D-Link Settles Danish Time Dispute

igb writes "The Register reports that DLink has settled the time server dispute described a little over a month ago here on Slashdot. They're going to stop using an NTP server they're not really authorized to chime with, and they've reached an amicable settlement over the use by existing products. The details of the settlement are, not unsurprisingly, somewhat vague, but let's hope that the good guys aren't out of pocket any more."

They should've known better...

than to challenge a Time Lord!

Re:They should've known better...

[Thud457]

mmmmmm....... Danish time!

Netgear did the same thing a few years ago

[dananderson]

Netgear did the same thing with the University of Wisconsin Internet NTP's servers.

It's strange these companies can't afford to set up a few of their own NTP servers instead of overloading servers that don't have the bandwidth. It it's because they are clueless or they are cheap?

Re:Netgear did the same thing a few years ago

[ottothecow]

Why dont they at least use the government supported ntp servers since then the users probobly still payed for it in taxes.

I currently use the Argonne national lab NTP server most of the time which is probobly government paid though it could be provided by the University of Chicago (though since my connection is on-campus, it makes the most sense).

Re:Netgear did the same thing a few years ago

[wowbagger]

It it's because they are clueless or they are cheap?

Yes, and yes. They are clueless, and they are cheap.

That is why pool.ntp.org was created - to provide a pool of NTP servers that these bozos can use without hammering anybody's server too badly.

Re:Netgear did the same thing a few years ago

[MikeBabcock]

These situations make no sense to me. The NTP system is very easy to use properly.

There's a great little website about how to use ntp.org servers properly.

For the quick-fix people, point your NTP capable system at pool.ntp.org.

If you live in north america, you can use the north-america.pool.ntp.org dns name instead, for only north american servers. The same applies to other continents and several country codes.

Basically, there's no excuse for hard-coding a time server in almost any situation, unless your client is completely incapable of DNS and has no access to external DNS servers.

Re:Netgear did the same thing a few years ago

[autocracy]

It would be really nice to think that it's not that hard. Yet, somehow, as a member of the NTP pool, I just keep on having issues. At this moment, I'm supporting roughly 1500 clients. 35% of my resources to supply all those clients with acurate time are being used by 40 clients. In fact, the top 10 "abusers" are taking nearly 17%... and it's a good moment.

Re:Netgear did the same thing a few years ago

[MikeBabcock]

... and that's the rub; this is a router. Surely in most cases its getting DNS information from an ISP by DHCP on behalf of its clients.

It could, you know, use that information to resolve pool.ntp.org properly.

PS, being a good netizen, I run a public NTP server that is listed on north-america.pool.ntp.org as well as ca.pool.ntp.org (being in Canada and all). I also have all my internal LAN clients query from that server, instead of the outside.

My public ntpd service is using very little memory (let me check; RSS: 4076, TRS: 433) and the bandwidth usage is not very high either.

Re:Netgear did the same thing a few years ago

[KiloByte]

as a member of the NTP pool
[...]
At this moment, I'm supporting roughly 1500 clients

Somehow, I find this value flawed. On my server, also in the pool, I logged requests from 161683 different IPs within just the first 24 hours after joining the pool; thus, only those who just resolved the name accessed it. Most NTP clients do a DNS lookup only once during the startup, thus I expect the usage to increase over time.

I'm in the pool for just over a month; I'll turn on logging for another day to gather the new data.

On the other hand, the percentage values about abusers are roughly the same here.

Re:Netgear did the same thing a few years ago

[tinkerghost]

Proper queries are only denied & not re-made if the client follows the rules.
If you check the original artical, D-Link routers do not recognize the kill request, and they re-request very quickly. So yes, he configured the NTP server correctly, AND he posted restrictions on the NTP site correctly, AND D-Link said we don't care.
It's essentially a DDOS attack on the server. There are thousands of hits with correctly formed NTP requests coming in every second - 98% of which should be directed elsewhere.

Re:Netgear did the same thing a few years ago

[Gnavpot]

At this moment, I'm supporting roughly 1500 clients. 35% of my resources to supply all those clients with acurate time are being used by 40 clients. In fact, the top 10 "abusers" are taking nearly 17%... and it's a good moment.

I wonder if the abusers are running some kind of Unix/Linux/BSD time daemons.

In my experience, when starting the 'chronyd' time daemon under Linux, it will poll very often, like 15 seconds intervals. Everytime it gets an answer, it will compare it to the system clock, log the deviation and adjust the system clock speed based on the trend. After some time, the system clock will run really accurate, so the logged deviations will be small. The polling interval will then be increased in steps up to a max. limit of 4 hours. If the computer is restarted, this scenario starts over again.

Compare this to a typical Windows XP computer which seems to poll a time server once a week or so. No doubt that the ntp server will feel some clients more abusive than others.

