Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
The Internet Bug Programming IT Technology

Netgear Routers DoS UWisc Time Server 447

numatrix writes "For the last few months, hundreds of thousands of netgear routers being sold had hardcoded values in their firmware for ntp synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.
This discussion has been archived. No new comments can be posted.

Netgear Routers DoS UWisc Time Server

Comments Filter:
  • and now... (Score:5, Funny)

    by Anonymous Coward on Friday August 22, 2003 @12:24PM (#6766611)
    slashdot has hard coded a link to the UWisc CS server, sending a DoS to them too

    oh, and fp.
  • by OneIsNotPrime ( 609963 ) on Friday August 22, 2003 @12:24PM (#6766614)
    And we would have gotten away too, if it weren't for those meddling kids!
  • So who got fired? (Score:4, Interesting)

    by eln ( 21727 ) on Friday August 22, 2003 @12:25PM (#6766622)
    Simple mistake that should have easily been found and fixed during the testing phase. I hope whoever let this thing be released without following proper testing procedures got canned.

    Yah right. Some hapless low level programmer probably got all the blame for putting test data in there in the first place.
    • by Trigun ( 685027 )
      It would have never been picked up in the testing phase. It was only after having a huge install-base that this ever became an issue. It worked perfectly on the bench.
    • by Cali Thalen ( 627449 ) on Friday August 22, 2003 @12:46PM (#6766870) Homepage
      Simple mistake, sure. Barely a trickle of wasted bandwidth, hard to even believe it matters...

      Bah.

      This is one 'simple mistake' by one company that namaged to send a constant "250,000 packets-per-second (and over 150 megabits-per-second)".

      Now I know Netgear is a pretty big outfit, but there are LOTS of companies like that out there, and these little mistakes can add up. How much network traffic could be avoided with proper programming?

      Also, this kind of makes me think about the useless network activity my XP box (bleh) tries to send out. Multiply that by millions and millions, and you get a number a whole lot bigger than the one above.

      Who pays for all that wasted bandwidth?

      • by Malc ( 1751 ) on Friday August 22, 2003 @02:25PM (#6767780)
        Not their first simple mistake though. Ask the people behind dyndns.org what they think of the Netgear RT314's (and other products like the RT311????) implementation of the dyndns.org client. Trust me, they have nothing nice to say.
      • Well, it's not that bad, most of what XP churns out are NetBIOS broadcasts and other non-routable packets. Makes your LAN a bit noisy, but if you've got your own private subnet (a must for broadband), turn off automatic update checking, it stays pretty quiet on the other side of the router.
      • Windows Time Service (Score:4, Interesting)

        by Webmoth ( 75878 ) on Friday August 22, 2003 @03:55PM (#6768681) Homepage
        Both Windows 2000 and XP have the "Windows Time Service" which once per day query an NTP server to set the system clock. By default, Windows 2000 does not have an NTP server set, and XP looks to time.windows.com -- every blasted installation of Windows XP phones home every day to set its clock and who-knows-what-else.

        One would expect millions of XP boxes phoning home daily would overload a time server. For myself, I've changed the NTP server to a different server (which I will not name) and had somewhat more reliable time syncing.

        The commands are net time /setsntp:some.ntp.server and net time /querysntp, or in the Time and Date properties in XP there's the Internet Time tab.
        • by WoTG ( 610710 ) on Friday August 22, 2003 @07:42PM (#6770181) Homepage Journal
          Sure it's a lot of traffic for some organizations. But for Microsoft to run time.windows.com, it's a drop in the bucket. Lets see... let's say 100M installations (probably high, since it's only XP, and boxes on a domain sync with the domain server) times 1kB per day (again, probably high) is about 100 GB per day and pretty evenly spread out over a 24 hour day. This amounts to less than two T1's. Not a bad deal, considering that in one "simple" move, a big portion of the wrong PC clocks that are out there are fixed. I wouldn't bother switching NTP servers on my XP workstations... why bother if MS is willing to pick up the dime...
    • by Dr. Blue ( 63477 ) on Friday August 22, 2003 @01:34PM (#6767309)
      In the full description, you'll notice that they include the "strings" output from the netgear software, which includes hardcoded IP addresses.
      Netgear reported that the non-UW addresses were used for debugging by the developers.

