Netgear Routers DoS UWisc Time Server

numatrix writes "For the last few months, hundreds of thousands of netgear routers being sold had hardcoded values in their firmware for ntp synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.

and now...

[Anonymous Coward]

slashdot has hard coded a link to the UWisc CS server, sending a DoS to them too

oh, and fp.

Obligatory Scooby Doo reference

[OneIsNotPrime]

And we would have gotten away too, if it weren't for those meddling kids!

Poor uWisc

[mobiGeek]

First the NTP flood.

Now the /. effect.

Now...

[Scalli0n]

SCO claims that the offending code was copied from their kernel and most definitely MUST be paid for, including a $699 license fee for all people on planet earth owning any model netgear router.

I did that to myself once

[eschasi]

I did that to myself once. It was a piece of software that went to comp.sources.unix (or something similar) and was default-configured to send error mail to an alias that pointed to me. A patch was released very shortly afterwards.

If they did it to my NTP server...

[lightspawn]

I'd just send the wrong time back to netgear routers. I bet they wouldn't try that again.

Hasn't /. learned?

[ndogg]

It's not nice to kick someone when they're down.

In other news at the University...

[BMonger]

"Quick! Block port 80!"

Delicious irony

[ryanvm]

I love the irony of trying to read an article about a DoS from a site that's experiencing one because of the article. Yummy.

Indeed

[gilesjuk]

The C comments in the netgear code were a giveaway, they match those in SCOs code.

"/* Huge Bodge */"

"/* Kludge */"

"/* Magic numbers are cool */"

blaster

[briancollins]

Maybe windowsupdate.com changed their DNS to point to the University of Wisconsin. :)

Ouch!

[MarkGriz]

I'd hate to be working in Netgear's accounts payable dept. when the bandwidth usage bill arrives.

Re:Err why ?

[Anonymous Coward]

do you have any idea how ports and routers work?

And then, on friday august 22 2003..

[192939495969798999]

And then we got a ridiculous number of HTTP requests about the problem, which caused our server to explode and rain tiny bits of hazardous material into Lake Michigan. Fortunately, the indigenous wildlife was not affected, because nothing lives in Lake Michigan.

Simple Fix

[Boss, Pointy Haired]

UWisc hard codes the date/time on their time time server to 2038-19-01 03:14:00.

After 6 seconds, the netgear will crash and burn as a result of the Y2K38 problem and the requests will be no more.

Re:Indeed

[crawling_chaos]

You forgot:

/* Too drunk -- debug later */

Re:It's not about just embedded devices...

[tommck]

Of course if the gravitational constant changes, we've got bigger problems than updating your high school programming assignments! :-)

Poor UWisc

[EmagGeek]

First the time server

Then the e-mail server (from the helpdesk requests)

Then the webserver (from /.)

What next?

Re:and now...

[TenaciousPimple]

Apparently one good DoS deserves another...

Re:Now did NetGear get permission

[mahdi13]

Check out the NTPd man pages- I believe this server is a second echelon mirror.

Didn't you mean to say stratum?
Unless NTP is really a cover up to a top secret government information collection service =)
...now that I think about it...
Where's my tin foil hat?

Re:It's not about just embedded devices...

[jeffy124]

that is indeed still the case today. This past spring I was a TA for a freshman programming course, and was instructed to deduct points for those who didnt follow such practices -- pi, hours/day, minutes/hour, etc. On exams, the prof would write "-5 - use of magic numbers."

oh, and we laughed long and hard at the guy who put down:

const int SIXTY = 60;
const int TWENTY_FOUR = 24;

Re:Our usage graph...You Jerks!

[ClippyHater]

Oh yeah?! Well, we just /.'d that one, too!

Go ahead, give us another, I dare ya! :)

What

[Pvt_Waldo]

Nobody figured how to blame Microsoft yet? Come on you "M$" people - get cracking!

DoS

[smatt-man]

Sweet! I have a Netgear router, does this mean I'm a hacker now?

Re:And then, on friday august 22 2003..

[Xenoproctologist]

Nothing organic, anyway. However, the hot microchip fragments could be the spark that triggers the genesis of a new race of chemo-silicon-based lifeforms.

Re:How do you get the router fixed?

[stratjakt]

1) It's a stratum 1 server, which means it ultimately sets the clocks of millions of other machines, not netgear routers.

2) How many people with a home router (internet savvy or not) spend all that much time reading the logs, let alone making sure the time stamps are valid?

I know you probably do, but I dont. Because I'm just a simple caveman home networker, and your logs and timestamps frighten and confuse me.

hey, now...

[ed.han]

don't you know you're supposed to call us "insensitive clods"?

honestly... :D

ed

Re:Poor UWisc

[NulDevice]

You should see how the UW sysadmins drink. That explains a lot about the ranking.

Re:Our usage graph...You Jerks!

[Just Some Guy]

You really just linked to content that

1. is dynamic and has to be generated every time?
2. is graphic?

ShortSpecialBus, eh? ;-)

Re:If they did it to my NTP server...

[charon_on_acheron]

Right. So just figure out what number represents how many seconds would add up to Febuary 30, 2003. Basically, it would be the same value as March 2, 2003, but you have to remember to set the evil bit. That'll do it every time.

Nah, that's not a problem

[multipartmixed]

> const int SIXTY = 60.2;

The programmer would catch on pretty quick when it didn't compile. Now, if he declared it as a float, on the other hand...