service.
And it never occured to him to systematically unplug each device to see if it was the one causing the problem and then spend $99 on a new router? Something seems mighty fishy to me.
No, you seem to have not RTFA... These aren't his D-Link devices.
TFA did mention that the amount they offered him was less than it costs him to deal with the influx of traffic they're shooting at him.
- fader
He should configure the servers to send back the wrong date (one in the future) to the d-link devices. This way customers would see problems and raise calls with d-link.
can't it be both?
You have to be the biggest moron on the planet.
.0000000000000000000000001 percent.
1.) Buy some rope (not too long)
2.) Loop one end of it around your neck
3.) Attach the other end securely to chimney of your house
4.) Jump off roof
Result: Net IQ of the planet Earth rises
.... Well, if you read the article....
It's not just about money, it's also about client routers using bandwidth meant for BGP routers used by ISP's. It's a public network, but one intended for ISP's to transfer Data, not for Client use.
He is asking for some reimbursement for the troubles he's endured, but D-Link is saying he is extorting them.
IMHO, it is a problem D-Link did cause by their incompetence, and what is being asked is reasonable. The problem won't go away totally, because it relies on the average joe customer to actually update firmware, and now he has to deal with the situation for a long time to come. To be able to continue his "free" service, he may now have to pay for bandwidth that was free to him before D-Link wrongly implemented a protocol feature in some of their routers.
1 - Unauthorized access to a server.
2 - Theft of a service.
Both of these are crimes in most jurisdictions.
The author pointed out the notice that limits legitimate access to the server.
The company has been explicitly told that their products aren't allowed to access the server. That's a lot like serving someone with a notice of trespass. The crime just got more serious.
And just when I thought reading comprehension on Slashdot couldn't get any worse...
Vandemar.org
This doesn't explain why the time is always WRONG on my dlink router!
I recently installed the new firmware for my 614+. It was released on 3/20/06 and had the revision info "Fixed NTP." Does anyone know how to find out which NTP server the router is using?
You don't use the root DNS servers for all your DNS requests, right?
Actually, I do. I have our DHCP hand them out.
Less chance of getting hit with a spoof attack this way.
There are three conventions being violated:
* To keep the network working, the NTP system is tiered. Anything other than a time server used to redistribute time to other machines should probably access a Tier 3 system, or a Tier 2 if that is not possible. It should never hammer a Tier 1 -- this can screw up the rest of the NTP network.
* There are large lists of NTP servers, and they list access restrictions. As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for client use.
* As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for use outside of Denmark.
You may not be used to this sort of thing, because no such set of agreements exists for, say, webservers. However, in the NTP world, network administrators respect these, and it is why the time system continues to work.
What D-Link is doing hurts all Danish NTP users, and freeloads off a volunteer (D-Link is selling the product and profiting from it -- let *them* handle the traffic and factor any bandwidth costs into their product cost). It opens their product to potential abuse if the server becomes malicious (a properly-designed router would allow the user to specify an NTP server, or if the user is unable to configure a router, to do what the letter suggested and use a D-Link-controlled name.). It violates agreements that have been generally respected by the NTP-using administrator community for many years.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
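As an added illustration of the tiering and "no client use" point above (this is example code written for this thread, not code from the original page, from D-Link, or from Poul-Henning's server): the first byte of every NTP packet carries a 3-bit mode field, so an operator can at least separate mode-3 client queries from symmetric peering (mode 1/2) and control traffic (mode 6/7) and count them per source. The sample packets below are constructed, not captured. One caveat matters for this story: an ntpd configured with a plain `server gps.dix.dk` line sends mode 3 too, so the mode alone does not distinguish the roughly 2000 intended Danish servers from home routers; per-source rate and source network are what remain, which is exactly the filtering cost Poul-Henning describes in his own post in this thread.

```python
"""Parse NTP packet headers and count client-mode queries per source.

Added example for this thread; not code from the original page or from
gps.dix.dk.  The sample packets below are constructed, not captured.
"""
import struct
from collections import Counter

NTP_HEADER_LEN = 48  # fixed-size NTPv3/v4 header (RFC 1305 / RFC 5905)

MODE_NAMES = {
    0: "reserved",
    1: "symmetric_active",   # server-to-server peering
    2: "symmetric_passive",
    3: "client",             # what ntpd "server" lines and SNTP clients send
    4: "server",             # reply to a mode-3 query
    5: "broadcast",
    6: "control",            # ntpq/ntpdc
    7: "private",            # ntpdc monlist and friends
}


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the first four bytes of an NTP packet: LI, VN, mode, stratum, poll, precision."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(payload))
    first = payload[0]
    stratum, poll, precision = struct.unpack("!BBb", payload[1:4])
    mode = first & 0x07
    return {
        "li": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
    }


def build_ntp_packet(mode: int, version: int = 4, stratum: int = 0,
                     poll: int = 6, precision: int = -20) -> bytes:
    """Build a minimal 48-byte NTP packet (timestamps zeroed) for the samples below."""
    first = (version << 3) | mode  # LI = 0
    return struct.pack("!BBBb", first, stratum, poll, precision) + bytes(44)


def count_client_queries(packets, threshold: int):
    """packets: iterable of (src_ip, payload).

    Count mode-3 (client) queries per source and return
    (counts, sorted list of sources at or above threshold).
    Runt or otherwise undecodable packets are skipped, not counted.
    """
    counts = Counter()
    for src, payload in packets:
        try:
            hdr = parse_ntp_header(payload)
        except ValueError:
            continue
        if hdr["mode"] == 3:
            counts[src] += 1
    flagged = sorted(src for src, n in counts.items() if n >= threshold)
    return counts, flagged


# Constructed sample: three client queries from one source, a symmetric-active
# peering packet from a second, one query from a third, and one runt packet.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_ntp_packet(3, version=3)),
    ("192.0.2.10", build_ntp_packet(3, version=3)),
    ("192.0.2.10", build_ntp_packet(3, version=3)),
    ("198.51.100.5", build_ntp_packet(1, stratum=2)),
    ("203.0.113.7", build_ntp_packet(3)),
    ("203.0.113.7", b"\x1b"),  # runt, skipped
]

if __name__ == "__main__":
    counts, flagged = count_client_queries(SAMPLE_PACKETS, threshold=2)
    for src, n in counts.most_common():
        print("%-15s %d client queries" % (src, n))
    print("flagged:", flagged)
```

The threshold is a tunable, not a standard: what counts as "too many" depends on the poll interval you expect from a well-behaved ntpd and on how many hosts sit behind one NAT address.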
Specifically search for and read the section about DIX, what it is and what it does. Are you seriously suggesting that we here in Denmark unplug the core NTP server for the Danish ISP companies? Thank a bunch and the same to you too.
Can we have a moderation type "-1 Moron"?
Change the DNS name. Granted, he gives reasons for not wanting to do this, but the only practical alternative is to shut down the server entirely. This will still require 2000 or so system administrators to reconfigure their servers, so he might as well provide a logical alternative.
NTP over SSL (a VPN-sorta thing) would not work well at all, especially for a Tier-1. NTP requires minimal and predictable delay, and a server may have a large number of users -- connection setup and teardown would be very sizeable.
He is estimating under $10k / year in extra costs in damages, so the problem is that this is an individual and not an institution.
Which is why I can't understand why D-Link didn't just shut up and foot the bill. He has a very legitimate gripe, and as long as he doesn't go public about it, $10K/year is pretty minimal. The cost of the lawyer they set on him, assuming anything more than four or five bullshit letters with no research were sent is going to exceed this.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
FreeBSD uses pf (well, it can use pf if you want to) as a packet filter. It has the wonderful option to filter traffic according to the OS fingerprint, as in you can block traffic originating from specific operating systems. I'd advise this guy to block all traffic from these D-Link devices.
If there's no fingerprint on record yet you could generate it yourself, it's not that difficult to generate one.
Reality has a notoriously liberal bias -- Stephen Colbert
Service Area: Networks BGP-announced on the DIX
Access Policy: open access to servers, please, no client use
"Since D-Link does not comply with these restrictions, D-Link has no legitimate access to the server, and it follows trivially that D-Link should have asked for my permission before including it in the list embedded in their products firmware. "
that is why
every day http://en.wikipedia.org/wiki/Special:Random
...why don't you change the one they (D-Link) use to (basically) lie about the time! Deliberately send out the wrong information. Alter the config for the customers of DIX and let the D-Link customers go mad at D-Link
Brutal but (in theory) effective....
Jaj
the market will punish them.
The market has no mechanism for punishing them. It is completely helpless to deal with this. It takes a sysadmin from a left-socialist country to deal with the things the market cannot.
Edith Keeler Must Die
I've got a DI-624. It only appears to do NTP if you put an NTP server in the Tools->Time page. Am I missing something?
Disinfect the GNU General Public Virus!
This isn't very good for NTP. It violates the intent of running NTP servers and is causing problems for this particular stratum that is being abused inappropriately. You really want to use an NTP server as close to you as possible. That's the intent, to ensure you get more stable time and tighter errors from true time.
Why doesn't this guy set up a filter to ensure that only people in his stratum can hit his NTP server? Seems like the best way to enforce the intent of NTP. That's what I would do. Heck.. I recall when NTP servers and these stratums were first being set up that I had to request and *justify* why I should be able to be a client to a particular server. Now I use my ISP's NTP server.. which seems completely appropriate to me. But I should check since I do have one of the offending Dlink products...
Slashdot.. where people join together in deliberate ignorance.
If your router is doing this (querying a tier-1 ntp server) and this is not listed in the product description, then it is clearly doing something other than it should and is therefore faulty. Return for a refund right away.
Burns: We're building a casino!
McAllister: Arrr. Give me 5 minutes.
It was a joke. He is referencing the normal diagnostics steps that a home user is put through when the cable modem or router is not working. Unplugging all the devices attached one at a time is what the techs make you do.
Your ignorance made you miss the joke. You should apologize.
I don't understand your problem, if you do not understand the first time just read twice...
I'm surprised phk is screwing around writing long-winded letters. Much faster would have been to just add a dns A-record entry by the name of private-ntp.dix.dk for the legit users and have them use that server. The old gps.dix.dk entry should be made into a CNAME for www.dlink.com. That would put the crushing levels of ntp traffic back where it belonged -- right on Dlink's doorstep.
Block it and watch as the chaos follows with consumers returning "defective" products :)
You're on DIX. Your audience is on DIX. The TTL should not exceed ~3.
They'll eventually stop if they don't receive any answer.
Isn't this against the Computer trespass law? Couldn't a complaint be filed with the FBI?
Unfortunately, this is how most big companies operate: they get scadloads of letters/emails/faxes a day saying "Stop doing $thing" - most of which are groundless or otherwise BS (e.g. "Stop raping our planet" - not exactly actionable).
So, in order to filter the BS from the rest, they take the attitude of "Unless we see something official and legal we ignore you."
Now, in this case, while the admin of the affected system has contacted D-Link's lawyers, he has not done so in a fashion that says "I am serious. I am official."
Now, if suddenly Special Agent Jones of the FBI shows up at DLink HQ and says "I am here about this complaint that you are in violation of the Computer Trespass act" - then shit will happen.
www.eFax.com are spammers
ATTN: President & CEO
17595 Mt. Herrmann St
Fountain Valley, CA 92708
I have recently read an open letter to D-Link available at the following URL:
http://people.freebsd.org/~phk/dlink/
I must say that I am disgusted with D-Link's poor choice of action. D-Link may think that abuse such as this will go unnoticed, but that is not the case.
While I don't expect my actions to bring your corporation to its knees, I am the "geek" of my family, and I have taken a personal stand by ordering Linksys products to replace any and all of the D-Link networking gear that my parents, siblings, cousins, and roommates are using. I hope that my sacrifice puts a dent in the damage your corporate negligence has caused Mr. Kamp.
-- lol pwned
There's no way to send a private communication. I have a legit NTP server that I've configured to use an appropriate stratum-1 server. The administrator of that server doesn't have my email address and has no way to communicate with me. The difference is that I selected an appropriate stratum-1 server and the D-Link doesn't.
Theft of a service was created (in my jurisdiction at least) to prosecute telephone hackers. Back when the telcos used inband signalling, it was possible to trick the network into making long distance calls for free. I realize that the wording is confusing but the net effect is that you can be prosecuted for accessing a service to which you aren't entitled.
It is important that the company has been notified that they aren't welcome on the server. Suppose that you enter the local mall and do something that they don't like. You can't be charged for trespass. The mall can serve you with a letter that says you aren't allowed on their property any more. If you enter the mall again, you can be charged with trespass.
Yes but these are not "client PCs" they are routers.
(yea i know +1 Flame Bait)
(and yes D-Link is evil, i'm just playing Devil's Advocate)
If you must!
You could use this same argument as a spammer or even a DOS/DDOS.
You have an open server that accepts email, if you don't want my email (spam) don't accept it.
You have a computer that is accepting data on a public network, if you don't want my data (massive flood of junk) you shouldn't have your computer on the public network.
Let me clarify a number of details here.
1. My server has not replied to the packets since the CodeRed virus/worm abused NTP servers to coordinate attacks. That was a couple of years ago. I doubt D-Link ever even tried to test this.
2. NTP is a timing protocol. You do not want to do expensive and time-consuming filtering on the packets because that disturbs your timing performance.
3. If I have to sue D-Link, it will be either in USA or Taiwan. Both their Danish marketing office and the UK european office will be able to deflect a lawsuit to their mothership.
4. If you download a firmware file from D-Link, it is often an ARJ archive. Unpack that and run strings. If you see GPS.dix.dk in there, please use another version. If the firmware you run is older than about a month, please update it.
5. The list of products in my open letter is unlikely to be complete, those are the only ones I have been able to positively identify (using the method above). If you find out other products are affected, please email me.
6. We do have a number of very interesting sections of our penal code here in Denmark that are very likely to apply. Only problem is, they haven't been tried in a court yet. So I have to persuade an overworked criminal inspector to raise a criminal case against a foreigner over a, let's face it, quite small monetary amount. Then I have to spend a lot of time making sure that we convince a judge who has never heard of NTP that they are guilty, and then if I win, I can see some D-Link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name". I have better things to use my life for.
I can see a couple of hits from a C-class belonging to "D-Link Irwine": please escalate this guys, your bosses don't read slashdot.
Thanks for all the supportive email.
Poul-Henning
Poul-Henning Kamp -- FreeBSD since before it was called that...
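Poul-Henning's point 4 above (unpack the firmware, run strings, look for GPS.dix.dk) is easy to turn into a repeatable check. The script below is an added example written for this thread, not code from the original page, from D-Link, or from Poul-Henning. It does what strings(1) does on the raw image, picks out anything shaped like a DNS name, flags names that look like time servers by a purely heuristic substring list, and reports hits against a watchlist you supply. It assumes the image has already been unpacked (he notes the downloads are often ARJ archives) and that the strings are stored uncompressed; if the vendor compressed the filesystem or the application blob, decompress that part first or the scan will find nothing. SAMPLE_FIRMWARE is a constructed blob, not a real D-Link image, and ntp.example.net is a placeholder name.

```python
"""Scan an unpacked firmware image for embedded hostnames that look like NTP servers.

Added example following Poul-Henning's point 4 in this thread; not code from
the thread, from D-Link, or from gps.dix.dk.  Assumes the firmware has already
been unpacked (ARJ archive per his post) and that strings are stored
uncompressed.  SAMPLE_FIRMWARE is a constructed blob, not a real image.
"""
import json
import re
import sys

MIN_STRING_LEN = 4  # same default as strings(1)

# Something shaped like a DNS name: dot-separated labels with an alphabetic TLD.
HOSTNAME_RE = re.compile(rb"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

# Substrings that commonly show up in time-server names.  Heuristic only;
# a vendor can of course name its server anything.
NTP_HINTS = ("ntp", "time", "clock", "gps", "tick", "tock")


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, blob)]


def find_hostnames(blob: bytes):
    """Lower-cased, de-duplicated, sorted list of hostname-shaped strings."""
    hosts = set()
    for s in extract_strings(blob):
        for h in HOSTNAME_RE.findall(s):
            hosts.add(h.decode("ascii").lower())
    return sorted(hosts)


def scan_firmware(blob: bytes, watchlist=()):
    """Classify hostnames found in blob.

    hostnames      - everything that looks like a DNS name (expect false
                     positives such as file names with extensions)
    ntp_like       - subset whose name contains one of NTP_HINTS
    watchlist_hits - subset that matches a name you are looking for,
                     compared case-insensitively
    """
    hosts = find_hostnames(blob)
    ntp_like = [h for h in hosts if any(k in h for k in NTP_HINTS)]
    watch = {w.lower() for w in watchlist}
    hits = [h for h in hosts if h in watch]
    return {"hostnames": hosts, "ntp_like": ntp_like, "watchlist_hits": hits}


def scan_file(path: str, watchlist=()):
    with open(path, "rb") as f:
        return scan_firmware(f.read(), watchlist)


# Constructed sample image: an ELF-ish header, a version banner, some binary
# noise, three hostnames and a file name that the hostname regex will also
# catch (a deliberate false positive).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00"
    + b"D-Link DI-624 firmware v2.70\x00"
    + b"\x00\x01\x02\x03"
    + b"gps.dix.dk\x00"
    + b"ntp.example.net\x00"
    + b"www.dlink.com\x00"
    + b"README.TXT\x00"
    + bytes(range(128, 256))
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = scan_file(sys.argv[1], watchlist=("gps.dix.dk",))
    else:
        result = scan_firmware(SAMPLE_FIRMWARE, watchlist=("gps.dix.dk",))
    print(json.dumps(result, indent=2))
```

Run it as `python scan.py firmware.bin` against an unpacked image; with no argument it scans the constructed sample. The "hostnames" list is deliberately noisy (anything with a dot and a letters-only last label, so file names like readme.txt show up), which is why the watchlist and the hint filter exist: the question Poul-Henning is asking is a yes/no on one specific name, and that part of the output is exact.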
D-Link must be run by Osama Bin Laden. That's why no one can be reached (hiding in the mountains of the Afghanistan and Pakistan border). Obviously, this attack has something to do with that cartoon thing.
now we need to go OSS in diesel cars
I like the cut of your jib.
Ok, let's do some good. Are we slashdot, or what?
D-Link Business Development and Strategic Partnerships, E-mail: bdm@dlink.com
>>>
To whomever it may concern:
Hello.
I just learned of your company's notably persistent inability and unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is severely disrupting Internet services for a large number of Internet participants, and even though you have been informed in detail of the effects your products are having, you have done nothing of substance to resolve the issue and compensate for the damage done.
Until I learn that the issue described in the open letter to D-Link, available at http://people.freebsd.org/~phk/dlink/, has been resolved in a professional and mutually satisfying manner, I will not purchase any D-Link products and will strongly discourage anybody asking for my expertise as a professional in the IT field from buying D-Link products or from engaging in any sort of business relationship with D-Link.
Sincerely
An Internet User
Mistakes in this one? Please post corrected version below and then add a 'mailto' link to the address.
Grammar Nazis, it's your turn!
We suffer more in our imagination than in reality. - Seneca
Well, no one's stopping you from doing that right now, but you're breaking the social contract.
If everyone on the net did what you're doing, the system would drag to a halt, or there would be a ton of new "security restrictions" on the dns system to prevent it, basically a new pain in the ass for everyone.
if you're that worried about dns attacks, i'd rely more on public key enc and certs.
I'd stay away from anything with "VD" just because...
If the BOFH were running the server, he'd just take all obviously non-Danish IP addresses and return a really strange time. Maybe he could even stumble on a buffer overflow in their client and brick the router. Then d-link would have a lot of pissed off customers and drive support costs way up. This might not solve the immediate problem that the NTP server has, but at least it would piss off a lot of people, and that's more important to the BOFH, anyway.
I would get a new DNS entry, use my existing IP address for NTP, and have all my clients pointing to a new IP for NTP purposes. Next, I would purposely keep my existing NTP server running yet have it feed totally erroneous time information. Or maybe I would find a D-Link address and point my old NTP name to that address. More and more I find these days that people respect something they can physically touch or experience; they dont aprpeciate nor care to take the time to understand knowledge.
Although I have a few problems with DLink, I must point out that it was Belkin's routers that were redirecting HTTP requests to an advertisement page, not DLink.
http://www.theregister.co.uk/2003/11/07/help_my_belkin_router/
http://slashdot.org/article.pl?sid=03/11/07/1740205
Which is sad, since I've worked with a few Belkin routers lately and they really are quite nice pieces of machinery. The router a customer brought in had just about every tool you might ever want -- and a few I wouldn't even think of, for example, setting it up as a combination AP/Range Extender, or a bridge between two SSIDs.
Looks good to me, although I don't know how much it will help...
I [may] disapprove of what you say, but I will defend to the death your right to say it.
Lots of people do, tragically: http://www.caida.org/publications/presentations/ietf0112/dns.damage.html
Sample quote: "Win2k shipped with default configuration trying to update roots".
Isn't there some lawyer in the US that is interested in making a name for themselves by doing some very worthwhile pro bono work? It seems like it should be pretty easy to win based on the evidence that I've seen. And if I were the operator of the NTP server I think I would eventually write off that money and say that any lawyer that wins the case against D-Link can have the settlement/judgment money.
Joe
In the UK, there's an old law that any clock in sight of the Queen's Highway must be accurate within 2 minutes of the correct time {unless it is stopped, and then the hands must be set to an impossible position}.
But since he isn't in the UK, and the Internet isn't the Queen's Highway, what's to stop him from just running an absolutely bogus timeserver?
Je fume. Tu fumes. Nous fûmes!
You're an idiot... truly an idiot... using root servers doesn't protect you from spoofs, it only puts more strain on the root servers. People like you make the internet suck.
(oh yea! more +1 Flamebait)
If you must!
Now that you look at your ethernet sniffs (I assume you just went running off and ran ethereal) look at the source ethernet address... Hmmmmm - doesn't that look familiar, like maybe it looks kinda like your first hop router's MAC address.
Nice try -
Thank you, Come Again
And please read either Stevens or Comer before posting on networking topics again
I have mod points and I am not afraid to use them
1. Buy the domain name off this poor guy / arrange for alternate hosting if it can't be sold.
2. Take a collection from the /. community to set up an alternate server.
3. Wait a month for all the legitimate users to switch to a new URL.
4. Fire up a server at the old URL reporting Midnight, Jan 1, 1900
5. Let D-Link deal with users accusing D-Link of failing to sell a Y2K compliant product in 2006.
"Live Free or Die." Don't like it? Then keep out of the USA
When asked, a Vonage rep said this was "authorized".
It still makes me nervous that equipment in my possession is making network and computing requirements of military servers.
You could've hired me.
Change the DNS to make GPS.dix.dk a CNAME that points to pool.ntp.org, and then put the stratum-1 server somewhere else.
Tired of FB/Google censorship? Visit UNCENSORED!
I would suggest cc: the following e-mail addresses:
customerservice@dlink.com
webmaster@dlink.com
analysts@dlink.com
sale@dlink.com
si@dlink.com
broadband@dlink.com
bdm@dlink.com
edusales@dlink.com
oem@dlink.com
productinfo@dlink.com
hr@dlink.com
This is pure bullshit since root servers don't resolve recursive queries on their own.
However, running your own DNS server with the root-servers as referrals is possible, makes you equally "spoof-proof" and is not unfriendly since root NS records have long TTLs.
As I said above - Call the FBI. Lodge a complaint of criminal computer trespass - they are using your service in violation of your TOS.
DLink will pay attention when a Special Agent shows up.
www.eFax.com are spammers
DLink isn't bound by a contract they never signed nor agreed to. The server never asks for consent to its terms prior to allowing you to use it. You are arguing for something like an EULA (which is already questionable) on steroids. For example would you agree an album has the right to say the cover "this may be listened to in a car but not in truck" and that being binding to people listening on the radio?
That's very cheap of D-Link to be hardcoding his server.
:)
I know what I would do: Set up a new server for the 'intended' audience (other Danish NTP stratum-2 servers), and on the IP/Hostname of the old one (that D-Link refers to) I would run a modified NTP server that sends out random times to all those D-Link customers and watch them get swamped in support calls.
That'll teach 'em
Dear Sir or Madam,
I have learned of your company's persistent unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is disrupting internet services for a large number of users. You have been informed in detail of the problems you are causing, and you have done nothing of substance to resolve the issue and compensate those involved.
The issue I refer to is described in the "open letter to D-Link", available at http://people.freebsd.org/~phk/dlink/.
Until this problem has been resolved in a professional and universally satisfactory manner, I will not purchase any D-Link products and will act in my capacity as an I.T. professional to discourage others from doing so.
Sincerely,
Writing Style Nazi
(I'm not a spelling nazi, so please check this again)
The real issue is, as no one seems to be recognizing, that you have to set your desktop machine to connect to the router, and sync the time.
And since D-Link is not a brand with a great reputation in the segment of the population who knows HOW to do that, all we're going to end up with is a bunch of routers with screwy internal time, and a bunch of clueless users who will never know it.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The article doesn't mention whether it's a global list which gets hit at random or whether it's regional with a preference order or whether that algorithm is called upon every time the NTP service is used (eg, once a unit chooses the NTP server it always uses the same server or whether it has an equal chance of hitting every other NTP server in the list).
How the algorithm chooses the NTP server is relevant; the long and short of it is that D-Link are not relying on 1 guy, so for them this is not an issue unless he finds some way to poison the results he sends back and D-Link customers start getting bad times.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
At least the AC realizes that root servers as DNS will not work. W00T, you win the "I'm not an idiot" award but then again, the fact that you don't have a /. account gave you extra points.
Slashdot readers unite. Let's boycott D-Link until they fix this issue. I bet this audience overlaps significantly with their consumer base.
There is a reason why tier one servers are restricted. I can't use security time stamps if the time is all pouched because some coder has no respect for others. They never read any of the use restrictions; I know bigben.cac.washington.edu is locally restricted. Not to mention this is a prime example of how poorly coded D-Link's gear is. What means of detection did they use? The farthest place from you? Most of these devices are here in the US, not in Denmark. The admins of restricted servers here in the US should make claims against D-Link, under homeland security. See if that gets their attention. Also I read a bit back the use of ISP level filtering to prevent DDOS; could he at least reduce the use by having them block use to the Danish subnets? Or set up a second DNS name to give admins in Denmark time to switch over, say 6 mo., then kill the one D-Link uses? Just thoughts.
should become authoritative for the domain GPS.dix.dk and forward traffic to dlink. You DNS admins know who you are.
Consider this. To use NTP, they have to use it to spec.
Open specifications are still the property of the creators (kinda like the GPL).
They are licensed to 'the world' to use, so long as the specification is followed.
The spec in this case includes disallowing certain services to certain levels of usage.
So, the creators of the NTP spec can (in an extreme beyond all belief example)
deny D-Link further permission to use NTP at all.
Further, if they are not following the spec (honoring requests by the NTP server not to be used
in this manner) you could, as the owner of one of the devices (once again, extreme example),
sue D-Link for advertising/listing on the box of the products in question,
for saying they are NTP capable, when it's proven they are not compatible with the spec
(the spec that includes respecting requests not to be used in this manner).
What are your damages? At least the cost of the affected hardware.
every day http://en.wikipedia.org/wiki/Special:Random
I have to admit, back then I configured my box to hit the root directly for all DNS requests; why, I couldn't remember, I guess it was probably just stupid.
And I thought, "why is it always sooooo slow when I go from one site to another?" Not knowing that my box had to go a long way just to fetch the IP address.
Hello, I currently purchase D-Link products for my networking needs but recently I have seen this posted on the internet: http://people.freebsd.org/~phk/dlink/ I have the D-Link products mentioned in this and am now concerned that my products will become "defective" once they are blocked from this NTP server. If such "defects" occur because of bad design, where can I get a refund? I believe that under EU Consumer law a product must be fit for the purpose it is purchased for. Please clarify the status of the "functionality" of my products and whether I should purchase a different brand that will not become defective when such services are blocked. Regards.
DLink isn't bound by a contract they never signed nor agreed to.
Neither are script kiddies performing a DDoS.
The server never asks for consent to its terms prior to allowing you to use it.
Because the NTP protocol doesn't allow for that. The UDP protocol doesn't either, but that doesn't mean it isn't illegal to flood a server with UDP packets causing it to crash.
For example would you agree an album has the right to say the cover "this may be listened to in a car but not in truck" and that being binding to people listening on the radio?
Bad analogy. You buy a CD, the CD becomes your property, and an implied contract is fulfilled. In this instance, D-Link haven't bought the services of the NTP server, it's a service not a tangible good, and you readily admit no contract is present.
You seem to think that it's legal unless a contract says otherwise. That is not the case. A contract, implied or otherwise, is necessary for it to be legal.
I decided to check out the pool.ntp.org website. Comedy. It's the default Apache "you've successfully installed your webserver!" page. Either put something meaningful there or shut off httpd.
Security Rule #0: You shouldn't run services you don't need.
PHK has (of course!) considered moving his box to a new DNS name; the problem lies in the way it is used:
By moving it, he'll require every single BGP router in Denmark to be reconfigured. If you read his Open Letter you'll notice that he has considered and rejected this option as unworkable.
Terje
(Who's been hosting windows ntp binaries for several years now, at http://norloff.org/ntp/)
"almost all programming can be viewed as an exercise in caching"
If he wants to limit the number of NTP users to his servers, the best way is to have some kind of authentication or registration scheme; it's not hard--many NTP servers do it--have a web page and a CAPTCHA.
While what D-Link did is stupid, trying to find a legal, rather than technical, solution to it will set a bad precedent. I mean, where does it end? Should we permit the Mozilla project be sued for distributing a bookmark to some site just because it turns out that the resulting site can't handle the load?
People who offer open, public services should be prepared to deal with whatever traffic comes their way.
Wouldn't a random time generator for all D-Link MAC addresses move the issue over to being D-Link's problem?
...when companies don't make their own products. They're likely not even familiar with the firmware in question, because it (along with the hardware) is probably provided to them by a third party company in Taiwan who couldn't care less about the situation.
For example, my last D-Link wireless router was not made by D-Link. It was made by a Taiwanese outfit called Amit. The exact same products were sold under names varying from SMC, Asante and GVC to 3Com, US Robotics, and doubtless others as well.
The moral of the story: *most* of these manufacturers sell the exact same junk, with the exact same firmware, coded by the exact same people - just with some different logos slapped onto the chassis and the web interface. The only value in buying from a particular vendor is because of their support options (if any), or because their price is lowest. There's no differentiation in the actual feature set of the products. (Heck, for some time I ran my router on "somebody else"'s firmware because they were first to get a bug fix out).
Okay, I'll bite. Why? Unless the path from your local DNS server (which, well, may not exist) to the Internet is significantly longer than the path straight to the Internet (and I would doubt that this is the case, unless you've done a very poor job of configuring your network), the only attack against DNS that you avoid that I can think of would be someone actually rooting the DNS server itself (and not even then, if the DNS server is on an outbound segment). Anyone that can root a machine on a segment that can see the DNS requests can still spoof the request.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
Sounds like a classic denial of service attack to me.
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
"Filtering the D-Link packets requires inspection of fields which are not simple to implement in Cisco routers, and in particular such filtering seems to send all packets on the interface through the CPU instead of fast switching, so ingress filtering the packets at the ingress of AS1835 is totally out of the question."
Only if your hardware is from 1998. Anything a little more modern lays the ACL down to hardware and it goes through fast path rather than process switching.
It's beside the point of course.
Script kiddies charged under the theft of service law are often charged because of the servers they hacked into. They used deception and deception is where they end up in violation. The NTP access doesn't require deception.
If you'd bother to read the article, you'd see that their offer didn't even cover his most direct expenses, let alone all the indirects this thing has/will cause.
If you make an open NTP server you don't have any legal rights other than to turn it off.
His NTP server lists its terms of service. D-Link is breaking those. I think a court is better suited to say if this is illegal than some idiot on /. who can't even RTFA.
I'm sorry, but I just can't support Poul-Henning Kamp on this one. The entire point of the Internet is to make information publicly available. If his intent was to only provide NTP services to a certain set of people/computers, then he should have protected his network appropriately.
Think about the repercussions of ruling in Kamp's favor. Now all those open 802.11 APs that /. users love so much are considered private property and it would be trespassing for us to use them. I am in favor of supporting the Internet status quo: unless a resource (NTP server, wireless AP, web site, etc) owner takes basic steps to restrict access to the resource, it is considered a publicly available resource. Obviously this argument is not extended to hacks or attacks, where the intent is to circumvent a security measure designed to restrict access.
~ SleezyG
customerservice@dlink.com
webmaster@dlink.com
analysts@dlink.com
sale@dlink.com
broadband@dlink.com
bdm@dlink.com
oem@dlink.com
productinfo@dlink.com
hr@dlink.com
edusales@dlink.com
si@dlink.com
Perhaps they should have read this Slashdot story, which was about Netgear routers DoS-ing innocent time servers.
http://erichsieht.wordpress.com/category/english/
The market for home routers is very competitive, and there is little to help customers distinguish between D-Link vs. Netgear vs. Linksys. Learning that my D-Link DI-624 router is a "gross polluter" is a big incentive to upgrade to another brand -- they're cheap devices that get replaced every couple of years anyway.
Hearing about D-Link's inept implementation of NTP makes me wonder what other shortcomings may be baked into the various D-Link products I've purchased over the years. When the product is a commodity such as a network card or a home router, it's a very easy decision for customers to switch brands when they learn that D-Link has made a major mistake that they are unable to correct after ~120 days of private communication with the victim of their DDoS.
about sean dreilinger
Either this is a very weak attempt at a troll, or an incredible demonstration of ignorance.
Here at slashdot, we just call this phenomenon a comment.
If I provide a service, I have the ability to dictate my terms of service. If you break those terms of service, you are abusing it and are liable for damages caused by your neglect. It's a rather simple concept that translates to the internet very easily, simply replace service with server.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
He estimates it.
No doubt based on the fact he has about 2000 legitimate subscribers; the rest of the traffic is likely of D-Link and its ilk's origin.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
but I think this guy is being just a bit unreasonable.
Firstly, just because the NTP server is "advertised in the NTP projects list of Stratum 1 NTP servers" (http://www.eecis.udel.edu/~mills/ntp/clock1a.html) with a restriction of use does not make what DLink is doing illegal. Just as if I say in a newsgroup posting "do not spider my website" would not prevent Google from doing so (automatically, or by legal necessity).
Secondly, he says there is "nothing [he] can do to avoid the packets arriving at [his] server", after rejecting the idea of changing the domain name because it would be a "very timeconsuming effort" for the "2000 legitimate users". Yet he asks D-Link to change the firmware on hundreds of thousands (maybe more, maybe less?) of their routers. Now, I don't know how much compensation D-Link has offered him (in good faith, not by any legal obligation).. but it seems to me the most pragmatic solution is to just go ahead and change the name, and as long as D-Link provides adequate compensation to perform this task.. then that is what should be done, and that's the end of it.
I am the maverick of Slashdot
I sent something like this to MicroCenter. Other places should be alerted as well. If their buyers mention it, it will have more impact than our direct emails to D-Link.
---------------
Please forward this email to your manager.
You sell D-Link equipment. D-Link is currently destroying a computing resource in Denmark, and has made no real restitution or attempt to fix the problem. They are bad Internet citizens.
And they make ROUTERS.
Please tell D-Link that they have an opportunity to get some free press by simply solving this problem and apologizing for the issue.
Your current stock of D-Link products will sell less well in the coming weeks and months, because many of us will refuse to buy them, and will tell your other customers of D-Link's incompetence.
This is why: http://people.freebsd.org/~phk/dlink/
I've long been a FAN of D-Link hardware, after having nothing but problems and short-lifespans with LinkSys and Belkin networking hardware.
I've owned two DI-624 routers (Rev B and Rev C) and I update the firmware on those units pretty frequently.
As long as I can recall, turning on NTP has always been an *option* and I've *always* had to manually input the NTP server I want to use. It's never been hard-coded, or even available from a drop-down list.
When I've left the NTP option unchecked, and set the time manually, I've found that after a router reboot the time is lost, and highly inaccurate (by years) - which would indicate to me it's not sneaking around and grabbing NTP without my knowledge.
As for the assorted posts about how hard it is to contact someone at D-Link - I've also not had a problem there.
Case in point, there's an issue in the latest firmware for their Revision C routers (firmware 2.70). Specifically, it doesn't DHCP to non D-Link wireless hardware. I sent an e-mail to their tech support dept, they helped me troubleshoot and work around the issue, and I assumed I was done hearing from them until a new firmware was posted.
A week later D-Link e-mailed a beta firmware that had a fix for the DHCP issue in it.
I've found their hardware to have a long life (better than Linksys, as much as I enjoy Cisco), be more configurable than Belkin, and after this case with their support dept - I **strongly** recommend D-Link to all my friends and SOHO clients.
I guess, at this point, I feel for the guy in the article, he's providing a useful service, and he *appears* to have researched this pretty thoroughly. If D-Link really has tried to blow him off, well, I blame lawyers, not D-Link.
In my experience, with two DI-624 routers (which are named in the open letter), however, I don't see where/how this can be a problem.
Once you've contacted the box, go to "Tools" and "Time" and you can set the default time server. The field isn't really long enough for the pool.ntp.org, but here in the US, time.nist.gov seems to work just fine.
Why rule out a split DNS so soon?
Though it's probably impossible to recognise *all* D-Link related requests for GPS.dix.dk, it's probably easy to catch 90-95% of them by just redirecting everything outside of Denmark to localhost.
That would reduce illegitimate NTP queries quite a bit, maybe even making it possible to filter the rest of them through some other mechanism.
Error: password can't contain reverse spelling of ancient Chinese emperor
I wonder what DLink's reaction would be if a large number of people were to add that to their ntp.conf?
(I can't find anyway to stop slashcode from reformatting the spaces in the above text)
Only if the time reported is correct. If the time is seriously incorrect, as the parent suggested, there's a strong chance the D-Link routers will just crash. Users, regardless of their skill level will notice they don't have internet access. After they've had to reboot their routers a few times they'll correctly blame D-Link, even if they don't know exactly what is wrong with their hardware.
He discovered a problem.
He contacted the company causing the problem.
He explained the problem, and simply asked them to fix it.
They didn't.
They put him off.
They threw a lawyer at him to threaten him.
They offered 'compensation' that didn't come close to covering his costs.
He was trying to do it all quietly and nicely, not crusading, and they wouldn't have it.
So instead of going through the often extremely troublesome and lengthy legal proceedings (which are even worse than normal since this is an international case), he was hoping to publicly embarrass the company into fixing the problem they caused. Seems like a reasonable attempt at a speedy solution, not a crusade.
You must be from Canada or something... :-)
I've owned their products before but never much cared for them, I prefer Linksys & Cisco. But I know consulting people who do like their products, and I'm going to be talking to them today and tomorrow.
I just sent them the following email:
"I am a networking consultant, Cisco certified, and I talk to a lot of people about home wireless networking. I will not recommend D-Link products and today will begin actively campaigning against them for the unethical access and trouble that you have given to the GPS.dix.dk NTP server. When you have patched your products and made amends to the owner of the NTP server, then I will consider recommending your products again."
Their feedback link is on the bottom of their index page.
When you sympathize with stupidity, you start thinking like an idiot.
Oh wait, D-Link routers already do that when reset. (I'm serious). You can force those model D-Link routers to reset by filling up the log; that is how they are programmed to clear the log: reset. As a matter of fact, many users found out that if they got lots of log messages like (Ping of Death detected) and the log filled up rather fast (P2P users), the router would reboot and drop all connections. So if you could program the NTP server to return bogus results you could put the D-Link routers into an endless reboot cycle. I used to work for D-Link; they couldn't give a rat's ass about standards, it's all about first to market to get the coveted market share.
> on date X, send bogus packets in response... not just wrong time,
> but seriously wrong time, like a packet with time of 9s in all
> fields, which would be most seriously wrong.
It would be better, on date X, to just stop the service (at the old, hardcoded-in-the-routers address, leaving the new service at the new address). This is both kinder to end users (who did not know about this when they bought the hardware and probably still don't) and also a better use of network resources.
Anyway, shouldn't stratum-1 NTP servers reject (or drop) all requests except from known stratum-1 and stratum-2 NTP servers (and maybe stratum-3 NTP servers on certain approved networks)? I thought stratum 2 was where publicly open NTP servers were supposed to live, with private ones for local networks on stratum 3 using a stratum-2 server.
Cut that out, or I will ship you to Norilsk in a box.
I gave up on D-Link around 1999. I bought a USB FM radio of theirs that required a device driver. Their device driver completely destabilized that system, which at the time was running Windows 2000. But worse that that, their uninstallation program failed to uninstall the device driver: it only got rid of their GUI tuner app.
I had to call in the services of a friend who writes Windows device drivers professionally. He was able to hunt down the shards of this offending driver and wipe it from the system. With the D-Link device driver finally gone, the system returned to its former stability.
Since then, I have blacklisted any device made or sold by D-Link, and have not looked back. I can see from PHK's story that D-Link or their suppliers still have the same level of programmer competence that they had when I gave up on them.
I have a Dlink DGL-4300, and it works perfectly--as far as I know. It's probably the most expensive Dlink out there.
But if there is a brand with a good reputation, I'd like to know about it. I hate crappy network equipment, but what's the good stuff?
Penny - plain text accounting
I called 1-877-453-5465, Dlink tech support line and asked how to change which NTP server my dlink router is using.
The tech said there is "no way to do that". I replied "well then How do we submit an ECR (Engineering change request), for this?"
The tech wanted to know why I needed to change it. I replied "Because I don't want me or my company to get sued for overloading Poul-Henning Kamp's server and it appears he is on the verge of starting legal proceedings."
The tech transferred me to customer service who took down the ECR information.
I also pasted a copy of Poul's letter into the tech support email contact page.
If enough of these types of things happen, Dlink may feel enough customer pressure to change things.
Sadly this plan would screw other, legitimate users of this service.
Then, make the NTP server report different time depending on where the request originated from - D-Link, or somewhere else.
I opened a problem ticket with my ISP (who, incidentally, has been VERY responsive in the past) to try to get them to block or redirect the DNS entry for this dude's NTP server:
Subject: D-Link Abuse of NTP: Action Requested
I'm certain that most of the technical staff at speakeasy reads slashdot, so you may have seen this before, but please take a peek at:
http://people.freebsd.org/~phk/dlink/
It would make me very proud to be a $ISP customer if $ISP were to redirect *all* NTP traffic pointed at GPS.dix.dk to pool.ntp.org (or some other round-robin NTP alias). Although D-Link really needs to step up to the plate and do the right thing, I think that this would be an excellent way to lend a hand to somebody providing core internet services for free.
I'm certain that a good portion of your customer base uses D-Link equipment and any load that can be taken off of this poor guy's host will be appreciated. Additionally, if a press announcement is made by $ISP about providing some relief for this guy, it will draw attention to the problem, and possibly other ISPs will follow suit.
I thank you in advance for your consideration of this issue and am very glad to be a customer of $ISP. I know if I were writing this support request to a Bell company or some other type corporation, it would fall on deaf ears at best.
-$ISP Customer
It's a stratum-1 NTP server. Stratum-1 NTP servers are *ONLY* supposed to be used by other stratum-1 NTP servers and by stratum-2 NTP servers, *not* by any random device on the internet. A LAN router should *NEVER* be using a stratum-1 NTP server; it should be using a stratum-3 NTP server if possible, or *maybe* a stratum-2 server, with special permission, under unusual circumstances, if there is no stratum-3 server available. If D-Link won't do anything, this guy's going to have to notify everyone who runs a stratum-1 or stratum-2 server in Denmark, give them time to reconfigure, and then shut down the service.
Cut that out, or I will ship you to Norilsk in a box.
Case closed.
If you run an open service, expect people to use it. Whining about it just makes you look sad.
Everyone owning a D-Link product should call the vendor's support hotline (preferably a toll free number) to inquire whether the device you own is one of those NTP vandalising products. That would certainly make the vendor think twice about carrying D-Link products in the future. Or call D-Link directly to find out. That would show D-Link directly what cost they cause others by their incompetence.
* As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for use outside of Denmark.
So filter out everything that is not from Denmark. This will also filter out the people who have clients that connect to him.
Just like I need to edit my robots.txt to not accept Google, he can change his filters not to accept traffic from outside Denmark.
He is 'just' being slashdotted and can easily resolve the issue.
This all does not mean that D-Link is a bad company and should change their attitude, best by installing their own server.
Don't fight for your country, if your country does not fight for you.
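The "filter everything that is not from Denmark" and split-DNS suggestions above amount to an access policy at the server: answer sources the operator intends to serve, tell the rest to go away, and avoid spending more packets on clients that never listen. The block below is an added example written for this thread; it is not code from the thread, from D-Link or from PHK's server. It parses the 48-byte NTP header laid out in RFC 4330, accepts only version 3/4 client-mode packets, enforces the 15-second minimum poll from RFC 4330 section 10 with a RATE Kiss-o'-Death reply, answers out-of-policy sources once with an RSTR KoD and then drops them silently. The allowed prefixes are constructed placeholders standing in for the DIX networks, not real DIX data; the timestamps are passed in so the logic can be tested offline.

```python
"""Added example: NTP header parsing plus a per-source access policy for a
stratum-1 operator. Not the thread's, D-Link's or PHK's code; prefixes are
constructed placeholders (RFC 5737 documentation ranges), not DIX prefixes."""
import ipaddress
import struct

# 48-byte NTP header (RFC 4330 section 4): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbII4s8s8s8s8s")
MIN_POLL_SECONDS = 15        # RFC 4330 section 10: never poll faster than this
DENY_WINDOW_SECONDS = 3600   # after one KoD, stay silent to a denied source this long

# Constructed placeholder prefixes for "networks the operator intends to serve".
ALLOWED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]


def parse_header(data):
    """Decode the fixed NTP header; return None if the datagram is too short."""
    if len(data) < NTP_HEADER.size:
        return None
    (lvm, stratum, poll, precision, _root_delay, _root_disp, refid,
     _ref_ts, _orig_ts, _recv_ts, xmit_ts) = NTP_HEADER.unpack(data[:NTP_HEADER.size])
    return {"li": lvm >> 6, "vn": (lvm >> 3) & 7, "mode": lvm & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "refid": refid, "xmit_ts": xmit_ts}


def build_client_request(vn=4):
    """Constructed client packet: LI=0, VN=vn, mode=3 (client); only the transmit
    timestamp is non-zero so a reply can be matched to it."""
    lvm = (0 << 6) | (vn << 3) | 3
    return NTP_HEADER.pack(lvm, 0, 4, -20, 0, 0, b"\x00" * 4,
                           b"\x00" * 8, b"\x00" * 8, b"\x00" * 8, b"\x01" * 8)


def build_kod(kiss_code, request):
    """Kiss-o'-Death reply (RFC 4330 section 8): stratum 0, the ASCII kiss code in
    the reference ID, mode 4 (server), and the client's transmit timestamp echoed
    in the originate field. No usable time is carried, so LI is set to 3."""
    req = parse_header(request)
    lvm = (3 << 6) | (req["vn"] << 3) | 4
    code = kiss_code.ljust(4)[:4].encode("ascii")
    return NTP_HEADER.pack(lvm, 0, 0, 0, 0, 0, code,
                           b"\x00" * 8, req["xmit_ts"], b"\x00" * 8, b"\x00" * 8)


class AccessPolicy:
    """Per-source decision: serve, answer with a KoD, or drop silently."""

    def __init__(self, allowed=ALLOWED_PREFIXES):
        self.allowed = allowed
        self.last_served = {}   # source ip -> time of the last answered request
        self.last_denied = {}   # source ip -> time we last sent RSTR to this source

    def decide(self, src, data, now):
        """Return ('serve', None), ('kod', reply_bytes) or ('drop', None)."""
        hdr = parse_header(data)
        if hdr is None or hdr["mode"] != 3 or hdr["vn"] not in (3, 4):
            return ("drop", None)             # malformed or not a client request
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in self.allowed):
            last = self.last_denied.get(src)
            if last is not None and now - last < DENY_WINDOW_SECONDS:
                return ("drop", None)         # already told this source; save bandwidth
            self.last_denied[src] = now
            return ("kod", build_kod("RSTR", data))   # RSTR: denied by local policy
        last = self.last_served.get(src)
        if last is not None and now - last < MIN_POLL_SECONDS:
            return ("kod", build_kod("RATE", data))   # RATE: client polls too fast
        self.last_served[src] = now
        return ("serve", None)


if __name__ == "__main__":
    policy = AccessPolicy()
    req = build_client_request()
    for src, t in [("192.0.2.10", 0), ("192.0.2.10", 5), ("203.0.113.5", 0), ("203.0.113.5", 1)]:
        verdict, reply = policy.decide(src, req, t)
        print(src, t, verdict, parse_header(reply)["refid"] if reply else "")
```

The design choice worth noting is the deny window: a firmware client that never implements KoD will keep polling regardless of what it is told, so every RSTR it receives is wasted upstream bandwidth, and the second and later requests are simply dropped. That only saves bytes, not CPU; where the cost is the packets arriving at all, as the quoted Cisco fast-switching remark in the thread points out, the filter has to move upstream of the server.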
If he did that, D-Link would probably sue him for damages. This is how corporations think.
from http://www.rfc-archive.org/getrfc.php?rfc=4330 section 10: slashdotting is an unexpected spike in popularity, short lived. this is a negligent (and systemic) DoS attack, and (without intervention) can only get worse as D-Link's marketroids get better at their job.
I think a new entry requirement for the internet could be, "you want to use a browser? first pass this test on RFC 1945 or 2616." Or perhaps Mozilla could add a 'startup hint' option with factoids from the RFCs...
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
DLink isn't bound by a contract they never signed nor agreed to.
A better analogy would be one of trespass.
The server never asks for consent to its terms prior to allowing you to use it.
The gate to a field carrying a sign stating "no trespassers" typically doesn't validate who goes through it.
D-Links also can't keep their internal DHCP traffic to themselves. I started having to block DHCP servers coming from inside customer networks in my network. I would have done it anyway, but customers with D-Link routers forced the issue.
I just set the default server manually. Does that help? I can't find any comments to that effect. Also, the D-Link site doesn't show any firmware updates on their site. DI-604 rev E. Google isn't helping me find it either. Here's what I found on the D-Link site ftp://ftp.dlink.com/Gateway/di604_revE1/Firmware
Anybody have an alternative?
What?
Ouch. LOL. Yes, I misread. Thanks for the 27 comments telling me so.
I read 26 of them before I realized I misread all the comments too, so its good you corrected me so many times over.
Big apple, new Yorik, undig it, something's unrotting in Edenmark.
and he'd be pulling from the right level.
somebody running an international high-energy physics experiment can be excused for going to a level-2 or level-1 server. everybody else is wrong to do that.
if this is supposed to be a new economy, how come they still want my old fashioned money?
If this open letter does not work, and to be quite honest I'm not sure it will really register with D-Link, then there appears to be only one solution.
Stop the service
Yes, it will hurt legitimate users temporarily; the sysadmins probably will be made aware of this situation (provided you get the word out), and when it goes down explain the reason why the service has shut down (D-Link's abuse). Sysadmins are more likely to be sympathetic to your problems.
Set up a new domain a few months later.
Either that, or you work for D-Link yourself.
Right, because lawyers are cheap... right.
I like how he doesn't mention any numbers.
He already has dedicated hosting, do they charge him $1 per megabyte or something?
If you'd bother to RTFA, once again, he answers how much the hosting is costing him. He talks about numbers all over the place.
"because I offer this service free of charge and NTP is a low bandwidth protocol, the organization behind the DIX has graciously waived the normal DKR 27.000,00 (approx USD 4,400) connection fee."
"the current theory is that I will have to close the GPS.DIX.dk server or pay a connection-fee of DKR 54.000,00 (approx USD 8,800) a year as long as the traffic is a significant fraction of total traffic to the server."
"I owe $5000 to an external consultant who helped me track down where these packets came from."
"I have already spent close to 120 non-billable hours (I'm an independent contractor) negotiating with D-Link's lawyers and mitigating the effect of the packets on the services provided to the legitimate users of GPS.dix.dk."
"Finally I have spent approx DKR 15.000,00 (USD 2,500) on lawyers fees trying to get D-Link to negotiate in good faith."
"If I closed the GPS.dix.dk server right now, wrote off all the time I have spent myself, then my expenses would amount to between DKR 45.000,00 and DKR 99.000,00 (USD 7,300 to 16,000) and several hundred administrators throughout Denmark would have to spend time reconfiguring their servers.
If on the other hand we assume I leave the service running and that the unauthorized packets from D-Link products continue for the next five years, the total cost for me will be around DKR 115.000,00 + 54.000,00 per year (approx USD 18,500 + USD 8,800 per year) or DKR 385.000,00 over the next five years (USD 62,000)."
Block the NTP traffic from anything outside his network if it is sooooo expensive for him. You can do that at the ISP level in most cases.
He also mentions how blocking traffic is not feasible, and why, IF YOU'D BOTHER TO READ THE FUCKING ARTICLE. Learn how to read or STFU about him being an asshole.
Cry me a river. And quit claiming that Hans Island is yours while you're at it...
Help us build a better map!
>the market will punish them.
I deal with crappy routers all the time. The market will NOT punish them because -- by avoiding dealing with the problem -- D-Link shifts costs to SOMEONE ELSE'S SUPPORT.
'The market' is often a reference to do nothing.
I don't see anything that is going to cause Joe Sixpack to stop buying D-Link. I don't see bestbuy dropping these models. This issue quite clearly is protected by a S.E.P. shield.
I'm pretty sure we have some D-link equipment in the back. I don't want this Danish guy to sue my company, so I'd better get on the phone to D-link and ask how I can make sure my hardware doesn't access his services without authorization. I'd better call D-link's legal department, just to make sure they're ready to indemnify us (is that the right word? IANAL) in case we do get sued.
If your company uses D-link products, I suggest you do the same.
I would take a guess that you just took the bait of a troll. Hook, line, sinker... rod, reel and copy of Angler's Times...
Either that or the grandparent poster has never looked after an ISP style environment where co-operation between sysadmins makes your lives SOOOOOO much easier. A bit of common courtesy goes a long way to preventing problems down the track.
Option three would be that we just can't get our heads that far up our own arse to see things from his point of view..
Curiosity was framed; ignorance killed the cat. -- Author unknown
Who cares what they were going to pay him? It was less than his costs. It still doesn't solve the issue of what they are going to do about the problem given that they caused it.
Have you ever worked as a sysadmin or worked admin'ing servers at an ISP? Hell, worked on anything big that has something to do with the internet? Your cable / DSL line doesn't count here.
Curiosity was framed; ignorance killed the cat. -- Author unknown
Trespass is a different crime than theft. I've responded a couple of times elsewhere but... the problem with the trespass statute is:
1) tying DLink to the act of trespass (there isn't a conspiracy to commit trespass)
2) proving they actually had access relative to the law
3) there has to be a taking of data and I'm not sure the correct time qualifies
Basically, you could make a better case (but IMHO) not a winning one against DLink's customers.
Your ignorance made you miss the joke. You should apologize.
Apparently it wasn't a joke, but kudos to him for admitting that, at least.
The guy says dlink has to stop this or he'll get shut down, because of the costs he'll be facing if they don't. Get real, that won't help. Even if d-link updates all of their firmware today, it will take years for the bandwidth usage to stop. He's facing the costs no matter what d-link does, short of them paying his bills.
At this point he has only one choice. He has to change gps.dix.dk to gps2.dix.dk, or some other name. Yes, this will inconvenience Danish servers that use his NTP service. They'll have to switch over to the new name, and it might take a while for him to get the word out. He can run both names in parallel for long enough to give legitimate users time to make the change.
This may inconvenience Danish server admins, but my guess is it will inconvenience them a whole lot less than if he has to shut down, as he says he will if the traffic from d-link devices continues. Given that it will continue for quite some time, what other choice is there? He should just bite the bullet and do what he has to do.
That would be the best irony: His trolling articles against his company just leading to highly moderated comments about how the complaints are legitimate so that more people can see them. :)
Perhaps you're trolling, so I'm falling for it.
But who's being obnoxious here? You want to disconnect thousands? of people from the Internet by downing their router, when they probably have no idea what NTP is, or that their router even uses it.
Sure, D-Link was wrong by using it, but punishing their customers is the obnoxious thing. Blocking the time is one thing, but maliciously trying to crash their router?
Come on, grow up.
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
The author should change the DNS name and IP address of his NTP server to something else, update his entry on the list of "Public NTP Primary (stratum 1) Time Servers", and move on with his life.
To prevent this abuse from happening in the future he needs to instigate a policy where only pre-approved clients can connect to his NTP server. He can choose to either set up a password on his NTP daemon, or filter by IP address at his border gateway. The latter would be the only way to prevent traffic spikes in the future from running up his hosting bill.
Anything else is an exercise in futility. Yes it sucks, but he will not be able to fix the problem by whining on Slashdot.
If he is feeling vindictive he can then change the DNS entry for GPS.dix.dk to be an alias for www.dlink.com to drive traffic to dlink's site, but that may get him in trouble.
Thank you, mr d-link lawyer.
http://www.dlink.com/site/contact/ContactDlinkCen
D-Link Customer Service
phone: 1.800.326.1688
customerservice@dlink.com
Webmaster
webmaster@dlink.com
Strategic Partnerships
mailto:bdm@dlink.com
Here's a few places to send the disgruntledosity. If everyone who cared would just send one email a day... another example of how the mindless corporation is grinding intelligence right out of humanity.
To me it looks like he is paying off all his friends, he didn't have to pay a damn thing for this server and now all of a sudden he does and will? He's getting a lot of traffic so he pays a guy $3000 to find the problem? Now he is going for the big lawsuit with a freaking OPEN LETTER? FOR THIS????!?!!!!!! $2500 in lawyer fees and no lawsuit yet? WTF... WTF is all I have to say.
The no-fees thing was based on the fact he was providing a useful service for not much bandwidth. Now his bandwidth is massive, so he has to pay. Also, lawyers cost quite a bit of money just to talk to; he'd've needed to do that for a while since this D-Link lawyer fellow was stalling him for some time.
I also set up chronyd on a regular basis and I just randomly pick a server that's publicly advertised on the internet, without thinking twice about some astronomical bandwidth costs some people may be paying for my 2 kilobytes per day.
There's a big difference between your 2kb/day and thousands of D-Link routers polling at short intervals. I don't see your point.
Fuck, mod me up for once, you guys who mod yourselves up (*cough* LurkerXXX) need to go get a life.
Go get a good argument if you want to be modded up.
We are not talking HTTP here. Robots.txt does not apply.
The place where the service restriction is clearly written out, the "stratum 1 list" is the only place where DLink can have found the name of the NTP server in the first place.
As several posters have pointed out: consumer devices like these have no need to query stratum 1 servers.
As I said clearly in my letter: filtering will not prevent me from getting hit with bandwidth charges of $8800/year.
I have not tried sending any bogus return packets because that would hit innocent consumers who bought D-Link's deficient products.
And for the people who could have identified the source of these packets so much faster and easier: Drop me an email, I'll be sure to ask for your help next time.
Finally, I can see that more than 40 people at D-Link Irvine (192.152.81.0/24) have read the open letter now, please guys: get somebody to call me or email me so we can get this matter settled. (Both email and phone# are in the open letter.)
Poul-Henning
Poul-Henning Kamp -- FreeBSD since before it was called that...
It may be expensive to filter packets at the router level, but it's not the Cisco that's doing NTP service (I assume), it's a Unix box of some sort.
So - make a whitelist (it's only a few thousand legit servers), hash it (so a yes/no lookup is cheap), and give a bogus response on a miss. On a modern architecture compiled language, the extra processing should be sub-millisecond - hopefully fast enough to avoid messing NTP up for legit users. If you're lucky, a really bad time will cause real problems for Dlink customers, who can then complain to the vendor. If you're *really* lucky, they'll patch to avoid the support burden.
Yes, this would take a patched NTP. Yes, this doesn't deal with traffic, or your expenses. Yes, it only indirectly causes problems for DLink. And Yes, you shouldn't have to do this at all.
Dlink isn't going to do anything unless forced, that's clear. Your open letter may help - I hope it does - but if it doesn't, you do have a way to deny them service without grossly inconveniencing your legitimate users. You still bear the bandwidth costs... but it's something.
Having said all that - simply renumbering your IP shouldn't be as heinous as all that. Any semi-competent server admin should have a fallback NTP in case yours is down - so a renumber, while disruptive, isn't impossible. If you do it - do it sooner rather than later.
Dlink - you can fix this. Apologize, and contract with this man to provide NTP services, covering his expenses and time. He's not the only one you're hammering, and if they all take steps you're screwed. Nip this in the bud - you may well have not realized that NTP is something you have to pay for one way or the other (your alternative would have been running your own server, really) - but you do. Don't let this bad PR situation get worse.
Use my karma? I don't think so. I haven't used a bit. I'm at excellent, and responding to your trolls has only added points. There's no need to follow you around. I'm sure you'll do yourself in.
It's posts like that one which call for an 'uninformative' mod category.
I used to use a D-Link DWL-900AP+ access point. I updated to the latest firmware, which claimed to support WPA-PSK, but it wouldn't cooperate with wpa-supplicant. IIRC, for some unknown reason, the D-Link firmware would just not complete the WPA handshake.
I called tech support, got bumped up to "tier 2", only for a gruff-sounding rep to tell me "WPA is an optional feature, we don't support that".
That, and other issues I've had with them, was why my SSID for more than a year was "DLinkSucksAss".
Then I tried Netgear, with similar "results". What a scam. Therefore, my netgear AP SSID involves Patrick Lo (Netgear's CEO), a donkey's genitals, and suction.
My Madwifi/hostapd AP on the other hand hums along just fine.
My company evaluated several small "consumer" grade routers for a product of ours. We needed something small and cheap and robust. We finally settled on someone OTHER than DLink. This wasn't due to the phkamp issue, but it's still nice to know that we won't be buying several thousand routers from them. :-)
A Government Is a Body of People, Usually Notably Ungoverned
There are more details of the problem and how it was identified, written by Richard Clayton who found out where the traffic was coming from after Poul-Henning Kamp asked him for help.
Steven Murdoch.
web: http://www.cl.cam.ac.uk/users/sjm217/
Dear Zardo,
I never use anonymity to hide behind; I have no opinions of which I am ashamed.
You seem to be missing a very fundamental point in this: I live in Denmark.
Danish lawyers are not allowed to work on contingency. You get your bill first, then the verdict.
Therefore, $2500 in lawyers fees is actually not very much over here. If I tried to get this case in front of a judge, I would have to pay something like ten times that.
Furthermore, you seem to question a lot of things you could have determined for yourself by reading the actual letter I wrote.
Finally, I have probably done more for the internet and open source than you will ever be able to imagine, so if you want to paint me as a simple extortionist, you may have a bit of trouble making people believe you.
In all likelihood, I wrote the function which protects your password.
Poul-Henning
Poul-Henning Kamp -- FreeBSD since before it was called that...
"Lawyers around here..."
Are you in Denmark, now?
If not, how the hell do you have the slightest idea about how much fees are in that country?
Hint: Not in all countries is suing a national sport like in the USA.
The problem is really one of economics more than anything else, so the solution has to be cheap.
He's correct that performing complex packet matching on a Cisco router would load it too much - they just don't have the CPU to do that function for any significant traffic load.
I would configure the switch that the NTP server is on to have a SPAN port, a port to which all traffic is copied. Most Cisco switches will do this without any problem. On that SPAN port, connect a Linux box with a bit of CPU power; 2GHz would be tons. On the Linux box, set up tcpdump to match the packet patterns that D-Link routers are sending (from TFA he has this as detected by a network consultant).
From the output of tcpdump, extract the source IP addresses. A fairly small perl script would probably do it. Take these IP addresses and massage them into access-lists for the upstream router to block; again perl or TCL/Expect would be reasonable tools. Routers are good at blocking large lists of IP addresses; it's not such a load for them as the list gets compiled and pushed onto the hardware. Depending on his router model a few thousand ACL lines would be fine.
Alternatively, he could use the same approach to detect the non-D-Link source IPs - permit these and block anything else. From his stats of legit -vs- D-Link sources this would result in a shorter access list.
The only issue here is that a D-Link behind a shared NAT'd IP address would result in that address being blocked, but there shouldn't be too many of these. And legally he can block anything he wants; his service has no written guarantee, so he should be legally safe (yeah, IANAL).
To keep costs and time down, he can probably get help from the local University ( a cool project for any CompSci students ) to do the code and Linux setup, or help from the local LUG - I'd bet there would be plenty of volunteers to set it up, and I could imagine it being done within a couple of days.
Kerry
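An added example of the tcpdump-to-ACL step proposed in the comment above, written here for illustration (it is not code from the thread or from the operator of GPS.dix.dk). The capture lines, the addresses, the query threshold and the ACL number are all constructed assumptions; since the actual D-Link packet signature is not given in this thread, the script flags sources by query count instead, and it also puts an allowlist ahead of the deny lines to cover the shared-NAT case mentioned above.

```python
#!/usr/bin/env python3
"""Turn an NTP request capture into a block list and a Cisco-style ACL.

Illustrative only: the capture text below is constructed in the shape that
`tcpdump -n udp port 123` prints, using documentation addresses, and the
server address, threshold and ACL number are hypothetical.
"""
import re
from collections import Counter

SERVER_IP = "192.0.2.10"  # hypothetical address of the NTP server

# Constructed sample capture (not real traffic). Seven client queries hit
# the server; the last line is one of the server's own replies.
SAMPLE_TCPDUMP = """\
12:00:00.100000 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:00.200000 IP 198.51.100.7.1025 > 192.0.2.10.123: NTPv4, Client, length 48
12:00:00.300000 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:00.400000 IP 203.0.113.9.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:00.500000 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:01.100000 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:01.200000 IP 203.0.113.9.123 > 192.0.2.10.123: NTPv3, Client, length 48
12:00:01.300000 IP 192.0.2.10.123 > 198.51.100.7.1025: NTPv4, Server, length 48
"""

# One tcpdump NTP line: timestamp, src.port > dst.port, version, mode
NTP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>\w+)"
)


def parse_requests(capture, server_ip=SERVER_IP):
    """Return (timestamp, source ip) for every client query aimed at the server."""
    out = []
    for line in capture.splitlines():
        m = NTP_LINE.match(line)
        if not m:
            continue  # not an NTP line tcpdump decoded; ignore it
        if m["dst"] != server_ip or m["dport"] != "123" or m["mode"] != "Client":
            continue  # skip our own replies and unrelated traffic
        out.append((m["ts"], m["src"]))
    return out


def count_sources(requests):
    """Queries per source address over the captured window."""
    return Counter(src for _, src in requests)


def flag_abusers(counts, threshold):
    """Sources that sent at least `threshold` queries in the window."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def build_acl(abusers, allowlist=(), acl_number=101):
    """Cisco-style extended ACL: explicit permits first, so a known-good
    host that shares a NAT address with a flagged client is never blocked;
    then the denies; then permit everything else so unknown legitimate
    clients keep working."""
    lines = []
    for ip in allowlist:
        lines.append(f"access-list {acl_number} permit udp host {ip} any eq ntp")
    for ip in abusers:
        if ip in allowlist:
            continue
        lines.append(f"access-list {acl_number} deny udp host {ip} any eq ntp")
    lines.append(f"access-list {acl_number} permit udp any any eq ntp")
    return lines


if __name__ == "__main__":
    reqs = parse_requests(SAMPLE_TCPDUMP)
    bad = flag_abusers(count_sources(reqs), threshold=2)
    # 203.0.113.9 is treated as a known-good host sharing a NAT address
    print("\n".join(build_acl(bad, allowlist=["203.0.113.9"])))
```

On a live box the capture text would come from `tcpdump -n -l udp port 123` on the SPAN-port interface, and the threshold would be tuned against the known polling interval of legitimate clients.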
Actually you do. If you want to resolve somesite.com.au your DNS will go to the root servers and ask for the DNS for .au
Then it goes to that DNS and asks for the DNS for .com.au
Then it goes to that DNS and asks for the DNS for somesite.com.au
If you or your browser specified www.somesite.com.au then it goes to the DNS for somesite.com.au and asks for the IP address for www.somesite.com.au
NTP servers should be able to send a response to say "don't ask me, ask this other server" which is pretty much what DNS does.
http://michaelsmith.id.au
1. D-Link update with a USER_AGENT of 'client/1.0' (how original). This violates all published dynamic DNS specifications, be it DynDNS, TZO.COM, no-ip etc
2. DynDNS blacklists these D-Link routers (block all agents using 'client/1.0')
3. D-Link responds by changing USER_AGENT to be '$username/1.0' (where $username is your ddns username).
I'm NOT kidding you. They took the time to do a string change to circumvent blocking, but not solve the problem! Fuck, why not set the USER_AGENT to 'Mozilla' while you're at it. Jerks.
(earth to D-Link... send at LEAST 'dlink_piece_of_shit/1.0'... or better yet send 'dlink [router:$routerver/firmware:$fwver]' so maybe only SOME of your routers get blacklisted. )
DynDNS blocks D-link routers. TZO, and no-ip currently do not.
Who pays for the customer's phone angst? Not D-Link... they've already set Support expectations SO LOW no professional will talk to them.
I even put one of their fucking routers WAN ports under a packet sniffer, and SENT THEM A HOW-TO on fixing their router! My request was last seen in Mumbai-istan-dia by a script reader named 'Steve'. These people follow RFCs as well as Myspace or GoDaddy. Outsourced Customer service is not going to be proactive about protecting a reputation of their employer's employer.
D-Link have 6 "OEM developers" who are outside contractors. When they have to fix a bug in one OEM's product, there is NO CODE SHARING with the other development teams. It's the customer's fault for not reporting the bug in every affected model, you see...
Why should D-Link care about stealing anyone's bandwidth from their own firmware bugs?
From their perspective, these things still fly off the shelf at Best Buy.
You can enable dynamic DNS in a D-link, and if you do NOT set the username and password (meaning the DDNS will fail), they HAMMER on the update server. Oh gee, a failed update means RETRY right?
The motherfucking OEM coders in Taiwan skip reading the specs because they are only written in English.
If QA doesn't complain, ship it.
Disclaimer: I work for one of these dynamic DNS companies. Avoid D-Link... go with Linksys or SMC or Buffalo or US Robotics. For the love of god stay away from D-Link PLEASE!
Hardware users should not be afraid of the hardware manufacturers. Hardware manufacturers should be afraid of their users.... Greek Geek.
:-)
Don't forget to email the friendly & helpful people @ Dlink here - bdm@dlink.com, to express your ongoing satisfaction at their fabulous actions.
Greek Geek
What if we start posting details of this issue to the amazon.com reviews for the products?
Then do the same for any other places selling the routers.
D-Link won't care unless this hits their pocketbook, and spreading bad word of mouth is the best way we have to do that.
DI-604 on Amazon.com:
http://www.amazon.com/gp/product/B000069K98/
"Live Free or Die." Don't like it? Then keep out of the USA
- Keeping logfiles accurately
- Serving time to other home boxes
Even if you haven't set things up to run on a common time source, it's really helpful to have logfiles with the correct time in them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have a DI-624, and it has an option to change the time server, under Tools/Time Tools.
:-)
D-Link should just have set them by default to point time.windows.com:
- That would get clueless windoze users to have their computers synchronized with the router by default, and
- Advanced users can always enter a better choice (although I really like the idea of leeching on MS bandwidth)
Given that it's their negligence costing him money, they ought to just pay him anyway, but if they want to do the right thing here, they also ought to pay him.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
What about going with a geographic DNS server? If you're unaware of how these work, the idea is that the DNS servers provide a different IP address based on the IP address of the computer making the DNS query. The idea here is that any of the Danish users would get your time server and anyone making a request from outside would get an IP address of your choosing (perhaps a D-Link time server). This may not block 100% of the traffic since there are probably some D-Link boxes inside the DIX network.
One example site that uses this technique is Olympics.com. That site is served by Akamai (http://www.akamai.com/) but several other companies do similar things (http://www.netli.com/ is another company). It is easy enough to make DNS queries from different parts of the world to see how this works in practice.
You have several choices for the DNS server to use. You might be able to team with one of the industry players in exchange for a bit of publicity. Cisco built-in DNS servers also have this ability, so you should be able to do it yourself. It does require a bit of work and some magic in coordinating IP ranges with geography, but the big boys already do it, and based on the huge amount it has already cost you it might just be the quickest, easiest solution.
You mention that changing the IP address of GPS.dix.dk won't work. This is good news, implying that the IP address is not hard coded and hence using the geographic DNS server will work.
Mike
the problem with the trespass statute is:
1) tying DLink to the act of trespass (there isn't a conspiracy to commit trespass)
Ah, but there is. D-Link is conspiring to have owners of their routers trespass into those NTP servers. I believe they call this conspiracy "sales" or "marketing". I'm not sure if the owners themselves would have to have knowledge of this for it to be a conspiracy, but I don't believe it would be.
2) proving they actually had access relative to the law.
I'm not sure what you mean by this. Read the article: The routers are intentionally made to connect into a server where the stated policy of that server indicates that they are not welcome there. That seems like trespass to me.
3) there has to be a taking of data and I'm not sure the correct time qualifies.
I bet it might if the producer of that data has asked that it not be taken. See above. Also, what's being taken here is not just data; It's really a service: the availability of a very accurate source of time data. Anyone can give you the time, but this is something that has to be maintained at some expense so it has a definite value whether he's charging for it or not. Because of that, saying it was "given away for free" or "just the time" might not work as a defense if this went to court.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I have a D-Link DSL-200B ADSL modem, and it's a shameless piece of junk. The only reason why I use it at all is because it came free with my ADSL account, and I don't have the money to replace it with something decent. It was also the main thing which forced me entirely back to XP, since even though I believe there are Linux drivers for it, with all the added crap I'd have to do installing USB, it'd be even more work than my Lucent winmodem was on dialup.
The modem will also commonly take me 3-4 attempts to connect, isn't "always-on" like most ADSL connections apparently are, and usually doesn't stay connected for more than 48 hours at a stretch, either. The drivers for XP are also truly atrocious... I had to upgrade to service pack 2 I think it was because of USB problems, but the modem drivers still manage to crash my system on occasion. I'm talking a hard crash, too... it's the only time I still see the blue screen of death these days.
So, yeah...I wouldn't recommend D-Link stuff to anybody. The only reason why they're what ISPs give away as a free modem with accounts is because they're so cheap, and I'm assuming that that is because the company already has a reputation as vendors of rubbish hardware.
Fucking ey, I bought a D-Link Di624 about a year ago with one of the purposes being to keep my DynDNS record updated.
Not buying D-Link again for the next few years - even if they started cleaning up their act, this kind of crap takes a long time to blow out of the pipes.
GOLD! GOLD! GOLD!
24 Carat pure GOLD!
Just to get back on point for a second here, is there any way for the /. community to help you? Aside from getting this as front page news?
Being a sysadmin I have a bit of a clue how frustrating it can be dealing with all this stuff.
Curiosity was framed; ignorance killed the cat. -- Author unknown
support.dlink.com and ftp.dlink.com don't have the DI 604 firmwares up.
Looks like they took down the firmwares and might update them later.
Ah, but there is. D-Link is conspiring to have owners of their routers trespass into those NTP servers. I believe they call this conspiracy "sales" or "marketing". I'm not sure if the owners themselves would have to have knowledge of this for it to be a conspiracy, but I don't believe it would be.
You are missing the point. It is against the law to conspire with someone to commit trespass. So even if you can prove (2) and (3) (that is the DLink's customers were trespassing) you still have problems getting anything criminal on DLink.
I'm not sure what you mean by this. Read the article: The routers are intentionally made to connect into a server where the stated policy of that server indicates that they are not welcome there. That seems like trespass to me
Right, and the law (again the trespass statutes) seems to define "access" as more than a simple packet exchange. It reads like it requires a log in.
I bet it might if the producer of that data has asked that it not be taken. See above. Also, what's being taken here is not just data; It's really a service: the availability of a very accurate source of time data. Anyone can give you the time, but this is something that has to be maintained at some expense so it has a definite value whether he's charging for it or not.
There is serious question whether you can "own" facts. For example, let's say I compute the product of two 50000 digit numbers. I may have been the first one to compute this product. Can I enforce a copyright on that fact? Can I patent this? Basically the law says no. The correct time may not be considered an own-able fact.
As for stealing a service, go back to ggggp. The whole trespass thread started because DLink doesn't meet the criteria for theft of service (they don't have enough control over the server, nor did they use deception).
Because of that, saying it was "given away for free" or "just the time" might not work as a defense if this went to court.
Forget about defense. I'm still waiting for anyone to actually show a possible prosecution. That is a place where DLink fulfilled all the elements of a crime.
Hi Tech company in Taiwan says "Hey, D-Link we have NTP! Want to OEM our BL-8000?" D-Link either says yes or asks their current OEM "I don't know what the hell NTP is, but why don't you have it?". In either case some lowly engineer, being paid in noodles, is told to put NTP on their router by tomorrow morning or get their noodles elsewhere. Bad design decisions often follow bad management decisions.
The programmers probably implemented a spec (this isn't Microsoft) and will no doubt fix the issue as soon as they are told about it (i.e. now it is on slashdot they will spend the weekend doing that). In this case it is the lawyer who is clearly the major problem.
First off, I'm not sure about D-Link's half-hearted go at NTP so I think sending those boxes seriously malformed packets could take them down... fast. I wouldn't be surprised if there isn't an exploit or two out there that take advantage of the D-Link NTP client.
However apart from quality, you know what the most striking differences are between D-Link and Cisco?
1. Cisco is definitely a pro and would never fuck up like that in the first place.
2. Just assuming it had been Cisco instead of D-Link they would be so much more likely to go the easiest way of resolving the problem which is to fork over the $60,000 or so for bandwidth and apologize. A letter. Five or six checks. About $60,000 loss. It'll boil down to all in all from considering all expenses such as people's salaries who spend time on the problem and cut the checks to the postage stamps needed for them to get to Denmark - all that will probably boil down to a markup on equipment and services of 2 cents and nobody will ever be the wiser.
Far be it for me to give PHK advice...
But if you only have about 2000 authorized users, it seems to me you could modify the software to white list them.
Then anyone not on the white list gets a random time back (with appropriate checks to make sure that it isn't anywhere near the correct time).
As soon as it starts looking like a bug in their product, they will take the problem seriously. But don't expect them to take it seriously until it actually becomes *their* problem.
-- Terry
"I have also been offered a specific amount of "hush-money" if I would just shut up and go away, but the amount offered would not even cover my most direct expenses."
Add up the friggin' numbers in TFA re: his direct expenses and you have an upper limit for what D-link, via their lawyer, has offered. It's fucking obvious.
Unless of course you are so far gone in perpetuating your non-existent logic that you can't turn back.
"Get off the cross - we need the wood" - Tori Amos
After all legitimate users are moved off, change the DNS entry and point it into d-link's IP address space. They can deal with the traffic however they like...
I just sent the Canadian D-Link office a fax quoting the open letter.
The Canadian office fax number is reachable with the http://www.tpc.int/ e-mail to fax gateway.
A listing of d-link fax numbers is available here: http://www.dlink.ca/corporate/international.php
Couldn't theft of service apply to a client that is 'claiming' to be a server by connecting to a tier 1 server?
Change is certain; progress is not obligatory.
So what? Give Dlink a break. It's not like Britain isn't corrupt, or Germany, or god help up France. Some piddling communistic country time server gets hit up by some piddling communistic country's cheap-ass 'router'. So what?
The guy had help in finding out who it was who abused his service, by Richard Clayton, he writes in his blog about this: "on a typical day he'd receive 3.2 million bad packets (that's 37 a second!). "
Here he explains how he traced down who was behind what he calls a DDoS attack: His blog
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Learn how to read or STFU about him being an asshole.
Hear hear!
No, he is pissed that people who are not authorized to use it are abusing it, at his cost.
Poul-Henning, this reason is only slightly correct. Your timing performance, or accuracy, will not be disturbed simply because filtering is expensive or time-consuming. It will only be disturbed if the filtering takes a non-deterministic amount of time to complete. That's a big distinction, because it means you may be able to filter to help solve your problem.
If you recall David Mills' logic, drift is calculated based on the exchange of two messages, and a simple calculation. There are four local time variables involved in synchronising two hosts. These are the departure time of message 1 from host 1 (t1), its arrival time at host 2 (t2), the departure time of message 2 from host 2 (t3), and its arrival time at host 1 (t4). The calculation essentially figures out the transmission delay of a message, and uses that to figure out the drift between the clocks at host 1 and host 2 (your NTP server). The delay is calculated as (t2 - t1) + (t4 - t3) / 2, and the drift is then t2 - t1 - delay. NTP will exchange these message pairs more than once to amortise out differing propagation delays (because of different IP routes, different delays at routers, etc).
Now say you add filtering. You have two options. You can either filter before the incoming message 1 at host 2 (your NTP server) gets timestamped, or after. If you do it before, t2 will increase by the filtering amount. If the amount of time spent filtering is a fixed quantity, as well it should be on a low load system, this will not affect precision. If it's non-deterministic, then accuracy will in fact suffer. This is where option 2 comes in. If you filter the packet after you calculate t2, the precision is not affected at all, even if filtering time is non-deterministic. Then, if the filter fails, you just ignore the request and don't bother sending message 2.
The above thoughts can help you save on outgoing bandwidth. There's nothing you can do about incoming bandwidth unless D-Link get their act together, though, right?
Hope this helps. Reply to this post if you have any questions.
*blinking cursor*
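A simulation of the point made in the post above (filter before vs. after the receive timestamp), added here as an example that is not part of the original thread or of any NTP implementation. It uses the standard NTP offset and delay formulas from RFC 5905; the clock offset THETA, propagation delay D, processing time P and the filter cost are constructed values.

```python
"""Constructed NTP exchange simulation: the client clock is taken as true
time, the server clock runs THETA ahead, one-way propagation D and server
processing P are fixed, and FILTER_COST is the time an (assumed) source
address filter spends on the server before a reply is sent."""
import random

def ntp_offset_delay(t1, t2, t3, t4):
    """Standard NTP (RFC 5905) round-trip delay and clock offset."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    return offset, delay

def exchange(t1, theta, d, p, filter_cost, filter_before_timestamp, allowed):
    """Return (t1, t2, t3, t4) as the client sees them, or None when the
    filter drops the request (no reply is sent, saving outgoing bandwidth)."""
    arrival = t1 + d                      # true time the request arrives
    if filter_before_timestamp:
        # filter runs first; the receive timestamp includes its cost
        if not allowed:
            return None
        t2 = arrival + filter_cost + theta
        t3 = t2 + p
    else:
        # receive timestamp is taken first; the filter only decides whether to answer
        t2 = arrival + theta
        if not allowed:
            return None
        t3 = t2 + filter_cost + p
    t4 = arrival + filter_cost + p + d   # reply arrival on the client clock
    return t1, t2, t3, t4

def offset_error(filter_before_timestamp, filter_cost, theta=0.250, d=0.010, p=0.001):
    """Estimated offset minus true offset, as computed by a permitted client."""
    stamps = exchange(100.0, theta, d, p, filter_cost, filter_before_timestamp, True)
    offset, _ = ntp_offset_delay(*stamps)
    return offset - theta

if __name__ == "__main__":
    rng = random.Random(1)
    for _ in range(3):
        f = rng.uniform(0.0, 0.020)       # non-deterministic filter time
        print(f"filter {f*1000:6.2f} ms: error before={offset_error(True, f)*1000:6.3f} ms"
              f"  after={offset_error(False, f)*1000:6.3f} ms")
```

Filtering before the timestamp shifts the computed offset by half the filter time, so a variable filter cost shows up as jitter; filtering after the timestamp leaves the offset exact and only inflates the measured round-trip delay.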
Try Zyxel or Asus. Some Asus models even use linux.
but serious, shouldn't d-link, netgear, belkin, etc
... yah!
have their ownz atomic clocks and NTP servers for that
matter? it's pretty weird, even microsoft has their ownz
NTP server (tho i dont know if they have an atomic
clock or not) at time.windows.com.
kudos microsoft!
mass manufacturing routers and stuff with NTP support
then freeloading off some non-profit dudes
Right, but because a US-American company is involved, morals cannot come into play on either side.
I would expect ntp.commercial-isp.net to usually be stratum-3 (assuming it exists).
> somebody running an international high-energy physics experiment can be excused for going to a level-2 or level-1 server. everybody else is wrong to do that.
My understanding is that a stratum-3 NTP server, all else being equal, should get its time from stratum-2 NTP servers. That's what stratum-2 servers are *for*. There is such a thing as a stratum-4 server (i.e., if I put in an NTP server at work (which I would like to do), on our small network that has some 25 systems on it, it could be stratum-4 and pull time from stratum-3 sources, and would still have greater accuracy than we need), but ordinary users would ordinarily not have such a thing, and would use a stratum-3 source. A large business or an ISP would want its own stratum-3 time server, presumably.
Cut that out, or I will ship you to Norilsk in a box.
No there has to be some sort of positive attempt to determine. If they did try and determine it, then maybe but I still have some questions:
1) There aren't clear definitions of what a server means.
2) Under lots of those definitions would a DLink qualify?
3) Even assuming 1, 2 don't work you could argue that DLink isn't the one performing the deception, their clients are. Dlink would be the one causing the deception to be performed so maybe you could swing a conspiracy for theft of service but it sure is a stretch.
4) As someone else mentioned on this thread client based discrimination at the point of the transaction is illegal. Theft of service requires a legal agreement, if I trick you into driving me somewhere where you have the expectation of receiving pot as payment then that isn't theft of service.
I have all sorts of problems with my D-Links anyway. And this only confirms that their firmware is crap.
They are off my radar forever.
Martin
> So filter out everything that is not from Denmark. This will also filter out the people who have clients that connect to him.
;) .
He would have to accept the traffic into his system to filter it. His issue is the bandwidth cost, not the processing power to service the requests. His simplest way of dealing with the requests, by the time they reach his timeserver, is simply to answer them. Spending even more effort deciding who to answer simply ups his processing load, and coping with the resulting retransmits from the idiot clients would only increase his bandwidth costs.
> Just like I need to edit my robots.txt to not accept google, he can change his filters not to accept traffic from outside denmark.
> He is 'just' being slashdotted and can easily resolve the issue.
Your robots.txt file simply directs webspiders where they are allowed on your site. Assuming you have connection filtering set up, that will deny connections based on source IP address (you do realise that IP address ranges do not map cleanly to geographical locations I presume, and that incoming connections are at this point simply IP addresses?). An http connection with a client is a "long term relationship". Rejecting that connection is trivial compared with servicing the requests. For more terse protocols like NTP this is not true at all.
The only way filtering would assist his bandwidth cost would be if it were applied by his ISP before traffic was assigned to his downlink. His ISP has no interest in doing this unless he pays, since it would cost them processing power to implement the filter and lose them money on the bandwidth he would no longer have to pay for.
> This all does not mean that D-Link is a bad company and should change their attitude, best by installing their own server.
I presume you lost a "not" in that statement somewhere? As far as I can see what Dlink have orchestrated amounts to a distributed denial of service attack, and is likely illegal on that basis in quite a few jurisdictions. And rightly so, this is not simply ignorant, it's criminal.
An entirely appropriate response would be for ISP's to recognise Dlink kit making these requests (the originating ISP has source IP address and MAC address and can recognise the destination IP and that it is an NTP request) and thus recognise a "broken" Dlink and shitcan all traffic from it thereafter. The resulting customer backlash when Dlink routers ceased to function would get Dlink's attention fairly quickly. The originating ISP has money to gain by not forwarding traffic and has a sales opportunity replacing the "broken" Dlink routers.
Angry network engineer.
For some reason it did not occur to me until now that D-Link would be stupid enough to harvest the stratum-1 server list for their devices, but it seems that is exactly what they did :-(
http://people.freebsd.org/~phk/dlink/letter2.html
Poul-Henning
Poul-Henning Kamp -- FreeBSD since before it was called that...
Can his DNS host at dix.dk be configured to only resolve his ip address to other dix.dk hosts, perhaps even to a list of known BGP routers? Then one TTL later, the DLINK boxes would lose contact. This would seem to be in every Danish ISP's interest.
The ntp servers listed include a number of government sites, some universities, and others. They may be suffering without noticing yet. If some of them could be talked into taking an interest, California law and class action might be words that get the attention of D-Link management.
To the mod who just downgraded my comment.
Admittedly, the start of my post is childish, but so was the grandparent poster.
I asked if there is anything that the slashdot community could do. I was referring to maybe a fund to help him with his legal costs, or otherwise with his hosting charges. Although the article does ask for assistance in getting D-Link's attention, if this doesn't help, maybe there is something else we can do?
How would you feel if this happened to you?
Curiosity was framed; ignorance killed the cat. -- Author unknown
"Self-righteous" would make a nice new category as well.
He also mentions how blocking traffic is not feasible, and why
He says that he'd have to ingress inspect at the border for the net - that's not the case - he can set up a linux box with proxy arp and iptables to inspect packets for just the IP address in question.
It doesn't stem the flood of traffic, but he can at least poison the well.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
You shouldn't have someone writing firmware if they don't know best practices
Count yourself as lucky since you've obviously never had to use D-Link gear!
Obviously, this attack has something to do with that cartoon thing.
I'm pretty sure the relevant line here was, "Birka Birka Birka, Mullah, Mullah, Mullah, link-i-D-Link-i-D-Link-i-D-Link, Flippity Floppity Floop".
q.e.d.
test