[ntp:questions] Re: wireless routers beating on NTP servers

David L. Mills mills at udel.edu
Mon Jan 19 04:07:34 UTC 2004


Great detective work. There's not a lot of smokejumping either you or I
can do about it other than to encourage victims listed in the
configuration file to take serious action with Cisco, the apparent
parent/guardian of Linksys. In any case, I don't expect much of anything
to come of my rather pointy honk to the Linksys support box.

I'm keeping all the evidence on the possibility I may be deposed by
lawyers. I hope so.


David Sullivan wrote:
> "David L. Mills" <mills at udel.edu> wrote in message news:<4009D3D9.306F45D1 at udel.edu>...
> > A skeptic might come to suspect this and the Netgear incident might be
> > more sinister than first suspected and might conceivably be a terrorist
> > plot. There might be a design team contracted by Linksys to construct an
> > otherwise innocent program but actually indended to create a million
> > zombies. A small number of these perps that light up a few times per
> > minute might not be noticed, but the Netgear incident involved some
> > 750,000 perps all imploding on the same server.
> >
> > Who wants to argue me out of such evil thoughts? Call the FBI to chase
> > down the outsource designers and verify their intentions? As in the
> > Netgear incident, my recommendation is to prosecute Linksys as knowingly
> > creating a theft-of-service attack on public infrastructure. Like
> > knowingly selling dynamite to blow up bridges.
> >
> > Dave
> A bit more digging seems to indicate the origins of the code involved.
> You can download the the source code for the software in this device
> from:
> http://www.linksys.com/support/gpl.asp
> By trawling through the version 2 archive for wrt-54g you come accross
> the following in WRT54G/release/src/router/rc/ntp.c:
> /* for NTP */
> int do_ntp(void)
> {
>         char ntp_servers[4][256] = {
>                 "time.nist.gov",
>                 "time.stdtime.gov.tw",
>                 "time.chttl.com.tw",
>                 "",
>          };
> with the interesting comment at the top: "This is UNPUBLISHED
> This code is also the basis for the "sveasoft" Linksys firmware though
> they appear to have made their own modifications to make up for the
> fact that the IP address in the above list is no longer operating an
> ntp server as well as their other changes:
> http://www.sveasoft.com/postp445.html
> Though they seem to be hard coding IP addresses instead of
> hostnames... erp
> I'd be inclined to say it's down to lack of care and understanding of
> the issues than malicious endeavour. Analysis of activity at root
> nameservers have shown huge amounts of useless queries and updates due
> to bad client design with the added disadvantage that changing address
> or filtering is even less of an option than for ntp servers so I'd say
> such attitudes are prevalent.
> What's needed? Larger cluebats? More publicity? I'd throw in my ounce
> of cynicism here and say some are looking to see how much money they
> can make out of the Internet without giving anything back until
> they're caught.
> One or two time servers referenced by dns from these devices hosted by
> the manufaturer as last resort timeservers (as for the Netgear fix),
> which are in addition contributed to the public list and added to the
> pool.ntp.org collective isn't a great deal to ask.
> David.

More information about the questions mailing list