[ntp:questions] Re: wireless routers beating on NTP servers

David L. Mills mills at udel.edu
Sun Jan 18 00:31:21 UTC 2004


Wolfgang,

Can you reveal the UDP source port number? Very likely it is the same in
all units, at least in the same version. This is how the perps were
detected in the Netgear incident. We should add a blacklist feature to
the ntpd access controls where known perps would be discarded on the
basis of UDP source port number.

A skeptic might come to suspect this and the Netgear incident might be
more sinister than first suspected and might conceivably be a terrorist
plot. There might be a design team contracted by Linksys to construct an
otherwise innocent program but actually intended to create a million
zombies. A small number of these perps that light up a few times per
minute might not be noticed, but the Netgear incident involved some
750,000 perps all imploding on the same server.

Who wants to argue me out of such evil thoughts? Call the FBI to chase
down the outsource designers and verify their intentions? As in the
Netgear incident, my recommendation is to prosecute Linksys as knowingly
creating a theft-of-service attack on public infrastructure. Like
knowingly selling dynamite to blow up bridges.

Dave

"Wolfgang S. Rupprecht" wrote:
> 
> sully-usenet at stargazy.org (David Sullivan) writes:
> > If this is just after poweron and it's running an embedded Linux it's
> > possible it might be the normal ntp software doing its initial dance.
> > These devices may increase their polling interval and properly respect
> > ignorance and KoD in the normal way (which at least might be something
> > compared to the netgear and smc debacles).
> 
> This was after hours of being powered up.  I was monitoring it to see
> if anyone would spot the powered up WEP-less AP.  All the packet
> traffic was NTP, ARP and DNS.  Pages and pages of it.  (As an aside,
> the darn thing needed to query DNS and re-ARP the same address every
> couple of seconds.  It has got to have the shortest DNS and ARP
> timeouts I've ever seen.  The NTP servers are not the only thing this
> thing beats up on.)
> 
> -wolfgang
> --
> Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
>        The above "From:" address is valid.  Don't mess with it.
> Gripe to your senators about spam:  http://www.wsrcc.com/spam/senators.html
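
Added example, not part of the original message and not ntpd code: a Python sketch of the source-port check discussed above, run over constructed request records. It flags a non-123 UDP source port shared by many distinct clients, then drops requests from it. The function names, the threshold and port 40000 are assumptions made for illustration.

```python
from collections import defaultdict

NTP_PORT = 123  # ntpd itself normally sends from port 123, so it is never flagged

# Constructed sample: (source IP, UDP source port) of requests seen by a server.
# Port 40000 stands in for a firmware's hard-coded source port (made-up value).
SAMPLE = (
    [(f"192.0.2.{i}", 40000) for i in range(1, 9)]      # 8 units, one fixed port
    + [("192.0.2.1", 40000)] * 20                        # one unit polling hard
    + [("198.51.100.5", 123), ("198.51.100.6", 123)]     # ordinary ntpd peers
    + [("203.0.113.7", 51234), ("203.0.113.8", 49877),   # SNTP clients on
       ("203.0.113.9", 60211)]                           # ephemeral ports
)

def suspect_source_ports(records, min_clients=5):
    """Return {port: distinct client count} for non-123 source ports shared
    by at least min_clients different addresses."""
    clients = defaultdict(set)
    for ip, port in records:
        if port != NTP_PORT:
            clients[port].add(ip)
    return {p: len(ips) for p, ips in clients.items() if len(ips) >= min_clients}

def apply_blacklist(records, blocked_ports):
    """Split records into (kept, dropped) by source port, as a port-based
    access control would."""
    kept, dropped = [], []
    for rec in records:
        (dropped if rec[1] in blocked_ports else kept).append(rec)
    return kept, dropped

if __name__ == "__main__":
    flagged = suspect_source_ports(SAMPLE)
    kept, dropped = apply_blacklist(SAMPLE, set(flagged))
    print("flagged ports:", flagged)
    print(f"kept {len(kept)} requests, dropped {len(dropped)}")
```

A NAT device between the unit and the server can rewrite the source port, so a fixed-port fingerprint of this kind only matches traffic whose port survives translation.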