Disclaimers:
The intervals stated above may be wrong. I haven't tinkered with optimizing my time daemons since the old pay-per-minute ISDN days so my memory is a bit rusty.

Chronyd is just an example. I have no knowledge of whether it stresses the time servers more or less than other time daemons like 'xntpd'.

Re:Netgear did the same thing a few years ago

[tinkerghost]

So D-Link units were making a NTP request, the request was denied by the server, but the D-Link engineers put it in their list of NTP servers anyway?
Yes, but worse and out of order .....
Check out NTP.org. Specifically check the Rules of Engagement, The Stratum 1 list, and RFC 1305.
Now looking at everything we have a protocol that involves 2 components, an implimentation component and a social component. The actual implimentation of the protocol is laid first as "Format your request in this fasion and we will return the responce looking like this...". However, it also has things for implimenting request timing fallback and kill requests. The social implimentation of the protocol is layed out in the RoE and the Server Lists - note the regional restrictions and the authorization requests in the server lists.
From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables. That blows off the entire social aspect of the protocol - both the permissions and the structure.
Next they implimented only the request portion of the protocol, they ignore the backoff & get lost request structures - essentially forgoing the entire error correction portion incorperated into the RFC. So up to the point of manufacture they have 3 strikes against them,

• Failure to obey the Stratum structure of the NTP system
• Failure to follow the permisions structure of the NTP system
• Failure to properly impliment the NTP connection protocol
  

Now there was no known issue with this until the Danish exchange turned to the Stratum 1 owner and said "You are eating a hell of a lot of bandwidth here & we can't keep giving it to you for free." At which point the problem was tracked back to a series of D-Link SOHO routers. I don't recall the exact process he used , but he started sending kill requests to anything from a D-Link router. When they ignored it & kept making requests he talked to D-Link
From memory the conversation then went like this:
Dane: You're routers are hammering my server & they need to stop, you don't have permission & you're violating the rules.
D-Link: How cute, have a nickle & go get yourself some candy.
Dane: WTF? The exchange is going to charge me $8K to cover your protocol violations.
D-Link: It's not our fault & if it is talk to our Lawyer.
Lawyer: I won't talk to you unless you come to CA & argue your case.
At which point it devolved to an open letter & public shaming - which by the way seems to have worked.

[note] IIRC someone calculated the estimated bandwidth from the D-Link routers using Stratum 1 NTP servers to be enough to continously flood a T1. So this isn't just an occasional knock on the door, it's pretty heavy usage for what amounts to a request packet and a responce packet from each router.

Re:Netgear did the same thing a few years ago

[Matt+Perry]

From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables.

Good god. What a bunch of knuckleheads.

They already lost at least $120 in sales

[Omnifarious]

And likely more. I've been telling my friends not to buy them, and I know of at least one buying decision that was made specifically for that reason that cost them $120 worth of sales of USB wireless adapters.

Re:They already lost at least $120 in sales

[lotsotech]

I've told my friends (and my company) to avoid buying their stuff because it's junk (IME) We used to spec D-Link because one of our distributors already carried it and I'm fairly certain I've since swapped most all of it to Linksys or Netgear which are both more or less equal to me.

Re:They already lost at least $120 in sales

[anticypher]

That's nothing. I'm engineering a large scale DSL rollout, around 80,000 installations in the first 2 phases during 2006, and a potential 4 million subscribers over the next 3 years. My technical analysis of the CPEs determines who makes the shortlist. I had a lot of fun at CeBit this March, watching the sales weasels fight over who would get first shot at my account.

I had even more fun letting the D-Link fuckheads know why they were on my blacklist. For two main reasons, the NTP theft of services from all the stratum 1's, and the mac ethernet framing problems. They were told quite clearly the non-response from their engineering team on these two show-stopper problems had left them permanently blacklisted. Its called schadenfreud, and it feels good.

the AC

Re:They already lost at least $120 in sales

[stienman]

Did you also stop buying Belkin when they added sw to their routers that, about one week into operation, would randomly redirect a web page request to an advertisement for their filtering service?

How about Linksys? They've done some mean things too.

And every other company out there.

Your tactics will not impact d-link. Not only that, they are unsustainable, if you want to buy any technological equipment, that is. Eventually everyone will be on your lit shist. Then you'll start trying to figure out which one is "least evil" or perhaps which one hasn't been substantially evil for the longest period of time.

At the end of the day, someone on some project made a set of assumptions, and based a poor decision on those assumptions. It's impacted someone else quite significantly, and they have remedied that.

Personally I'm glad that they eventually remedied their situation. They will make more mistakes in the future, but it's not because they are malicious, or stupid - it's just a mistake. Even with all the history we see about time servers and routers, they may have not seen that at the right time in the project that produced that code.

