[ntp:questions] Re: wireless routers beating on NTP servers

David L. Mills mills at udel.edu
Sun Jan 18 16:22:48 UTC 2004


Richard,

As one of the Netgear incident outcomes, Netgear has agreed to operate a
number of time servers for their customers. The ID makes explicit advice
on that point; do not under any circumstances drill into firmware any IP
address without prior permission of the service provider.

If forty percent of the population are subnormal, twenty percent are not
counted.

"Stupid" does not appear a correct label. Netgear sent packets at
one-second intervals; apparently, Linksys does this at intervals of a
few seconds. Interestingly enough, the poll interval claimed in packets
the ntpclient.c program sends is 4 (16 seconds) and references to
RFC-1305 are liberally sprinkled througout the sources. It seems they
have not seen RFC-2030 or its successor ID now in-pipe. The correct
punishment is to confine their corporate network on the nether side of a
9600-bps leased line.

Dave

"Richard B. Gilbert" wrote:
> 
> "Do not attribute to malice anything which is adequately explained by
> stupidity."
> 
> Remember that more than forty percent of the population has subnormal
> intelligence!!!  :-)
> 
> How about sentencing the perps to operate, at their own expense, a pool
> of stratum one servers sufficient to accommodate all the defective products?
> 
> David L. Mills wrote:
> 
> >Wolfgang,
> >
> >Can you reveal the UDP source port number? Very likely it is the same in
> >all units, at least in the same version. This is how the perps were
> >detected in the Netgear incident. We should add a blacklist feature to
> >the ntpd access controls where known perps would be discarded on the
> >basis of UDP source port number.
> >
> >A skeptic might come to suspect this and the Netgear incident might be
> >more sinister than first suspected and might conceivably be a terrorist
> >plot. There might be a design team contracted by Linksys to construct an
> >otherwise innocent program but actually indended to create a million
> >zombies. A small number of these perps that light up a few times per
> >minute might not be noticed, but the Netgear incident involved some
> >750,000 perps all imploding on the same server.
> >
> >Who wants to argue me out of such evil thoughts? Call the FBI to chase
> >down the outsource designers and verify their intentions? As in the
> >Netgear incident, my recommendation is to prosecute Linksys as knowingly
> >creating a theft-of-service attack on public infrastructure. Like
> >knowingly selling dynamite to blow up bridges.
> >
> >Dave
> >
> >"Wolfgang S. Rupprecht" wrote:
> >
> >
> >>sully-usenet at stargazy.org (David Sullivan) writes:
> >>
> >>
> >>>If this is just after poweron and it's running an embedded Linux it's
> >>>possible it might be the normal ntp software doing it's initial dance.
> >>>These devices may increase their polling interval and properly respect
> >>>ignorance and KoD in the normal way (which at least might be something
> >>>compared to the netgear and smc debacles).
> >>>
> >>>
> >>This was after hours of being powered up.  I was monitoring it to see
> >>if anyone would spot the powered up WEP-less AP.  All the packet
> >>traffic was NTP, ARP and DNS.  Pages and pages of it.  (As an aside,
> >>the darn thing needed to query DNS and re-ARP the same address every
> >>couple of seconds.  It has got to have the shortest DNS and ARP
> >>timeouts I've ever seen.  The NTP servers is not the only thing this
> >>thing beats up on.)
> >>
> >>-wolfgang
> >>--
> >>Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
> >>       The above "From:" address is valid.  Don't mess with it.
> >>Gripe to your senators about spam:  http://www.wsrcc.com/spam/senators.html
> >>
> >>



More information about the questions mailing list