      Here's the interesting part: at least two of those are 12.* addresses --- cablemodems with attbi.com. So if you want to know who the developer responsible is, it might be a reasonable guess it's whoever lives at those IP addresses! :-)

  • Poor uWisc (Score:5, Funny)

    by mobiGeek ( 201274 ) on Friday August 22, 2003 @12:25PM (#6766623)
    First the NTP flood.


    Now the /. effect.

  • by Hayzeus ( 596826 ) on Friday August 22, 2003 @12:25PM (#6766627) Homepage
    Highlights how not to code embedded devices

    Or any other kind of software for that matter.

  • Now... (Score:2, Funny)

    by Scalli0n ( 631648 )
    SCO claims that the offending code was copied from their kernel and most definitely MUST be paid for, including a $699 license fee for all people on planet earth owning any model netgear router.

    • What do you mean netgear router? SCO will want that from any Netgear device including Access Points, Switches, Hubs, and any of the various nics. After all with minimal additional hardware even those devices that are not already infringing can be made to participate in an infringing product.

      -Rusty
    • Indeed (Score:5, Funny)

      by gilesjuk ( 604902 ) <giles DOT jones AT zen DOT co DOT uk> on Friday August 22, 2003 @12:29PM (#6766692)
      The C comments in the netgear code were a giveaway, they match those in SCOs code.

      "/* Huge Bodge */"

      "/* Kludge */"

      "/* Magic numbers are cool */"
    • Seriously, how would that play out?

      If Netgear lifted code from Linux, and SCO is basically saying they own & want royalties from Linux, then couldn't they ask for royalties for any code that was once part of the Linux kernel? (Think userland drivers that were once in the kernel)

      Boy, Just because code touched the kernel, would mean that SCO would/could own that code too. Hope SCO doesn't get any ideas about that...
  • by eschasi ( 252157 ) on Friday August 22, 2003 @12:26PM (#6766637)
    I did that to myself once. It was a piece of software that went to comp.sources.unix (or something similar) and was default-configured to send error mail to an alias that pointed to me. A patch was released very shortly afterwards.
  • by lightspawn ( 155347 ) on Friday August 22, 2003 @12:26PM (#6766640) Homepage
    I'd just send the wrong time back to netgear routers. I bet they wouldn't try that again.
    • An impropperly formatted response, like "2/30/2003", would probably get people's attention.

      -B
    • Alas, not true... (Score:5, Informative)

      by OmniGeek ( 72743 ) on Friday August 22, 2003 @01:01PM (#6767016)
      The problem is, if one reads the article (nudge, nudge), that 1) at least some of the routers do this with NO operator interface or settability, and 2) some older routers would keep hitting the hardcoded server address even when configured to use some other address. Plus 3) there were some fixes that weren't. The routers in question accept ANY response, even if it isn't an NTP packet! Sending the wrong time would have zero impact. (Why does a home-network router need a clock so badly, anyway? It's not like they do useful remote logging or anything...)

      This is a case of ill-designed, badly written, poorly debugged, wretchedly tested code. The article details the testing of a code fix that still didn't fix things properly. On the bright side, Netgear is trying to Do The Right Thing now, and they deserve credit for that.
  • by ndogg ( 158021 ) <the.rhorn@nOsPAm.gmail.com> on Friday August 22, 2003 @12:27PM (#6766654) Homepage Journal
    It's not nice to kick someone when they're down.
  • by BMonger ( 68213 ) on Friday August 22, 2003 @12:27PM (#6766662)
    "Quick! Block port 80!"
  • by Jammer@CMH ( 117977 ) on Friday August 22, 2003 @12:27PM (#6766666)
    Were this a Haxor attack, there would be criminal liability. I'm willing to believe that it was a simple mistake, with no criminal intent, but would NetGear be liable civilly?
  • by eaddict ( 148006 ) on Friday August 22, 2003 @12:28PM (#6766669)
    to hardcode an address into thier systems? Do you need permission? There was a law a few years ago about 'deep-linking' and even linking... isn't getting the time somewhat the same thing?
  • by joeldg ( 518249 ) on Friday August 22, 2003 @12:28PM (#6766673) Homepage
    Wow, that list of Analysis Tools used for tracking this down had a bunch that I was not familiar with.

