David L. Mills mills at udel.edu
Thu Jun 26 10:55:10 PDT 2003


I find myself on the review team for an incident taking place at U
Wisconsin/Madison. Apparently, the Netgear folks have manufactured some
700,000 routers with embedded SNTP clients configured to use the public
U Wisconsin NTP server. The server address is unchangeable and the
client cannot be disabled. If that isn't bad enough, if the client gets
no replies, it starts sending packets at one-second intervals until
forever and without backoff.

The U Wisconsin folks determined some 285,000 different IP addresses are
now sending between 300 and 700 packets per second requiring between 150
and 400 megabits per second. Apparently, the principal reason for this
flux is misconfiguration of the firewall component of the router. This
is costing them $266 per megabit per day.

The Netgear folks were slow to respond until U Wisconsin folks emailed
the entire senior management and others known to be U Wisconsin alum.
Netgear says they have no way to recall those routers and no way to
insure the products are updated from the web site. The products cost
between $20 and $40 depending on rebate.

U Wisconsin have considered several ways to deflect the tide, the most
promising may be noting the source port 23457 unique to these products
and tossing them at the doorstep. The products do not use DNS and are
not configurable. Another way considered is to configure a subnet
visible to BGP and convince the ISPs to punch holes in the routing
fabric. Send money.

I never thought it could get as bad as that. My reasoned recommendation
was to fire up the lawyers and sue the bastards for costs and punitive
damages and to enjoin the company from selling any products until proved
safe. There is apparently some standards group that allegedly reviews
and certifies new products for Internet use. The Netgear products were
all certified, which surely says nothing about the standards group.

Include me in any replies; I am not on any ntp.org list.
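An added example, not part of Mills's post, of the two defensive options the message mentions: telling stuck units (retrying every second, no backoff) apart from answered ones by per-source packet rate, and the blunter "toss at the doorstep" filter on the static source port 23457. The packet records are constructed; the record layout, the 0.9 pkt/s threshold and the iptables form of the filter are assumptions.

```python
from collections import defaultdict

NTP_PORT = 123
NETGEAR_SNTP_SPORT = 23457  # source port the post says is unique to these units

# Constructed sample: (timestamp_s, src_ip, src_port, dst_port) over a 10 s window.
# 198.51.100.7 is a stuck unit retrying once a second; 198.51.100.9 is a unit that
# gets replies and polls once; 203.0.113.4 is an ordinary NTP client (sport 123).
SAMPLE = (
    [(t, "198.51.100.7", 23457, 123) for t in range(10)]
    + [(3, "198.51.100.9", 23457, 123)]
    + [(5, "203.0.113.4", 123, 123)]
)

def matches_fingerprint(sport, dport):
    """The static-source-port signature the post describes."""
    return dport == NTP_PORT and sport == NETGEAR_SNTP_SPORT

def rates_by_source(records, window_s):
    """Packets per second towards the NTP port, per source, fingerprint matches only."""
    counts = defaultdict(int)
    for _ts, src, sport, dport in records:
        if matches_fingerprint(sport, dport):
            counts[src] += 1
    return {src: n / window_s for src, n in counts.items()}

def stuck_clients(records, window_s, min_rate=0.9):
    """Sources sustaining about 1 pkt/s: the no-backoff retry loop described above.
    A unit that is being answered polls far less often and stays under the threshold."""
    rates = rates_by_source(records, window_s)
    return sorted(src for src, r in rates.items() if r >= min_rate)

def drop_rule():
    """iptables rule for the 'toss at the doorstep' option: drop by source port
    regardless of rate, which also discards polls from well-behaved units."""
    return (f"iptables -A INPUT -p udp --sport {NETGEAR_SNTP_SPORT} "
            f"--dport {NTP_PORT} -j DROP")

if __name__ == "__main__":
    print(rates_by_source(SAMPLE, 10))
    print(stuck_clients(SAMPLE, 10))
    print(drop_rule())
```

The rate-based view shows why a port-only filter is a trade-off: it silences the flood, but also the one poll per cycle from units that are working as intended.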


