Follow Slashdot stories on Twitter


Forgot your password?

D-Link Firmware Abuses Open NTP Servers 567

DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
This discussion has been archived. No new comments can be posted.

D-Link Firmware Abuses Open NTP Servers

Comments Filter:
  • Moochers (Score:5, Insightful)

    by suso ( 153703 ) * on Friday April 07, 2006 @10:39AM (#15084052) Homepage Journal
    Give people an inch and they take a mile. I don't see why D-Link and Netgear couldn't just make their own stratum-1 NTP servers. I mean, if you trust the brandname enough for your routing, don't you trust them enough for your time as well?
  • by MECC ( 8478 ) * on Friday April 07, 2006 @10:40AM (#15084065)
    I'd think they could just firewall off just their ntp servers, and only allow certain networks in - their networks. Of course, it wouldn't be open anymore, but with PHBs trolling around like daleks, opening things up the general internet public is getting more and more difficult.

  • by bersl2 ( 689221 ) on Friday April 07, 2006 @10:42AM (#15084074) Journal
  • (Score:3, Insightful)

    by martin ( 1336 ) <maxsec@gmail . c om> on Friday April 07, 2006 @10:44AM (#15084093) Journal
    Should be using surely........

    or am I being daft again..

  • Blacklist time (Score:4, Insightful)

    by phil reed ( 626 ) on Friday April 07, 2006 @10:45AM (#15084101) Homepage
    Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.
  • Re:Im confused (Score:5, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Friday April 07, 2006 @10:49AM (#15084137)

    So let me get this straight... this guy hosts an NTP server and is pissed because... its being used as an NTP server?

    If I set up an NTP server, say for my university, and left it open for others, I also might think it a bit unorthodox if a multinational corporation hardcoded all there gear (which was deployed internationally) to query it. This is for several reasons. First, it generates unneeded bandwidth and violates convention by not using a local NTP server. Second, it means thousands of people are relying on one person for their gear to work properly, a person the company did not even bother to consult. What if he decides to change the time by five hours, just for fun? It is bloody irresponsible of the manufacturer to give him that option. And what happens if the server is deprecated or the hostname and IP changed in a reworking of the network? Tons of wasted traffic as they ping his IP space.

  • by Anonymous Coward on Friday April 07, 2006 @10:54AM (#15084178)
    He's not just any guy. He is one of the main FreeBSD developers. His work is used directly and indirectly by millions of people (yourself included) each day. It's even quite possible that D-Link uses FreeBSD.

    When we see how much this man gives to the community for free, and the extremely high-quality of his work, I can't but help support him in this matter.

    I, for one, would consider donating to a fund to help him battle this menace, even though I'm not a Danish citizen. I would hope that Netgear, Cisco and others would help him financially, as well.

  • Re:Easy fix (Score:3, Insightful)

    by gstoddart ( 321705 ) on Friday April 07, 2006 @10:54AM (#15084182) Homepage
    If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)

    Except, he'd still end up paying the $8000 USD bandwidth fees for the privelege of lying to people he'd rather not be connecting to him in the first place.

    An awfully expensive practical joke, don't you think?

    So he's stuck paying the bill, unless he wants to disconnect his legitimate users.
  • Re:Fishy (Score:3, Insightful)

    by rycamor ( 194164 ) on Friday April 07, 2006 @10:54AM (#15084183)
    And it never occured to him to systematically unplug each device to see if it was the one causing the problem and then spend $99 on a new router? Something seems mighty fishy to me.

    Either this is a very weak attempt at a troll, or an incredible demonstration of ignorance.
  • by thinkliberty ( 593776 ) on Friday April 07, 2006 @10:56AM (#15084198)
    if you dont want people to use your NTP server then logic would dictate dont set one up in the first place

    That is one of the dumbest things I have ever heard.

    Using your twisted logic there is nothing wrong with spammers sending people hundreds of thousands of unsolicited commercial email a day. If people don't want spam then they should not have set up an email address right?
  • Re:Im confused (Score:5, Insightful)

    by honkycat ( 249849 ) on Friday April 07, 2006 @10:57AM (#15084203) Homepage Journal
    He followed standard protocol for NTP servers, which is to list the restrictions on the use of your server with its entry on the NTP server list. System administrators are supposed to check this to make sure they're not making an unauthorized connection. They're also supposed to contact the NTP server administrator to let him know they're using the server, unless the server admin states otherwise.

