Please create an account to participate in the Slashdot moderation system


Forgot your password?

D-Link Firmware Abuses Open NTP Servers 567

DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
This discussion has been archived. No new comments can be posted.

D-Link Firmware Abuses Open NTP Servers

Comments Filter:
  • by SuperficialRhyme ( 731757 ) on Friday April 07, 2006 @10:39AM (#15084051) Homepage
    From TFA: "A number of D-Link products, so far I have at least identified DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624, contain a list of NTP servers in their firmware and using some sort of algorithm, they pick one and send packets to it."
  • Re:Im confused (Score:5, Informative)

    by Nohea ( 142708 ) on Friday April 07, 2006 @10:42AM (#15084078)
    NTP server use is tiered. So client PCs are not supposed to hit the tier 1s, they should hit 2nd tier or a local ntp server.

    You don't use the root DNS servers for all your DNS requests, right?
  • Re:Im confused (Score:5, Informative)

    by phil reed ( 626 ) on Friday April 07, 2006 @10:42AM (#15084080) Homepage
    Yes, you're confused. And, you didn't read the article. The author is pissed because he's running an NTP server intended to be accessed only by Danish networks, and for use by servers, not clients. D-Link products are only marketed to clients, and not just Danish clients.
  • by Bogtha ( 906264 ) on Friday April 07, 2006 @10:43AM (#15084088)

    If there's one thing I hate more than incompetence, it's people who don't care that they are incompetent and carry on churning out crap regardless of the problems it causes others.

    According to this page [], D-Link have an office operating in Denmark. This makes them subject to Danish law whether they like it or not. I don't know whether Denmark's computer crime laws cover this, but it wouldn't surprise me.

  • Re:Easy fix (Score:5, Informative)

    by holdenholden ( 961300 ) on Friday April 07, 2006 @10:46AM (#15084117)
    He says that such a solution is hard to implement on Cisco, and would be too CPU intensive. FTFA: "Filtering the D-Link packets requires inspection of fields which are not simple to implement in Cisco routers, and in particular such filtering seems to send all packets on the interface through the CPU instead of fast switching, so ingress filtering the packets at the ingress of AS1835 is totally out of the question."
  • by fruity_pebbles ( 568822 ) on Friday April 07, 2006 @10:47AM (#15084120)
    The pool guys have been talking of implementing a $ setup. Having the $company_name specificity would allow them some leeway if an individual vendor does something silly. I don't know if any vendors have bought into this though.
  • Re:Im confused (Score:5, Informative)

    by Chyeld ( 713439 ) <> on Friday April 07, 2006 @10:48AM (#15084122)
    He hosts a NTP server with the intention of it being used by a certain audience. He's not pissed people outside of that audience are using the server, he's pissed that D-Link decided to abuse the service he's providing and now the overwhelming majority of the people using his service are outside the intended audience.

    Sorta like how server admins get pissed when an article posted on their site causes them to be Slashdotted.

    And honestly, the fact that D-Link is acting in the way it is while he trys to get them to resolve the issue probably isn't helping matters.

    Then again, as a former owner of a D-Link product which rebooted itself anytime I went over 50 simultaneous connections (think P2P), I don't doubt they'd be too cheap to actually just run their own.
  • by Aggrajag ( 716041 ) on Friday April 07, 2006 @10:48AM (#15084127)
    The DI-624+ is not on the list and it is possible to manually change the NTP server which the router uses.
  • by DES ( 13846 ) * <> on Friday April 07, 2006 @10:48AM (#15084130) Homepage
    A good idea, but not easily doable, since the allowed networks include most of Denmark. He would have to filter traffic based on the AS of the sender; this would require a full BGP feed and probably also a continuously updated mirror of the RIPE database.
  • D-Link ha! (Score:2, Informative)

    by SpaghettiPattern ( 609814 ) on Friday April 07, 2006 @10:55AM (#15084185)
    I own a D-Link Ethernet ADSL modem and guess what, the local IP adress is fixed to Nope, no changing that thing. If I had known beforehand... I had to completely renumber my network. I only had 8 NICs and two LANs but was pissed off nevertheless.
  • Sorry to correct your rant, but he does say in TFA that the offer was so low that it didn't even cover his costs. That would be a good enough reason to say no wouldn't it?