    RRGrapher, FlowScan and Cflow being ones I have never messed with..

    Cool.. new tools to play with!

  • by ryanvm ( 247662 ) on Friday August 22, 2003 @12:28PM (#6766679)
    I love the irony of trying to read an article about a DoS from a site that's experiencing one because of the article. Yummy.
  • Err why ? (Score:3, Insightful)

    by Archfeld ( 6757 ) * <treboreel@live.com> on Friday August 22, 2003 @12:29PM (#6766684) Journal
    why does a router need to sync time anyways ??
    especially a home router....sounds like another port open for someone to hack at for no real gain....
    • Re:Err why ? (Score:5, Insightful)

      by NetJunkie ( 56134 ) <`jason.nash' `at' `gmail.com'> on Friday August 22, 2003 @12:34PM (#6766735)
      Logging. You want your log files to have the right time. I've used my router log files many times.
    • DHCP lease durations? Acting as a NTP cache so you can point your internal PC's to the router to get time? Getting the date so the webserver can tell you to check for updates? All of those and more can be done if the device autoconfigures itself with current date and time on bootup.
    • Re:Err why ? (Score:5, Interesting)

      by rusty0101 ( 565565 ) on Friday August 22, 2003 @12:42PM (#6766821) Homepage Journal
      Routers tend to log activities such as access, configuration changes, firewall violation detection, etc. and it is often handy to know when that event occured.

      Home centric routers do not tend to have their clocks set before shipping as there is no assurance that a battery keeping that clock powered will be doing so ver the entire span of time from manufacture to customer plugging it in. Even if it did the drift involved would give some inaccuracy as well.

      There are two correct solutions. One is that Netgear should operate their own time server and hard code that server as a secondary or fallback time server. The primary time server should be aquired from the internet service provider when they get their network ip address via dhcp.

      -Rusty
  • Does anyone else think that Netgear owes the UW reparations? Bandwidth costs, time spent by the admins, loss of service, etc. seems like a good place to start... (trying in vain for a good Badger or "When you say Weh-scahn-sen, you said it all" joke, but it just ain't happening today)
    • Netgear doesn't owe them anything more than Slashdot does for linking to the article. When you join this public internet of networks and offer publicly facing services (especially ones which are advertised broadly as being public like a major NTP reflector) you take on the responsibility and liabilty of offering those services and incur the costs at your own risk.
    • Re:Who pays? (Score:3, Interesting)

      It seems UofW is putting a "redundant fault tolerant server" at the border of their network to handle the traffic. Perhaps, Netgear should compensate them for the cost of the machine and the bandwidth...

      Just a suggestion.

  • by jefbed ( 666411 ) on Friday August 22, 2003 @12:31PM (#6766706) Homepage
    It is foolish to code code dependencies on servers in firmware. There are two problems that result from this. The first is that specified in the article, the denial of service. The second is the high potential for broken network dependencies if, for example the hardcoded site goes offline or the ip address changes. Technically each site should be running their own ntpd to ease the load on the primary servers. ntp syncronization should not be the job of the router, but instead the job of the network administrator.
    • or the ip address changes

      hate to nitpick (or is it knitpick?), but this doesn't matter does it? especially if the code uses the hostname...

      infact, when I was learning about NTP(date) a little while back -- i found a few pages detailing Wisonsin's Uni as a good sync for your time....

      makes one wonder if the guys at Netgear read the same pages...and hardcoded it in ....

      hmmmm/.

      • It's "nitpick". It refers to the action of removing clusters of louse eggs (nits) from hair. Since louse eggs are so tiny, this requires meticulous precision. Thus, the word came to be associated with finding (often unnecessarily) the smallest defects in anything.

  • I hope they fired the guy that wrote the firmware for the routers... And I hope netgear reimbursed the university for its time and network usage.
  • blaster (Score:2, Funny)

    Maybe windowsupdate.com changed their DNS to point to the University of Wisconsin. :)
  • Ouch! (Score:3, Funny)

    by MarkGriz ( 520778 ) on Friday August 22, 2003 @12:34PM (#6766734)
    I'd hate to be working in Netgear's accounts payable dept. when the bandwidth usage bill arrives.
  • by sczimme ( 603413 ) on Friday August 22, 2003 @12:36PM (#6766750)

    Highlights how not to code embedded devices

    I think this highlights a "how not to code" idea, period. In 1986, when I was taking a BASIC (boo, hiss) course in high school, I learned that values should be expressed as variables even if the coder does not expect them to change. So instead of using (32 feet/second^2), one should instead declare g once, using whatever units are appropriate, and thereafter refer to g instead of a hardcoded value. If g changes, the coder need only update one line.

