time-nuts@lists.febo.com

Discussion of precise time and frequency measurement


D-Links NTP server vandalism

PK
Poul-Henning Kamp
Sun, Apr 9, 2006 6:07 AM

In message <000001c65b52$77ae5f00$5315f204@computer>, "Tom Van Baak" writes:

>PHK,
>
>So sorry to hear about your legal adventure.
>
>Have a close look at "NTP" from the 1930's -- at just
>5 cents a day [about $0.70 in today's dollar]:
>
>http://www.leapsecond.com/history/usno.htm

:-)

>Back to your situation; it is possible this abuse by
>the vendor gets them in trouble with strict California
>spam laws?

No, I don't think so.  But I've since found out that the abuse
pretty much all stratum 1 servers, including several .edu, .gov
and .mil servers.

Now they probably regret they didn't just pay off my claim from the
start.

--
Poul-Henning Kamp      | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG        | TCP/IP since RFC 956
FreeBSD committer      | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

JA
John Ackermann N8UR
Sun, Apr 9, 2006 12:31 PM

Poul-Henning Kamp said the following on 04/09/2006 02:07 AM:

> No, I don't think so.  But I've since found out that the abuse
> pretty much all stratum 1 servers, including several .edu, .gov
> and .mil servers.
>
> Now they probably regret they didn't just pay off my claim from the
> start.

I'm also sorry, Poul-Henning, that you are the latest victim of firmware
stupidity.

On a related note, I recently set up my external web/mail/etc. server to
be a stratum 2 timeserver and added it to pool.ntp.org, the volunteer
round-robin DNS system to share the NTP load.  I've only been in the
pool for a couple of days, and only got my logging software working
yesterday, but it's quite amazing how many systems there are that sync
to me.  I'm averaging about 500 active clients, but when, once a day or
so, my IP address gets entered into the DNS pool, that shoots up to a
couple of thousand (and then tails off very quickly; there must be many,
many machines that do a start-up time check but aren't running a full
NTP implementation).

I have graphs of that activity at
http://www.febo.com/time-freq/ntp/stats/clients/index.html, and others
showing the relative offsets of all my NTP servers (I have each PPS
source in the basement driving its own server) at
http://www.febo.com/time-freq/ntp/stats/index.html.

John

NJ
Neon John
Sun, Apr 9, 2006 8:58 PM

On Sat, 8 Apr 2006 13:53:40 -0700, "Tom Van Baak" <tvb@leapsecond.com>
wrote:

>PHK,
>
>So sorry to hear about your legal adventure.
>
>Have a close look at "NTP" from the 1930's -- at just
>5 cents a day [about $0.70 in today's dollar]:
>
>http://www.leapsecond.com/history/usno.htm

And I bet there was the equivalent problem of open WiFi access points
- the guy across the street from a subscriber using a telescope to set
his clock(s) from the western union one :-)

>Perhaps the problem with NTP (and email, and the
>web, etc.) is that the servers do all the work & pay all
>the bills and the clients ride for free. One can imagine
>a world where time to the second on the net is free,
>but the client pays more for ever increasing levels of
>delivered precision from the server.

There'd first have to be an agreement that there IS a problem.  From
my perspective both as a heavy net user and a former service provider,
I think the net and its financing model is working just fine.

I can just imagine the re-balkanizing of the net that charging for
services would cause.  Anyone else remember the bad old days of
Tymenet and Telenet?  Where mainly only large organizations had access
- and then the teletype was guarded like the company secrets?  Where
the odd small businessman (that would be me back then) counted
characters and seconds to avoid extra charges.  Where no one would
dare do anything interesting or outside strict job requirements
because of the costs involved?

Naw, I'll take the free and open net that we have now.  The financing
model is working well.

John

John De Armond
See my website for my current email address
http://www.johngsbbq.com
Cleveland, Occupied TN
A foolish consistency is the hobgoblin of little minds.-Ralph Waldo Emerson

MD
Magnus Danielson
Mon, Apr 10, 2006 7:53 PM

From: "Poul-Henning Kamp" <phk@phk.freebsd.dk>
Subject: Re: [time-nuts] D-Links NTP server vandalism
Date: Fri, 07 Apr 2006 15:17:47 +0200
Message-ID: <25079.1144415867@critter.freebsd.dk>

Hi Poul-Henning!

It's a mess alright... :P

> In message <4436658B.30801@erols.com>, Chuck Harris writes:
>
> >Submit your letter to http://slashdot.org.  It is a board that is populated
> >by millions of uber geeks, probably including most of D-Link's programming
> >staff.
>
> I know slash-dot :-)

You don't say? ;o)

> Two or three people have already told me that they submitted the
> story...
>
> >Do *NOT* submit a link to your website, unless you want to see
> >your server turn to
> >rubble.  It takes more than a T3 link just to handle the quick visits that
> >this group makes to links.  Their influence to servers is so extreme that it
> >has caused the coining of the phrase "slashdot effect".
>
> The FreeBSD server in question has more bandwidth than that, last
> I heard it was pretty much on a GigE that had several Gig's of
> bandwidth backing it.  We've taken several slash-dottings in
> the past with no trouble.
>
> (Yes, FreeBSD _is_ a good server OS :-)

Hohoum, why do I have the distinct feeling you are slightly biased?

> --
> Poul-Henning Kamp      | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG        | TCP/IP since RFC 956
> FreeBSD committer      | BSD since 4.3-tahoe

Hohoum... :-D

Cheers,
Magnus

PK
Poul-Henning Kamp
Mon, Apr 10, 2006 8:38 PM

In message <20060410.215310.116759674.cfmd@bredband.net>, Magnus Danielson writes:

>> The FreeBSD server in question has more bandwidth than that, last
>> I heard it was pretty much on a GigE that had several Gig's of
>> bandwidth backing it.  We've taken several slash-dottings in
>> the past with no trouble.
>>
>> (Yes, FreeBSD _is_ a good server OS :-)
>
>Hohoum, why do I have the distinct feeling you are slightly biased?

because I ran netstat(8) all along, and it had more traffic from
SSH than from HTTP :-)

The Slash-Dot effect is only real when people put a lot of graphics
on their page or if the page is served out of a content-management-system
which must lookup everything in a database.

For a "plain HTML in a single file" page like this one, the slash-dot
effect is non-existent.

--
Poul-Henning Kamp      | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG        | TCP/IP since RFC 956
FreeBSD committer      | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

DD
Dr. David Kirkby
Tue, Apr 11, 2006 11:52 AM

Poul-Henning Kamp wrote:

> I'm sure some of you thought time-signals were a risk-free hobby:
>
> http://people.freebsd.org/~phk/dlink/

I don't see the Dlink DWL-700AP wireless access point on your list, but I
strongly suspect my DWL-700AP is getting its time from an ntp server, as I can
find no way to set the time, yet it is correct.

I can't obviously see gps.dix.dk in there:

sparrow /downloads % grep -i "gps\.dix\.dk" dwl700AP_firmware_202.dlf
sparrow /downloads %

but that is not definitive.

It seems unlikely gps.dix.dk is the only one being used without permission. I
suspect other server owners will start checking their logs. This could well be
the tip of a very large iceberg.

No doubt some bright spark will write a virus that converts ntp lookups on
gps.dix.dk to http lookups on http://www.dlink.com/

PK
Poul-Henning Kamp
Tue, Apr 11, 2006 1:23 PM

In message <443B988C.6000407@onetel.net>, "Dr. David Kirkby" writes:

>Poul-Henning Kamp wrote:
>
>I can't obviously see gps.dix.dk in there:
>
>sparrow /downloads % grep -i "gps\.dix\.dk" dwl700AP_firmware_202.dlf

That is because in this case the firmware file is a compressed file
with a small uncompression program in front.

Try this:

dd if=dwl700AP_firmware_202.dlf bs=489 iseek=40 | gunzip | strings

It seems to contain these hardcoded IP numbers:

131.107.1.10		(time-nw.nist.gov.)
129.6.15.29		(time-b.nist.gov.)
209.0.72.7		(Somewhere in Level3)
207.126.103.202		(Somewhere (unused ?) in AboveNet)
128.138.140.44		(india.colorado.edu.)
192.43.244.18		(time.nist.gov.)

Poul-Henning

--
Poul-Henning Kamp      | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG        | TCP/IP since RFC 956
FreeBSD committer      | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

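The `dd | gunzip | strings` pipeline above only works once you know the offset of the compressed body (40 blocks of 489 bytes here). The following is an added example, not code from the thread or from D-Link: it scans an image for the gzip magic bytes, decompresses from any offset where a complete member decodes, and pulls out printable strings plus validated dotted-quad IPv4 literals, which is the check an operator would run against firmware they ship or deploy to inventory hardcoded time servers. The firmware image it runs on is a constructed stand-in (a fake stub containing a decoy magic pair, followed by a gzip'd body with device-node names and three of the NIST addresses the thread lists); the real DWL-700AP image layout is not assumed beyond "stub in front, compressed body behind".

```python
"""Carve a gzip stream out of a firmware image and list the IPv4 literals in it.

Added example; the sample image below is constructed, not a real D-Link file.
"""
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Printable-ASCII runs of 4+ bytes, which is what strings(1) prints by default.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Dotted quad not embedded in a longer digit run ("1.2.3.4567" is a version, not an IP).
IPV4_RE = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def find_gzip_streams(blob: bytes):
    """Yield (offset, decompressed_bytes) for every complete gzip member in blob.

    A false magic hit (0x1f 0x8b that is not a real header) raises zlib.error or
    never reaches end-of-stream; both cases are skipped. Trailing data after a
    member is tolerated because decompressobj stops at the member's end.
    """
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
        try:
            out = d.decompress(blob[pos:])
            if d.eof:
                yield pos, out
        except zlib.error:
            pass
        pos = blob.find(GZIP_MAGIC, pos + 1)


def extract_strings(data: bytes):
    """Equivalent of strings(1) with the default minimum length of 4."""
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(data)]


def extract_ipv4(data: bytes):
    """Dotted quads with every octet in 0..255, in order of first appearance."""
    found = []
    for m in IPV4_RE.finditer(data):
        quad = m.group(1).decode("ascii")
        if all(int(o) <= 255 for o in quad.split(".")) and quad not in found:
            found.append(quad)
    return found


def carve_firmware(blob: bytes):
    """Return offset, strings and IPv4 literals of the first gzip member, or None."""
    for off, body in find_gzip_streams(blob):
        return {"offset": off, "strings": extract_strings(body), "ipv4": extract_ipv4(body)}
    return None


# Constructed stand-in for a firmware image: a 300-byte fake stub (which also
# contains a decoy 0x1f 0x8b pair at offset 4) followed by a gzip'd body
# holding strings of the kind the thread reports. "ver 1.2.3.4567" and
# "999.1.1.1" are there to show the lookaround and octet checks rejecting them.
_BODY = (b"\x00\x01/dev/uart0\x00uart0\x00/dev/flash0\x00"
         b"131.107.1.10\x00129.6.15.29\x00192.43.244.18\x00"
         b"ver 1.2.3.4567\x00999.1.1.1\x00")
SAMPLE_IMAGE = b"STUB" + b"\x1f\x8b" + b"\x00" * 294 + gzip.compress(_BODY, mtime=0)


if __name__ == "__main__":
    result = carve_firmware(SAMPLE_IMAGE)
    print("gzip member at offset", result["offset"])
    print("hardcoded IPv4 literals:", ", ".join(result["ipv4"]))
```

To run it against a real image, replace `SAMPLE_IMAGE` with `open(path, "rb").read()`; if the vendor used a different container (LZMA, a squashfs, an encrypted blob) the scan finds nothing and the function returns `None` rather than a misleading empty list.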
DD
Dr. David Kirkby
Tue, Apr 11, 2006 2:20 PM

Poul-Henning Kamp wrote:

> In message <443B988C.6000407@onetel.net>, "Dr. David Kirkby" writes:
>
>>Poul-Henning Kamp wrote:
>
>>I can't obviously see gps.dix.dk in there:
>>
>>sparrow /downloads % grep -i "gps\.dix\.dk" dwl700AP_firmware_202.dlf
>
> That is because in this case the firmware file is a compressed file
> with a small uncompression program in front.
>
> Try this:
>
> dd if=dwl700AP_firmware_202.dlf bs=489 iseek=40 | gunzip | strings

Yes, that finds them as you say.

Looks like it uses a UNIX-like operating system (embedded linux?) too, with
names like /dev/uart0 and /dev/flash0

/dev/uart0
uart0
adm2
adm2
/dev/flash0
Error: Create node /dev/flash0 failed!
131.107.1.10
129.6.15.29
209.0.72.7
207.126.103.202
128.138.140.44
192.43.244.18

> It seems to contain these hardcoded IP numbers:
>
> 131.107.1.10		(time-nw.nist.gov.)

That is interesting:
http://ntp.isc.org/bin/view/Servers/TimeNwNistGov

ServerLocation: Microsoft Corporation, Redmond, Washington
ServerContact: Judah Levine (jlevine@boulder.nist.gov) (303) 492-7785

It seems a bit odd, with a time-server located at M$, with the admin contact at
NIST.

> 129.6.15.29		(time-b.nist.gov.)
> 209.0.72.7		(Somewhere in Level3)
> 207.126.103.202		(Somewhere (unused ?) in AboveNet)
> 128.138.140.44		(india.colorado.edu.)
> 192.43.244.18		(time.nist.gov.)

All those have:

AccessPolicy: OpenAccess
AccessDetails: Open access for up to 20 queries per hour (one-day average) from
any one address, others by arrangement

so no problems with them, unless the server admins change their policy.

> Poul-Henning

You might consider sending a few people letters asking them to cease using your
time server. They could then take them to a retailer and ask them to be fixed
and if no joy to a credit card company if they were purchased on a credit card.

Dlink would surely act if retailers were forced to give refunds or swap them for
units that are not affected.

dave

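Two things in this thread call for the same piece of log analysis: John Ackermann's count of active clients per interval (with the spike of start-up-only clients when his address enters the pool), and the "20 queries per hour from any one address" access policy quoted above, which is the threshold an operator would check embedded devices against before deciding a firmware is abusing the server. The following is an added example, not the list members' logging software or any ntpd feature: it reads a constructed per-query log (ISO timestamp and client address on each line), reports distinct clients per 10-minute interval, and flags every address whose query count in any sliding one-hour window exceeds the policy limit. The client addresses are documentation ranges, and `MAX_QUERIES_PER_HOUR` is the policy figure from the quoted server listing.

```python
"""Distinct-client counts per interval and per-address rate-policy checks
over NTP query logs. Added example with a constructed log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_QUERIES_PER_HOUR = 20   # "Open access for up to 20 queries per hour"


def parse_line(line):
    """Constructed format: '<ISO-8601 timestamp> <client address>'."""
    ts, addr = line.split()
    return datetime.fromisoformat(ts), addr


def clients_per_interval(lines, minutes=10):
    """Map interval start (ISO string, minute precision) -> distinct clients."""
    buckets = defaultdict(set)
    for line in lines:
        ts, addr = parse_line(line)
        start = ts.replace(minute=(ts.minute // minutes) * minutes,
                           second=0, microsecond=0)
        buckets[start.isoformat(timespec="minutes")].add(addr)
    return {k: len(v) for k, v in sorted(buckets.items())}


def policy_violators(lines, limit=MAX_QUERIES_PER_HOUR, window=timedelta(hours=1)):
    """Return {addr: peak queries in any sliding window} for clients over limit.

    A two-pointer sweep over each client's sorted timestamps: 'lo' advances
    until the window [ts[lo], t] is shorter than 'window', so hi - lo + 1 is
    the number of queries in the window ending at t.
    """
    times = defaultdict(list)
    for line in lines:
        ts, addr = parse_line(line)
        times[addr].append(ts)
    flagged = {}
    for addr, ts_list in times.items():
        ts_list.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts_list):
            while t - ts_list[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > limit:
            flagged[addr] = peak
    return flagged


def build_sample_log():
    """Constructed log: one polite ntpd client, one retry-happy device, and a
    burst of 40 hosts that each do a single start-up check after a pool entry."""
    base = datetime(2006, 4, 9, 12, 0, 0)
    lines = []
    for i in range(0, 180, 17):            # every 17 minutes for three hours
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 203.0.113.5")
    for i in range(30):                    # every 20 seconds for ten minutes
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 198.51.100.9")
    for n in range(1, 41):                 # one query each, 12:03:01 .. 12:03:40
        lines.append(f"{(base + timedelta(minutes=3, seconds=n)).isoformat()} 192.0.2.{n}")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for start, count in clients_per_interval(log).items():
        print(f"{start}  {count:4d} distinct clients")
    for addr, peak in policy_violators(log).items():
        print(f"{addr}: {peak} queries in one hour, over the {MAX_QUERIES_PER_HOUR}/h policy")
```

The per-interval table shows the shape John describes (a spike of one-shot clients followed by a quick tail-off to the regulars), while the sliding-window check is what separates a well-behaved client polling every few minutes from firmware that retries every few seconds.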