  • Re:Blacklist time (Score:3, Informative)

    by bhtooefr ( 649901 ) < minus punct> on Friday April 07, 2006 @11:08AM (#15084314) Homepage Journal
    I already have done a complete 180 on recommending D-Link, since much of the D-Link equipment I use and work with has failed spontaneously.

    And that was BEFORE this.
  • by sheehaje ( 240093 ) on Friday April 07, 2006 @11:08AM (#15084318)
    .... Well, if you read the article....

    It's not just about money, it's also about client routers using bandwidth meant for BGP routers used by ISP's. It's a public network, but one intended for ISP's to transfer Data, not for Client use.

    He is asking for some reimbursement for the troubles he's endured, but D-Link is saying he is extorting them.

    IMHO, it is a problem D-Link did cause by their incompetence, and what is being asked is reasonable. The problem won't go away totally, because it relies on the average joe customer to actually update firmware, and now he has to deal with the situation for a long time to come. To be able to continue his "free" service, he may now have to pay for bandwidth that was free to him before D-Link wrongly implemented a protocol feature in some of their routers.

  • Re:Moochers (Score:2, Informative)

    by archen ( 447353 ) on Friday April 07, 2006 @11:11AM (#15084334)
    just a correction, I sorta got stratum 0 confused in there, it should be lowered by a stratum, but honestly many recommend you connect to stratum 2 servers to lighten the load on the stratum 1 who's main purpose should be time distribution. (or high presision for those in need)
  • by DeBeuk ( 239106 ) on Friday April 07, 2006 @11:20AM (#15084427)
    FreeBSD uses pf (well, it can use pf if you want to) as a packet filter. It has the wonderful option to filter traffic according to the OS fingerprint, as in you can block traffic originating from specific operating systems. I'd advice this guy to block all traffic from these dlink devices.
    If there's no fingerprint on record yet you could generate it yourself, it's not that difficult to generate one.
  • Re:Fairly simple fix (Score:3, Informative)

    by nsayer ( 86181 ) <> on Friday April 07, 2006 @11:25AM (#15084479) Homepage
    RTFA. He discusses this.

    1. He's already out a bunch of money trying to figure out what happened.

    2. He could change the DNS name, but then every legitimate user would have to change their configuration, and there's no guarantee D-Link wouldn't just update the firmware with the new name.
  • Re:Blacklist time (Score:2, Informative)

    by Anonymous Coward on Friday April 07, 2006 @11:25AM (#15084480)
    Actually there are some pretty good alternatives out there.
    I have been using and recomending both SMC [] and Asante [] products. They work flawlessly and the price is good too.
  • Re:Moochers (Score:5, Informative)

    by boneshintai ( 112283 ) <ojacobson AT lionsanctuary DOT net> on Friday April 07, 2006 @11:27AM (#15084502) Homepage
    That was Belkin [].
  • by grimwell ( 141031 ) on Friday April 07, 2006 @11:39AM (#15084599)
    Because there are ~2000 legit users of his ntp server. But in the end that is probably the solution he'll have to do... rename his ntp server, allow legit users to update their config and then point at a collection of boxes on D-Link's network.
  • by phkamp ( 524380 ) on Friday April 07, 2006 @11:48AM (#15084704) Homepage
    Let me clarify a number of details here.

    1. My server has not replied to the packets sinde the CodeRed virus/worm abused NTP servers to coordinate attacks. That was a couple of years ago. I doubt D-Link ever even tried to test this.

    2. NTP is a timing protocol. You do not want to do expensive and timeconsuming filtering on the packets because that disturbs your timing performance.

    3. If I have to sue D-Link, it will be either in USA or Taiwan. Both their Danish marketing office and the UK european office will be able to deflect a lawsuit to their mothership.

    4. If you download a firmware file from D-Link, it is often a ARJ archive. unpack that and run strings. If you see in there, please use another version. If the firmware you run is older than about a month, please update it.

    5. The list of products in my open letter is unlikely to be complete, those are the only ones I have been able to positively identify (using the method above). If you find out other products are affected, please email me.