    Note: I am not a programmer/coder/developer in any sense of any of the words, so technical nits should remain unpicked; however, if I am completely out in left field, please feel free to point that out.
    • by Bryan Ischo ( 893 ) * on Friday August 22, 2003 @12:43PM (#6766829) Homepage
      Good point, but irrelevent. Even if you declare a global variable, you still have to hardcode its value. The fact that the IP address only showed up 1 time in their string search of the binary would indicate that they did exactly what you said.

      So you're not in left field, it's just that the developer who wrote the software apparently did exactly what you said, which was not relevent to the mistake at hand, which was more about the faulty implementation of the NTP service, and the fact that it was hardcoded to a single IP address.

    • by lightspawn ( 155347 ) on Friday August 22, 2003 @12:44PM (#6766832) Homepage
      The (official) reason "Alien Front Online" (a game with the word "Online" in the title!) went offline less than a year after its release is that SEGA developers hard coded the server's IP address, and did not provide any means of changing it. When the company hosting the server went under (gameloft?) it couldn't be moved to a different company since it wouldn't have the same address. Hence, buy a game advertised as "online", never be able to play it online.

      It's not a new story, but I think it bears repeating as a showcase of stupidity.

    • by tommck ( 69750 ) on Friday August 22, 2003 @12:44PM (#6766839) Homepage
      Of course if the gravitational constant changes, we've got bigger problems than updating your high school programming assignments! :-)

    • by jeffy124 ( 453342 ) on Friday August 22, 2003 @12:56PM (#6766965) Homepage Journal
      that is indeed still the case today. This past spring I was a TA for a freshman programming course, and was instructed to deduct points for those who didnt follow such practices -- pi, hours/day, minutes/hour, etc. On exams, the prof would write "-5 - use of magic numbers."

      oh, and we laughed long and hard at the guy who put down:
      const int SIXTY = 60;
      const int TWENTY_FOUR = 24;
  • by Phil John ( 576633 ) <phil@NOSpAM.webstarsltd.com> on Friday August 22, 2003 @12:36PM (#6766751)
    IMHO, since this is blatantly a case of Netgear cocking up their appliance they should not only a)refund any monies spent by the university in this problem and b)send out patches, at their own cost, to all users of affected routers. For heavens sake, so many people don't have anti-virus software installed, don't patch, why would they with a router? They just think "I plug this in to my cable modem, plug my computer in and I dun got thar intarnet workun" why would they know that they need to upgrade the products firmware?
  • With the state of uni bugets out this way,
    i think net gear should be thankfull that
    it wasnt sued for the bandwidth costs and
    the reduced levels of service for the uni..
  • And then we got a ridiculous number of HTTP requests about the problem, which caused our server to explode and rain tiny bits of hazardous material into Lake Michigan. Fortunately, the indigenous wildlife was not affected, because nothing lives in Lake Michigan.
  • Simple Fix (Score:5, Funny)

    by Boss, Pointy Haired ( 537010 ) on Friday August 22, 2003 @12:40PM (#6766795)
    UWisc hard codes the date/time on their time time server to 2038-19-01 03:14:00.

    After 6 seconds, the netgear will crash and burn as a result of the Y2K38 problem and the requests will be no more.
  • Think Strata (Score:5, Informative)

    by n9fzx ( 128488 ) on Friday August 22, 2003 @12:40PM (#6766796) Homepage Journal
    Dave Mill's original clock distribution architecture ala NTP was based loosely on the Bell System's inverted tree structure. Only the top level servers are locked to the national servers; the next level is locked to the top level, and so on. In theory, it's a perfectly scalable infrastructure, with terrific fan-out.

    Unfortunately, the code droids seem to think that there's something magical about being at Stratum 2 instead of Stratum 3 or Stratum 4; also, they seem perfectly willing to take advantage of a nonprofit consortium (the owners/operators of public Strat 1 clocks) instead of spending the $500 or so on hardware to service their own customers, who presumably paid them for something.

