[ntp:hackers] D-Links NTP server vandalism

Poul-Henning Kamp phk at phk.freebsd.dk
Fri Apr 7 12:43:43 UTC 2006


In message <44365C78.8000501 at ntp.isc.org>, Danny Mayer writes:
>Poul-Henning Kamp wrote:
>> http://people.freebsd.org/~phk/dlink/
>> 
>> Some of you guys may want to check if your servers are affected.
>> 
>
>You really should sue them and also file an injunction to stop them
>using your server. An injunction stopping them selling equipment with
>your NTP server address in it does wonders for getting the attention of
>management and the stock market.

After being given the "shut this guy up treatment" by their lawyer
for 5 months, there is nothing I would rather love to do.  Unfortunately,
there is no way in hell I can afford it.

But if any of the other affected servers wants to go after them,
I'll be more than willing to deliver all the evidence necessary.

The D-LINK packets are very easy to recognize:

    tcpdump -i whatever -n udp dst port 123 and udp src port 60002

>You
>should also ignore their desire to deal with this in California since
>you are in Denmark and do not have any connection with the US, nor have
>you signed any agreement with D-Link. This issue has come up, time and
>time again and needs to be dealt with once and for all.

The trouble is that I can't sue the Danish office because the actual
products sold in Denmark are delivered directly from the UK company.
The Danish office is only a "representation", they are not "complicit
in the action".

So I would have to sue from Denmark, and at best in UK, but they would
most likely be able to deflect to their parent company, which is
either in Taiwan or USA.

>In the US you could usually find a lawyer willing to take on such a
>case, but I don't know how things are in Denmark or how the courts deal
>with such issues.

In Denmark lawyers are not allowed to work on contingency.  You get your
bill before the verdict.

>You might want to talk to DIX management about how to
>deal with this since it will affect them and they may be willing to at
>least get their own lawyers involved.

The DIX management have been very supportive, but there is no reason
for them to go as far as that for me and my server.

>Just remember, as we learned from the folks in Australia and Wisconsin,
>that pulling the plug can actually be worse and NTP traffic can actually
>increase when some of these misimplemented clients don't receive a response.

The silly thing is that I have not replied to the packets since the
CODE RED virus came around.  The CODE RED used my NTP server to
synchronize attacks and I disabled all src_port!=123 access at that
time.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
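The two detection rules in the mail above (the D-Link clients always send from UDP source port 60002; the server has dropped every request whose source port is not 123 since CODE RED) can be applied offline to a capture, which is handy for an operator who wants to know how much of their NTP load comes from these devices. The following is an added example, not code from the original mail or from the NTP project. It assumes tcpdump's one-line `-n` UDP summary format; the capture lines are constructed and use RFC 5737 documentation addresses.

```python
"""Classify NTP requests in a tcpdump-style capture by source port.

Added example, not part of the original mail. Assumptions taken from the
thread: D-Link clients use UDP source port 60002, and the server policy
rejects any request whose source port is not 123.
"""
import re
from collections import Counter

# Constructed sample lines approximating tcpdump -n output; addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_CAPTURE = """\
12:43:43.100001 IP 192.0.2.10.60002 > 198.51.100.1.123: NTPv3, Client, length 48
12:43:43.100120 IP 192.0.2.11.60002 > 198.51.100.1.123: NTPv3, Client, length 48
12:43:43.100233 IP 203.0.113.5.123 > 198.51.100.1.123: NTPv4, Client, length 48
12:43:43.100355 IP 192.0.2.10.60002 > 198.51.100.1.123: NTPv3, Client, length 48
12:43:43.100470 IP 203.0.113.9.34567 > 198.51.100.1.123: NTPv4, Client, length 48
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>:" at the start of a line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

DLINK_SRC_PORT = 60002  # signature quoted in the mail
NTP_PORT = 123


def classify(sport: int, dport: int) -> str:
    """Return a verdict for one request based only on its UDP ports."""
    if dport != NTP_PORT:
        return "not-ntp"
    # Check the D-Link signature first so it is counted separately even
    # though the src_port!=123 policy would drop it as well.
    if sport == DLINK_SRC_PORT:
        return "dlink-signature"
    if sport != NTP_PORT:
        return "dropped-nonstandard-src"
    return "accepted"


def parse_capture(text: str) -> list:
    """Parse tcpdump summary lines into records with a verdict each."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not UDP summaries
        sport, dport = int(m["sport"]), int(m["dport"])
        records.append({"src": m["src"], "sport": sport,
                        "verdict": classify(sport, dport)})
    return records


def summarize(records: list):
    """Count verdicts and tally the sources sending the D-Link signature."""
    verdicts = Counter(r["verdict"] for r in records)
    dlink_sources = Counter(r["src"] for r in records
                            if r["verdict"] == "dlink-signature")
    return verdicts, dlink_sources


if __name__ == "__main__":
    verdicts, sources = summarize(parse_capture(SAMPLE_CAPTURE))
    for verdict, count in verdicts.most_common():
        print(f"{verdict:25s} {count}")
    for src, count in sources.most_common():
        print(f"  dlink source {src}: {count} requests")
```

Feeding it real data is a matter of `tcpdump -n -r capture.pcap udp dst port 123` piped into `parse_capture`; the per-source tally is the evidence an operator would want before deciding whether the offending devices are numerous enough to justify a rate limit rather than an outright drop.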