D-Link Firmware Abuses Open NTP Servers
DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
Moochers (Score:5, Insightful)
Couldn't they filter (Score:2, Insightful)
Hasn't anybody at D-Link heard of (Score:5, Insightful)
pool.ntp.org (Score:3, Insightful)
or am I being daft again..
Blacklist time (Score:4, Insightful)
Re:Im confused (Score:5, Insightful)
So let me get this straight... this guy hosts an NTP server and is pissed because... it's being used as an NTP server?
If I set up an NTP server, say for my university, and left it open for others, I also might think it a bit unorthodox if a multinational corporation hardcoded all their gear (which was deployed internationally) to query it. This is for several reasons. First, it generates unneeded bandwidth and violates convention by not using a local NTP server. Second, it means thousands of people are relying on one person for their gear to work properly, a person the company did not even bother to consult. What if he decides to change the time by five hours, just for fun? It is bloody irresponsible of the manufacturer to give him that option. And what happens if the server is deprecated or the hostname and IP changed in a reworking of the network? Tons of wasted traffic as they ping his IP space.
He's not just any guy. (Score:2, Insightful)
When we see how much this man gives to the community for free, and the extremely high-quality of his work, I can't but help support him in this matter.
I, for one, would consider donating to a fund to help him battle this menace, even though I'm not a Danish citizen. I would hope that Netgear, Cisco and others would help him financially, as well.
Re:Easy fix (Score:3, Insightful)
Except, he'd still end up paying the $8000 USD bandwidth fees for the privilege of lying to people he'd rather not be connecting to him in the first place.
An awfully expensive practical joke, don't you think?
So he's stuck paying the bill, unless he wants to disconnect his legitimate users.
Re:Fishy (Score:3, Insightful)
Either this is a very weak attempt at a troll, or an incredible demonstration of ignorance.
Re:just change the DNS (Score:3, Insightful)
That is one of the dumbest things I have ever heard.
Using your twisted logic there is nothing wrong with spammers sending people hundreds of thousands of unsolicited commercial email a day. If people don't want spam then they should not have set up an email address right?
Re:Im confused (Score:5, Insightful)
You can learn all this and check the list to be sure you comply within 10 minutes thanks to the power of Google. Any responsible company would know this and do so. D-Link made a big mistake (not in terms of the impact on them, sadly) and is evidently refusing to own up.
As others have pointed out, it's not easy to implement the restrictions that would enforce the access policy. It's also sad, though not surprising, that one would have to. It'd be one thing if the server was the target of script kiddie DOS attacks, but a legitimate company selling network products really ought to know better (and care).
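A way to put numbers on the two points made in the posts above (how much of the load comes from outside the networks the server is meant to serve, and what a server-side restriction can and cannot do about it): the following is an added example, not code from the story, from Poul-Henning Kamp's server, or from any of the commenters. The log lines, the served prefixes (RFC 5737 documentation ranges standing in for the DIX-connected networks) and the two-second per-source interval are all constructed assumptions, and the rate limiter is a deliberately simplified stand-in for ntpd's own rate limiting, not a copy of it.

```python
import ipaddress
from collections import Counter

# Constructed sample of requests as seen at the NTP server, one per line:
# "<unix timestamp> <source IP> <UDP payload bytes>". RFC 5737 documentation
# addresses only; 203.0.113.0/24 plays the part of the unexpected clients.
SAMPLE_LOG = """\
1143820800.00 192.0.2.10 48
1143820800.50 192.0.2.11 48
1143820801.00 198.51.100.7 48
1143820801.05 203.0.113.5 48
1143820801.06 203.0.113.5 48
1143820801.07 203.0.113.5 48
1143820801.08 203.0.113.5 48
1143820802.00 203.0.113.9 48
1143820802.01 203.0.113.9 48
1143820803.00 192.0.2.10 48
1143820803.50 203.0.113.5 48
1143820804.00 203.0.113.77 48
"""

# Placeholder for the networks the server is meant to serve (the story's
# DIX-connected peers); the real prefix list is not given on the page.
SERVED_PREFIXES = [ipaddress.ip_network(p)
                   for p in ("192.0.2.0/24", "198.51.100.0/24")]

IP_UDP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte UDP header
MIN_INTERVAL = 2.0     # assumed: seconds between answered requests per source


def parse_log(text):
    """Parse the sample format into (timestamp, ip, payload_len) tuples.

    Malformed lines are skipped rather than aborting the whole analysis.
    """
    requests = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            requests.append((float(parts[0]),
                             ipaddress.ip_address(parts[1]),
                             int(parts[2])))
        except ValueError:
            continue
    return requests


def is_served(ip):
    """True if the source lies in a prefix the server is meant to serve."""
    return any(ip in net for net in SERVED_PREFIXES)


def rate_limit(requests, min_interval=MIN_INTERVAL):
    """Simplified per-source rate limit: answer a request only if at least
    min_interval seconds have passed since the last *answered* request
    from the same source. Returns (answered, dropped)."""
    last_answered = {}
    answered, dropped = [], []
    for req in requests:
        ts, ip, _ = req
        prev = last_answered.get(ip)
        if prev is None or ts - prev >= min_interval:
            last_answered[ip] = ts
            answered.append(req)
        else:
            dropped.append(req)
    return answered, dropped


def wire_bytes(requests):
    """Bytes on the wire for these requests (payload plus IP/UDP headers)."""
    return sum(size + IP_UDP_OVERHEAD for _, _, size in requests)


def analyse(text):
    """Attribute load to served vs. outside sources and show what a
    server-side rate limit changes (responses sent) and what it does not
    (bytes that still arrive on the link)."""
    requests = parse_log(text)
    outside = [r for r in requests if not is_served(r[1])]
    answered, dropped = rate_limit(requests)
    share = round(len(outside) / len(requests), 3) if requests else 0.0
    return {
        "total": len(requests),
        "outside": len(outside),
        "outside_share": share,
        "answered": len(answered),
        "dropped": len(dropped),
        # Inbound bytes are unaffected by anything the server decides.
        "bytes_in": wire_bytes(requests),
        "bytes_in_from_outside": wire_bytes(outside),
        "top_outside_sources": Counter(str(ip) for _, ip, _ in outside).most_common(3),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample two thirds of the requests come from outside the served prefixes, and the rate limit cuts the responses sent but leaves the inbound byte count untouched, which is exactly why filtering at the server does not reduce the bandwidth bill.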
Re:Moochers (Score:4, Insightful)
Eh hem, at the risk of sounding like a troll, they apply to my business damnit and don't you forget that.
The problem is, when you do the right thing, like enforcing security over convenience, customers don't always appreciate it.
Why not rename the server (Score:3, Insightful)
Stupid idea.... (Score:3, Insightful)
Brutal but (in theory) effective....
Jaj
Re:A couple of possibilities (Score:3, Insightful)
1) The name of the server is public
2) The address of the server is public
3) The access to the server is public
4) No attempt has been made to limit traffic.
To use your trespass analogy:
land that borders a public park without a fence without anything distinguishing it from the park.
More importantly the time doesn't meet the criteria:
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
________
As for theft of service. No way. DLink would need control of the service. I'm assuming you mean criteria (b) below:
a) -- deception or threat
b) -- Knowingly or purposely diverts another's services to the actor's own benefit or to the benefit of a third person, when the actor has control over the disposition of services to another to which the actor is not entitled; or
c) -- holding personal property beyond the expiration of rental period without consent of the owner." He can't allege anything of the sort.
Re:Never buying D-Link again! (Score:3, Insightful)
I decided I'd get smart about it and look at reviews online and I saw a lot of good reviews for the D-Link DI-634M [dlink.com]. I was a little wary because of what I'd heard before, but I went ahead and gave it a shot. Let me tell you- this thing is GREAT. Set up was a breeze, I didn't have to fiddle with anything, the signal is strong and steady from all over the apartment and in our courtyard downstairs -enough even the wired connection is noticeably faster. Maybe the company has had a turnaround, or maybe this product is just an exception, or maybe it's due to fail on me at any minute, but so far I've been quite impressed with this product. YMMV.
cname to the rescue (Score:4, Insightful)
Re:They're clearly wrong here (Score:3, Insightful)
let's get this straight, businesses taking responsibility for their mistakes, paying restitution to the poor bastard who was wronged with a little extra compensation *instead* of paying four times the amount to a lawyer and the guy getting a check for $40 and a free happy meal? Preposterous!!!
Seriously, between this and the paper I read about tying congressional pay raises directly to minimum wage increases it almost seems like Americans are finally waking up and starting to get tired of being walked all over like a doormat. Nah, must just be April Fools.
Block it and watch (Score:2, Insightful)
someone proof read my letter plz (Score:3, Insightful)
17595 Mt. Herrmann St
Fountain Valley, CA 92708
I have recently read an open letter to D-Link available at the following URL:
http://people.freebsd.org/~phk/dlink/ [freebsd.org]
I must say that I am disgusted with D-Link's poor choice of action. D-Link may
think that abuse such as this will go unnoticed, but that is not the case.
While I don't expect my actions to bring your corporation to its knees, I am the
"geek" of my family, and I have taken a personal stand by ordering Linksys
products to replace any and all of the D-Link networking gear that my parents,
siblings, cousins, and roommates are using. I hope that my sacrifice puts a dent
in the damage your corporate negligence has caused Mr. Kamp.
Re:Couldn't they filter (Score:3, Insightful)
What the hell are you babbling about? There's no such thing as an "NTP pool" that can "re-route" anything. The D-Link just has a hardcoded list and keeps trying whichever ones it feels like until it gets a response.
And if he renames his server, he just breaks it for the people who are supposed to be using it. He could try creating an alias for his server and convincing his users to switch over a period of time, but the abuse would still keep coming during that time. And that still doesn't stop the DNS queries. Also note that in the Netgear case, IP numbers were hard-coded, so no "renaming" could be done, and it was nearly impossible to filter the traffic early enough to make a difference.
Re:They're clearly wrong here (Score:3, Insightful)
Your solution might be obvious to us, but when it's your money... you might do what they did and just hope the guy goes away. Like TFA says, he can't afford to sue them, so other than publicly shaming D-Link, all he can do is bugger off.
Either way, I hope some idiot programmer(s) gets fired at D-Link. You shouldn't have someone writing firmware if they don't know best practices & I don't know of many companies that wouldn't fire someone who screwed up so visibly.
If It Happened To Me... (Score:1, Insightful)
Re:Never buying D-Link again! (Score:2, Insightful)
Re:wrong easy fix. try this... (Score:3, Insightful)
And since D-Link is not a brand with a great reputation in the segment of the population who knows HOW to do that, all we're going to end up with is a bunch of routers with screwy internal time, and a bunch of clueless users who will never know it.
Re:Poul-Henning clarifies (Score:3, Insightful)
Even so, it doesn't fix the underlying problem: D-Link is using level (my vocab escapes me) 1 NTP servers for mass-produced client hardware, with only a firmware way of changing them. There are several problems just there that won't be fixed by changing this one name.
Re:List of Affected Products: (Score:3, Insightful)
Actually, you haven't read the letter, have you? In it he outlines the problem fairly well. He lists the actual expenses that he's incurred because this bone-headed dlink stunt has cost him a ton of money. He'd be very happy if dlink just said 'ok, we were wrong, here's the fixed firmware, sorry for the hassle'. He does present the 'ntp.dlink.com' solution there.
When corporate customers misbehave and abuse system resources, it costs people actual money. In this case, a lot of money, as well as jeopardizing a service to the users in Denmark that Poul-Henning has been providing to them out of the kindness of his heart. Now to have some evil company come in and abuse that is bad enough. But to paint him as a money grubbing scum is over the top.
Warner
Re:WTF??? (Score:3, Insightful)
If you'd bother to read the article, you'd see that their offer didn't even cover his most direct expenses, let alone all the indirect ones this thing has/will cause.
If you make an open NTP server you don't have any legal rights other than to turn it off
His NTP server lists its terms of service. D-link is breaking those. I think a court is better suited to say if this is illegal than some idiot on /. who can't even RTFA.
Re:List of Affected Products: (Score:4, Insightful)
Even in the case where the request comes from a recursive lookup, it should (in almost all cases) come from a DNS server which indicates the rough location (in terms of Internet topography) of the client.
Of course, they could also obey DHCP responses (either to the device or to a directly connected IP) as a fallback, solving even more of the problem.
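The selection order this post sketches for a consumer device (honour what the local network advertises, fall back to a vendor pool zone, never a hardcoded public stratum-1 host) as an added example; this is not D-Link firmware, nor code from the story or from any commenter. The DHCP option 42 decoding follows the option's documented format (a list of 4-byte IPv4 addresses); the `example-vendor.pool.ntp.org` zone name, the server cap of four and the `choose_ntp_servers` policy itself are assumptions made for the illustration.

```python
import ipaddress

# Placeholder vendor zone in the public pool project's "N.<zone>" naming
# scheme; "example-vendor" is not a real registered zone.
VENDOR_POOL_ZONE = "example-vendor.pool.ntp.org"
MAX_SERVERS = 4   # assumed cap on how many servers a small device polls


def parse_dhcp_option42(raw):
    """Decode DHCP option 42 (NTP servers): a list of 4-byte IPv4 addresses.

    Returns the usable addresses as strings. A length that is not a
    multiple of four is treated as corrupt and yields no servers; values
    that can never be a unicast NTP server are skipped; duplicates are
    collapsed while preserving the order the DHCP server listed them in.
    """
    if raw is None or len(raw) == 0 or len(raw) % 4 != 0:
        return []
    servers = []
    for off in range(0, len(raw), 4):
        addr = ipaddress.IPv4Address(raw[off:off + 4])
        if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
            continue
        if addr not in servers:
            servers.append(addr)
    return [str(a) for a in servers]


def choose_ntp_servers(dhcp_option42=None, user_servers=(), zone=VENDOR_POOL_ZONE):
    """Assumed server-selection policy for a consumer device:

    1. explicit operator configuration wins,
    2. otherwise the servers the local network advertises via DHCP,
    3. otherwise the vendor's own pool zone.

    Nothing here points at a fixed public stratum-1 host, so the load lands
    on the network the device is actually attached to, or on a pool the
    vendor is accountable for. Returns (servers, reason).
    """
    user = [s.strip() for s in user_servers if s and s.strip()]
    if user:
        return user[:MAX_SERVERS], "user-configured"
    dhcp = parse_dhcp_option42(dhcp_option42)
    if dhcp:
        return dhcp[:MAX_SERVERS], "dhcp-option-42"
    return [f"{i}.{zone}" for i in range(MAX_SERVERS)], "vendor-pool"


if __name__ == "__main__":
    # Constructed option 42 payload: 192.0.2.1 twice and 0.0.0.0 once.
    lease = b"\xc0\x00\x02\x01\xc0\x00\x02\x01\x00\x00\x00\x00"
    print(choose_ntp_servers(lease))
    print(choose_ntp_servers(None))
    print(choose_ntp_servers(lease, user_servers=["ntp.corp.example"]))
```

The interesting property is in the fallback chain: a device that leaves the factory with only a vendor zone configured still gets a working time source everywhere, while the operator of the network it joins can redirect that traffic with a single DHCP option and never has to touch firmware.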
Re:Poul-Henning clarifies (Score:4, Insightful)
Can't that easily be re-written to "Remember not to visit the European Union"?
Re:WTF??? (Score:1, Insightful)
Either that, or you work for D-Link yourself.
Re:List of Affected Products: (Score:3, Insightful)
Most users of routers these days have no idea what NTP means, nor what an NTP server is...nor even what firmware is. Do you really expect that him putting hours of work into researching which routers are and are not affected, then posting those on a website that a tiny percentage of users even know about will bring any measurable mitigative effect on the current problem? How will the majority of D-Link users even know about this issue? I can assure you that most of them do not read slashdot or even know who this dude is. Going directly to the source of the problem (ie, D-Link) really is the only way to get this corrected.
Re:WTF??? (Score:3, Insightful)
Have you ever worked as a sysadmin or worked admin'ing servers at an ISP? Hell, worked on anything big that has something to do with the internet? Your cable / DSL line doesn't count here.
Poul-Henning clarifies more (Score:3, Insightful)
The place where the service restriction is clearly written out, the "stratum 1 list" is the only place where DLink can have found the name of the NTP server in the first place.
As several posters have pointed out: consumer devices like these have no need to query stratum 1 servers.
As I said clearly in my letter: filtering will not prevent me from getting hit with bandwidth charges of $8800/year.
I have not tried sending any bogus return packets because that would hit innocent consumers who bought D-Link's deficient products.
And for the people who could have identified the source of these packets so much faster and easier: Drop me an email, I'll be sure to ask for your help next time.
Finally, I can see that more than 40 people at D-Link Irvine (192.152.81.0/24) have read the open letter now, please guys: get somebody to call me or email me so we can get this matter settled. (both email and phone# are in the open letter)
Poul-Henning
Re:Blacklist time (Score:3, Insightful)
I always wonder about something whenever someone suggests boycotting an entire company's products like this because of a few little problems. Namely, which perfect heart-warming angel company am I supposed to shop with from now on? Don't Linksys, Netgear, Belkin, IOGear, etc. all have their own problems? Last time I checked Belkin was building some seriously boneheaded ideas into their routers, and got burned for it pretty bad. Are we supposed to build our own routers out of Linux boxen or something to satisfy your outrage over some technical glitches? Please get over yourself unless you can provide us with a good argument that Company X is somehow immensely more evil than companies A, B, and C. We have to get our cheapo networking equipment somewhere.
Re:List of Affected Products: (Score:3, Insightful)
Violating an RFC may make you a bad person, and certainly it looks like D-link is in the wrong here, but it's not like there's anybody out there enforcing RFCs in any way beyond `you shouldn't be doing that!' (unless they're kooks, of course).
Now, maybe you could sue somebody for violating a RFC, and perhaps that's what Mr. Kamp should do, but I'm no lawyer and he's already spoken with many about this, so I suspect he has considered it. But it's not likely that any actual laws are being broken here.
Now, if Mr Kamp wanted to play hardball, he could have his legitimate users of his NTP server move to another name, and then modify the GPS.dix.dk server to return a totally bogus time, which would probably help get the current users of the routers to upgrade their firmware. I suspect that only a small fraction of the users would even notice, but those that do would call D-Link, and those calls would cost D-Link money ...
Yes, Mr Kamp shouldn't have to do this, and maybe the /. effect (which does go beyond mere web traffic) will prompt D-Link to do what they can to fix the problem they've caused, but it's always an option, one which he's probably already considered.