[ntp:questions] Re: wireless routers beating on NTP servers

David Sullivan sully-usenet at stargazy.org
Sun Jan 18 20:40:08 UTC 2004


"David L. Mills" <mills at udel.edu> wrote in message news:<4009D3D9.306F45D1 at udel.edu>...
> A skeptic might come to suspect this and the Netgear incident might be
> more sinister than first suspected and might conceivably be a terrorist
> plot. There might be a design team contracted by Linksys to construct an
> otherwise innocent program but actually intended to create a million
> zombies. A small number of these perps that light up a few times per
> minute might not be noticed, but the Netgear incident involved some
> 750,000 perps all imploding on the same server.
> 
> Who wants to argue me out of such evil thoughts? Call the FBI to chase
> down the outsource designers and verify their intentions? As in the
> Netgear incident, my recommendation is to prosecute Linksys as knowingly
> creating a theft-of-service attack on public infrastructure. Like
> knowingly selling dynamite to blow up bridges.
> 
> Dave

A bit more digging seems to indicate the origins of the code involved.

You can download the source code for the software in this device
from:
http://www.linksys.com/support/gpl.asp

By trawling through the version 2 archive for wrt-54g you come across
the following in WRT54G/release/src/router/rc/ntp.c:

/* for NTP */
int do_ntp(void)
{
        char ntp_servers[4][256] = {
                "time.nist.gov",
                "time.stdtime.gov.tw",
                "time.chttl.com.tw",
                "210.59.157.10",
         };

with the interesting comment at the top: "This is UNPUBLISHED
PROPRIETARY SOURCE CODE of CyberTAN Inc."

This code is also the basis for the "sveasoft" Linksys firmware though
they appear to have made their own modifications to make up for the
fact that the IP address in the above list is no longer operating an
ntp server as well as their other changes:

http://www.sveasoft.com/postp445.html

Though they seem to be hard coding IP addresses instead of
hostnames... erp

I'd be inclined to say it's down to lack of care and understanding of
the issues than malicious endeavour. Analysis of activity at root
nameservers has shown huge amounts of useless queries and updates due
to bad client design with the added disadvantage that changing address
or filtering is even less of an option than for ntp servers so I'd say
such attitudes are prevalent.

What's needed? Larger cluebats? More publicity? I'd throw in my ounce
of cynicism here and say some are looking to see how much money they
can make out of the Internet without giving anything back until
they're caught.

One or two time servers referenced by dns from these devices hosted by
the manufacturer as last resort timeservers (as for the Netgear fix),
which are in addition contributed to the public list and added to the
pool.ntp.org collective isn't a great deal to ask.

David.
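
An added example, not part of the original post and not code from the Linksys/CyberTAN firmware: a build-time audit of a firmware NTP server list that flags address literals (which cannot be repointed through DNS when a server goes away) and names outside the manufacturer's own zone. The zone "vendor.example" and the names audit_ntp_entry and audit_ntp_list are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for strncasecmp() under strict -std */
#endif
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum ntp_finding { NTP_OK, NTP_IP_LITERAL, NTP_THIRD_PARTY };

/* Classify one configured server. vendor_zone is the DNS zone the
 * manufacturer controls (hypothetical value supplied by the caller). */
enum ntp_finding audit_ntp_entry(const char *host, const char *vendor_zone)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t hlen = strlen(host), zlen = strlen(vendor_zone);

    /* IPv4 or IPv6 literal: DNS can never redirect it. */
    if (inet_pton(AF_INET, host, buf) == 1 || inet_pton(AF_INET6, host, buf) == 1)
        return NTP_IP_LITERAL;
    if (hlen > 0 && host[hlen - 1] == '.')   /* ignore trailing root dot */
        hlen--;
    /* Accept the zone itself or a name ending in ".<zone>"; the dot check
     * stops "badvendor.example" from matching "vendor.example". */
    if (hlen >= zlen && strncasecmp(host + hlen - zlen, vendor_zone, zlen) == 0 &&
        (hlen == zlen || host[hlen - zlen - 1] == '.'))
        return NTP_OK;
    return NTP_THIRD_PARTY;
}

/* Count entries that are not vendor-hosted DNS names. */
int audit_ntp_list(const char *const *hosts, int n, const char *vendor_zone)
{
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (audit_ntp_entry(hosts[i], vendor_zone) != NTP_OK)
            bad++;
    return bad;
}

int main(void)
{
    /* The four entries quoted from ntp.c above. */
    const char *hosts[] = { "time.nist.gov", "time.stdtime.gov.tw",
                            "time.chttl.com.tw", "210.59.157.10" };
    int bad = audit_ntp_list(hosts, 4, "vendor.example");
    printf("%d of 4 entries are not vendor-hosted DNS names\n", bad);
    return bad == 4 ? 0 : 1;
}
```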