    Anyone else remember the Good Old Days when it was considered polite to ask first before using someone else's clock?

    [Truechiming since 1987...]

    • Re:Think Strata (Score:3, Insightful)

      Unfortunately, the code droids seem to think that there's something magical about being at Stratum 2 instead of Stratum 3 or Stratum 4;

      If you're running a large network where clock synchronization is important, you are MUCH better off running your own time server than having you clients talk to someone else's, regardless of stratum. Otherwise the amount of jitter with all your NTP clients going longer distances to fetch the time will actually result in less consistent times overall.
      • Re:Think Strata (Score:3, Interesting)

        by eaddict ( 148006 )
        Which is exactly what we did. We have a smallish IS shop: 200+ MS/Novell server, 100+ HP midrange servers, and bazillions of PCs. We put our own time server up which ALL of our corporate systems hit. That server then hits a service available via satellite. It is a lot cleaner and 'nicer' to do things in house than rely on some not-for-profit organizations generosity. I even have my PC at home hit my work time server (when I use the VLAN to connect).

        Just my $0.02
    • by Merk ( 25521 ) on Friday August 22, 2003 @01:22PM (#6767199) Homepage

      Actually, Netgear was using a stratum 2 time server [gvsu.edu], namely ntp1.cs.wisc.edu [wisc.edu].

      As for spending $500 on hardware to service their own customers, as the wisconsin people can tell you, it is costing them a little more than that. It's isn't just the hardware, it's the pipe to which it's attached.

      I agree that Netgear should have been the ones to provide a time server if they were going to hard-code one. On the other hand, what if they weren't the ones who wrote the code? Maybe they just bought a "router kit" from some small company, slapped a "Netgear" logo on it, and shipped it out? That small company probably wouldn't know what NTP server NetGear provides. They may also have lots of other customers who each would need their own time server. Obviously though, the answer is not to hard-code the value.

      As for the Good Old Days when it was considered polite to ask, the policy [os2site.com] for UWisc's time server was "open access", not "open access; please send a message to notify". So... they didn't ask to be notified. Now I'm sure they're going to change that policy, and I'm also sure they would have wanted to know if their site was being set as the default on tens of thousands of routers.

      Routers are standalone devices that are meant to operate without user input, so it doesn't make sense to require the user to manually configure the NTP server. On the other hand, there's currently no good way of providing a default NTP server, unless you provide it yourself. For commercial devices like a router, providing it yourself is reasonable. The bandwidth cost of providing a time server should be offset by the profits they make on the hardware. I suppose the other option is to provide a one-time service that will provide a random NTP server. Each time you hard-reset the router, and out of the box, it would check that service and then know what NTP server it should use.

  • by James_G ( 71902 ) <jamesNO@SPAMglobalmegacorp.org> on Friday August 22, 2003 @12:44PM (#6766836)
    I can't get to the article, so in the meantime, here's the text of an email about this with some details that was sent to an ntp.org mailing list back in June:

    David L. Mills wrote on 2003-06-26 10:55:

    > Guys,
    >
    > I find myself on the review team for an incident taking place at U Wisconsin/Madison. Apparently, the Netgear folks have manufactured some 700,000 routers with embedded SNTP clients configured to use the public U Wisconsin NTP server. The server address is unchangeable and the client cannot be disabled. If that isn't bad enough, if the client gets no replies, it starts sending packets at one-second intervals until forever and without backoff.
    >
    > The U Wisconsin folks determined some 285,000 different IP addresses are now sending between 300 and 700 packets per second requiring between 150 and 400 megabits per second. Apparently, the principal eason for this flux is misconfiguration of the firewall component of the router. This is costing them $266 per day.
    >
    > The Netgear folks were slow to respond until U Wisconsin folks emailed the entire senior management and others known to be U Wisconsin alum. Netgear says they have no way to recall those routers and no way to insure the products are updated from the web site. The products cost between $20 and $40 depending on rebate.
    >
    > U Wisconsin have considered several ways to deflect the tide, the most promising may be noting the source port 23457 unique to these products and tossing them at the doorstep. The products do not use DNS and are not configurable. Another way considered is to configure a subnet visible to BGP and convince the ISPs to punch holes in the routing fabric. Send money.
    >
    > I never thought it could get as bad as that. My reasoned recommendation was to fire up the lawyers and sue the bastards for costs and punitive damages and to injoin the company from selling any products until proved safe. There is apparently some standards group that allegedly reviews and certifies new products for Internet use. The Netgear products were all certified, which surely says nothing about the standards group.
    >
    > Include me in any replies; I am not on any ntp.org list.
    >
    > Dave
  • Poor UWisc (Score:5, Funny)

    by EmagGeek ( 574360 ) on Friday August 22, 2003 @12:46PM (#6766867) Journal
    First the time server

