D-Links NTP server vandalism
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
On Apr 7, 2006, at 3:37 AM, Poul-Henning Kamp wrote:
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
Geez, you'd think they'd have learned from Netgears mistake a few
years ago[1].
I look after the NTP Pool[2] system and having something like that
happen to say pool.ntp.org is one of my worries. Yikes.
While having hundreds of servers makes it more likely that it won't
impact it the system dramatically, we are already struggling to keep
up with the client growth.
The vandalism to your server is a good reminder that I need to get
the "If you are a vendor, ..." page on the NTP Pool site[3].
As I emailed you off-list, I hope my friend can help you get in touch
with someone more clueful at D-Link.
- ask
[1] http://www.cs.wisc.edu/~plonka/netgear-sntp/
[2] http://www.pool.ntp.org/
[3] I'm planning to offer service to vendors, but they have to use
$company.vendor.pool.ntp.org or something like that so it can be
turned off or pointed to their own servers or some variation of that
if/when their software turns out to be broken[1].
In message 829F2B39-85E9-4DDA-854B-48F9F34B8D4C@develooper.com, =?ISO-8859-1?
Q?Ask_Bj=F8rn_Hansen?= writes:
Geez, you'd think they'd have learned from Netgears mistake a few
years ago[1].
Yes, I have repeatedly pointed that out to D-Link.
[3] I'm planning to offer service to vendors, but they have to use
$company.vendor.pool.ntp.org or something like that so it can be
turned off or pointed to their own servers or some variation of that
if/when their software turns out to be broken[1].
D-Link would be an eminent posterboy for the need for that concept.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Poul,
I wish you good luck. You have done nothing wrong, and D-Link appear to be
100% at fault here. If it will help, I as a fellow Time-Nut would be more
than willing to sign a petition if it would help support your claim.
Best
Rob Kimberley
-----Original Message-----
From: time-nuts-bounces@febo.com [mailto:time-nuts-bounces@febo.com] On
Behalf Of Poul-Henning Kamp
Sent: 07 April 2006 11:37
To: time-nuts@febo.com
Subject: [time-nuts] D-Links NTP server vandalism
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
time-nuts mailing list
time-nuts@febo.com
https://www.febo.com/cgi-bin/mailman/listinfo/time-nuts
Hi Poul,
Submit your letter to http://slashdot.org. It is a board that is populated
by millions of uber geeks, probably including most of D-Link's programming
staff.
Do NOT submit a link to your website, unless you want to see your server turn to
rubble. It takes more than a T3 link just to handle the quick visits that
this group makes to links. Their influence to servers is so extreme that it
has caused the coining of the phrase "slashdot effect".
-Chuck Harris
Poul-Henning Kamp wrote:
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
In message 4436658B.30801@erols.com, Chuck Harris writes:
Submit your letter to http://slashdot.org. It is a board that is populated
by millions of uber geeks, probably including most of D-Link's programming
staff.
I know slash-dot :-)
Two or three people have already told me that they submitted the
story...
Do NOT submit a link to your website, unless you want to see
your server turn to
rubble. It takes more than a T3 link just to handle the quick visits that
this group makes to links. Their influence to servers is so extreme that it
has caused the coining of the phrase "slashdot effect".
The FreeBSD server in question has more bandwidth than that, last
I heard it was pretty much on a GigE that had several Gig's of
bandwidth backing it. We've taken several slash-dottings in
the past with no trouble.
(Yes, FreeBSD is a good server OS :-)
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Poul-Henning Kamp wrote:
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
The Inquirer has picked up the story:
http://www.theinquirer.net/?article=30855
Has it been established that D-Link actually has a programming staff?
So many businesses now consist of officers that want more money and
have some ideas on how to get it. There is no manufacturing or
programming staff, only lawyers that make sure all terms are favorable
to the company.
The only way to get such a company's attention is to have a significant
negative affect on sales. Their attention is only focused on money.
"Doing it right" is only for engineers, and look where it got them.
D-Link is mostly sold to people who can only remember three TLAs, and
NTP isn't one of them. The geeks rule slashdot, but they're a small
minority of D-Link's market.
From a different perspective, remember when TV was new and the 'geeks'
of TV talked about the wonderful educational opportunities opening up?
Fifty years later, TV is a commercial enterprise dedicated to selling
people things they don't need, including politicians.
Now the US gummint is talking about allowing broadband sources to charge
a premium for higher speed transmission. People are crying about the two-
tier Internet, where the most money buys the best access. At least the
second tier will still be there, unlike TV (for now).
If it was me, I'd take that NTP service off the air now. I would not
throw good money after bad by buying lawyers to sue D-Link.
Mr. Kamp, it's all part of the decrease in quality of life caused by the
competition to see who can have the most money on Earth. Move on, if you
don't want to play their enormously destructive game.
Regards,
Bill Hawkins
In message 001501c65a77$663cb360$0500a8c0@darius.domain.actdsltmp, "Bill Hawkins" wr
ites:
Mr. Kamp, it's all part of the decrease in quality of life caused by the
competition to see who can have the most money on Earth. Move on, if you
don't want to play their enormously destructive game.