    6. We do have a number of very interesting sections of our penal code here in Denmark that are very likely to apply. Only problem is, they havn't been tried in a court yet. So I have to persuade an overworked criminal inspector to raise a criminal case against a foreigner over a, lets face it, quite small monetary amount. Then I have to spend a lot of time making sure that we convince a judge who have never heard of NTP that they are guilty and then if I win, I can see some D-link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name". I have better things to use my life for.

    I can see a couple of hits from a C-class belonging to "D-Link Irwine": please escalate this guys, your bosses don't read slashdot.

    Thanks for all the supportive email.


  • Re:Moochers (Score:2, Informative)

    by Moonwick ( 6444 ) on Friday April 07, 2006 @11:52AM (#15084737) Homepage
    Startum 1 servers aren't "expensive" nor are they a limited resource; any time server that pulls its timebase from GPS, for example, is stratum 1.
  • by SuperficialRhyme ( 731757 ) on Friday April 07, 2006 @11:57AM (#15084789) Homepage
    I asked for details and this is what he provided to me. I haven't gotten to do this yet:

    "If you download the firmware from DLink and run unarj on it
    you get a file called something like nml.mem.

    Run strings on that and grep for to make sure it is not
    listed in there."
  • by DES ( 13846 ) * <> on Friday April 07, 2006 @11:58AM (#15084790) Homepage
    No, he can't "just firewall the server" and "tell the few people that would affect". There are thousands of legitimate users distributed across thousands of ASes covering thousands of IP ranges which may change from day to day or even hour to hour. His server is directly connected to the core switch at the Danish Internet Exchange, where all major Danish networks exchange BGP routing information and domestic IP traffic, and its purpose is to provide a stratum-1 reference for NTP servers on these networks. To determine which IP ranges may legitimately access his server, he would need a full BGP feed and a continuously updated copy of all as-block and aut-num records in the RIPE database.
  • by codegen ( 103601 ) on Friday April 07, 2006 @12:10PM (#15084923) Journal
    The mac address is only visible on the local network. After the packet hits
    a gateway, the mac address is gone (only the IP address remains).

  • by MerlynEmrys67 ( 583469 ) on Friday April 07, 2006 @12:12PM (#15084944)
    Can you please show me where the Source MAC address exists in an IP packet that has been forwarded over the internet from (for example) the United States - to a server in Denmark?

    Now that you look at your ethernet sniffs (I assume you just went running off and ran ethereal) look at the source ethernet address... Hmmmmm - doesn't that look familiar, like maybe it looks kinda like your first hop routers MAC address.

    Nice try -

    Thank you, Come Again

    And please read either Stevens or Comer before posting on networking topics again

  • by wampus ( 1932 ) on Friday April 07, 2006 @12:19PM (#15085010) []

    These people may disagree. This doesn't change the fact that D-Link makes shitty firmware.
  • by Anonymous Coward on Friday April 07, 2006 @12:32PM (#15085138)

    Dear Sir or Madam,

    I have learned of your company's persistent unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is disrupting internet services for a large number of users. You have been informed in detail of the problems you are causing, and you have done nothing of substance to resolve the issue and compensate those involved.

    The issue I refer to is described in the "open letter to D-Link", available at [].

    Until this problem has been resolved in a professional and universally satisfactory manner, I will not purchase any D-Link products and will act in my capacity as an I.T. professional to discourage others from doing so.


    Writing Style Nazi

    (I'm not a spelling nazi, so please check this again)
  • by Anil Purandare ( 631996 ) on Friday April 07, 2006 @12:55PM (#15085412)

    Ugh. I use one of those at home. I'm glad now that I set a default NTP server when I first set it up, but I doubt this is something most users would do. Here are the instructions for doing this []. I don't know if this applies to the other models listed above.

    This might also be useful: List of NTP Pool Servers []

  • cname isn't enough (Score:2, Informative)

    by Terje Mathisen ( 128806 ) on Friday April 07, 2006 @12:57PM (#15085436)
    PHK have (of course!) considered moving his box to a new DNS name, the problem lies in the way it is used:

    By moving it, he'll require every single BGP router in Denmark to be reconfigured, if you read his Open Letter you'll notice that he has considered and rejected this option as unworkable.