    Then the e-mail server (from the helpdesk requests)

    Then the webserver (from /.)

    What next?
  • by AchmedHabib ( 696882 ) on Friday August 22, 2003 @12:46PM (#6766871)
    One of the others was an IP address previously used by the "dyndns.org" dynamic DNS name service.
    I really hope they did not include that IP while it was used by dyndns.org. If they did, I'd say they are the biggest assholes alive for generating tons of traffic to a free service. But then again they have already proved that now.
  • by Anonymous Coward on Friday August 22, 2003 @12:51PM (#6766911)
    This didn't only generate trouble for U of Wisconsin, it also generated a lot of cost for some people using the router. Since the server was down, the Firmware has been trying to connect to the time server constantly, thereby keeping the connection from timing out. (Who wrote that algorithm?) For people whos connections are on metered internet access, this ment the connnection was never closed and they are stuck with the bill.

    Aparently there are a lot of Netgear users in Germany who are stuck with horrendous bills now. I wonder if Netgear is going to pick those bills up?
  • Spytime (Score:4, Insightful)

    by aero6dof ( 415422 ) <aero6dof@yahoo.com> on Friday August 22, 2003 @01:03PM (#6767036) Homepage
    Now if NetGear had coded it to their own NTP server it might have been a nice method to estimate how many products you have deployed on the open internet. Of course, Slashdot might then have complained about the company spying on its users. :)
  • What (Score:4, Funny)

    by Pvt_Waldo ( 459439 ) on Friday August 22, 2003 @01:04PM (#6767041)
    Nobody figured how to blame Microsoft yet? Come on you "M$" people - get cracking!
  • by altek ( 119814 ) on Friday August 22, 2003 @01:38PM (#6767353) Homepage
    This is funny - one of the head sysadmins for UW's network ops gave a firewall talk in one of my grad classes last semester. I remember him saying that they recently put a packet filter on their FW to block NTP requests because they started getting high numbers of them..

    They thought that maybe somewhere someone had published a net time server in a document or whatever and that an IT department was deploying it on workstations or there was a document floating around telling people to set it up as their time server...

    Looks like they finally got to the bottom of it!
  • Someone on the coding team at Netgear needs to be taken outside and shot; they never seem to learn their lesson about abusing other people's services.

    Story:
    I used to work/volunteer for DynDNS.org. The Netgear firmware client for DynDNS tried to update regularly (I believe every 5 minutes) whether or not the IP address had actually changed AND whether or not it got a response. Once enough of these got out into the market, this became quite a problem for DynDNS, especially with users complaining that we "blocked" their hostnames updated with the Netgear client when their router advertised specifically that it worked with our service.

    I believe after a year or so of nagging the Netgear people, they finally released a firmware update that actually fixed the problem.
  • by sphealey ( 2855 ) * on Friday August 22, 2003 @01:50PM (#6767447)
    After receiving no response for days, I called Netgear's headquarters, leaving messages with two executives explaining the seriousness of the situation. I also emailed members of Netgear's executive team by guessing their email addresses, based upon their email naming convention. I included a "Return-Receipt-To" header, and their Mail-eXchanger notified me that all were delivered successfully. Here's a portion of that message:
    Guys, there is this thing call the "US Postal Service", which has a wonderful product called "Registered Mail" with an optional "Return Receipt Requested" feature. When you have a serious problem of this nature, physically mail a paper letter to the senior executive of the organization, with a cc to the address where the organization accepts legal correspondence (determinable from State records) and also cc "Chief Legal Counsel at...". That will get to the right place faster than guessing random e-mail addresses.

    sPh

  • by pascalb3 ( 514151 ) on Friday August 22, 2003 @02:33PM (#6767880)
    I can't find any articles on it, but I do remember my college having this problem. They kept seeing similar-sized traffic heading to the same IP address every -- I don't exactly remember -- 30 minutes or so. At first they thought they had been infiltrated by a virus that was launching zombies against the IP in a DDoS attack. After sniffing the traffic, it turned out that they were basically ping packets all being sent to the same URL.