I may indeed have to suffer, but it won't be silently while I have any voice.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
PHK,
So sorry to hear about your legal adventure.
Have a close look at "NTP" from the 1930's -- at just
5 cents a day [about $0.70 in today's dollar]:
http://www.leapsecond.com/history/usno.htm
Perhaps the problem with NTP (and email, and the
web, etc.) is that the servers do all the work & pay all
the bills and the clients ride for free. One can imagine
a world where time to the second on the net is free,
but the client pays more for ever increasing levels of
delivered precision from the server.
If millisecond NTP cost microcents, and microsecond
NTP cost millicents, then quality NTP sites such as
yours would be competing to have their hostnames
show up in embedded systems. Every stray packet
would be change in your pocket and a reward for the
quality of your implementation instead of a thankless
drain on your bottom line.
Back to your situation; it is possible this abuse by
the vendor gets them in trouble with strict California
spam laws?
/tvb
----- Original Message -----
From: "Poul-Henning Kamp" phk@phk.freebsd.dk
To: time-nuts@febo.com
Sent: Friday, April 07, 2006 03:37
Subject: [time-nuts] D-Links NTP server vandalism
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by
incompetence.
In message 000001c65b52$77ae5f00$5315f204@computer, "Tom Van Baak" writes:
PHK,
So sorry to hear about your legal adventure.
Have a close look at "NTP" from the 1930's -- at just
5 cents a day [about $0.70 in today's dollar]:
:-)
Back to your situation; it is possible this abuse by
the vendor gets them in trouble with strict California
spam laws?
No, I don't think so. But I've since found out that the abuse
pretty much all stratum 1 servers, including several .edu, .gov
and .mil servers.
Now they probably regret they didn't just pay off my claim from the
start.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Poul-Henning Kamp said the following on 04/09/2006 02:07 AM:
No, I don't think so. But I've since found out that the abuse
pretty much all stratum 1 servers, including several .edu, .gov
and .mil servers.
Now they probably regret they didn't just pay off my claim from the
start.
I'm also sorry, Poul-Henning, that you are the latest victim of firmware
stupidity.
On a related note, I recently set up my external web/mail/etc. server to
be a stratum 2 timeserver and added it to pool.ntp.org, the volunteer
round-robin DNS system to share the NTP load. I've only been in the
pool for a couple of days, and only got my logging software working
yesterday, but it's quite amazing how many systems there are that sync
to me. I'm averaging about 500 active clients, but when, once a day or
so, my IP address gets entered into the DNS pool, that shoots up to a
couple of thousand (and then tails off very quickly; there must be many,
many machines that do a start-up time check but aren't running a full
NTP implementation).
I have graphs of that activity at
http://www.febo.com/time-freq/ntp/stats/clients/index.html, and others
showing the relative offsets of all my NTP servers (I have each PPS
source in the basement driving its own server) at
http://www.febo.com/time-freq/ntp/stats/index.html.
John
On Sat, 8 Apr 2006 13:53:40 -0700, "Tom Van Baak" tvb@leapsecond.com
wrote:
PHK,
So sorry to hear about your legal adventure.
Have a close look at "NTP" from the 1930's -- at just
5 cents a day [about $0.70 in today's dollar]:
And I bet there was the equivalent problem of open WiFi access points
- the guy across the street from a subscriber using a telescope to set
his clock(s) from the western union one :-)
Perhaps the problem with NTP (and email, and the
web, etc.) is that the servers do all the work & pay all
the bills and the clients ride for free. One can imagine
a world where time to the second on the net is free,
but the client pays more for ever increasing levels of
delivered precision from the server.
There'd first have to be an agreement that there IS a problem. From
my perspective both as a heavy net user and a former service provider,
I think the net and its financing model is working just fine.
I can just imagine the re-balkanizing of the net that charging for
services would cause. Anyone else remember the bad old days of
Tymenet and Telenet? Where mainly only large organizations had access
- and then the teletype was guarded like the company secrets? Where
the odd small businessman (that would be me back then) counted
characters and seconds to avoid extra charges. Where no one would
dare do anything interesting or outside strict job requirements
because of the costs involved?
Naw, I'll take the free and open net that we have now. The financing
model is working well.
John
John De Armond
See my website for my current email address
http://www.johngsbbq.com
Cleveland, Occupied TN
A foolish consistency is the hobgoblin of little minds.-Ralph Waldo Emerson
From: "Poul-Henning Kamp" phk@phk.freebsd.dk
Subject: Re: [time-nuts] D-Links NTP server vandalism
Date: Fri, 07 Apr 2006 15:17:47 +0200
Message-ID: 25079.1144415867@critter.freebsd.dk
Hi Poul-Henning!
It's a mess alright... :P
In message 4436658B.30801@erols.com, Chuck Harris writes:
Submit your letter to http://slashdot.org. It is a board that is populated
by millions of uber geeks, probably including most of D-Link's programming
staff.
I know slash-dot :-)
You don't say? ;o)
Two or three people have already told me that they submitted the
story...
