D-Link Firmware Abuses Open NTP Servers
DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
Give people an inch and they take a mile. I don't see why D-Link and Netgear couldn't just make their own stratum-1 NTP servers. I mean, if you trust the brand name enough for your routing, don't you trust them enough for your time as well?
pool.ntp.org?
Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
So let me get this straight... this guy hosts an NTP server and is pissed because... it's being used as an NTP server?
If I set up an NTP server, say for my university, and left it open for others, I also might think it a bit unorthodox if a multinational corporation hardcoded all their gear (which was deployed internationally) to query it. This is for several reasons. First, it generates unneeded bandwidth and violates convention by not using a local NTP server. Second, it means thousands of people are relying on one person for their gear to work properly, a person the company did not even bother to consult. What if he decides to change the time by five hours, just for fun? It is bloody irresponsible of the manufacturer to give him that option. And what happens if the server is deprecated or the hostname and IP changed in a reworking of the network? Tons of wasted traffic as they ping his IP space.
He followed standard protocol for NTP servers, which is to list the restrictions on the use of your server with its entry on the NTP server list. System administrators are supposed to check this to make sure they're not making an unauthorized connection. They're also supposed to contact the NTP server administrator to let him know they're using the server, unless the server admin states otherwise.
You can learn all this and check the list to be sure you comply within 10 minutes thanks to the power of Google. Any responsible company would know this and do so. D-Link made a big mistake (not in terms of the impact on them, sadly) and is evidently refusing to own up.
As others have pointed out, it's not easy to implement the restrictions that would enforce the access policy. It's also sad, though not surprising, that one would have to. It'd be one thing if the server was the target of script kiddie DoS attacks, but a legitimate company selling network products really ought to know better (and care).
So why didn't they just own up to the mistake, update the firmware and cut him a check for his expenses plus a 5% or so to apologize for the inconvenience? Bureaucrats and lawyers who cannot admit that they are wrong only end up creating more public disgust with their behavior. When you find yourself digging a hole, stop digging!
Change the DNS name. Granted, he gives reasons for not wanting to do this, but the only practical alternative is to shut down the server entirely. This will still require 2000 or so system administrators to reconfigure their servers, so he might as well provide a logical alternative.
I'm surprised phk is screwing around writing long-winded letters. Much faster would have been to just add a DNS A record by the name of private-ntp.dix.dk for the legit users and have them use that server. The old gps.dix.dk entry should be made into a CNAME for www.dlink.com. That would put the crushing levels of NTP traffic back where it belonged -- right on D-Link's doorstep.
ATTN: President & CEO
17595 Mt. Herrmann St
Fountain Valley, CA 92708
I have recently read an open letter to D-Link available at the following URL:
http://people.freebsd.org/~phk/dlink/
I must say that I am disgusted with D-Link's poor choice of action. D-Link may think that abuse such as this will go unnoticed, but that is not the case. While I don't expect my actions to bring your corporation to its knees, I am the "geek" of my family, and I have taken a personal stand by ordering Linksys products to replace any and all of the D-Link networking gear that my parents, siblings, cousins, and roommates are using. I hope that my sacrifice puts a dent in the damage your corporate negligence has caused Mr. Kamp.
-- lol pwned
I don't get why D-Link doesn't just solve the problem. All they need to do is put up an ntp.dlink.com with a simple mock DNS server that checks the requesting IP, and returns the closest known, public (or authorized for that network) NTP server as a CNAME. In most of the cases, that's going to be the IP's ISP-provided NTP server, which D-Link could easily compile a list of from ISP websites. It's like 2 weeks of one person's work to write the server, gather data, and solve 80% of the problem (and avoid doing this to companies that CAN afford to sue in the future). This would also allow organizations to request special listings in D-Link's table.
Even in the case where the request comes from a recursive lookup, it should (in almost all cases) come from a DNS server which indicates the rough location (in terms of Internet topography) of the client.
Of course, they could also obey DHCP responses (either to the device or to a directly connected IP) as a fallback, solving even more of the problem.
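The selection logic behind the mock DNS server proposed in the comment above, as an added illustration (not code from the thread or from D-Link): pick the NTP server to hand back as a CNAME by longest-prefix match on the querying IP, honour a narrower "special listing" over the ISP-wide entry, and fall back to pool.ntp.org for anything unknown. Every prefix and server name in the table is a constructed placeholder.

```python
import ipaddress

# Constructed routing table: client prefix -> NTP server to return as a CNAME.
# All prefixes and hostnames are hypothetical placeholders, not real allocations.
ROUTING_TABLE = {
    "192.0.2.0/24": "ntp.isp-a.example",       # an ISP's own NTP server
    "192.0.2.128/25": "ntp.campus.example",    # an org that requested a special listing
    "198.51.100.0/24": "ntp.isp-b.example",
    "2001:db8::/32": "ntp6.isp-c.example",
}
FALLBACK = "pool.ntp.org"  # public pool, as suggested elsewhere in the thread


def build_table(raw):
    """Parse the prefix strings once; longer (more specific) prefixes are tried first."""
    nets = [(ipaddress.ip_network(p, strict=True), target) for p, target in raw.items()]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)


def select_ntp_target(client_ip, table):
    """Return the CNAME target for the querying IP using longest-prefix match.

    The querying IP is usually the client's recursive resolver rather than the
    router itself; as the comment notes, that is still a good proxy for where
    the client sits in the network topology.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return FALLBACK  # unparsable source: hand out the safe default, not an error
    for net, target in table:
        if addr.version == net.version and addr in net:
            return target
    return FALLBACK


if __name__ == "__main__":
    table = build_table(ROUTING_TABLE)
    for ip in ("192.0.2.10", "192.0.2.200", "2001:db8:1::5", "203.0.113.9", "not-an-ip"):
        print(ip, "->", select_ntp_target(ip, table))
```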
I can see some D-Link manager making a checkmark in their pocket book: "Remember not to visit Denmark under my true name".
Can't that easily be re-written to "Remember not to visit the European Union"?