    You can learn all this and check the list to be sure you comply within 10 minutes thanks to the power of Google. Any responsible company would know this and do so. D-Link made a big mistake (not in terms of the impact on them, sadly) and is evidently refusing to own up.

    As others have pointed out, it's not easy to implement the restrictions that would enforce the access policy. It's also sad, though not surprising, that one would have to. It'd be one thing if the server was the target of script kiddie DOS attacks, but a legitimate company selling network products really ought to know better (and care).
  • by MikeRT ( 947531 ) on Friday April 07, 2006 @11:02AM (#15084243)
    So why didn't they just own up to the mistake, update the firmware and cut him a check for his expenses plus a 5% or so to apologize for the inconvenience? Bureaucrats and lawyers who cannot admit that they are wrong only end up creating more public disgust with their behavior. When you find yourself digging a hole, stop digging!
  • Re:Moochers (Score:4, Insightful)

    by archen ( 447353 ) on Friday April 07, 2006 @11:05AM (#15084265)
    I mean why in the hell does cheap dlink crap need to connect to stratum-1 servers? Seriously these things should be running on stratum-3 or lower. I doubt the FBI will come into your home with national security at stake and the whole world ENDS because your $40 dlink router is off by half a second. Why doesn't dlink run their own damn ntp server off of the stratum-1 (making them stratum 2 - stratum 1 is sortof expensive). There is no need for these things to have this level of time precision - they just need ballpark correct time.
  • Re:Moochers (Score:4, Insightful)

    by suso ( 153703 ) * on Friday April 07, 2006 @11:06AM (#15084284) Homepage Journal
    I'm not considering good will, appreciation, or the right thing to do. None of these things apply to a business unfortunately.

    Eh hem, at the risk of sounding like a troll, they apply to my business damnit and don't you forget that.

    The problem is, when you do the right thing, like enforcing security over convience, customers don't always appretiate it.
  • by 91degrees ( 207121 ) on Friday April 07, 2006 @11:17AM (#15084404) Journal
    Change the DNS name. Granted, he gives reasons for not wanting to do this, but the only practical alternative is to shut down the server entirely. This will still require 2000 or so system administrators to reconfigure their servers, so he might as well provide a logical alternative.
  • Stupid idea.... (Score:3, Insightful)

    by JaJ_D ( 652372 ) on Friday April 07, 2006 @11:20AM (#15084434)
    ...why don't you change the one they (D-Link) use to (basically) lie about the time! Deliberatly send out the wrong information. Altered the config for the customers of dix and let the D-Link customers go mad at D-Link

    Brutal but (in theory) affective....

  • by jbolden ( 176878 ) on Friday April 07, 2006 @11:24AM (#15084471) Homepage
    I think unauthorized is going to be tough to prove.

    1) The name of the server is public
    2) The address of the server is public
    3) The access to the server is public
    4) No attempt has been made to limit traffic.

    To use your trespass analogy:

    land that borders a public park without a fence without anything distinguishing it from the park.

    More importantly the time doesn't meet the criteria:

    (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

    (B) information from any department or agency of the United States; or

    (C) information from any protected computer if the conduct involved an interstate or foreign communication;


    As for theft of service. No way. DLink would need control of the service. I assuming you mean criteria (b) below:

    a) -- deception or threat
    b) -- Knowingly or purposely diverts another's services to the actor's own benefit or to the benefit of a third person, when the actor has control over the disposition of services to another to which the actor is not entitled; or
    c) -- holding personal property beyond the expiration of rental period without consent of the owner." He can't allege anything of the sort.

  • by utexaspunk ( 527541 ) on Friday April 07, 2006 @11:28AM (#15084514)
    I had heard a lot of complaints like this about D-Link hardware and had thus avoided them when purchasing network products. But a few months ago, I was in the market for a wireless router. I started off with a Netgear router because I had good success with one of the old purple metal boxes I bought a long time ago. I live in an apartment with a lot of nearby wireless networks, so perhaps the SNR was just too small, but I was constantly losing the connection. Even the wired ethernet connection would drop off momentarily on a regular basis. I fiddled with it for a long time to no avail, so I figured maybe they've gone downhill since moving to the pretty white boxes. When I lived with my parents for a year after college, they had a Linksys WRT54G that seemed really reliable and powerful (although their aluminum siding and roof probably didn't hurt) so I exchanged the Netgear for a Linksys. No problem with the wired connection, but again the wireless problems persisted.