    What had happened was the ingenious engineers at HP decided to hardcode some poor soul's URL into their new Internet-enabled keyboards -- you know, the ones with the hotkeys. The point was that every so often (which ended-up being very often) the keyboards would send this ping-esque packet to the URL and if it received a response it would know it's still connected to the Internet.

    Unfortunately, there were some lapses in the plan. Number one, HP thought this was a good idea, but I guess not good enough of an idea to have them ping their own site. Secondly, with this keyboard a part of new HP systems, these systems turned into DDoS machines on this poor guy's domain. The tricky part was the domain they were sent to wasn't any other company's site, just some apparently random URL the HP team picked; that guy must of thought he was the luckiest person with all the traffic he received, and all the bandwidth he was charged. We are a small college, and even we saw a hit on our network traffic from these keyboards, imagine what he was seeing at the focal point!

    The point is, sometimes lack of common sense can have drastic consequences.

    Coda: We tracked the IPs of our computer systems pinging the site and told those who owned them to disable the Internet keyboard.
  • by Luminous Coward ( 445673 ) on Friday August 22, 2003 @02:36PM (#6767916)
    According to Netgear, only RP614, RP614v2, DG814, MR814 and HR314 NETGEAR routers are affected. Patched firmware [netgear.com] can be downloaded from Netgear's support website.
  • by SamMichaels ( 213605 ) on Friday August 22, 2003 @02:48PM (#6768037)
    Seriously. THANK YOU for not filing law suits, hiring the FBI, CIA, Marines, calling upon Patriot Act, etc.

    To Netgear, THANK YOU for not calling upon the DMCA, filing NDA law suits, etc.

    It was resolved in a diplomatic and professional manner...and the write up explaining the entire incident was educational and informative.

    Now, if it had been SCO or Microsoft involved......
  • by whterbt ( 211035 ) <m6d07iv02@sneakemail.com> on Friday August 22, 2003 @02:52PM (#6768067)

    I took a Unix course at the University of Colorado in Fall 2001, I think. We had a guest lecture from Evi Nemeth [amazon.com], who is a professor emeritus at CU.

    She had done some work on a couple of the DNS root servers, G and H if memory serves. She showed a rate of query graphs for those servers. There was a huge jump in the middle of the graphs that corresponded neatly with the release of Windows 2000.

    Turns out Win2000 had it hard-coded to consult the DNS root servers every time it wanted to run a nslookup!

  • by MojoRilla ( 591502 ) on Friday August 22, 2003 @02:53PM (#6768076)
    We had customers complain that they couldn't connect to our streaming application. After much head scratching and wasted time, we discovered that the customers MR814 wireless router wasn't working properly.

    After a lot of research on the internet, I discovered that this was a well known problem with the MR814, fixed with an update to its firmware. It was strange because I asked the user if he had updated his firmware, which he said he did.

    It turns out that the firmware was only released on the Austrilian version of the NetGear website. Downloading and installing that version fixed the users problem.

    I sent a polite note to NetGear technical support informing them of this on April 7th. I got back a note on 4/8 saying that it would be forwarded to the appropriate people. On April 17th I sent a more harshly worded note. On April 20th I got back a note saying again that my request would be forwarded to engineering.

    I gave up. It wasn't worth it.
    Just for fun on May 13th I checked their site again. They had finally updated the software.

    This runaround was all to just make a solution to a problem that they had already fixed available. Imagine the hassle trying to get them to actually fix a problem?
  • by Krellan ( 107440 ) <`krellan' `at' `krellan.com'> on Friday August 22, 2003 @07:38PM (#6770163) Homepage Journal
    That's pretty nasty that Netgear would hardcode a NTP time server into their product, without even telling U-Wisc about it.

    When I configure my computers to use someone else's NTP server, I always send them an email to let them know (or whatever else they request that people do).

