Slashdot Mirror


D-Link Firmware Abuses Open NTP Servers

DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."

7 of 567 comments (clear)

  1. wrong easy fix. try this... by swschrad · · Score: 5, Interesting

    send a private communication to the authentic users (not the robot moochers from D-Link) that on date X, the new IP service address will be unhacked.gps.dix.de or whatever suits him.

    on date X, send bogus packets in response... not just wrong time, but seriously wrong time, like a packet with time of 9s in all fields, which would be most seriously wrong.

    hopefully, it would lock up the offending junkpiles, and clear the problem right smartly.

    the general idea in engineering an end to these things is to find a way to blow up the crooked machine by a seriously wrong entry that will screw up the internals. since they took an ugly and cheap shortcut by using firmware tables, they probably don't error-check their inputs from NTP and other services. so there should be a memory jump and a crash in those pirate boxes someplace.

    and that puts the onus back where it belongs, on supercheap designers for obnoxious companies that don't give a shit about network etiquette. the market will punish them. that's how it should be for slap-happy outfits.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  2. D-Link is just a bad net citizen by cdrudge · · Score: 4, Interesting

    It's not the first time that D-Link's crappy programming has affected a service. DynDNS.com last year started blocking all update requests that match a user-agent of client/1.0, beleived primarily to be several D-Link routers. D-Link has been mum on a response last I heard.

  3. Re:Moochers by typical · · Score: 4, Interesting

    It's cheaper for D-Link to freeload off other people.

    That being said, D-Link has acquired quite a bad reputation in my book. The last time they were prominently mentioned on Slashdot was when their routers were randomly silently redirecting a small chunk of HTTP traffic to D-Link advertisements, and causing the obvious mayhem in non-human-readable HTTP traffic.

    I'm also wondering just how much mayhem this guy could cause on various networks by playing with the time he returns. I'm not advocating that...I'm just pointing out that D-Link is rather leaving the owners of their routers open to whatever he chooses to do to them. Adding NTP support to a product is one thing -- hardcoding it to reference an NTP server that you can't guarantee is trustworthy is another thing. Suppose, for instance, this guy drops the name due to the expenses and someone else picks it up...

    To be blunt, buying D-Link hardware at this point means that you're kind of, well, asking for whatever the hardware does to you.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
  4. Re:Im confused by typical · · Score: 5, Interesting

    There are three conventions being violated:

    * To keep the network working, the NTP system is tiered. Anything other than a time server used to redistribute time to other machines should probably access a Tier 3 system, or a Tier 2 if that is not possible. It should never hammer a Tier 1 -- this can screw up the rest of the NTP network.

    * There are large lists of NTP servers, and they list access restrictions. As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for client use.

    * As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for use outside of Denmark.

    You may not be used to this sort of thing, because no such set of agreements exists for, say, webservers. However, in the NTP world, network administrators respect these, and it is why the time system continues to work.

    What D-Link is doing hurts all Danish NTP users, and freeloads off a volunteer (D-Link is selling the product and profiting from it -- let *them* handle the traffic and factor any bandwidth costs into their product cost). It opens their product to potential abuse if the server becomes malicious (a properly-designed router would allow the user to specify an NTP server, or if the user is unable to configure a router, to do what the letter suggested and use a D-Link-controlled name.). It violates agreements that have been generally respected by the NTP-using administrator community for many years.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
  5. D-Link Business Development by Qbertino · · Score: 4, Interesting


    Ok, let's do some good. Are we slashdot, or what?

    D-Link Business Development and Strategic Partnerships, E-mail: bdm@dlink.com

    >>>
    To whom ever it may concern:

    Hello.
    I just learned of you companies notably persistent inability and unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is severly disrupting internet services for a large amount of internet participants and even though you have been informed in detail of these effects your products are having, you have done nothing of substance to resolve the issue and compensate for the damage done.

    Until I learn that the issue described in the open letter do D-Link, available under http://people.freebsd.org/~phk/dlink/, was resolved in a professional and mutualy satisfying manner I will not purchase any D-Link products and will strongly discourage anybody asking for my expertise as a professional in the IT field from buying D-Link products or from engageing in any sort of business relationship with D-Link.

    Sincerely
    An Internet User

    Mistakes in this one? Please post corrected version below and then add a 'mailto' link to the address.
    Grammar Nazis, it's your turn!


    --
    We suffer more in our imagination than in reality. - Seneca
  6. Path to Justice by doublem · · Score: 5, Interesting

    1. Buy the domain name off this poor guy / arrange for alternate hosting if it can't be sold.

    2. Take a collection from the /. community to set up an alternate server.

    3. Wait a month for all the legitimate users to switch to a new URL.

    4. Fire up a server at the old URL reporting Midnight, Jan 1, 1900

    5. Let D-Link deal with users accusing D-Link of failing to sell a Y2K compliant product in 2006.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  7. Re:WTF??? by LurkerXXX · · Score: 5, Interesting
    It doesn't seem like a moral crusade to me.

    He discovered a problem.
    He contacted the company causing the problem.
    He explained the problem, and simply asked them to fix it.
    They didn't.
    They put him off.
    They threw a lawyer at him to threaten him.
    They offered 'compensation' that didn't come close to covering his costs.

    He was trying to do it all quietly and nicely, not crusading, and they wouldn't have it.

    So instead of going through the often extremely troublesome and lengthy legal procedings (which are even worse than normal since this is an international case), he was hoping to publically embarrass the company into fixing the problem they caused. Seems like a reasonable attempt at a speedy solution, not a crusade.