Given that, the only thing that we can really blame them for is the poor response to the initial problem report, and the time it took to realize the enormity of the problem and make amends.

-Adam

Not Vague At All

[TubeSteak]

... D-Link's existing products will have authorized access to Mr. Kamp's server, but all new D-Link products will not use the GPS.Dix.dk NTP time server. D-Link is dedicated to remaining a good corporate and network citizen.

Allow me to translate: He got paid.

Part of the settlement involves him putting on his website "D-Link is dedicated to remaining a good corporate and network citizen."

Otherwise, considering his previous level of frustration, there's no chance he would shill for them like that.

Re:Not Vague At All

[Uncle+Rummy]

He also took down the entire description of the problem D-Link caused, which used to reside at that URL. Considering how pissed he was, they must have paid him well, indeed.

Re:Not Vague At All

[raitchison]

Well don't tell any of my devices, cause all of them are over 2 years old, many of them over 5 years old. Heck my "public segment", where the DSL modem (6 years old), broadband router (4 years old) and VPN device (4 years old) connect is a 15 year old 10Base-T ethernet hub. Your experience must be with Linksys, I always keep a spare D-Link broadband router on a shelf ready for when a friend or relative calls after their "Internet doesn't work" because their Linksys router fried itself. I'm continually amazed how many people think that because Linksys costs more (and now sports the Cisco logo) that it must be better.

not unsurprisingly

[boldtbanan]

The details of the settlement are, not unsurprisingly, somewhat vague...

I do not think that means what you think it means

Re:Public? Server

[Binestar]

Seems to me that if you run a (public) NTP server with a publicly available IP address and/or DNS resolution, that means anyone (public) can use the (public) service - no?

No.

Public yes, but with permission

[dananderson]

Most public NTP servers require permission prior to use. The list of public NTP servers have an email address or webpage form to use prior to using their NTP server.

The reason for this is to avoid problems like this, where the NTP server is overloaded or the NTP client is mis-configured and overloads the server or network.

What I would have done

[ch-chuck]

Is silently migrate my legit users to another ntp server and then set the D-Link'ed ones to something like Klingon time or something bizarre, streach 8 hour days to 10 hours, etc. Of course that wouldn't solve the excess traffic, but you can get creative with revenge, especially when you're in the right.

Re:What I would have done

[PayPaI]

Yes, because everyone is going to be so confused that their router is set to the wrong time that they will go out and buy a competitors product.

Re:What I would have done

[spyrochaete]

In the last story the server admin stated that he couldn't change the address because it would involve far too much work. Many people rely on his services and it was costing him enough out of pocket as is.

Re:Public? Server

[Aladrin]

Public or not, you have to follow the rules. It is pretty well known that only 'Stratum 2' NTP servers are to use 'Stratum 1' NTP servers. This is not just a 'because we want it that way' policy. There are many good reasons for this.

http://en.wikipedia.org/wiki/NTP_vandalism

NTP Pool for Vendors

There is now a way for vendors to use the NTP pool. See http://www.pool.ntp.org/vendors.html for details.

Re:Their reputation preceeds them

[John+Miles]

Agreed. D-Link appears to occupy a point on the cost-quality curve that ultimately costs more in hair-pulling time than it saves in cash. Their products may be OK for lightweight use at home, but they can really give you fits in a more demanding environment.

Case in point: we recently put a bunch of DGS-1008D 8-port gigabit switches into service, and immediately started having problems with dropped Ethernet connections. Our laser printer was sucking down enough power at the onset of its fuser-warmup phase to trigger a nearby UPS momentarily. The resulting switchover transient lasted only a few milliseconds, but it was enough to reset the DGS-1008D. After a LOT of tail-chasing, it transpired that the (cheap-ass linear) wall-wart supplies that D-Link ships with the DGS-1008D lack sufficient filter capacitance to absorb even the slightest power glitch under high-load conditions (e.g., when there are several cables plugged into the switch.)

We took a few of their power supplies apart and found that the oldest ones -- which didn't have the problem -- used a 2000-uF filter capacitor at the rectifier output. At some point, they saved 10 cents by moving to a supply with only 1000 uF, rendering their product useless in many real-world office environments.

This isn't supposed to be a general "let's all bag on D-Link" thread, but hey, if the shoe fits...

Re:Public? Server

[freshman_a]

His NTP server access policy explicitly limited use of said server to the Danish Internet Exchange (DIX). In return, DIX provided him with a free internet connection for his NTP server. Because D-Link was sucking so much bandwidth, DIX told Kamp he would have to pay yearly for the connection. D-Link disregarded his server policy and abused his server. That's why it's a problem.

