Slashdot Mirror


D-Link Firmware Abuses Open NTP Servers

DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."


  1. List of Affected Products: by SuperficialRhyme · · Score: 5, Informative

    From TFA: "A number of D-Link products, so far I have at least identified DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624, contain a list of NTP servers in their firmware and using some sort of algorithm, they pick one and send packets to it."

    1. Re:List of Affected Products: by SuperficialRhyme · · Score: 4, Informative

      I asked for details and this is what he provided to me. I haven't gotten to do this yet:

      "If you download the firmware from DLink and run unarj on it
      you get a file called something like nml.mem.

      Run strings on that and grep for GPS.dix.dk to make sure it is not
      listed in there."
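The unarj-then-strings check quoted above can be done without the `strings` binary. The following is an added example, not code from the thread or from D-Link: it mimics `strings` (printable ASCII runs of four bytes or more) and then picks out hostnames and dotted-quad IPv4 literals, so it also covers the Netgear case mentioned later in the thread, where addresses rather than names were burned in. The `SAMPLE_IMAGE` bytes are constructed stand-ins for an extracted `nml.mem`, not a real firmware image; the unarj extraction step itself is not reproduced.

```python
import re
import string

# Bytes that `strings` treats as printable: ASCII letters, digits, punctuation, space.
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII at least min_len bytes long, like `strings`."""
    run = bytearray()
    for b in blob:
        if b in _PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


# Hostnames such as GPS.dix.dk or ntp.dlink.com, and dotted-quad IPv4 literals.
_HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE)
_IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def find_hardcoded_servers(blob: bytes, watch=("gps.dix.dk",)) -> dict:
    """Return hostnames and IPv4 literals found in blob, plus which watched names appear."""
    hosts, ips = set(), set()
    for s in extract_strings(blob):
        hosts.update(h.lower() for h in _HOST_RE.findall(s))
        ips.update(_IPV4_RE.findall(s))
    watched = {w.lower() for w in watch}
    return {
        "hostnames": sorted(hosts),  # review by hand: file names like nml.mem match too
        "ipv4": sorted(ips),
        "watch_hits": sorted(h for h in hosts if h in watched),
    }


# Constructed stand-in for an extracted nml.mem: printable runs between binary bytes.
# This is not real D-Link firmware.
SAMPLE_IMAGE = (
    b"\x00\x01\x7fELF\x00\x00"
    b"GPS.dix.dk\x00\xff\xfe"
    b"ntp.dlink.com\x00"
    b"192.168.0.1\x00\x00"
    b"sntp_poll=60\x00"
)

if __name__ == "__main__":
    for key, values in find_hardcoded_servers(SAMPLE_IMAGE).items():
        print(f"{key}: {values}")
```

Run it against the real extracted file with `find_hardcoded_servers(open("nml.mem", "rb").read())`; an empty `watch_hits` list is the "not listed in there" result the quoted instructions are looking for, while the full `hostnames` and `ipv4` lists show what the firmware does talk to instead.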

    2. Re:List of Affected Products: by codegen · · Score: 2, Informative

      The mac address is only visible on the local network. After the packet hits
      a gateway, the mac address is gone (only the IP address remains).

      --
      Atlas stands on the earth and carries the celestial sphere on his shoulders.
    3. Re:List of Affected Products: by Anil+Purandare · · Score: 2, Informative
      DI-604

      Ugh. I use one of those at home. I'm glad now that I set a default NTP server when I first set it up, but I doubt this is something most users would do. Here are the instructions for doing this. I don't know if this applies to the other models listed above.

      This might also be useful: List of NTP Pool Servers

    4. Re:List of Affected Products: by imp · · Score: 2, Insightful

      Anyway, my point is that the guy concentrated more on exposing his problems and demanding payment for his expenses than detailing the problem itself, which would be healthier to his servers, as this would prompt at least some more people to update their routers.


      Actually, you haven't read the letter, have you? In it he outlines the problem fairly well. He lists the actual expenses that he's incurred because this bone-headed dlink stunt has cost him a ton of money. He'd be very happy if dlink just said 'ok, we were wrong, here's the fixed firmware, sorry for the hassle'. He does present the 'ntp.dlink.com' solution there.

      When corporate customers misbehave and abuse system resources, it costs people actual money. In this case, a lot of money, as well as jeopardizing a service to the users in Denmark that Poul-Henning has been providing to them out of the kindness of his heart. Now to have some evil company come in and abuse that is bad enough. But to paint him as a money grubbing scum is over the top.

      Warner
    5. Re:List of Affected Products: by ajs · · Score: 3, Insightful

      I don't get why D-Link doesn't just solve the problem. All they need to do is put up an ntp.dlink.com with a simple mock DNS server that checks the requesting IP, and returns the closest known, public (or authorized for that network) NTP server as a CNAME. In most of the cases, that's going to be the IP's ISP-provided NTP server, which D-Link could easily compile a list of from ISP Web-sites. It's like 2 weeks of one person's work to write the server, gather data, and solve 80% of the problem (and avoid doing this to companies that CAN afford to sue in the future). This would also allow organizations to request special listings in D-Link's table.

      Even in the case where the request comes from a recursive lookup, it should (in almost all cases) come from a DNS server which indicates the rough location (in terms of Internet topography) of the client.

      Of course, they could also obey DHCP responses (either to the device or to a directly connected IP) as a fallback, solving even more of the problem.

    6. Re:List of Affected Products: by COMON$ · · Score: 2
      Oh I am aware of that, but I am thinking of my brother and grandparents. Along with several hundred other people I have set up with D-Link routers. Of course I can reconfigure them in the future but I would bet good money that the majority of people out there who own D-Link products don't know what firmware is. Always remember, we are in a minority. I think he took the best action he could aside from changing his domain and IP. If there is no response to his open letter then he will be forced to do one or the other.

      Interesting question that you bring up is whether or not the custom firmware for d-links is in question as well.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    7. Re:List of Affected Products: by sp0rk173 · · Score: 2, Insightful

      Simple or not for a slashdotter, I know several users who can't even figure out the default password to their routers, despite it being plainly stated in their operating manuals (the particular case I'm thinking of is a relative of mine who called me asking what his Linksys wireless router's password was. The manual clearly states that it is "admin" in several places).

      Most users of routers these days have no idea what NTP means, nor what an NTP server is...nor even what firmware is. Do you really expect that him putting hours of work into researching which routers are and are not affected, then posting those on a website that a tiny percentage of users even know about will bring any measurable mitigative effect on the current problem? How will the majority of D-Link users even know about this issue? I can assure you that most of them do not read slashdot or even know who this dude is. Going directly to the source of the problem (ie, D-Link) really is the only way to get this corrected.

    8. Re:List of Affected Products: by Anonymous Coward · · Score: 4, Informative

      From the RFC website: http://www.rfc-archive.org/getrfc.php?rfc=4330

      10. Best Practices

            NTP and SNTP clients can consume considerable network and server
            resources if they are not good network citizens. There are now
            consumer Internet commodity devices numbering in the millions that
            are potential customers of public and private NTP and SNTP servers.
            Recent experience strongly suggests that device designers pay
            particular attention to minimizing resource impacts, especially if
            large numbers of these devices are deployed. The most important
            design consideration is the interval between client requests, called
            the poll interval. It is extremely important that the design use the
            maximum poll interval consistent with acceptable accuracy.

            1. A client MUST NOT under any conditions use a poll interval less
                    than 15 seconds.

            2. A client SHOULD increase the poll interval using exponential
                    backoff as performance permits and especially if the server does
                    not respond within a reasonable time.

            3. A client SHOULD use local servers whenever available to avoid
                    unnecessary traffic on backbone networks.

            4. A client MUST allow the operator to configure the primary and/or
                    alternate server names or addresses in addition to or in place of
                    a firmware default IP address.

            5. If a firmware default server IP address is provided, it MUST be a
                    server operated by the manufacturer or seller of the device or
                    another server, but only with the operator's permission.

            6. A client SHOULD use the Domain Name System (DNS) to resolve the
                    server IP addresses, so the operator can do effective load
                    balancing among a server clique and change IP address binding to
                    canonical names.

            7. A client SHOULD re-resolve the server IP address at periodic
                    intervals, but not at intervals less than the time-to-live field
                    in the DNS response.

            8. A client SHOULD support the NTP access-refusal mechanism so that
                    a server kiss-o'-death reply in response to a client request
                    causes the client to cease sending requests to that server and to
                    switch to an alternate, if available.

      -daedone
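The rules quoted above describe a client-side state machine more than a packet format, so here is an added example of what a client that obeys rules 1, 2 and 8 looks like. It is illustrative Python written for this thread, not D-Link's firmware and not anyone's production client: socket I/O and DNS resolution (rules 6 and 7) are left out so it runs offline, `MAX_POLL` is an assumed cap, the server names are placeholders, and `make_reply` builds constructed packets rather than real captures. The kiss codes DENY, RSTR and RATE are the ones RFC 4330 section 8 defines; treating any other code like RATE is a conservative choice of this example.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MIN_POLL = 15                      # rule 1: a client MUST NOT poll more often than every 15 s
MAX_POLL = 1024                    # assumption: cap backoff at 2^10 s; pick to suit accuracy needs


def build_client_request(version: int = 4) -> bytes:
    """48-byte SNTP client request: LI=0, VN=version, mode=3, transmit timestamp filled in."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | 3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    struct.pack_into("!II", pkt, 40, secs, int((now - secs) * 2**32))
    return bytes(pkt)


def make_reply(stratum: int, refid: bytes = b"\0\0\0\0", tx_unix: float = 0.0) -> bytes:
    """Constructed server reply (mode 4) for offline testing; not a real capture."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = refid
    secs = int(tx_unix)
    struct.pack_into("!II", pkt, 40, secs + NTP_EPOCH_OFFSET, int((tx_unix - secs) * 2**32))
    return bytes(pkt)


def parse_reply(data: bytes) -> dict:
    """Decode the header fields a client needs; stratum 0 marks a kiss-o'-death packet."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum = data[0], data[1]
    mode = first & 7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    tx_secs, tx_frac = struct.unpack_from("!II", data, 40)
    return {
        "version": (first >> 3) & 7,
        "stratum": stratum,
        # RFC 4330 section 8: in a kiss-o'-death packet the reference identifier holds an ASCII code
        "kiss_code": data[12:16].decode("ascii", "replace") if stratum == 0 else None,
        "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }


class PoliteSntpClient:
    """Poll-interval and server-selection state following RFC 4330 section 10 rules 1, 2 and 8."""

    def __init__(self, servers, min_poll: int = MIN_POLL, max_poll: int = MAX_POLL):
        if min_poll < 15:
            raise ValueError("RFC 4330 rule 1: poll interval must never be below 15 s")
        if not servers:
            raise ValueError("need at least one server")
        self.servers = list(servers)  # rule 4/6: operator-editable names, resolved via DNS at run time
        self.active = 0
        self.min_poll, self.max_poll = min_poll, max_poll
        self.poll = min_poll

    @property
    def server(self):
        return self.servers[self.active] if self.servers else None

    def _backoff(self) -> int:
        self.poll = min(self.poll * 2, self.max_poll)  # rule 2: exponential backoff
        return self.poll

    def on_timeout(self) -> int:
        """No answer: back off; once already at the cap, also move to the alternate server."""
        if self.poll >= self.max_poll and len(self.servers) > 1:
            self.active = (self.active + 1) % len(self.servers)
        return self._backoff()

    def on_reply(self, data: bytes) -> tuple:
        r = parse_reply(data)
        code = r["kiss_code"]
        if code is None:
            return ("ok", r["stratum"], self._backoff())  # healthy server: keep stretching the interval
        if code in ("DENY", "RSTR"):
            # rule 8 / section 8: stop sending to this server for good, switch to an alternate if any
            self.servers.pop(self.active)
            self.active = self.active % len(self.servers) if self.servers else 0
            self.poll = self.min_poll  # fresh start with the alternate
            return ("deny", code, self.server)
        # RATE means slow down to this server; other kiss codes are treated the same way here (assumption)
        return ("rate", code, self._backoff())


if __name__ == "__main__":
    c = PoliteSntpClient(["ntp.example.net", "pool.ntp.org"])
    print(c.on_reply(make_reply(1, b"GPS\0", tx_unix=1_000_000_000.5)))
    print(c.on_reply(make_reply(0, b"DENY")), "now using", c.server)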

    9. Re:List of Affected Products: by brunson · · Score: 2, Informative

      The right server to put in there is "pool.ntp.org". I would have hoped that someone at D-Link was aware of that DNS pool.

      --
      09F911029D74E35BD84156C5635688C0
      Jesus loves you, I think you suck
    10. Re:List of Affected Products: by dougmc · · Score: 2, Insightful
      From the RFC website: http://www.rfc-archive.org/getrfc.php?rfc=4330
      Yes, and that's a relevant thing to add to this discussion, but you should keep in mind (or mention if it's already in mind) that RFC stands for `Request for Comments', not `Rules that must never be broken' or even `Follow these or you'll be sent to Gitmo.'

      Violating a RFC may make you a bad person, and certainly it looks like D-link is in the wrong here, but it's not like there's anybody out there enforcing RFCs in any way beyond `you shouldn't be doing that!' (unless they're kooks, of course).

      Now, maybe you could sue somebody for violating a RFC, and perhaps that's what Mr. Kamp should do, but I'm no lawyer and he's already spoken with many about this, so I suspect he has considered it. But it's not likely that any actual laws are being broken here.

      Now, if Mr Kamp wanted to play hardball, he could have his legitimate users of his NTP server move to another name, and then modify the GPS.dix.dk server to return a totally bogus time, which would probably help get the current users of the routers to upgrade their firmware. I suspect that only a small fraction of the users would even notice, but those that do would call D-Link, and those calls would cost D-Link money ...

      Yes, Mr Kamp shouldn't have to do this, and maybe the /. effect (which does go beyond mere web traffic) will prompt D-Link to do what they can to fix the problem they've caused, but it's always an option, one which he's probably already considered.

  2. Moochers by suso · · Score: 5, Insightful

    Give people an inch and they take a mile. I don't see why D-Link and Netgear couldn't just make their own stratum-1 NTP servers. I mean, if you trust the brandname enough for your routing, don't you trust them enough for your time as well?

    1. Re:Moochers by archen · · Score: 4, Insightful

      I mean why in the hell does cheap dlink crap need to connect to stratum-1 servers? Seriously these things should be running on stratum-3 or lower. I doubt the FBI will come into your home with national security at stake and the whole world ENDS because your $40 dlink router is off by half a second. Why doesn't dlink run their own damn ntp server off of the stratum-1 (making them stratum 2 - stratum 1 is sort of expensive). There is no need for these things to have this level of time precision - they just need ballpark correct time.

    2. Re:Moochers by suso · · Score: 3, Insightful

      I'm not considering good will, appreciation, or the right thing to do. None of these things apply to a business unfortunately.

      Eh hem, at the risk of sounding like a troll, they apply to my business damnit and don't you forget that.

      The problem is, when you do the right thing, like enforcing security over convenience, customers don't always appreciate it.

    3. Re:Moochers by typical · · Score: 4, Interesting

      It's cheaper for D-Link to freeload off other people.

      That being said, D-Link has acquired quite a bad reputation in my book. The last time they were prominently mentioned on Slashdot was when their routers were randomly silently redirecting a small chunk of HTTP traffic to D-Link advertisements, and causing the obvious mayhem in non-human-readable HTTP traffic.

      I'm also wondering just how much mayhem this guy could cause on various networks by playing with the time he returns. I'm not advocating that...I'm just pointing out that D-Link is rather leaving the owners of their routers open to whatever he chooses to do to them. Adding NTP support to a product is one thing -- hardcoding it to reference an NTP server that you can't guarantee is trustworthy is another thing. Suppose, for instance, this guy drops the name due to the expenses and someone else picks it up...

      To be blunt, buying D-Link hardware at this point means that you're kind of, well, asking for whatever the hardware does to you.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    4. Re:Moochers by archen · · Score: 2, Informative

      just a correction, I sorta got stratum 0 confused in there, it should be lowered by a stratum, but honestly many recommend you connect to stratum 2 servers to lighten the load on the stratum 1 whose main purpose should be time distribution. (or high precision for those in need)

    5. Re:Moochers by boneshintai · · Score: 4, Informative

      That was Belkin.

    6. Re:Moochers by Moonwick · · Score: 2, Informative

      Stratum 1 servers aren't "expensive" nor are they a limited resource; any time server that pulls its timebase from GPS, for example, is stratum 1.

      --
      Only on slashdot can a posting be rated "Score -1, Insightful".
    7. Re:Moochers by Just+Some+Guy · · Score: 2, Interesting
      Suppose, for instance, this guy drops the name due to the expenses and someone else picks it up...

      ...or does what I'd do, and find out if any NTP replies can crash DLink's hardware. Move my real NTP server to a new IP and hostname and start advertising that, then start serving bad packets on the old address.

      DLink might be more interested in fixing the problem if 75% of their hardware was returned each month for random failure.

      --
      Dewey, what part of this looks like authorities should be involved?
    8. Re:Moochers by mpe · · Score: 2, Informative

      Stratum 1 servers aren't "expensive" nor are they a limited resource; any time server that pulls its timebase from GPS, for example, is stratum 1.

      The problems come where you have embedded devices which have a small number of (S)NTP servers hardcoded. This can easily create a distributed denial of service, especially since a coder likely to do this is also likely to make other mistakes in their implementation.
      If the idea is for the device to autoconfigure it needs to be picking randomly from a large list or able to discover which server(s) it should be using. e.g. DHCP, SLP, etc.

  3. Couldn't they filter by MECC · · Score: 2, Insightful

    I'd think they could just firewall off just their ntp servers, and only allow certain networks in - their networks. Of course, it wouldn't be open anymore, but with PHBs trolling around like daleks, opening things up to the general internet public is getting more and more difficult.

    --
    "We are all geniuses when we dream"
    - E.M. Cioran
    1. Re:Couldn't they filter by DES · · Score: 4, Informative

      A good idea, but not easily doable, since the allowed networks include most of Denmark. He would have to filter traffic based on the AS of the sender; this would require a full BGP feed and probably also a continuously updated mirror of the RIPE database.

    2. Re:Couldn't they filter by grimwell · · Score: 2, Informative

      Because there are ~2000 legit users of his ntp server. But in the end that is probably the solution he'll have to do... rename his ntp server, allow legit users to update their config and then point gps.dix.dk at a collection of boxes on D-Link's network.

      --
      If the govt becomes a lawbreaker, it breeds contempt for law, it invites man to become his own law, it invites anarchy
    3. Re:Couldn't they filter by b1t+r0t · · Score: 2, Insightful
      After all, wouldn't everyone else not be affected since the NTP pool can re-route the traffic to the new server?

      What the hell are you babbling about? There's no such thing as an "NTP pool" that can "re-route" anything. The D-Link just has a hardcoded list and keeps trying whichever ones it feels like until it gets a response.

      And if he renames his server, he just breaks it for the people who are supposed to be using it. He could try creating an alias for his server and convincing his users to switch over a period of time, but the abuse would still keep coming during that time. And that still doesn't stop the DNS queries. Also note that in the Netgear case, IP numbers were hard-coded, so no "renaming" could be done, and it was nearly impossible to filter the traffic early enough to make a difference.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    4. Re:Couldn't they filter by pla · · Score: 2, Interesting

      What the hell are you babbling about? There's no such thing as an "NTP pool" that can "re-route" anything.

      Pot, I'd like to introduce you to Mr. Kettle.

      Try pinging "pool.ntp.org". Now you know what the hell the GP babbled about.

      The NTP server in question does not (so far as I know) participate in the open NTP pool, but that fact differs drastically from saying "There's no such thing as an ``NTP pool`` that can ``re-route`` anything".



      And if he renames his server, he just breaks it for the people who are supposed to be using it.

      "Gee, I have to PAY 80% of my bandwidth cost to let an abusive user keep using my FREE service". Something there doesn't quite sound right, eh?

      I don't really see the problem with just changing the address, and in his situation, I don't think I would have even bothered trying to contact D-Link about the issue - I'd just make the change, email the users that asked permission (proper NTP etiquette says that you should always ask first, though server admins almost never turn anyone down), and leave it to the users to change over. It doesn't matter if he has 10 or 10,000 users - It only takes about 15 seconds to change one entry in an ntp.conf.

      For an example, I keep my masquerade box sync'd as a stratum-3 to a dozen timeservers, and every now and then, one will change. If the admin emails me, I just update my list; if not, a few months later I might notice that one server has stopped sending me data and I pick a new one. Not the end of the world - Not even enough of a problem that I even notice it except by pure chance. And unless all twelve went down without me noticing, NTP will intelligently just use the ones that do still respond (and even if they did all die, NTP learns your machine's hardware drift well enough over time that you'd still probably stay accurate to within a few seconds per year).

  4. Easy fix by mcgroarty · · Score: 4, Funny

    If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)

    1. Re:Easy fix by holdenholden · · Score: 5, Informative

      He says that such a solution is hard to implement on Cisco, and would be too CPU intensive. FTFA: "Filtering the D-Link packets requires inspection of fields which are not simple to implement in Cisco routers, and in particular such filtering seems to send all packets on the interface through the CPU instead of fast switching, so ingress filtering the packets at the ingress of AS1835 is totally out of the question."

    2. Re:Easy fix by gstoddart · · Score: 2, Insightful
      If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)

      Except, he'd still end up paying the $8000 USD bandwidth fees for the privilege of lying to people he'd rather not be connecting to him in the first place.

      An awfully expensive practical joke, don't you think?

      So he's stuck paying the bill, unless he wants to disconnect his legitimate users.
      --
      Lost at C:>. Found at C.
    3. Re:Easy fix by Ilex · · Score: 2, Funny
      Thus making all D-link hardware wonky.


      From my experience with DLink I doubt many people would notice any difference.
    4. Re:Easy fix by Anonymous Coward · · Score: 2, Funny
      hard to implement on Cisco

      Then perhaps he should find a better router vendor. I hear this company called dlink sells routers, perhaps they'd be better.

    5. Re:Easy fix by gstoddart · · Score: 2, Informative
      How long do you think D-Link would take to remove his ntpd from the firmware if having his ntpd makes the D-Links look defective? Hint: Support phone calls cost D-Link $$$.

      How long do you think it would take most people to even notice? I bet most people have never heard of NTP.

      How many people do you think are likely to upgrade their firmware? The ones they've already shipped are doing this.

      Hint: If this is a default setting that people are unaware of, they will never cause a support call to happen, but they will continue to affect this guy's bandwidth bill.

      As he pointed out, had D-Link done this differently, they could have redirected the NTP from within their own organization. As it is now, it's a burned in value that isn't likely to change.
      --
      Lost at C:>. Found at C.
  5. Hasn't anybody at D-Link heard of by bersl2 · · Score: 5, Insightful

    pool.ntp.org?

    1. Re:Hasn't anybody at D-Link heard of by fruity_pebbles · · Score: 4, Informative

      The pool guys have been talking of implementing a $company_name.vendor.ntp.pool.org setup. Having the $company_name specificity would allow them some leeway if an individual vendor does something silly. I don't know if any vendors have bought into this though.

  6. Re:Im confused by Nohea · · Score: 5, Informative

    NTP server use is tiered. So client PCs are not supposed to hit the tier 1s, they should hit 2nd tier or a local ntp server.

    You don't use the root DNS servers for all your DNS requests, right?

  7. Re:Im confused by phil+reed · · Score: 5, Informative

    Yes, you're confused. And, you didn't read the article. The author is pissed because he's running an NTP server intended to be accessed only by Danish networks, and for use by servers, not clients. D-Link products are only marketed to clients, and not just Danish clients.

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  8. Repost of Digg comment by Bogtha · · Score: 4, Informative

    If there's one thing I hate more than incompetence, it's people who don't care that they are incompetent and carry on churning out crap regardless of the problems it causes others.

    According to this page, D-Link have an office operating in Denmark. This makes them subject to Danish law whether they like it or not. I don't know whether Denmark's computer crime laws cover this, but it wouldn't surprise me.

    --
    Bogtha Bogtha Bogtha
  9. pool.ntp.org by martin · · Score: 2, Insightful

    Should be using pool.ntp.org surely........

    or am I being daft again..

  10. Blacklist time by phil+reed · · Score: 3, Insightful

    Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.

    --

    ...phil
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
    1. Re:Blacklist time by bhtooefr · · Score: 2, Informative

      I already have done a complete 180 on recommending D-Link, since much of the D-Link equipment I use and work with has failed spontaneously.

      And that was BEFORE this.

    2. Re:Blacklist time by Anonymous Coward · · Score: 2, Informative

      Actually there are some pretty good alternatives out there.
      I have been using and recommending both SMC and Asante products. They work flawlessly and the price is good too.

    3. Re:Blacklist time by IDontAgreeWithYou · · Score: 2, Funny

      I've done the calculations. In five years the geek community will have to manufacture everything they use themselves from raw materials that they dug up themselves, because every manufacturer will be blacklisted for some petty reason or another.

      --
      Finding other idiots on /. that agree with your opinion doesn't make it any less stupid.
    4. Re:Blacklist time by RedBear · · Score: 2, Insightful

      Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.

      I always wonder about something whenever someone suggests boycotting an entire company's products like this because of a few little problems. Namely, which perfect heart-warming angel company am I supposed to shop with from now on? Don't Linksys, Netgear, Belkin, IOGear, etc. all have their own problems? Last time I checked Belkin was building some seriously boneheaded ideas into their routers, and got burned for it pretty bad. Are we supposed to build our own routers out of Linux boxen or something to satisfy your outrage over some technical glitches? Please get over yourself unless you can provide us with a good argument that Company X is somehow immensely more evil than companies A, B, and C. We have to get our cheapo networking equipment somewhere.

    5. Re:Blacklist time by bzipitidoo · · Score: 2, Interesting
      Well, first D-Link did a boneheaded thing in their default setting. No problem. Some noticed and tried to tell them. Maybe a stupid incompetent mistake, but at this point an honest one. But D-Link is refusing to fix the problem, and behaving poorly and childishly. That's more serious. They're like a kid who accidentally knocked a glass off the table and then denied breaking it even though you were right there and saw the whole thing happen. Would any of you let your children get away with b.s. like that? No way! Do you want to deal with a company that treats people that way? I don't. Now if this was the only bad thing D-Link had ever done, I would agree that a permanent boycott of all their products is unreasonable. But I've heard too many stories, as well as been burned personally by their lousy equipment. It was no fun having to redo a bunch of network installations because their miserable cards screwed it all up by dropping just a very few bytes. Made it fail after going all the way thru the installation. I don't have to consciously boycott them. I simply avoid their products because I want equipment that isn't going to give me grief. I'd be happy to buy their stuff if they clean up their act. Until then, no sale.

      What do you do when every networking company carries on like that? You can't boycott them all, right? I can, and I will. If I have to do it myself to get decent equipment, then that's what I'll do. But there's no need. There is a fair amount of decent stuff out there. You just have to hunt for it. Recently, I bought a new router/hub/firewall. Took me 3 tries to find one that was acceptable. It's annoying to have to wade through product reviews, keep an eye on whatever you get for the first few days to be sure it's working right, and return the bad stuff, but there is enough crap out there you have to do it. Buying and returning bad products hurts them more than a simple boycott.

      BTW, if you're curious, the acceptable router was an SMC 7004VBR, and the bad ones were a Linksys WRT54G and a Trendware-- I forget the model number, but it had an extra feature, a USB printer port.

      The Linksys was especially disappointing after reading all the rave reviews in favor of it. Linksys really spoiled the WRT54G when they changed from version 4 to version 5 at the start of the year. There was one other bad thing that they fixed in spades. Older firmware versions would get you banned from dyndns.org for abuse. Very similar to what D-Link is doing to this NTP server. Not only did Linksys fix it, they went to the trouble and expense of getting dyndns.org to certify the WRT54G. Most routers just use dyndns; they don't bother with certification. Compare that to D-Link's behavior over this NTP problem. Too bad version 5 of the WRT54G was such an otherwise poor router. I'd try Linksys again sometime because their handling of their dyndns problem shows me they're trying to improve, and they do have the reputation of being the best at the wireless networking.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
  11. Re:Im confused by Chyeld · · Score: 4, Informative

    He hosts a NTP server with the intention of it being used by a certain audience. He's not pissed people outside of that audience are using the server, he's pissed that D-Link decided to abuse the service he's providing and now the overwhelming majority of the people using his service are outside the intended audience.

    Sorta like how server admins get pissed when an article posted on their site causes them to be Slashdotted.

    And honestly, the fact that D-Link is acting in the way it is while he tries to get them to resolve the issue probably isn't helping matters.

    Then again, as a former owner of a D-Link product which rebooted itself anytime I went over 50 simultaneous connections (think P2P), I don't doubt they'd be too cheap to actually just run their own.

  12. I just bought a DI-624+ by Aggrajag · · Score: 3, Informative

    The DI-624+ is not on the list and it is possible to manually change the NTP server which the router uses.

  13. Never buying D-Link again! by niskel · · Score: 2, Interesting

    I have never once had a good piece of D-Link hardware. I bought both the DI-624 wireless router and the DWL-G520 PCI wireless card. First up the router didn't do UPNP properly; it simply did not work. A call to tech support told me to upgrade the firmware because they knew that UPNP simply didn't work. After the firmware upgrade, port forwarding didn't work at all either. No solution for the router yet. As for the wireless card. After installing it, my system would completely hardlock after about 5 minutes of use. I called D-Link tech support and had to deal with all the questions for clueless people such as "Do you have the drivers?" and "Is it plugged in right?". After being elevated two or three tiers of tech support, I was finally able to get an RMA. I sent the card to D-link and waited a week or so for my new card. I plug in the new card and what happens? Same deal! Hardlock in 5 minutes of use! Now I have to wade through tech support all over again and end up getting another RMA. Wait another week; new card makes not one lick of difference. So I decide, I will just return the bugger to the store. The store wouldn't take it back because it has been 30 days since I bought the card! 30 days of tech support and RMAs. I call D-Link once more. This time I get to top level tech support and the guy said "Oh yeah, that card doesn't work with certain VIA chipsets, sorry.". I am quite annoyed because it says nothing of the sort on the box of the card. So I politely ask that since the card doesn't work as advertised if I could have a refund. He said "Oh no, we can't do that it is against our policy.". He then offered me an 802.11b card for a $15 administration fee.

    1. Re:Never buying D-Link again! by utexaspunk · · Score: 2, Insightful

      I had heard a lot of complaints like this about D-Link hardware and had thus avoided them when purchasing network products. But a few months ago, I was in the market for a wireless router. I started off with a Netgear router because I had good success with one of the old purple metal boxes I bought a long time ago. I live in an apartment with a lot of nearby wireless networks, so perhaps the SNR was just too small, but I was constantly losing the connection. Even the wired ethernet connection would drop off momentarily on a regular basis. I fiddled with it for a long time to no avail, so I figured maybe they've gone downhill since moving to the pretty white boxes. When I lived with my parents for a year after college, they had a Linksys WRT54G that seemed really reliable and powerful (although their aluminum siding and roof probably didn't hurt) so I exchanged the Netgear for a Linksys. No problem with the wired connection, but again the wireless problems persisted.

      I decided I'd get smart about it and look at reviews online and I saw a lot of good reviews for the D-Link DI-634M. I was a little wary because of what I'd heard before, but I went ahead and gave it a shot. Let me tell you, this thing is GREAT. Setup was a breeze, I didn't have to fiddle with anything, the signal is strong and steady from all over the apartment and in our courtyard downstairs; even the wired connection is noticeably faster. Maybe the company has had a turnaround, or maybe this product is just an exception, or maybe it's due to fail on me at any minute, but so far I've been quite impressed with this product. YMMV.

    2. Re:Never buying D-Link again! by plague3106 · · Score: 2, Insightful

      I have to disagree; I have nothing but D-Link routers and wireless adapters, and they all work fine for me. I never had a problem with them.

  14. Re:Im confused by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    So let me get this straight... this guy hosts an NTP server and is pissed because... it's being used as an NTP server?

    If I set up an NTP server, say for my university, and left it open for others, I also might think it a bit unorthodox if a multinational corporation hardcoded all their gear (which was deployed internationally) to query it. This is for several reasons. First, it generates unneeded bandwidth and violates convention by not using a local NTP server. Second, it means thousands of people are relying on one person for their gear to work properly, a person the company did not even bother to consult. What if he decides to change the time by five hours, just for fun? It is bloody irresponsible of the manufacturer to give him that option. And what happens if the server is deprecated or the hostname and IP changed in a reworking of the network? Tons of wasted traffic as they ping his IP space.

  15. He's not just any guy. by Anonymous Coward · · Score: 2, Insightful

    He's not just any guy. He is one of the main FreeBSD developers. His work is used directly and indirectly by millions of people (yourself included) each day. It's even quite possible that D-Link uses FreeBSD.

    When we see how much this man gives to the community for free, and the extremely high-quality of his work, I can't but help support him in this matter.

    I, for one, would consider donating to a fund to help him battle this menace, even though I'm not a Danish citizen. I would hope that Netgear, Cisco and others would help him financially, as well.

  16. Re:Fishy by rycamor · · Score: 2, Insightful

    And it never occurred to him to systematically unplug each device to see if it was the one causing the problem and then spend $99 on a new router? Something seems mighty fishy to me.

    Either this is a very weak attempt at a troll, or an incredible demonstration of ignorance.

  17. D-Link ha! by SpaghettiPattern · · Score: 2, Informative

    I own a D-Link Ethernet ADSL modem and guess what, the local IP address is fixed to 192.168.0.1. Nope, no changing that thing. If I had known beforehand... I had to completely renumber my network. I only had 8 NICs and two LANs but was pissed off nevertheless.

    --

    I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  18. Re:just change the DNS by thinkliberty · · Score: 2, Insightful

    if you don't want people to use your NTP server then logic would dictate don't set one up in the first place

    That is one of the dumbest things I have ever heard.

    Using your twisted logic there is nothing wrong with spammers sending people hundreds of thousands of unsolicited commercial email a day. If people don't want spam then they should not have set up an email address right?

  19. Re:Im confused by honkycat · · Score: 5, Insightful

    He followed standard protocol for NTP servers, which is to list the restrictions on the use of your server with its entry on the NTP server list. System administrators are supposed to check this to make sure they're not making an unauthorized connection. They're also supposed to contact the NTP server administrator to let him know they're using the server, unless the server admin states otherwise.

    You can learn all this and check the list to be sure you comply within 10 minutes thanks to the power of Google. Any responsible company would know this and do so. D-Link made a big mistake (not in terms of the impact on them, sadly) and is evidently refusing to own up.

    As others have pointed out, it's not easy to implement the restrictions that would enforce the access policy. It's also sad, though not surprising, that one would have to. It'd be one thing if the server was the target of script kiddie DOS attacks, but a legitimate company selling network products really ought to know better (and care).
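
    A server operator who cannot enforce the access policy with a firewall can at least measure who is violating it. The following is an added example, not code from this thread or from the server operator: it runs over a constructed request log of "unix-seconds source-ip" lines (format and RFC 5737 addresses are assumptions), flags sources that poll faster than ntpd's 64-second minimum interval, and summarises requests per /24 so that a fleet of devices that each poll politely still shows up as a block.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, one request per line: "<unix_seconds> <source_ip>".
# Addresses are RFC 5737 documentation ranges, not real clients.
SAMPLE_LOG = """\
1144400000 192.0.2.10
1144400064 192.0.2.10
1144400128 192.0.2.10
1144400000 198.51.100.7
1144400002 198.51.100.7
1144400004 198.51.100.7
1144400006 198.51.100.7
1144400008 198.51.100.7
1144400000 203.0.113.3
1144400001 203.0.113.9
1144400001 203.0.113.20
1144400002 203.0.113.21
1144400003 203.0.113.44
garbage line that does not parse
"""

# ntpd's default minimum polling interval is 2**6 = 64 seconds; a client that
# polls much faster than that is broken or misconfigured.
MIN_POLL_INTERVAL = 64


def parse_log(text):
    """Group request timestamps by source address; malformed lines are skipped."""
    by_source = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            stamp, src = int(parts[0]), ip_address(parts[1])
        except ValueError:
            continue
        by_source[str(src)].append(stamp)
    return dict(by_source)


def aggressive_clients(by_source, min_interval=MIN_POLL_INTERVAL):
    """Sources whose shortest gap between consecutive requests is below
    min_interval. Returns {source_ip: shortest_gap_seconds}."""
    flagged = {}
    for src, stamps in by_source.items():
        stamps = sorted(stamps)
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if gaps and min(gaps) < min_interval:
            flagged[src] = min(gaps)
    return flagged


def prefix_summary(by_source, prefix_len=24):
    """Requests and distinct hosts per prefix. A prefix with many hosts that
    each poll once is the signature of a fleet of identical devices, which a
    per-host rate limit would never notice."""
    summary = defaultdict(lambda: {"requests": 0, "hosts": 0})
    for src, stamps in by_source.items():
        net = str(ip_network("%s/%d" % (src, prefix_len), strict=False))
        summary[net]["requests"] += len(stamps)
        summary[net]["hosts"] += 1
    return dict(summary)


def traffic_share(summary, prefixes):
    """Fraction of all logged requests that came from the given prefixes."""
    total = sum(v["requests"] for v in summary.values())
    if total == 0:
        return 0.0
    hit = sum(summary[p]["requests"] for p in prefixes if p in summary)
    return hit / total


if __name__ == "__main__":
    by_source = parse_log(SAMPLE_LOG)
    print("polling too fast:", aggressive_clients(by_source))
    for net, stats in sorted(prefix_summary(by_source).items()):
        print(net, stats)
```

    The per-prefix view is the one that matters for the situation in the article: a single host polling every two seconds is easy to spot and rate-limit, while thousands of routers each polling every 64 seconds look harmless individually and only stand out in aggregate.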

  20. Re:Why didn't he take the "bribe"? by bloodredsun · · Score: 4, Informative

    Sorry to correct your rant, but he does say in TFA that the offer was so low that it didn't even cover his costs. That would be a good enough reason to say no, wouldn't it?

  21. wrong easy fix. try this... by swschrad · · Score: 5, Interesting

    send a private communication to the authentic users (not the robot moochers from D-Link) that on date X, the new IP service address will be unhacked.gps.dix.de or whatever suits him.

    on date X, send bogus packets in response... not just wrong time, but seriously wrong time, like a packet with time of 9s in all fields, which would be most seriously wrong.

    hopefully, it would lock up the offending junkpiles, and clear the problem right smartly.

    the general idea in engineering an end to these things is to find a way to blow up the crooked machine by a seriously wrong entry that will screw up the internals. since they took an ugly and cheap shortcut by using firmware tables, they probably don't error-check their inputs from NTP and other services. so there should be a memory jump and a crash in those pirate boxes someplace.

    and that puts the onus back where it belongs, on supercheap designers for obnoxious companies that don't give a shit about network etiquette. the market will punish them. that's how it should be for slap-happy outfits.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  22. They're clearly wrong here by MikeRT · · Score: 5, Insightful

    So why didn't they just own up to the mistake, update the firmware and cut him a check for his expenses plus a 5% or so to apologize for the inconvenience? Bureaucrats and lawyers who cannot admit that they are wrong only end up creating more public disgust with their behavior. When you find yourself digging a hole, stop digging!

    1. Re:They're clearly wrong here by rAiNsT0rm · · Score: 2, Insightful

      Whoa, Whoa, Whoa here! You tryin to get yourself sued or have men in black suits show up at your door?!?

      let's get this straight, businesses taking responsibility for their mistakes, paying restitution to the poor bastard who was wronged with a little extra compensation *instead* of paying four times the amount to a lawyer and the guy getting a check for $40 and a free happy meal? Preposterous!!!

      Seriously, between this and the paper I read about tying congressional pay raises directly to minimum wage increases it almost seems like Americans are finally waking up and starting to get tired of being walked all over like a doormat. Nah, must just be April Fools.

      --
      http://teasphere.wordpress.com - A little spot of tea
    2. Re:They're clearly wrong here by TubeSteak · · Score: 2, Insightful

      Big companies tend to treat certain groups of people like terrorists (we don't negotiate with terrorists) because they're afraid that if they give money to one of them, more will come out of the woodwork.

      Your solution might be obvious to us, but when it's your money... you might do what they did and just hope the guy goes away. Like TFA says, he can't afford to sue them, so other than publicly shaming D-Link, all he can do is bugger off.

      Either way, I hope some idiot programmer(s) gets fired at D-Link. You shouldn't have someone writing firmware if they don't know best practices & I don't know of many companies that wouldn't fire someone who screwed up so visibly.

      --
      [Fuck Beta]
      o0t!
    3. Re:They're clearly wrong here by DES · · Score: 4, Informative

      No, he can't "just firewall the server" and "tell the few people that would affect". There are thousands of legitimate users distributed across thousands of ASes covering thousands of IP ranges which may change from day to day or even hour to hour. His server is directly connected to the core switch at the Danish Internet Exchange, where all major Danish networks exchange BGP routing information and domestic IP traffic, and its purpose is to provide a stratum-1 reference for NTP servers on these networks. To determine which IP ranges may legitimately access his server, he would need a full BGP feed and a continuously updated copy of all as-block and aut-num records in the RIPE database.

  23. D-Link is just a bad net citizen by cdrudge · · Score: 4, Interesting

    It's not the first time that D-Link's crappy programming has affected a service. DynDNS.com last year started blocking all update requests that match a user-agent of client/1.0, believed primarily to be several D-Link routers. D-Link has been mum on a response last I heard.

    1. Re:D-Link is just a bad net citizen by Jesus_666 · · Score: 2, Informative

      I ended up writing a simple perl script to handle the updates instead.

      Here's a ready-made Perl-scripted daemon for this kind of stuff: http://ddclient.sourceforge.net/

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  24. Re:Why didn't he take the "bribe"? by sheehaje · · Score: 2, Informative

    .... Well, if you read the article....

    It's not just about money, it's also about client routers using bandwidth meant for BGP routers used by ISPs. It's a public network, but one intended for ISPs to transfer data, not for client use.

    He is asking for some reimbursement for the troubles he's endured, but D-Link is saying he is extorting them.

    IMHO, it is a problem D-Link did cause by their incompetence, and what is being asked is reasonable. The problem won't go away totally, because it relies on the average joe customer to actually update firmware, and now he has to deal with the situation for a long time to come. To be able to continue his "free" service, he may now have to pay for bandwidth that was free to him before D-Link wrongly implemented a protocol feature in some of their routers.

  25. Re:Fishy by Mr.+Vandemar · · Score: 3, Funny

    And just when I thought reading comprehension on Slashdot couldn't get any worse...

  26. Wasn't this already patched? by kryptobiotic · · Score: 2, Interesting

    I recently installed the new firmware for my 614+. It was released on 3/20/06 and had the revision info "Fixed NTP." Does anyone know how to find out which NTP server the router is using?

  27. Re:Im confused by typical · · Score: 5, Interesting

    There are three conventions being violated:

    * To keep the network working, the NTP system is tiered. Anything other than a time server used to redistribute time to other machines should probably access a Tier 3 system, or a Tier 2 if that is not possible. It should never hammer a Tier 1 -- this can screw up the rest of the NTP network.

    * There are large lists of NTP servers, and they list access restrictions. As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for client use.

    * As pointed out in the letter, this guy explicitly stated in his access rules that this server was not for use outside of Denmark.

    You may not be used to this sort of thing, because no such set of agreements exists for, say, webservers. However, in the NTP world, network administrators respect these, and it is why the time system continues to work.

    What D-Link is doing hurts all Danish NTP users, and freeloads off a volunteer (D-Link is selling the product and profiting from it -- let *them* handle the traffic and factor any bandwidth costs into their product cost). It opens their product to potential abuse if the server becomes malicious (a properly-designed router would allow the user to specify an NTP server, or if the user is unable to configure a router, to do what the letter suggested and use a D-Link-controlled name.). It violates agreements that have been generally respected by the NTP-using administrator community for many years.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
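
    The tiering the post describes is carried in the stratum field of every NTP packet, so the hierarchy is visible in the traffic itself. The following is an added example, not code from this thread: it builds a minimal client query and a constructed stratum-1 server reply (the "GPS" reference ID and the timestamp are assumptions, not a capture from the server in the article) and decodes the fixed 48-byte header that a router exchanges on UDP port 123. Fed the payload of a reply captured on the LAN side of a router, it tells you whether the device is talking to a primary reference and what that reference calls itself.

```python
import struct
from datetime import datetime, timezone

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

MODE_NAMES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control", 7: "private"}


def describe_stratum(stratum):
    """Meaning of the stratum field (RFC 5905, section 7.3)."""
    if stratum == 0:
        return "unspecified or kiss-o'-death"
    if stratum == 1:
        return "primary reference (stratum 1)"
    if 2 <= stratum <= 15:
        return "secondary reference (stratum %d)" % stratum
    return "unsynchronized or invalid (stratum %d)" % stratum


def build_client_request(version=3):
    """48-byte client packet: LI=0, VN=version, Mode=3, every other field zero.
    This is the shape of what a router or ntpd client sends to UDP port 123."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + bytes(47)


def build_server_response(stratum, refid, transmit_unix, version=3):
    """Constructed sample server reply (Mode 4) for offline use; not a capture.
    refid is the 4-byte Reference ID: ASCII for stratum 1 (e.g. b"GPS\\0"),
    the upstream IPv4 address for stratum 2 and above."""
    if len(refid) != 4:
        raise ValueError("refid must be exactly 4 bytes")
    first = (0 << 6) | (version << 3) | 4
    header = struct.pack("!BBbb", first, stratum, 6, -20)  # poll 2**6 s, precision 2**-20 s
    root = struct.pack("!II", 0, 0x100)                    # root delay, root dispersion
    stamp = struct.pack("!II", transmit_unix + NTP_UNIX_OFFSET, 0)
    # reference, origin, receive and transmit timestamps (all equal in this sample)
    return header + root + refid + stamp * 4


def parse_ntp(packet):
    """Decode the fixed 48-byte NTP header carried in a UDP/123 datagram."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes, got %d" % len(packet))
    first, stratum, poll, precision = struct.unpack("!BBbb", packet[:4])
    leap, version, mode = first >> 6, (first >> 3) & 7, first & 7
    refid_raw = packet[12:16]
    if stratum <= 1:
        refid = refid_raw.rstrip(b"\x00").decode("ascii", "replace")
    else:
        refid = ".".join(str(b) for b in refid_raw)
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])
    transmit_unix = tx_sec - NTP_UNIX_OFFSET + tx_frac / 2 ** 32
    # An all-zero transmit timestamp means "not set" (typical for a client query).
    transmit_iso = None
    if tx_sec:
        transmit_iso = datetime.fromtimestamp(transmit_unix, timezone.utc).isoformat()
    return {
        "leap": leap,
        "version": version,
        "mode": mode,
        "mode_name": MODE_NAMES.get(mode, "reserved"),
        "stratum": stratum,
        "stratum_name": describe_stratum(stratum),
        "poll": poll,
        "precision": precision,
        "refid": refid,
        "transmit_unix": transmit_unix,
        "transmit_iso": transmit_iso,
    }


if __name__ == "__main__":
    # Constructed exchange: a client query and a stratum-1 reply tagged "GPS".
    print(parse_ntp(build_client_request()))
    print(parse_ntp(build_server_response(1, b"GPS\x00", 1144400000)))
```

    A stratum-1 reply whose reference ID is a four-letter clock name (GPS, PPS, ATOM and so on) is the signature of a primary server; a client device that is regularly receiving such replies is doing exactly what the post says it should not.
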
  28. Why not rename the server by 91degrees · · Score: 3, Insightful

    Change the DNS name. Granted, he gives reasons for not wanting to do this, but the only practical alternative is to shut down the server entirely. This will still require 2000 or so system administrators to reconfigure their servers, so he might as well provide a logical alternative.

  29. OS fingerprint filtering with pf by DeBeuk · · Score: 2, Informative

    FreeBSD uses pf (well, it can use pf if you want to) as a packet filter. It has the wonderful option to filter traffic according to the OS fingerprint, as in you can block traffic originating from specific operating systems. I'd advise this guy to block all traffic from these D-Link devices.
    If there's no fingerprint on record yet you could generate it yourself; it's not that difficult to generate one.

    --
    Reality has a notoriously liberal bias -- Stephen Colbert
  30. Stupid idea.... by JaJ_D · · Score: 2, Insightful

    ...why don't you change the one they (D-Link) use to (basically) lie about the time! Deliberately send out the wrong information. Alter the config for the customers of DIX and let the D-Link customers go mad at D-Link

    Brutal but (in theory) effective....

    Jaj

  31. Re:wrong easy fix. try this... by kindbud · · Score: 2, Interesting

    the market will punish them.

    The market has no mechanism for punishing them. It is completely helpless to deal with this. It takes a sysadmin from a left-socialist country to deal with the things the market cannot.

    --
    Edith Keeler Must Die
  32. Re:A couple of possibilities by jbolden · · Score: 2, Insightful

    I think unauthorized is going to be tough to prove.

    1) The name of the server is public
    2) The address of the server is public
    3) The access to the server is public
    4) No attempt has been made to limit traffic.

    To use your trespass analogy:

    land that borders a public park without a fence without anything distinguishing it from the park.

    More importantly the time doesn't meet the criteria:

    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

    (B) information from any department or agency of the United States; or

    (C) information from any protected computer if the conduct involved an interstate or foreign communication;

    ________

    As for theft of service. No way. D-Link would need control of the service. I'm assuming you mean criteria (b) below:

    a) -- deception or threat
    b) -- Knowingly or purposely diverts another's services to the actor's own benefit or to the benefit of a third person, when the actor has control over the disposition of services to another to which the actor is not entitled; or
    c) -- holding personal property beyond the expiration of rental period without consent of the owner." He can't allege anything of the sort.

  33. Re:Fairly simple fix by nsayer · · Score: 2, Informative

    RTFA. He discusses this.

    1. He's already out a bunch of money trying to figure out what happened.

    2. He could change the DNS name, but then every legitimate user would have to change their configuration, and there's no guarantee D-Link wouldn't just update the firmware with the new name.

  34. cname to the rescue by spatenbrau · · Score: 4, Insightful

    I'm surprised phk is screwing around writing long-winded letters. Much faster would have been to just add a dns A-record entry by the name of private-ntp.dix.dk for the legit users and have them use that server. The old gps.dix.dk entry should be made into a CNAME for www.dlink.com. That would put the crushing levels of ntp traffic back where it belonged -- right on Dlink's doorstep.

  35. Block it and watch by mOOzilla · · Score: 2, Insightful

    Block it and watch as the chaos follows with consumers returning "defective" products :)

  36. someone proof read my letter plz by tehwebguy · · Score: 3, Insightful

    ATTN: President & CEO
    17595 Mt. Herrmann St
    Fountain Valley, CA 92708

    I have recently read an open letter to D-Link available at the following URL:
    http://people.freebsd.org/~phk/dlink/

    I must say that I am disgusted with D-Link's poor choice of action. D-Link may
    think that abuse such as this will go unnoticed, but that is not the case.

    While I don't expect my actions to bring your corporation to its knees, I am the
    "geek" of my family, and I have taken a personal stand by ordering Linksys
    products to replace any and all of the D-Link networking gear that my parents,
    siblings, cousins, and roommates are using. I hope that my sacrifice puts a dent
    in the damage your corporate negligence has caused Mr. Kamp.

    --
    -- lol pwned
  37. Poul-Henning clarifies by phkamp · · Score: 5, Informative

    Let me clarify a number of details here.

    1. My server has not replied to the packets since the CodeRed virus/worm abused NTP servers to coordinate attacks. That was a couple of years ago. I doubt D-Link ever even tried to test this.

    2. NTP is a timing protocol. You do not want to do expensive and time-consuming filtering on the packets because that disturbs your timing performance.

    3. If I have to sue D-Link, it will be either in USA or Taiwan. Both their Danish marketing office and the UK european office will be able to deflect a lawsuit to their mothership.

    4. If you download a firmware file from D-Link, it is often an ARJ archive. Unpack that and run strings. If you see GPS.dix.dk in there, please use another version. If the firmware you run is older than about a month, please update it.

    5. The list of products in my open letter is unlikely to be complete, those are the only ones I have been able to positively identify (using the method above). If you find out other products are affected, please email me.

    6. We do have a number of very interesting sections of our penal code here in Denmark that are very likely to apply. Only problem is, they haven't been tried in a court yet. So I have to persuade an overworked criminal inspector to raise a criminal case against a foreigner over a, let's face it, quite small monetary amount. Then I have to spend a lot of time making sure that we convince a judge who has never heard of NTP that they are guilty, and then if I win, I can see some D-Link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name". I have better things to use my life for.

    I can see a couple of hits from a C-class belonging to "D-Link Irwine": please escalate this, guys, your bosses don't read Slashdot.

    Thanks for all the supportive email.

    Poul-Henning

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...
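
    The check in point 4 (unpack the archive, run strings, look for the hostname) is the kind of thing worth scripting so it can be run over every image before deployment. The following is an added example, not a tool from the thread or from Poul-Henning: it assumes the ARJ archive has already been unpacked with unarj or similar, reads the extracted memory image (the thread names a file like nml.mem), pulls out strings(1)-style printable runs, lists every hostname-like token in them, and reports hits against a watchlist. The embedded sample image and its strings are constructed, not taken from any real firmware.

```python
import re
import sys

# Hostname-like tokens: one or more labels followed by an alphabetic TLD.
HOSTNAME_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed stand-in for an unpacked firmware memory image: binary filler
# with a few embedded strings. Not a real D-Link image.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 2
    + b"firmware v2.10 built 2006\x00"
    + b"\x00\xff\x13\x07" + b"GPS.dix.dk\x00" + b"\x00\x00\xde\xad"
    + b"ntp.example.net\x00" + b"http://www.example.com/\x00"
    + bytes(range(255, -1, -1)) * 2
)


def printable_runs(blob, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def hostnames_in(blob):
    """Set of lowercase hostname-like strings embedded anywhere in blob."""
    found = set()
    for run in printable_runs(blob):
        for m in HOSTNAME_RE.finditer(run):
            found.add(m.group(0).decode("ascii").lower())
    return found


def check_image(blob, watchlist):
    """Return the watchlisted hostnames (case-insensitive) present in blob."""
    present = hostnames_in(blob)
    return sorted(h.lower() for h in watchlist if h.lower() in present)


if __name__ == "__main__":
    # Usage: python scan_image.py <unpacked-image> [hostname ...]
    # With no arguments the constructed SAMPLE_IMAGE is scanned instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    watch = sys.argv[2:] or ["gps.dix.dk"]
    data = open(path, "rb").read() if path else SAMPLE_IMAGE
    print("hostname-like strings:", sorted(hostnames_in(data)))
    print("watchlist hits:", check_image(data, watch) or "none")
```

    Listing every hostname rather than grepping for one name is the more useful habit: a vendor image that embeds any public time server, update host or DNS name you do not control is a dependency you did not choose, and this one-off check is how that shows up before the devices are in the field.
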
    1. Re:Poul-Henning clarifies by Spaceman40 · · Score: 2, Insightful

      I figured - I mean, it depends on how they store their strings, definitely. At the very least, you could open up a plaintext editor (vim or whatever) and change it to another name with the same length, but you'd have to make sure you changed it wherever it appeared.

      Even so, it doesn't fix the underlying problem: D-Link is using level (my vocab escapes me) 1 NTP servers for mass-produced client hardware, with only a firmware way of changing them. There are several problems just there that won't be fixed by changing this one name.

      --
      I [may] disapprove of what you say, but I will defend to the death your right to say it.
    2. Re:Poul-Henning clarifies by jeavis · · Score: 2, Informative

      The problem is that he gets a free ride at DIX based on his server using only a nominal amount of bandwidth. The UDP traffic he's receiving is more than DIX is willing to tolerate for gratis colocation, and there is no reasonable way to stop it on the receiving end.

    3. Re:Poul-Henning clarifies by mpe · · Score: 3, Insightful

      I can see some D-link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name".

      Can't that easily be re-written to "Remember not to visit the European Union"?

    4. Re:Poul-Henning clarifies by Kazymyr · · Score: 2, Interesting

      I own a DI-604. I just went to D-Link's support site and tried to download the latest firmware for it. There wasn't any. I poked around, nothing. I went to their FTP site, the directory that should have held firmware upgrades was empty. Poked around in other directories, many firmwares for other routers are also missing.

      Looks to me like someone is covering tracks.

      --
      I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
  38. Osama Bin Laden by Skapare · · Score: 2, Funny

    D-Link must be run by Osama Bin Laden. That's why no one can be reached (hiding in the mountains of the Afghanistan and Pakistan border). Obviously, this attack has something to do with that cartoon thing.

    --
    now we need to go OSS in diesel cars
  39. D-Link Business Development by Qbertino · · Score: 4, Interesting


    Ok, let's do some good. Are we slashdot, or what?

    D-Link Business Development and Strategic Partnerships, E-mail: bdm@dlink.com

    >>>
    To whom ever it may concern:

    Hello.
    I just learned of your company's notably persistent inability and unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is severely disrupting internet services for a large number of internet participants and, even though you have been informed in detail of the effects your products are having, you have done nothing of substance to resolve the issue and compensate for the damage done.

    Until I learn that the issue described in the open letter to D-Link, available under http://people.freebsd.org/~phk/dlink/, was resolved in a professional and mutually satisfying manner, I will not purchase any D-Link products and will strongly discourage anybody asking for my expertise as a professional in the IT field from buying D-Link products or from engaging in any sort of business relationship with D-Link.

    Sincerely
    An Internet User

    Mistakes in this one? Please post corrected version below and then add a 'mailto' link to the address.
    Grammar Nazis, it's your turn!


    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:D-Link Business Development by tengwar · · Score: 2, Funny
      Dammit, I refuse to visit any town where there's a reseller of D-Link products.

      Nuke them from orbit. It's the only way to be sure!

    2. Re:D-Link Business Development by Anonymous Coward · · Score: 3, Funny

      Could you also mention that they still owe me $15 for a rebate. Thanks.

    3. Re:D-Link Business Development by Todd+Knarr · · Score: 2, Funny

      I sent the following:

      Date: Fri, 7 Apr 2006 10:09:27 -0700 (PDT)
      From: Todd Knarr <xxxx@xxxxxx.xxx>
      To: sale@dlink.com, customerservice@dlink.com
      Subject: DLink router use of Danish NTP server

      This is in reference to the open letter to DLink from Danish sysadmin Poul-Henning Kamp (http://people.freebsd.org/~phk/dlink/). Abuse of an NTP server in express violation of the service agreement in the Stratum-1 server list is, in my opinion, inexcusable. Willful refusal to correct the abuse when requested is, if anything, worse. Hard-coding the server name into the firmware, so that changes are difficult or infeasible, as opposed to DLink maintaining their own DNS records so that changes are simple, is also inexcusable in any technically competent organization.

      I have been contemplating purchase of a DLink DI-784 router/AP, a DWL-7100AP access point and a DWL-AG660 CardBus adapter. If DLink doesn't correct their error as Mr. Kamp asks, I will be taking my purchases to NetGear instead. They, at least, have demonstrated a willingness to fix their mistakes when asked. I will also be recommending to my friends that they avoid DLink products in the future.

      One customer, voting with his dollars.

      We'll see what kind of response I get.

  40. Re:List of Affected Products: - ERR Wrong Answer by MerlynEmrys67 · · Score: 4, Informative
    Can you please show me where the source MAC address exists in an IP packet that has been forwarded over the internet from (for example) the United States to a server in Denmark?

    Now that you look at your Ethernet sniffs (I assume you just went running off and ran Ethereal), look at the source Ethernet address... Hmmmmm, doesn't that look familiar? Like maybe it looks kinda like your first-hop router's MAC address.

    Nice try -

    Thank you, Come Again

    And please read either Stevens or Comer before posting on networking topics again

    --
    I have mod points and I am not afraid to use them
  41. Path to Justice by doublem · · Score: 5, Interesting

    1. Buy the domain name off this poor guy / arrange for alternate hosting if it can't be sold.

    2. Take a collection from the /. community to set up an alternate server.

    3. Wait a month for all the legitimate users to switch to a new URL.

    4. Fire up a server at the old URL reporting Midnight, Jan 1, 1900

    5. Let D-Link deal with users accusing D-Link of failing to sell a Y2K compliant product in 2006.

    --
    "Live Free or Die." Don't like it? Then keep out of the USA
  42. rewritten for clarity by Anonymous Coward · · Score: 2, Informative


    Dear Sir or Madam,

    I have learned of your company's persistent unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is disrupting internet services for a large number of users. You have been informed in detail of the problems you are causing, and you have done nothing of substance to resolve the issue and compensate those involved.

    The issue I refer to is described in the "open letter to D-Link", available at http://people.freebsd.org/~phk/dlink/.

    Until this problem has been resolved in a professional and universally satisfactory manner, I will not purchase any D-Link products and will act in my capacity as an I.T. professional to discourage others from doing so.

    Sincerely,

    Writing Style Nazi

    (I'm not a spelling nazi, so please check this again)

  43. Re:wrong easy fix. try this... by SatanicPuppy · · Score: 2, Insightful

    The real issue is, as no one seems to be recognizing, that you have to set your desktop machine to connect to the router, and sync the time.

    And since D-Link is not a brand with a great reputation in the segment of the population who knows HOW to do that, all we're going to end up with is a bunch of routers with screwy internal time, and a bunch of clueless users who will never know it.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  44. No... by way2trivial · · Score: 3, Interesting

    Consider this. To use NTP, they have to use it to spec.

    open specifications are still the property of the creators. (kinda like the GPL)
    they are licensed to 'the world' to use, so long as the specification is followed.
    the spec in this case includes disallowing certain services to certain levels of usage

    So, the creators of NTP spec can (in an extreme beyond all belief example)
    deny d-link further permission to use NTP at all.

    Further, if they are not following the spec (honoring requests by the NTP server not to be used
    in this manner) you could as the owner of one of the devices (once again, extreme example)
    sue d-link for advertising/listing on the box of the products in question,
    for saying they are ntp capable- when it's proven they are not compatible with the spec.
    (the spec that includes respecting requests not to be used in this manner)
    what are your damages? at least the cost of the affected hardware.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  45. cname isn't enough by Terje+Mathisen · · Score: 2, Informative

    PHK has (of course!) considered moving his box to a new DNS name; the problem lies in the way it is used:

    By moving it, he'll require every single BGP router in Denmark to be reconfigured, if you read his Open Letter you'll notice that he has considered and rejected this option as unworkable.

    Terje
    (Who's been hosting windows ntp binaries for several years now, at http://norloff.org/ntp/)

    --
    "almost all programming can be viewed as an exercise in caching"
  46. Re:WTF??? by LurkerXXX · · Score: 2, Insightful
    Why not just take the money and be satisfied?

    If you'd bothered to read the article, you'd see that their offer didn't even cover his most direct expenses, let alone all the indirect costs this thing has/will cause.

    If you make an open NTP server you don't have any legal rights other than to turn it off

    His NTP server lists its terms of service. D-Link is breaking those. I think a court is better suited to say if this is illegal than some idiot on /. who can't even RTFA.

  47. Email Addresses by wonkavader · · Score: 2, Informative

    customerservice@dlink.com
    webmaster@dlink.com
    analysts@dlink.com
    sale@dlink.com
    broadband@dlink.com
    bdm@dlink.com
    oem@dlink.com
    productinfo@dlink.com
    hr@dlink.com
    edusales@dlink.com
    si@dlink.com

    1. Re:Email Addresses by bp+m_i_k_e · · Score: 2, Informative

      Add the investor relations address (ir@dlink.com.tw) which is attributed to a few different people.

      Gavin Lee
      Deputy Manager, Investor Relations & Corporate Communications
      886-2-6600-0123
      ir@dlink.com.tw

      Tracy Wang
      Media Contact, Investor Relations & Corporate Communications
      886-2-6600-0123
      ir@dlink.com.tw

      A.P. Chen
      CFO
      886-2-6600-0123
      ir@dlink.com.tw

      ralio_sung@dlink.com.tw
      (from http://emops.tse.com.tw/server-java/t58main?TYPEK=sii&page=profiles&list=alphabet&alphabet=D)

  48. Re:Splendid admins over there at pool.ntp.org by ajs · · Score: 4, Informative

    Someone else replied, but let me actually EXPLAIN.

    pool.ntp.org is a collection of volunteer NTP servers, served up via DNS. You should not expect to get meaningful results from pointing a Web browser at such a host name, but because it is random, you could end up hitting Amazon.com (assuming they volunteered) or some guy that just set up an Apache server.

    http://www.pool.ntp.org/ is what you meant, as a simple google search for "pool ntp" would have told you.

  49. Re:WTF??? by LurkerXXX · · Score: 5, Interesting
    It doesn't seem like a moral crusade to me.

    He discovered a problem.
    He contacted the company causing the problem.
    He explained the problem, and simply asked them to fix it.
    They didn't.
    They put him off.
    They threw a lawyer at him to threaten him.
    They offered 'compensation' that didn't come close to covering his costs.

    He was trying to do it all quietly and nicely, not crusading, and they wouldn't have it.

    So instead of going through the often extremely troublesome and lengthy legal proceedings (which are even worse than normal since this is an international case), he was hoping to publicly embarrass the company into fixing the problem they caused. Seems like a reasonable attempt at a speedy solution, not a crusade.

  50. Easy answer, boycott D-Link by wwphx · · Score: 2, Interesting

    I've owned their products before but never much cared for them, I prefer Linksys & Cisco. But I know consulting people who do like their products, and I'm going to be talking to them today and tomorrow.

    I just sent them the following email:

    "I am a networking consultant, Cisco certified, and I talk to a lot of people about home wireless networking. I will not recommend D-Link products and today will begin actively campaigning against them for the unethical access and trouble that you have given to the GPS.dix.dk NTP server. When you have patched your products and made amends to the owner of the NTP server, then I will consider recommending your products again."

    Their feedback link is on the bottom of their index page.

    --
    When you sympathize with stupidity, you start thinking like an idiot.
  51. Re:wrong easy fix. try this... by jonadab · · Score: 2

    > on date X, send bogus packets in response... not just wrong time,
    > but seriously wrong time, like a packet with time of 9s in all
    > fields, which would be most seriously wrong.

    It would be better, on date X, to just stop the service (at the old, hardcoded-in-the-routers address, leaving the new service at the new address). This is both kinder to end users (who did not know about this when they bought the hardware and probably still don't) and also a better use of network resources.

    Anyway, shouldn't stratum-1 NTP servers reject (or drop) all requests except from known stratum-1 and stratum-2 NTP servers (and maybe stratum-3 NTP servers on certain approved networks)? I thought stratum 2 was where publicly open NTP servers were supposed to live, with private ones for local networks on stratum 3 using a stratum-2 server.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  52. Letter to *MY* ISP by Anonymous Coward · · Score: 3, Interesting

    I opened a problem ticket with my ISP (who, incidentally, has been VERY responsive in the past) to try to get them to block or redirect the DNS entry for this dude's NTP server:

    Subject: D-Link Abuse of NTP: Action Requested

    I'm certain that most of the technical staff at speakeasy reads slashdot, so you may have seen this before, but please take a peek at:
    http://people.freebsd.org/~phk/dlink/

    It would make me very proud to be a $ISP customer if $ISP were to redirect *all* ntp traffic pointed at GPS.dix.dk to pool.ntp.org (or some other round-robin ntp alias). Although D-Link really needs to step up to the plate and do the right thing, I think that this would be an excellent way to lend a hand to somebody providing core internet services for free.

    I'm certain that a good portion of your customer base uses D-Link equipment and any load that can be taken off of this poor guy's host will be appreciated. Additionally, if a press announcement is made by $ISP about providing some relief for this guy, it will draw attention to the problem, and possibly other ISPs will follow suit.

    I thank you in advance for your consideration of this issue and am very glad to be a customer of $ISP. I know if I were writing this support request to a Bell company or some other type corporation, it would fall on deaf ears at best.

    -$ISP Customer

  53. Re:Im confused by jonadab · · Score: 2, Informative

    It's a stratum-1 NTP server. Stratum-1 NTP servers are *ONLY* supposed to be used by other stratum-1 NTP servers and by stratum-2 NTP servers, *not* by any random device on the internet. A LAN router should *NEVER* be using a stratum-1 NTP server; it should be using a stratum-3 NTP server if possible, or *maybe* a stratum-2 server, with special permission, under unusual circumstances, if there is no stratum-3 server available. If D-Link won't do anything, this guy's going to have to notify everyone who runs a stratum-1 or stratum-2 server in Denmark, give them time to reconfigure, and then shut down the service.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  54. Re:wrong easy fix. try this... by bani · · Score: 2, Interesting

    if he did that, d-link would probably sue him for damages. this is how corporations think.

  55. Re:WTF??? by LurkerXXX · · Score: 5, Informative
    I would have contacted a lawyer right after step four

    Right, because lawyers are cheap... right.

    I like how he doesn't mention any numbers.
    He already has dedicated hosting, do they charge him $1 per megabyte or something?

    If you'd bother to RTFA, once again, he answers how much the hosting is costing him. He talks about numbers all over the place.

    " because I offer this service free of charge and NTP is a low bandwidth protocol, the organization behind the DIX has graciously waived the normal DKR 27.000,00 (approx USD 4,400) connection fee."

    " the current theory is that I will have to close the GPS.DIX.dk server or pay a connection-fee of DKR 54.000,00 (approx USD 8,800) a year as long as the traffic is a significant fraction of total traffic to the server."

    " I owe $5000 to an external consultant who helped me track down where these packets came from."

    " I have already spent close to 120 non-billable hours (I'm an independent contractor) negotiating with D-Link's lawyers and mitigating the effect of the packets on the services provided to the legitimate users of GPS.dix.dk."

    " Finally I have spent approx DKR 15.000,00 (USD 2,500) on lawyers fees trying to get D-Link to negotiate in good faith."

    " If I closed the GPS.dix.dk server right now, wrote off all the time I have spent myself, then my expenses would amount to between DKR 45.000,00 and DKR 99.000,00 (USD 7,300 to 16,000) and several hundred administrators throughout Denmark would have to spend time reconfiguring their servers.

    If on the other hand we assume I leave the service running and that the unauthorized packets from D-Link products continue for the next five years, the total cost for me will be around DKR 115.000,00 + 54.000,00 per year (approx USD 18,500 + USD 8,800 per year) or DKR 385.000,00 over the next five years (USD 62,000). "

    block the NTP traffic from anything outside his network if it is sooooo expensive for him. You can do that at the ISP level in most cases.

    He also mentions how blocking traffic is not feasible, and why, IF YOU'D BOTHER TO READ THE FUCKING ARTICLE. Learn how to read or STFU about him being an asshole.

  56. Re:WTF??? by bernywork · · Score: 2, Insightful

    Who cares what they were going to pay him? It was less than his costs. It still doesn't solve the issue of what they are going to do about the problem given that they caused it.

    Have you ever worked as a sysadmin or worked admin'ing servers at an ISP? Hell, worked on anything big that has something to do with the internet? Your cable / DSL line doesn't count here.

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  57. Poul-Henning clarifies more by phkamp · · Score: 2, Insightful

    We are not talking HTTP here. Robots.txt does not apply.

    The place where the service restriction is clearly written out, the "stratum 1 list" is the only place where DLink can have found the name of the NTP server in the first place.

    As several posters have pointed out: consumer devices like these have no need to query stratum 1 servers.

    As I said clearly in my letter: filtering will not prevent me from getting hit with bandwidth charges of $8800/year.

    I have not tried sending any bogus return packets because that would hit innocent consumers who bought D-Link's deficient products.

    And for the people who could have identified the source of these packets so much faster and easier: Drop me an email, I'll be sure to ask for your help next time.

    Finally, I can see that more than 40 people at D-Link Irvine (192.152.81.0/24) have read the open letter now, please guys: get somebody to call me or email me so we can get this matter settled. (both email and phone # are in the open letter)

    Poul-Henning

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...
  58. Re:WTF??? by phkamp · · Score: 2, Informative

    Dear Zardo,

    I never use anonymity to hide behind, I have no opinions of which I am ashamed.

    You seem to be missing a very fundamental point in this: I live in Denmark.

    Danish lawyers are not allowed to work on contingency. You get your bill first, then the verdict.

    Therefore, $2500 in lawyers fees is actually not very much over here. If I tried to get this case in front of a judge, I would have to pay something like ten times that.

    Furthermore, you seem to question a lot of things you could have determined for yourself by reading the actual letter I wrote.

    Finally, I have probably done more for the internet and open source than you will ever be able to imagine so if you want to paint me as a simple extortionist, you may have a bit of trouble making people believe you.

    In all likelihood, I wrote the function which protects your password.

    Poul-Henning

    --
    Poul-Henning Kamp -- FreeBSD since before it was called that...
  59. Here's what I'd do by Introspective · · Score: 2, Interesting

    The problem is really one of economics more than anything else, so the solution has to be cheap.

    He's correct that performing complex packet matching on a Cisco router would load it too much - they just don't have the CPU to do that function for any significant traffic load.

    I would configure the switch that the NTP server is on to have a SPAN port - a port to which all traffic is copied. Most Cisco switches will do this without any problem. On that SPAN port, connect a Linux box with a bit of CPU power - 2GHz would be tons. On the Linux box, setup tcpdump to match the packet patterns that D-Link routers are sending ( from TFA he has this as detected by a network consultant ).

    From the output of tcpdump, extract the source IP addresses. A fairly small perl script would probably do it. Take these IP addresses and massage them into access-lists for the upstream router to block, again perl or TCL/Expect would be reasonable tools. Routers are good at blocking large lists of IP addresses - it's not such a load for them as the list gets compiled and pushed onto the hardware. Depending on his router model a few thousand ACL lines would be fine.

    Alternatively, he could use the same approach to detect the non-D-Link source IPs - permit these and block anything else. From his stats of legit -vs- D-Link sources this would result in a shorter access list.

    The only issue here is that a D-Link behind a shared-NAT'd IP address would result in that address being blocked, but there shouldn't be too many of these. And legally he can block anything he wants - his service has no written guarantee so he should be legally safe (yeah, IANAL).

    To keep costs and time down, he can probably get help from the local University ( a cool project for any CompSci students ) to do the code and Linux setup, or help from the local LUG - I'd bet there would be plenty of volunteers to set it up, and I could imagine it being done within a couple of days.

    Kerry
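
    The SPAN-port approach in the comment above, as an added example that is not Kerry's code or anything from the thread: a Python script that parses constructed `tcpdump -n udp port 123` output, flags source addresses polling far faster than any sane NTP client, and emits Cisco IOS extended ACL lines for the upstream router, covering both the deny-list and the shorter permit-list variant. The server address 198.51.100.1, the ACL number 150 and the 16-second threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of `tcpdump -n udp port 123` output (not a real capture):
# 192.0.2.10 polls four times a second; the other two sources query once each.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv3, Client, length 48
10:00:00.250400 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv3, Client, length 48
10:00:00.500900 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv3, Client, length 48
10:00:00.750200 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv3, Client, length 48
10:00:01.000100 IP 192.0.2.10.123 > 198.51.100.1.123: NTPv3, Client, length 48
10:00:03.120000 IP 203.0.113.7.123 > 198.51.100.1.123: NTPv4, Client, length 48
10:00:03.120900 IP 198.51.100.1.123 > 203.0.113.7.123: NTPv4, Server, length 48
10:00:07.000000 IP 203.0.113.9.54321 > 198.51.100.1.123: NTPv3, Client, length 48
"""

SERVER = "198.51.100.1"  # hypothetical address standing in for the NTP server

# Only client-mode requests aimed at the server matter; replies are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.123: NTPv\d, Client,"
)

def client_timestamps(capture, server=SERVER):
    """Map each source IP to the timestamps of its client requests to `server`."""
    seen = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dst") == server:
            seen[m.group("src")].append(datetime.strptime(m.group("ts"), "%H:%M:%S.%f"))
    return seen

def abusive_sources(capture, min_interval=16.0, min_requests=3):
    """Sources averaging less than `min_interval` seconds between requests.
    A well-behaved client polls every 64 s or slower, so this is a generous bar."""
    out = []
    for src, times in client_timestamps(capture).items():
        if len(times) < min_requests:
            continue
        span = (max(times) - min(times)).total_seconds()
        if span / (len(times) - 1) < min_interval:
            out.append(src)
    return sorted(out)

def build_acl(sources, action="deny", acl=150, server=SERVER):
    """Cisco IOS extended ACL lines. action="deny": drop NTP from `sources` and
    allow everyone else; action="permit": allow only `sources` (the shorter list)."""
    other = "permit" if action == "deny" else "deny"
    lines = [f"access-list {acl} {action} udp host {s} host {server} eq ntp" for s in sources]
    lines.append(f"access-list {acl} {other} udp any host {server} eq ntp")
    return lines
```

    Feed real `tcpdump -n` output to `abusive_sources` and paste the returned lines into the router; a NAT gateway hiding one misbehaving device will be caught along with it, as the comment notes.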

  60. D-Link SOLVED the 'client/1.0' user agent spoofing by Anonymous Coward · · Score: 2, Informative

    1. D-Link update with a USER_AGENT of 'client/1.0' (how original). This violates all published dynamic DNS specifications, be it DynDNS, TZO.COM, no-ip etc
    2. DynDNS blacklists these D-Link routers (block all agents using 'client/1.0')
    3. D-Link responds by changing USER_AGENT to be '$username/1.0' (where $username is your ddns username).

    I'm NOT kidding you. They took the time to do a string change to circumvent blocking, but not solve the problem! Fuck, why not set the USER_AGENT to 'Mozilla' while you're at it. Jerks.
      (earth to D-Link... send at LEAST 'dlink_piece_of_shit/1.0'... or better yet send 'dlink [router:$routerver/firmware:$fwver]' so maybe only SOME of your routers get blacklisted. )

    DynDNS blocks D-link routers. TZO, and no-ip currently do not.

    Who pays for the customer's phone angst? Not D-Link... they've already set Support expectations SO LOW no professional will talk to them.

    I even put one of their fucking routers WAN ports under a packet sniffer, and SENT THEM A HOW-TO on fixing their router! My request was last seen in Mumbai-istan-dia by a script reader named 'Steve'. These people follow RFCs as well as Myspace or GoDaddy. Outsourced Customer service is not going to be proactive about protecting a reputation of their employer's employer.

    D-Link have 6 "OEM developers" who are outside contractors. When they have to fix a bug in one OEM's product, there is NO CODE SHARING with the other development teams. It's the customer's fault for not reporting the bug in every affected model, you see...

    Why should D-Link care about stealing anyone's bandwidth from their own firmware bugs?
    From their perspective, these things still fly off the shelf at Best Buy.

    You can enable dynamic DNS in a D-link, and if you do NOT set the username and password (meaning the DDNS will fail), they HAMMER on the update server. Oh gee, a failed update means RETRY right?
    The motherfucking OEM coders in Taiwan skip reading the specs because they are only written in English.
    If QA doesn't complain, ship it.

    Disclaimer: I work for one of these dynamic DNS companies. Avoid D-Link... go with Linksys or SMC or Buffalo or US Robotics. For the love of god stay away from D-Link PLEASE!

  61. This is how bad it was by Snaller · · Score: 2, Informative

    The guy had help in finding out who it was who abused his service, by Richard Clayton, he writes in his blog about this: "on a typical day he'd receive 3.2 million bad packets (that's 37 a second!). "

    Here he explains how he traced down who was behind what he calls a DDoS attack: His blog

    --
    If Google really cared they would fix Android Chrome to reflow text, instead of discriminating