    (Who's been hosting windows ntp binaries for several years now, at [])
  • Email Addresses (Score:3, Informative)

    by wonkavader ( 605434 ) on Friday April 07, 2006 @01:22PM (#15085770)
  • by ajs ( 35943 ) <ajs AT ajs DOT com> on Friday April 07, 2006 @01:34PM (#15085920) Homepage Journal
    Someone else replied, but let me actually EXPLAIN. is a collection of volunteer NTP servers, served up via DNS. You should not expect to get meaningful results from pointing a Web browser at such a host name, but because it is random, you could end up hitting (assuming they volunteered) or some guy that just set up an Apache server. [] is what you meant, as a simple google search for "pool ntp" would have told you.

  • by jeavis ( 198354 ) on Friday April 07, 2006 @02:06PM (#15086233)
    The problem is that he gets a free ride at DIX based on his server using only a nominal amount of bandwidth. The UDP traffic he's receiving is more than DIX is willing to tolerate for gratis colocation, and there is no reasonable way to stop it on the receiving end.
  • Re:Easy fix (Score:3, Informative)

    by gstoddart ( 321705 ) on Friday April 07, 2006 @02:09PM (#15086265) Homepage
    How long do you think D-Link would take to remove his ntpd from the firmware if having his ntpd makes the D-Links look defective? Hint: Support phone calls cost D-Link $$$.

    How long do you think it would take most people to even notice? I bet most people have never heard of NTP.

    How many people do you think are likely to upgrade their firmware? The ones they've already shipped are doing this.

    Hint: If this is a default setting that people are unaware of, they will never cause a suppport call to happen, but they will continue to affect this guys bandwidth bill.

    As he pointed out, had D-Link done this differently, they could have redirected the NTP from within their own organization. As it is now, it's a burned in value that isn't likely to change.
  • Re:Moochers (Score:3, Informative)

    by mpe ( 36238 ) on Friday April 07, 2006 @02:27PM (#15086437)
    Startum 1 servers aren't "expensive" nor are they a limited resource; any time server that pulls its timebase from GPS, for example, is stratum 1.

    The problems come where you have embedded devices which have a small number of (S)NTP servers hardcoded. This can easily create a distributed denial of service, especially since a coder likely do this is also likely to make other mistakes in their implimentation.
    If the idea is for the device to autoconfigure it needs to be picking randomly from a large list or able to discover which server(s) it should be using. e.g. DHCP, SLP, etc.
  • Re:Im confused (Score:2, Informative)

    by jonadab ( 583620 ) on Friday April 07, 2006 @02:29PM (#15086457) Homepage Journal
    It's a stratum-1 NTP server. Stratum-1 NTP servers are *ONLY* supposed to be used by other stratum-1 NTP servers and by stratum-2 NTP servers, *not* by any random device on the internet. A LAN router should *NEVER* be using a stratum-1 NTP server; it should be using a stratum-3 NTP server if possible, or *maybe* a stratum-2 server, with special permission, under unusual circumstances, if there is no stratum-3 server available. If D-Link won't do anything, this guy's going to have to notify everyone who runs a stratum-1 or stratum-2 server in Denmark, give them time to reconfigure, and then shut down the service.
  • Re:Email Addresses (Score:1, Informative)

    by Anonymous Coward on Friday April 07, 2006 @03:25PM (#15086947); (Steven Joe, ceo) (Brad Morse, vp of mktg) (William Brown, cto)

    800-326-1688 (try dialing "0")

  • Re:WTF??? (Score:5, Informative)

    by LurkerXXX ( 667952 ) on Friday April 07, 2006 @03:36PM (#15087055)
    I would have contacted a lawyer right after step four

    Right, because lawyers are cheap... right.

    I like how he doesn't mention any numbers.
    He already has dedicated hosting, do they charge him $1 per megabyte or something?

    If you'd bother to RTFA, once again, he answers how much the hosting is costing him. He talks about numbers all over the place.