    What's worse is that Netgear hardcoded the address, in a way that can't easily be changed without a firmware upgrade (something that very few of the intended Netgear firewall customers will do: these customers are looking for a plug-it-in-and-forget-it box, and are either unwilling or unable to learn how to set up a firewall box themselves). And then, on top of that, Netgear botches the implementation of the protocol, causing it to rapid-fire out requests in certain circumstances!

    NTP is a very, very low-profile protocol. It uses UDP, so that connection state doesn't have to be maintained. It sends out packets very rarely, at most every few minutes while being set up, and then once time has been established and clocks are in sync, roughly one packet every few days. Netgear's botched programming caused a NTP flood of one packet per second! This is a ridiculous rate several orders of magnitude above what is normally seen in a functioning NTP implementation.

    And Netgear sold hundreds of thousands of these things....

    I'm amazed that U-Wisc put up with this effective DoS attack on their servers for so long. They showed great patience waiting several months for their request to crawl through Netgear's channels. Companies really need to have a quick method of access into their corporate structure for people who report major flaws like this! Because Netgear's traditional channels of customer feedback (tech support, etc.) weren't set up for this, U-Wisc's requests kept getting lost in Netgear's bureaucracy. Is Netgear so arrogant to believe that all of their products are and will always be 100% flawless?

    There really needs to be a special method of access when people report security holes and such. Microsoft, surprisingly, is starting to come around with this, maintaining a special point of contact for people who have discovered security-related issues or major flaws like this. I hope that more companies do this in the future.

    If Netgear would do these three things, I would be happy:

    1) Set up their own NTP master servers (stratum 1, using a GPS receiver or atomic clock), at Netgear itself. They would use Netgear's own bandwidth, not U-Wisc or anyone else's. Netgear's future products would then default to using these servers, and they would put out a patch so that hopefully some fraction of older products would also use these servers. That way, if there is a flaw in the future, Netgear will eat their own dogfood! I am pleased to see that Netgear is already taking steps in this direction.

    2) Change their corporate structure to be more receptive to outsiders who report serious design flaws or major issues caused by their products (such as this NTP flood), going beyond normal tech support, so that quick action can be taken to avert damage. Tech support is really only set up to handle questions about an individual device owned by the person calling in about it, and not set up to handle serious technical or security issues about all devices in an entire product line.

    3) Reimburse U-Wisc for the cost of banwidth consumed by these buggy Netgear devices. If U-Wisc isn't blocking incoming NTP entirely by now, pay for robust NTP servers to handle the high volume of traffic. If Netgear had targeted pretty much any private company instead of U-Wisc, I'm sure they would have sued for damages by now!

    And remember, ask first before using someone else's NTP server, especially if you plan to hardcode the address into your product :)
  • by wacko-Netgear ( 700822 ) on Friday August 22, 2003 @08:34PM (#6770429)
    First off i would like to disclaim that my views do not represent the company's views. With that said, I can say that I worked at Netgear for a short period of time in the area of support.

    This specific issues was raised back in may... I can say within that same week they had already started testing firmware to fix the issue. The issue comes with the huge break between Netgear engineers and Netgear support. Umm often times the supports reps do not know of the release of the product until like 2 days or 3 days after its already hit the market. On top of that there is very little communication between the two on firmware and whats the latest version. Its been only in the past couple weeks have they really started to communicate.

    Along with that Netgear did not have a device testing program until i would say about 3-4 months ago, before that it was just people there who had the time to test products... woudl test them. I know being one of those who has and still does test there products, that the communication is not very stable and that sometimes issues like these get short-cutted for other major issues such as security and hardware stability.

    I am also sure anyone in the hardware market understands the rush that sometimes comes with products; in netgear this is not different. I can this was an issue that was not expected and was fixed as soon as it was reported. It should have never gone out as is and the products should have been tested throughly in the consumer enviorment. But, to Netgear's credit the company does sell pretty good products and there customer support although you may not always be able to get your answer to the issue or may not be able to sometimes understand the reps any and all issues do esclate to people who can fix them. If you issues are not getting fixed at that point the president of the company does read your mail and does forward them to the Head of the customer support. I can say that issues like these will become less of a problem now that Netgear has started a beta program and engineers are required to speak to support engineers on a regualr basis

/earth: file system full.

Working...