Slashdot
Netgear Routers DoS UWisc Time Server
Posted by michael on Fri Aug 22, 2003 12:23 PM
from the RISKs-fodder dept.
numatrix writes "For the last few months, hundreds of thousands of Netgear routers being sold had hardcoded values in their firmware for NTP synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.
Related Stories
Your Rights Online: D-Link Firmware Abuses Open NTP Servers 567 comments
DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
447 comments
and now... (Score:5, Funny)
oh, and fp.
Obligatory Scooby Doo reference (Score:5, Funny)
So who got fired? (Score:4, Interesting)
Yah right. Some hapless low level programmer probably got all the blame for putting test data in there in the first place.
Re:So who got fired? (Score:4, Insightful)
QA isn't just for spell checking.
Re:So who got fired? (Score:5, Insightful)
(http://www.thalen.net/)
Bah.
This is one 'simple mistake' by one company that managed to send a constant "250,000 packets-per-second (and over 150 megabits-per-second)".
Now I know Netgear is a pretty big outfit, but there are LOTS of companies like that out there, and these little mistakes can add up. How much network traffic could be avoided with proper programming?
Also, this kind of makes me think about the useless network activity my XP box (bleh) tries to send out. Multiply that by millions and millions, and you get a number a whole lot bigger than the one above.
Who pays for all that wasted bandwidth?
Re:So who got fired? (Score:5, Insightful)
Windows Time Service (Score:4, Interesting)
(http://slashdot.org/)
One would expect millions of XP boxes phoning home daily would overload a time server. For myself, I've changed the NTP server to a different server (which I will not name) and had somewhat more reliable time syncing.
The commands are net time
Re:Windows Time Service (Score:4, Insightful)
(http://print-bingo.com/ | Last Journal: Monday August 04 2003, @12:43AM)
Re:So who got fired? (Score:5, Insightful)
Netgear reported that the non-UW addresses were used for debugging by the developers.
Here's the interesting part: at least two of those are 12.* addresses --- cablemodems with attbi.com. So if you want to know who the developer responsible is, it might be a reasonable guess it's whoever lives at those IP addresses!
Re:So who got fired? (Score:5, Insightful)
(http://www.nulldevice.com/)
This was a big screwup - when an NTP query fails, you don't start retrying every second until it comes back. You don't hardcode a single server address for it. And you don't put this in 700,000 pieces of released hardware.
Poor uWisc (Score:5, Funny)
Now the
Bad form in general (Score:5, Insightful)
(http://www.swampgas.com/)
Or any other kind of software for that matter.
Indeed (Score:5, Funny)
"/* Huge Bodge */"
"/* Kludge */"
"/* Magic numbers are cool */"
Re:Indeed (Score:4, Funny)
(http://localhost/)
/* Too drunk -- debug later */
I did that to myself once (Score:5, Funny)
If they did it to my NTP server... (Score:5, Funny)
(http://domain.broken...registrar.joker.com/)
Alas, not true... (Score:5, Informative)
This is a case of ill-designed, badly written, poorly debugged, wretchedly tested code. The article details the testing of a code fix that still didn't fix things properly. On the bright side, Netgear is trying to Do The Right Thing now, and they deserve credit for that.
Hasn't /. learned? (Score:5, Funny)
(http://supercheetah.livejournal.com/ | Last Journal: Friday March 04 2005, @03:24AM)
In other news at the University... (Score:5, Funny)
Our usage graph...You Jerks! (Score:5, Interesting)
(http://www.cs.wisc.edu/~stefan)
http://www.cs.wisc.edu/cgi-bin/cricket/grapher.cg
Yeah, I work at the CSL at UW Computer Sciences, and the tracking of this netgear issue was quite an interesting tale. Had us stumped for quite some time.
Re:Our usage graph...You Jerks! (Score:5, Funny)
(Last Journal: Thursday August 25 2005, @10:23PM)
Go ahead, give us another, I dare ya!
Re:Our usage graph...You Jerks! (Score:4, Insightful)
(Last Journal: Thursday January 10 2002, @10:55AM)
don't get me wrong, I love the irony, but your network admins are having enough troubles on a Friday already.
Re:Our usage graph...You Jerks! (Score:5, Informative)
(http://www.cs.wisc.edu/~stefan)
The load is fine. It's already subsiding. We can handle slashdottings, heh.
Look at the weekly graph, we had 2 this week already!
Just slows down for a while, but doesn't break anything.
Re:Our usage graph...You Jerks! (Score:5, Funny)
(http://honeypot.net/ | Last Journal: Thursday November 15, @11:49AM)
ShortSpecialBus, eh? ;-)
I wonder what NetGear's liability is. (Score:5, Interesting)
Re:I wonder what NetGear's liability is. (Score:5, Insightful)
(http://www.eyemud.com/ | Last Journal: Thursday August 02, @11:28AM)
As for the damages, those are somewhat vague. Sure, maybe they could be made to pay for the bandwidth used. The big hit would probably be punitive damages unrelated to the actual loss.
This would be a fun case and I would encourage them to sue. So many frivolous lawsuits floating around - this one would actually have some merit.
Re:I wonder what NetGear's liability is. (Score:5, Insightful)
It would probably be deductible, passing some of the cost on to us taxpayers; but would sit a lot better with public perceptions of the company.
Set up a few CS scholarships or funding a chair at the University would help.
They could turn it into a publicity coup and end up paying out less in the long run (and screw the lawyers too). Some (not all) insurance companies have finally discovered that it's usually cheaper to negotiate with the plaintiff right away, avoiding all of the sabre rattling and lopping off a third (or more) of the total probable cost.
Litigation is rarely the best answer.
Re:I wonder what NetGear's liability is. (Score:5, Interesting)
(http://www.seanadams.com/)
I mean, we're talking 150+ Mbps here, for months on end. That's $15K/mo in bandwidth, assuming they have a really good deal and pay only $100/Mbps/mo.
Re:I wonder what NetGear's liability is. (Score:5, Informative)
(http://www.upl.cs.wisc.edu/~zimage)
Re:I wonder what NetGear's liability is. (Score:5, Informative)
(http://www.cs.wisc.edu/~stefan)
Now did NetGear get permission (Score:4, Interesting)
(http://www.dailykos.com/user/eAddict)
Re:Now did NetGear get permission (Score:5, Informative)
(http://www.wdogsystems.com/ | Last Journal: Thursday October 06 2005, @10:10AM)
Check out the NTPd man pages- I believe this server is a second echelon mirror.
Analysis Tools used in this article.. (Score:5, Interesting)
(http://blog.peoplesdns.com/)
RRGrapher, FlowScan and Cflow being ones I have never messed with..
Cool.. new tools to play with!
Delicious irony (Score:5, Funny)
Err why ? (Score:3, Insightful)
(http://slashdot.org/ | Last Journal: Friday August 20 2004, @12:38PM)
especially a home router....sounds like another port open for someone to hack at for no real gain....
Re:Err why ? (Score:5, Insightful)
Re:Err why ? (Score:5, Interesting)
(http://www.beresourceful.net/ | Last Journal: Wednesday January 07 2004, @12:40PM)
Home-centric routers do not tend to have their clocks set before shipping, as there is no assurance that a battery keeping that clock powered will be doing so over the entire span of time from manufacture to the customer plugging it in. Even if it did, the drift involved would give some inaccuracy as well.
There are two correct solutions. One is that Netgear should operate their own time server and hard code that server as a secondary or fallback time server. The primary time server should be acquired from the internet service provider when they get their network IP address via DHCP.
-Rusty
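The two comments above (nulldevice's "you don't start retrying every second ... you don't hardcode a single server address", and Rusty's "take the primary from DHCP, keep the vendor server as a fallback") describe what a well-behaved embedded SNTP client should do. The following is an added illustration, not code from the Slashdot thread, the UW write-up or Netgear's firmware. It builds and parses RFC 4330 SNTP packets, orders candidate servers with DHCP-supplied ones first, honours kiss-of-death replies (stratum 0 with an ASCII code such as RATE in the reference identifier), and uses an ntpd-style poll interval that doubles from 2^6 to 2^10 seconds instead of a fixed one-second retry. The network transport is injected as a function so the code runs offline; the server addresses and the `build_reply` helper exist only to construct test traffic and are assumptions of this example.

```python
"""Added example: an SNTP client skeleton with the behaviour the thread says
Netgear's firmware lacked (several servers, DHCP first, backoff, kiss-of-death).
Not the firmware's code. A real client would send build_request() over UDP/123."""
import random
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def _put_timestamp(pkt, offset, ts):
    """Write a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) at offset."""
    secs = int(ts) + NTP_EPOCH_OFFSET
    frac = int((ts - int(ts)) * (1 << 32))
    struct.pack_into("!II", pkt, offset, secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_request(transmit_ts=None):
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3 (client)."""
    if transmit_ts is None:
        transmit_ts = time.time()
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3
    _put_timestamp(pkt, 40, transmit_ts)  # transmit timestamp, used to match replies
    return bytes(pkt)


def build_reply(stratum, refid, transmit_ts):
    """Constructed server reply (mode 4) for offline testing; not captured traffic."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = refid  # for stratum 0 this is the ASCII kiss code, e.g. b"RATE"
    _put_timestamp(pkt, 40, transmit_ts)
    return bytes(pkt)


def parse_response(data):
    """Return the fields a client needs, or raise ValueError on junk."""
    if len(data) < 48:
        raise ValueError("short packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server reply")
    stratum = data[1]
    refid = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "stratum": stratum,
        "kod": refid.decode("ascii", "replace") if stratum == 0 else None,
        "transmit": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
    }


def backoff_delay(attempt, min_poll=6, max_poll=10, rng=random.random):
    """ntpd-style interval: 2**min_poll doubling up to 2**max_poll, plus up to 10%
    jitter so a fleet of identical devices does not fire in lockstep."""
    base = 1 << min(min_poll + attempt, max_poll)
    return base + rng() * base * 0.1


def candidate_servers(dhcp_servers, vendor_fallback):
    """Servers the ISP handed out via DHCP option 42 first, vendor fallback last."""
    ordered = []
    for s in list(dhcp_servers) + list(vendor_fallback):
        if s not in ordered:
            ordered.append(s)
    return ordered


def sync_once(servers, send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Query servers in order; on a full miss, back off rather than retrying at once.
    send(server, packet) returns reply bytes or None on timeout. Returns
    (server, parsed_reply) or (None, None) if every server failed or said go away."""
    servers = list(servers)
    for attempt in range(max_attempts):
        for server in list(servers):
            reply = send(server, build_request())
            if reply is None:
                continue
            try:
                info = parse_response(reply)
            except ValueError:
                continue
            if info["kod"] is not None:
                servers.remove(server)  # RATE/DENY: stop talking to this server
                continue
            return server, info
        if not servers or attempt == max_attempts - 1:
            break
        sleep(backoff_delay(attempt, rng=rng))
    return None, None
```

The two properties that would have prevented the UW incident are visible in `sync_once`: a server that answers with a kiss-of-death code is dropped from the list for this sync, and a total failure sleeps 64, 128, 256 ... seconds (capped at 1024) before the next round instead of hammering the same address once per second.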
NTP should be responsibility of network server (Score:5, Informative)
(http://www.nongnu.org/antiright)
Ouch! (Score:3, Funny)
It's not about just embedded devices... (Score:5, Insightful)
Highlights how not to code embedded devices
I think this highlights a "how not to code" idea, period. In 1986, when I was taking a BASIC (boo, hiss) course in high school, I learned that values should be expressed as variables even if the coder does not expect them to change. So instead of using (32 feet/second^2), one should instead declare g once, using whatever units are appropriate, and thereafter refer to g instead of a hardcoded value. If g changes, the coder need only update one line.
Note: I am not a programmer/coder/developer in any sense of any of the words, so technical nits should remain unpicked; however, if I am completely out in left field, please feel free to point that out.
Re:It's not about just embedded devices... (Score:5, Insightful)
(http://www.ischo.com/)
So you're not in left field, it's just that the developer who wrote the software apparently did exactly what you said, which was not relevant to the mistake at hand, which was more about the faulty implementation of the NTP service, and the fact that it was hardcoded to a single IP address.
SEGA's online game servers (Score:5, Insightful)
(http://domain.broken...registrar.joker.com/)
It's not a new story, but I think it bears repeating as a showcase of stupidity.
Re:It's not about just embedded devices... (Score:5, Funny)
(http://slashdot.org/)
Re:It's not about just embedded devices... (Score:5, Funny)
(http://slashdot.org/my/amigos | Last Journal: Sunday July 25 2004, @02:59PM)
oh, and we laughed long and hard at the guy who put down:
Netgear should bear the cost... (Score:5, Insightful)
And then, on friday august 22 2003.. (Score:5, Funny)