    " because I offer this service free of charge and NTP is a low bandwidth protocol, the organization behind the DIX has graciously waived the normal DKR 27.000,00 (approx USD 4,400) connection fee."

    " the current theory is that I will have to close the server or pay a connection-fee of DKR 54.000,00 (approx USD 8,800) a year as long as the traffic is a significant fraction of total traffic to the server."

    " I owe $5000 to an external consultant who helped me track down where these packets came from."

    " I have already spent close to 120 non-billable hours (I'm an independent contractor) negotiating with D-Link's laywers and mitigating the effect of the packets on the services provided to the legitimate users of"

    " Finally I have spent approx DKR 15.000,00 (USD 2,500) on lawyers fees trying to get D-Link to negotiate in good faith."

    " If I closed the server right now, wrote off all the time I have spent myself, then my expenses would amount to between DKR 45.000,00 and DKR 99.000,00 (USD 7,300 to 16,000) and several hundered administrators throughout Denmark would have to spend time reconfiguring their servers.

    If on the other hand we assume I leave the service running and that the unauthorized packets from D-Link products continue for the next five years, the total cost for me will be around DKR 115.000,00 + 54.000,00 per year (approx USD 18,500 + USD 8,800 per year) or DKR 385.000,00 over the next five years (USD 62,000). " block the NTP traffic from anything outside his network if it is sooooo expensive for him. You can do that at the ISP level in most cases.

    He also mentions how blocking traffic is not feasible, and why, IF YOU'D BOTHER TO READ THE FUCKING ARTICLE. Learn how to read or STFU about him being an asshole.

  • by Jesus_666 ( 702802 ) on Friday April 07, 2006 @04:21PM (#15087435)
    I ended up writing a simple perl script to handle the updates instead.

    Here's a ready-made Perl-scripted daemon for this kind of stuff: []
  • by Anonymous Coward on Friday April 07, 2006 @04:53PM (#15087736)
    From the RFC website: []

    10. Best Practices

          NTP and SNTP clients can consume considerable network and server
          resources if they are not good network citizens. There are now
          consumer Internet commodity devices numbering in the millions that
          are potential customers of public and private NTP and SNTP servers.
          Recent experience strongly suggests that device designers pay
          particular attention to minimizing resource impacts, especially if
          large numbers of these devices are deployed. The most important
          design consideration is the interval between client requests, called
          the poll interval. It is extremely important that the design use the
          maximum poll interval consistent with acceptable accuracy.

          1. A client MUST NOT under any conditions use a poll interval less
                  than 15 seconds.

          2. A client SHOULD increase the poll interval using exponential
                  backoff as performance permits and especially if the server does
                  not respond within a reasonable time.

          3. A client SHOULD use local servers whenever available to avoid
                  unnecessary traffic on backbone networks.

          4. A client MUST allow the operator to configure the primary and/or
                  alternate server names or addresses in addition to or in place of
                  a firmware default IP address.

          5. If a firmware default server IP address is provided, it MUST be a
                  server operated by the manufacturer or seller of the device or
                  another server, but only with the operator's permission.

          6. A client SHOULD use the Domain Name System (DNS) to resolve the
                  server IP addresses, so the operator can do effective load
                  balancing among a server clique and change IP address binding to
                  canonical names.

          7. A client SHOULD re-resolve the server IP address at periodic
                  intervals, but not at intervals less than the time-to-live field
                  in the DNS response.

          8. A client SHOULD support the NTP access-refusal mechanism so that
                  a server kiss-o'-death reply in response to a client request
                  causes the client to cease sending requests to that server and to
                  switch to an alternate, if available.

  • by brunson ( 91995 ) on Friday April 07, 2006 @05:24PM (#15087980) Homepage
    The right server to put in there is "". I would have hoped the someone at D-Link was aware of that DNS pool.
  • Re:WTF??? (Score:3, Informative)

    by phkamp ( 524380 ) on Friday April 07, 2006 @05:31PM (#15088026) Homepage
    Dear Zardo,

    I never use anonomity to hide behind, I have no opinions of which I am ashamed.

    You seem to be missing a very fundamental point in this: I live in Denmark.

    Danish lawyers are not allowed to work on contingency. You get your bill first, then the verdict.

