[ntp:questions] Re: wireless routers beating on NTP servers

Richard B. Gilbert rgilbert88 at comcast.net
Sun Jan 18 04:05:08 UTC 2004

"Do not attribute to malice anything which is adequately explained by 

Remember that more than forty percent of the population has subnormal 
intelligence!!!  :-)

How about sentencing the perps to operate, at their own expense, a pool 
of stratum one servers sufficient to accommodate all the defective products?

David L. Mills wrote:

>Can you reveal the UDP source port number? Very likely it is the same in
>all units, at least in the same version. This is how the perps were
>detected in the Netgear incident. We should add a blacklist feature to
>the ntpd access controls where known perps would be discarded on the
>basis of UDP source port number.
>A skeptic might come to suspect this and the Netgear incident might be
>more sinister than first suspected and might conceivably be a terrorist
>plot. There might be a design team contracted by Linksys to construct an
>otherwise innocent program but actually intended to create a million
>zombies. A small number of these perps that light up a few times per
>minute might not be noticed, but the Netgear incident involved some
>750,000 perps all imploding on the same server.
>Who wants to argue me out of such evil thoughts? Call the FBI to chase
>down the outsource designers and verify their intentions? As in the
>Netgear incident, my recommendation is to prosecute Linksys as knowingly
>creating a theft-of-service attack on public infrastructure. Like
>knowingly selling dynamite to blow up bridges.
>"Wolfgang S. Rupprecht" wrote:
>>sully-usenet at stargazy.org (David Sullivan) writes:
>>>If this is just after poweron and it's running an embedded Linux it's
>>>possible it might be the normal ntp software doing its initial dance.
>>>These devices may increase their polling interval and properly respect
>>>ignorance and KoD in the normal way (which at least might be something
>>>compared to the netgear and smc debacles).
>>This was after hours of being powered up.  I was monitoring it to see
>>if anyone would spot the powered up WEP-less AP.  All the packet
>>traffic was NTP, ARP and DNS.  Pages and pages of it.  (As an aside,
>>the darn thing needed to query DNS and re-ARP the same address every
>>couple of seconds.  It has got to have the shortest DNS and ARP
>>timeouts I've ever seen.  The NTP servers are not the only thing this
>>thing beats up on.)
>>Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
>>       The above "From:" address is valid.  Don't mess with it.
>>Gripe to your senators about spam:  http://www.wsrcc.com/spam/senators.html
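
The detection idea raised in the quoted message above (defective units of one product tend to send from the same UDP source port), as an added example that is not part of the original thread: it groups inbound NTP requests by source port and flags ports shared by many distinct clients that poll at short intervals. The sample records, port 40000 and the thresholds are constructed assumptions; port 123 is skipped because ntpd itself normally sends from it.

```python
from collections import defaultdict

# Constructed sample of inbound NTP requests: (unix_time, client_ip, udp_source_port).
# Addresses come from documentation ranges; port 40000 is an arbitrary stand-in
# for a firmware's fixed source port, not a value taken from the thread.
SAMPLE = (
    [(t, f"198.51.100.{h}", 40000) for h in range(1, 7) for t in range(0, 60, 2)]
    + [(0, "192.0.2.10", 123), (64, "192.0.2.10", 123), (128, "192.0.2.10", 123)]
    + [(5, "192.0.2.20", 51544), (1029, "192.0.2.20", 38211)]
)


def mean_interval(times):
    """Average seconds between consecutive requests (needs at least two)."""
    times = sorted(times)
    return (times[-1] - times[0]) / (len(times) - 1)


def suspect_ports(records, min_clients=5, max_interval=16.0, ignore_ports=(123,)):
    """Map each suspicious source port to the sorted list of fast-polling clients.

    A port is suspicious when at least `min_clients` distinct addresses use it
    and each of them polls, on average, at or below `max_interval` seconds.
    Both thresholds are assumptions to tune against real traffic.
    """
    by_port = defaultdict(lambda: defaultdict(list))
    for ts, ip, port in records:
        by_port[port][ip].append(ts)

    flagged = {}
    for port, clients in by_port.items():
        if port in ignore_ports:
            continue  # well-behaved ntpd peers legitimately share this port
        fast = sorted(
            ip for ip, times in clients.items()
            if len(times) >= 2 and mean_interval(times) <= max_interval
        )
        if len(fast) >= min_clients:
            flagged[port] = fast
    return flagged


if __name__ == "__main__":
    for port, clients in suspect_ports(SAMPLE).items():
        print(f"source port {port}: {len(clients)} fast-polling clients")
```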