    I decided I'd get smart about it and look at reviews online and I saw a lot of good reviews for the D-Link DI-634M []. I was a little wary because of what I'd heard before, but I went ahead and gave it a shot. Let me tell you- this thing is GREAT. Set up was a breeze, I didn't have to fiddle with anything, the signal is strong and steady from all over the apartment and in our courtyard downstairs -enough even the wired connection is noticably faster. Maybe the company has had a turnaround, or maybe this product is just an exception, or maybe it's due to fail on me at any minute, but so far I've been quite impressed with this product. YMMV.
  • by spatenbrau ( 926486 ) on Friday April 07, 2006 @11:30AM (#15084528)
    I'm surprised phk is screwing around writing long-winded letters. Much faster would have been to just add a dns A-record entry by the name of for the legit users and have them use that server. The old entry should be made into a CNAME for That would put the crushing levels of ntp traffic back where it belonged -- right on Dlink's doorstep.
  • by rAiNsT0rm ( 877553 ) on Friday April 07, 2006 @11:30AM (#15084530) Homepage
    Whoa, Whoa, Whoa here! You tryin to get yourself sued or have men in black suits show up at your door?!?

    let's get this straight, businesses taking responsibility for their mistakes, paying restitution to the poor bastard who was wronged with a little extra compensation *instead* of paying four times the amount to a lawyer and the guy getting a check for $40 and a free happy meal? Preposterous!!!

    Seriously, between this and the paper I read about tying congressional pay raises directly to minimum wage increases it almost seems like Americans are finally waking up and starting to get tired of being walked all over like a doormat. Nah, must just be April Fools.
  • Block it and watch (Score:2, Insightful)

    by mOOzilla ( 962027 ) on Friday April 07, 2006 @11:31AM (#15084538)
    Block it and watch as the chaos follows with consumers returning "defective" products :)
  • by tehwebguy ( 860335 ) on Friday April 07, 2006 @11:38AM (#15084584) Homepage
    ATTN: President & CEO
    17595 Mt. Herrmann St
    Fountain Valley, CA 92708

    I have recently read an open letter to D-Link available at the following URL: []

    I must say that I am disgusted with D-Link's poor choice of action. D-Link may
    think that abuse such as this will go un-noticed, but that is not the case.

    While I don't expect my actions to bring your corporation to its knees, I am the
    "geek" of my family, and I have taken a personal stand by ordering Linksys
    products to replace any and all of the D-Link networking gear that my parents,
    siblings, cousins, and roomates are using. I hope that my sacrifice puts a dent
    in the damage your corporate negligence has caused Mr. Kamp.
  • by b1t r0t ( 216468 ) on Friday April 07, 2006 @11:53AM (#15084753)
    After all, wouldn't everyone else not be affected since the NTP pool can re-route the traffic to the new server?

    What the hell are you babbling about? There's no such thing as an "NTP pool" that can "re-route" anything. The D-Link just has a hardcoded list and keeps trying whichever ones it feels like until it gets a response.

    And if he renames his server, he just breaks it for the people who are supposed to be using it. He could try creating an alias for his server and convincing his users to switch over a period of time, but the abuse would still keep coming during that time. And that still doesn't stop the DNS queries. Also note that in the Netgear case, IP numbers were hard-coded, so no "renaming" could be done, and it was nearly impossible to filter the traffic early enough to make a difference.

  • by TubeSteak ( 669689 ) on Friday April 07, 2006 @11:55AM (#15084767) Journal
    Big companies tend to treat certain groups of people like terrorists (we don't negotiate with terrorists) because they're afraid that if they give money to one of them, more will come out of the woodwork.

    Your solution might be obvious to us, but when it's your money... you might do what they did and just hope the guy goes away. Like TFA says, he can't afford to sue them, so other than publicly shaming D-Link, all he can do is bugger off.