    Therefore, $2500 in lawyers fees is actually not very much over here. If I tried to get this case in front of a judge, I would have to pay something like ten times that.

    Furthermore, you seem to question a lot of things you could have determined for yourself by reading the actual letter I wrote.

    Finally, I have probably done more for the internet and open source than you will ever be able to imagine so if you want to paint me as a simple extortionist, you may have a bit of trouble making people belive you.

    In all likelyhood, I wrote the function which protects your password.


  • Re:Email Addresses (Score:2, Informative)

    by bp+m_i_k_e ( 901456 ) on Friday April 07, 2006 @05:57PM (#15088167)
    Add the investor relations address ( which is attributed to a few different people.

    Gavin Lee
    Deputy Manager, Investor Relations & Corporate Communications

    Tracy Wang
    Media Contact, Investor Relations & Corporate Communications

    A.P. Chen
    (from sii&page=profiles&list=alphabet&alphabet=D [])
  • by Anonymous Coward on Friday April 07, 2006 @06:01PM (#15088189)
    1. D-Link update with a USER_AGENT of 'client/1.0' (how original). This violates all published dynamic DNS specifications, be it DynDNS, TZO.COM, no-ip etc
    2. DynDNS blacklists these D-Link routers (block all agents using 'client/1.0')
    3. D-Link responds by changing USER_AGENT to be '$username/1.0' (where $username is your ddns username).

    I'm NOT kidding you. They took the time to do a string change to circumvent blocking, but not solve the problem! Fuck, why not set the USER_AGENT to 'Mozilla' while you're at it. Jerks.
      (earth to D-Link... send at LEAST 'dlink_piece_of_shit/1.0'... or better yet send 'dlink [router:$routerver/firmware:$fwver]' so maybe only SOME of your routers get blacklisted. )

    DynDNS blocks D-link routers. TZO, and no-ip currently do not.

    Who pays for the customer's phone angst? Not D-Link... they've already set Support expectations SO LOW no professional will talk to them.

    I even put one of their fucking routers WAN ports under a packet sniffer, and SENT THEM A HOW-TO on fixing their router! My request was last seen in Mumbai-istan-dia by a script reader named 'Steve'. These people follow RFCs as well as Myspace or GoDaddy. Outsourced Customer service is not going to be proactive about protecting a reputation of their employer's employer.

    D-Link have 6 "OEM developers" who are outside contracters. When they have to fix a bug in one OEM's product, there is NO CODE SHARING with the other development teams. It's the customer's fault for not reporting the bug in every affected model, you see...

    Why should D-Link care about stealing anyone's bandwidth from their own firmware bugs?
    From their perspective, these things still fly off the shelf at Best Buy.

    You can enable dynamic DNS in a D-link, and if you do NOT set the username and password (meaning the DDNS will fail), they HAMMER on the update server. Oh gee, a failed update means RETRY right?
    The motherfucking OEM coders in Taiwan skip reading the specs because they are only written in English.
    If QA doesn't complain, ship it.

    Disclaimer: I work for one of these dynamic DNS companies. Avoid D-Link... go with Linksys or SMC or Buffalo or US Robotics. For the love of god stay away from D-Link PLEASE!
  • by Anonymous Coward on Friday April 07, 2006 @07:50PM (#15088743)
    Well I'm not sure about the others, but the nist servers are okay for anyone to use. That's what they're there for. []

    and their server list: (which is listed on.) tml []

    I'm using to set my clocks here.
  • by Bun ( 34387 ) on Friday April 07, 2006 @08:32PM (#15088927)
    5. If a firmware default server IP address is provided, it MUST be aserver operated by the
        manufacturer or seller of the device or another server, but only with the operator's

    Looks like D-Link is violating #5...
  • by Snaller ( 147050 ) on Saturday April 08, 2006 @04:55AM (#15090063) Journal
    The guy had help in finding out who it was who abused his service, by Richard Clayton, he writes in his blog about this: "on a typical day he'd receive 3.2 million bad packets (that's 37 a second!). "

    Here he explains how he traced down who was behind, what he calls a DDoS attack: His blog []

No problem is so large it can't be fit in somewhere.