Do NOT submit a link to your website, unless you want to see
your server turn to
rubble. It takes more than a T3 link just to handle the quick visits that
this group makes to links. Their influence to servers is so extreme that it
has caused the coining of the phrase "slashdot effect".
The FreeBSD server in question has more bandwidth than that, last
I heard it was pretty much on a GigE that had several Gig's of
bandwidth backing it. We've taken several slash-dottings in
the past with no trouble.
(Yes, FreeBSD is a good server OS :-)
Hohoum, why do I have the distinct feeling you are slightly biased?
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Hohoum... :-D
Cheers,
Magnus
In message 20060410.215310.116759674.cfmd@bredband.net, Magnus Danielson writes:
The FreeBSD server in question has more bandwidth than that, last
I heard it was pretty much on a GigE that had several Gig's of
bandwidth backing it. We've taken several slash-dottings in
the past with no trouble.
(Yes, FreeBSD is a good server OS :-)
Hohoum, why do I have the distinct feeling you are slightly biased?
because I ran netstat(8) all along, and it had more traffic from
SSH than from HTTP :-)
The Slash-Dot effect is only real when people put a lot of graphics
on their page or if the page is served out of a content-managlement-system
which must lookup everything in a database.
For a "plain HTML in a single file" page like this one, the slash-dot
effect is non-existent.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Poul-Henning Kamp wrote:
I'm sure some of you thought time-signals were an risk-free hobby:
http://people.freebsd.org/~phk/dlink/
I don't see the Dlink DWL-700AP wireless access point on your list, but I
strongly suspect my DWL-700AP is getting its time from an ntp server, as I can
find no way to set the time, yet it is correct.
I can't obviously see gps.dix.dk in there:
sparrow /downloads % grep -i "gps.dix.dk" dwl700AP_firmware_202.dlf
sparrow /downloads %
but that is not definitive.
It seems unlikely gps.dix.dk is the only one being used without permission. I
suspect other server owners will start checking their logs. This could well be
the tip of a very large iceburg.
No doubt some bright spark will write a virus that converts ntp lookups on
gps.dix.dk to http lookups on http://www.dlink.com/
In message 443B988C.6000407@onetel.net, "Dr. David Kirkby" writes:
Poul-Henning Kamp wrote:
I can't obviously see gps.dix.dk in there:
sparrow /downloads % grep -i "gps.dix.dk" dwl700AP_firmware_202.dlf
That is because in this case the firmware file is a compressed file
with a small uncompression program in front.
Try this:
dd if=dwl700AP_firmware_202.dlf bs=489 iseek=40 | gunzip | strings
It seems to contain these hardcoded IP numbers:
131.107.1.10 (time-nw.nist.gov.)
129.6.15.29 (time-b.nist.gov.)
209.0.72.7 (Somewhere in Level3)
207.126.103.202 (Somewhere (unused ?) in AboveNet)
128.138.140.44 (india.colorado.edu.)
192.43.244.18 (time.nist.gov.)
Poul-Henning
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Poul-Henning Kamp wrote:
In message 443B988C.6000407@onetel.net, "Dr. David Kirkby" writes:
Poul-Henning Kamp wrote:
I can't obviously see gps.dix.dk in there:
sparrow /downloads % grep -i "gps.dix.dk" dwl700AP_firmware_202.dlf
That is because in this case the firmware file is a compressed file
with a small uncompression program in front.
Try this:
dd if=dwl700AP_firmware_202.dlf bs=489 iseek=40 | gunzip | strings
Yes, that finds them as you say.
Looks like it uses a UNIX-like operating system (embedded linux?) too, with
names like /dev/uart0 and /dev/flash0
/dev/uart0
uart0
adm2
adm2
/dev/flash0
Error: Create node /dev/flash0 failed!
131.107.1.10
129.6.15.29
209.0.72.7
207.126.103.202
128.138.140.44
192.43.244.18
It seems to contain these hardcoded IP numbers:
131.107.1.10 (time-nw.nist.gov.)
That is interesting:
http://ntp.isc.org/bin/view/Servers/TimeNwNistGov
ServerLocation: Microsoft Corporation, Redmond, Washington
ServerContact: Judah Levine (jlevine@boulder.nist.gov) (303) 492-7785
It seems a bit odd, with a time-server located at M$, with the admin contact at
NIST.
129.6.15.29 (time-b.nist.gov.)
209.0.72.7 (Somewhere in Level3)
207.126.103.202 (Somewhere (unused ?) in AboveNet)
128.138.140.44 (india.colorado.edu.)
192.43.244.18 (time.nist.gov.)
All those have:
AccessPolicy: OpenAccess
AccessDetails: Open access for up to 20 queries per hour (one-day average) from
any one address, others by arrangement
so no problems with them, unless the server admins change their policy.
Poul-Henning
You might consider sending a few people letters asking them to cease using your
time server. They could then take them to a retailer and ask them to be fixed
and if no joy to a credit card company if they were purchased on a credit card.
Dlink would surly act if retailers were forced to give refunds or swap them for
units that are not affected.
dave