    Either way, I hope some idiot programmer(s) gets fired at D-Link. You shouldn't have someone writing firmware if they don't know best practices & I don't know of many companies that wouldn't fire someone who screwed up so visibly.
  • by Anonymous Coward on Friday April 07, 2006 @12:04PM (#15084850)
    I would get a new DNS entry, use my existing IP address for NTP, and have all my clients pointing to a new IP for NTP purposes. Next, I would purposely keep my existing NTP server running yet have it feed totally erroneous time information. Or maybe I would find a D-Link address and point my old NTP name to that address. More and more I find these days that people respect something they can physically touch or experience; they dont aprpeciate nor care to take the time to understand knowledge.
  • by plague3106 ( 71849 ) on Friday April 07, 2006 @12:25PM (#15085072)
    I have to disagree; I have nothing be dlink routers and wireless adapaters, and they all work fine for me. I never had a problem with them.
  • by SatanicPuppy ( 611928 ) <> on Friday April 07, 2006 @12:33PM (#15085143) Journal
    The real issue is, as no one seems to be recognizing, that you have to set your desktop machine to connect to the router, and sync the time.

    And since D-Link is not a brand with a great reputation in the segment of the population who knows HOW to do that, all we're going to end up with is a bunch of routers with crewy internal time, and a bunch of clueless users who will never know it.
  • by Spaceman40 ( 565797 ) <(gro.mca) (ta) (sknilb)> on Friday April 07, 2006 @12:39PM (#15085217) Homepage Journal
    I figured - I mean, it depends on how they store their strings, definitely. At the very least, you could open up a plaintext editor (vim or whatever) and change it to another name with the same length, but you'd have to make sure you changed it wherever it appeared.

    Even so, it doesn't fix the underlying problem: D-Link is using level (my vocab escapes me) 1 NTP servers for mass-produced client hardware, with only a firmware way of changing them. There are several problems just there that won't be fixed by changing this one name.
  • by imp ( 7585 ) on Friday April 07, 2006 @01:14PM (#15085653) Homepage

    Anyway, my point is that the guy concentrated more on exposing his problems and demanding payment for his expenses than detailing the problem itself, which would be healthier to his servers, as this would prompt at least some more people to update their routers.

    Actually, you haven't read the letter, have you? In it he outlines the problem fairly well. He lists the actual expenses that he's incurred because this bone-headed dlink stunt has cost him a ton of money. He'd be very happy if dlink just said 'ok, we were wrong, here's the fixed firmware, sorry for the hassle'. He does present the '' solution there.

    When corprate customer misbehave and abuse system resources, it costs people actual money. In this case, a lot of money, as well as jeorpodizing a service to the users in denmark that Poul-Henning has been providing to them out of the kindness of his heart. Now to have some evil company come in and abuse that is bad enough. But to paint him as a money grubbing scum is over the top.

  • Re:WTF??? (Score:3, Insightful)

    by LurkerXXX ( 667952 ) on Friday April 07, 2006 @01:18PM (#15085708)
    Why not just take the money and be satisfied?

    If you'd bother to read the article, you'd see that their offer didn't even cover his most direct expenses, let alone all the inderects this thing has/will cause.

    If you make an open NTP server you don't have any legal rights other than to turn it off

    His NTP server lists it's terms of service. D-link is breaking those. I think a court is better suited to say if this is illegal than some idiot on /. who can't even RTFA.

  • by ajs ( 35943 ) < minus berry> on Friday April 07, 2006 @01:47PM (#15086066) Homepage Journal
    I don't get why D-Link doesn't just solve the problem. All they need to do is put up an with a simple mock DNS server that checks the requesting IP, and returns the closest known, public (or authorized for that network) NTP server as a CNAME. In most of the cases, that's going to be the IP's ISP-provided NTP server, which D-Link could easily compile a list of from ISP Web-sites. It's like 2 weeks of one person's work to write the server, gather data, and solve 80% of the problem (and avoid doing this to companies that CAN afford to sue in the future). This would also allow organizations to request special listings in D-Link's table.

    Even in the case where the request comes from a recursive lookup, it should (in almost all cases) come from a DNS server which indicates the rough location (in terms of Internet topography) of the client.

    Of course, they could also obey DHCP responses (either to the device or to a directly connected IP) as a fallback, solving even more of the problem.
  • by mpe ( 36238 ) on Friday April 07, 2006 @03:20PM (#15086897)
    I can see some D-link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name".

    Can't that easily be re-written to "Remember not to visit the European Union"?
  • Re:WTF??? (Score:1, Insightful)

    by Anonymous Coward on Friday April 07, 2006 @03:35PM (#15087048)
    Just read the freaking article, asshole.

    Either that, or you work for D-Link yourself.