Also, his server is a Stratum 1, and, while not explicitly written, the D-Link devices should getting the time via a Stratum 2 server. At least, that's how it's commonly done.

Does that help explain things better?

This should have been solved with a check.

[CFD339]

Someone at D-Link should simply have realized the mistake and paid for a few very fast servers to sit at a hosting facillity and respond to the requests -- and all the requests already using that service -- for as long as the Danes were willing to point the DNS entry for that server to them.

In the scheme of things, and from a marketing perspective, anything else is stupid and a waste of good will.

Re:This should have been solved with a check.

[systems_joe]

for as long as the Danes were willing to point the DNS entry for that server to them.

If you RTFA, you'll see that the devices in question are not using DNS. They are using a hardcoded IP address, so DNS would not solve this problem.

Re:What about Microsoft?

[ch-chuck]

What do they say that? - Sound like they go out of their way (advice about firewalls, etc) to let taxpayers "Set Your Computer Clock Via the Internet".

Re:I've often wondered about this

[Vyvyan+Basterd]

$8000 a year isn't exactly chump change for most people.

Re:Their reputation preceeds them

[Tony+Hoyle]

Windows sends a 1-byte ping to a server within the microsoft.com domain, ostensibly to confirm network connectivity

Years ago, Bill Gates said 'If only I had $1 for every time a windows server rebooted..'

And the rest is history.

Re:Public? Server

[tinkerghost]

Check the NTP page, there are public (open) servers and there are public (restricted) servers. There are also 3 layers of service,

• Stratum 1 are principle time servers for a region & directly query atomic clocks.
• Stratum 2 are general use for large regions or institutions - generally they should only be contacted by Stratum 3 servers - clients only as a last resort.
• Stratum 3 are the generic NTP servers of the internet - if you're an end client you should be talking to a Stratum 3 unless none are available/unrestricted for your use.

D-Link SOHO routers do 3 things wrong.

• They don't follow the NTP protocol for requests to stop using the service.
• They ignore the restrictions place on the server usage - in Denmark, for use by ISP or Stratum (2/3) requests.
• They hit a Stratum 1 NTP server as an end client.

So no, if you run a public NTP server that you have dutifully entered restrictions on, you are expecting everyone who comes to you to obey the NTP protocol. That includes following the restrictions, listening to the go away requests, and following the basic rules of who to talk to.
[Analogy type=bad]
In the US there are a number of parking spaces set asside for handicapped parking in almost every parking lot. Physically you can park there if you are not handicapped, but you're not supposed to (covers both ignoring restrictions and a client talking to a Stratum 1 server). If the manager of the parking lot tells you to get your car out of the spot - you should do that(refers to the kill request in the NTP protocol). In the real world if it get's this far, the cops come & give you a ticket. On the net you get open letters calling you an arogant prick who can't be bothered to figure out the basics of the protocols you are boasting about
[/Analogy]
For the record the Danish server was not the only Stratum 1 server they hit, they appear to have taken the Stratum 1 list (almost all of which restrict usage to Stratum 2 servers) and shoved it into the routers for general use - hardly the "Good internet citizen" they claim to be.

Poul-Henning Kamp got payed!

[__aaqwna9206]

Poul-Henning Kamp got 200.000 DDK (Danish kroner) which is about 33.000 US$.

The settlement states that Poul-Henning Kamp must not talk about the history of problems which the D-Link routers caused. But He tells danish press that any future problemes causes by D-link equiptment will be posted around the net ;-). This information is from the danish version of computerworld online at http://www.computerworld.dk/

His homepage is http://people.freebsd.org/~phk/

For those in america: Denmark is not the capital of sweden ;-)

Re:Poul-Henning Kamp got payed!

[afidel]

Since he is facing a bandwidth bill of $8,000 per year to run the server that doesn't seem like a very good settlement. I mean does D-Link think that virtually all of those devices will be off the net in less than 5 years, because if not it was a shitty offer on their part. If they do then I know who's products not to buy on technical grounds, and if they don't I know who not to buy on moral grounds =)

Re:Public? Server

[plague3106]

Taping a note to your front door that reads 'only enter if you live here' doesn't accomplish a lot if you leave the door open all the time.

Please, stop with stupid analogies. They are never helpful. You can leave your door open all the time, that doesn't give anyone the right to go in! In Vermont, thats criminal trespass, and the fine is much larger than the other forms of trespass defined in the act.

Re:resolved without legal action

[John+Hasler]

> What D-Link did was unprofessional and irresponsible...

It was also stupid. Why would anyone buy a router from people who can't even get something this simple right?

Re:They could take advantage of dispute

[Slashcrap]

IMHO they should donate their best products to him,

Dude! They've already fucked him once. What have you got against the poor guy?