  • by sp0rk173 ( 609022 ) on Friday April 07, 2006 @04:00PM (#15087268)
    Simple or not for a slashdotter, i know several users who can't even figure out the default password to their routers, despite it being plainly stated in their operating manuals (the particular case i'm thinking of is a relative of mine who called me asking what his linksys wireless router's password was. The manual clearly states that it is "admin" in several places).

    Most users of routers these days have no idea what NTP means, nor what an NTP server is...nor even what firmware is. Do you really expect that him putting hours of work into researching which routers are and are not effected, then posting those on a website that a tiny percentage of users even know about will bring any measurable mitigative effect on the current problem? How will the majority of D-Link users even know about this issue? I can assure you that most of them do not read slashdot or even know who this dude is. Going directly to the source of the problem (ie, D-Link) really is the only way to get this corrected.
  • Re:WTF??? (Score:3, Insightful)

    by bernywork ( 57298 ) * <[moc.liamg] [ta] [notelpatsb]> on Friday April 07, 2006 @04:06PM (#15087321) Journal
    Who cares what they were going to pay him? It was less than his costs. It still doesn't solve the issue of what they are going to do about the problem given that they caused it.

    Have you ever worked as a sysadmin or worked admin'ing servers at an ISP? Hell, worked on anything big that has something to do with the internet? Your cable / DSL line doesn't count here.
  • by phkamp ( 524380 ) on Friday April 07, 2006 @05:08PM (#15087852) Homepage
    We are not talking HTTP here. Robots.txt does not apply.

    The place where the service restriction is clearly written out, the "stratum 1 list" is the only place where DLink can have found the name of the NTP server in the first place.

    As several posters have pointed out: consumer devices like these have no need to query stratum 1 servers.

    As I said clearly in my letter: filtering will not prevent me from getting hit with bandwidth charges of $8800/year.

    I have not tried sending any bogus return packets because that would hit innocent consumers who bought D-Links defficient products.

    And for the people who could have identified the source of these packets so much faster and easier: Drop me an email, I'll be sure to ask for your help next time.

    Finally, I can see that more than 40 people at D-Link Irwine ( have read the open letter now, please guys: get somebody to call me or email me so we can get this matter settled. (both email and phone# is in the open letter)

  • Re:Blacklist time (Score:3, Insightful)

    by RedBear ( 207369 ) <> on Friday April 07, 2006 @05:18PM (#15087938) Homepage
    Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.

    I always wonder about something whenever someone suggests boycotting an entire company's products like this because of a few little problems. Namely, which perfect heart-warming angel company am I supposed to shop with from now on? Don't Linksys, Netgear, Belkin, IOGear, etc. all have their own problems? Last time I checked Belkin was building some seriously boneheaded ideas into their routers, and got burned for it pretty bad. Are we supposed to build our own routers out of Linux boxen or something to satisfy your outrage over some technical glitches? Please get over yourself unless you can provide us with a good argument that Company X is somehow immensely more evil than companies A, B, and C. We have to get our cheapo networking equipment somewhere.

  • by dougmc ( 70836 ) <> on Saturday April 08, 2006 @02:47AM (#15089865) Homepage
    From the RFC website: []
    Yes, and that's a relevant thing to add to this discussion, but you should keep in mind (or mention if it's already in mind) that RFC stands for `Request for Comments', not `Rules that must never be broken' or even `Follow these or you'll be sent to Gitmo.'

    Violating a RFC may make you a bad person, and certainly it looks like D-link is in the wrong here, but it's not like there's anybody out there enforcing RFCs in any way beyond `you shouldn't be doing that!' (unless they're kooks, of course.

    Now, maybe you could sue somebody for violating a RFC, and perhaps that's what Mr. Kamp should do, but I'm no lawyer and he's already spoken with many about this, so I suspect he has considered it. But it's not likely that any actual laws are being broken here.

    Now, if Mr Kamp wanted to play hardball, he could have his legitimate users of his NTP server move to another name, and then modify the server to return a totally bogus time, which would probably help get the current users of the routers to upgrade their firmware. I suspect that only a small fraction of the users would even notice, but those that do would call D-Link, and those calls would cost D-Link money ...

    Yes, Mr Kamp shouldn't have to do this, and maybe the /. effect (which does go beyond mere web traffic) will prompt D-Link to do what they can to fix the problem they've caused, but it's always an option, one which he's probably already considered.

Bell Labs Unix -- Reach out and grep someone.