Dlink products creating a DDOS attack against time servers worldwide
Moderator Emeritus
Join Date: Dec 2000
Location: College Park, MD
It has been discovered that Dlink is violating access policies for Stratum-1 NTP servers worldwide.
If you have a Dlink router or WAP or such, please update to the latest firmware to at least help the one server talked about below, until Dlink recognizes and corrects their problem.
Link to the full story: http://people.freebsd.org/%7Ephk/dlink/
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
That's awful! Even WINDOWS defaults to Microsoft's time server, and it also lets you choose your own; I like time.nist.gov myself.
Dumb, D-Link, VERY dumb. Thanks for the tip!
|
Glenn -----OTR/L, MOT, Tx
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
And it's not the first time a router maker did something this dumb: Netgear did the exact same thing a few years ago, too!!
tooki
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
I thought it sounded familiar; now I remember reading about Netgear's goofs. You posted on that, didn't you, tooki?
Very dumb indeed.
Glenn -----OTR/L, MOT, Tx
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Why not add a firewall or routing rule to drop all connections from outside .dk?
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
Read the link in the OP, it explains why that can't be done. As for the details, I'm sure that anyone on a network intended only for BGP routers knows far more about networking and firewalls than you and me combined.
tooki
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
I read the article, and the following made it sound like there are some technical solutions, but they're difficult to implement:
"Quite a lot of people suggests ways in which I can technically mitigate for D-Links incompetence. I think this misses the point: I do not want to waste more time cleaning up after D-Link. I want D-Link to spend time & money cleaning up after their incompetence."
I was more wondering why a simple technical solution (like firewall rules) wouldn't work to at least mitigate the problem until D-link does something. It seems that the technical solution is so difficult that instead he's decided to make a point and let his service suffer so he can give D-link a bigger black eye.
Here's to hoping someone who knows more about BGP, core routers, and such will chime in.
Moderator Emeritus
Join Date: Dec 2000
Location: College Park, MD
Originally Posted by mduell
I read the article, and the following made it sound like there are some technical solutions, but they're difficult to implement:
"Quite a lot of people suggests ways in which I can technically mitigate for D-Links incompetence. I think this misses the point: I do not want to waste more time cleaning up after D-Link. I want D-Link to spend time & money cleaning up after their incompetence."
I was more wondering why a simple technical solution (like firewall rules) wouldn't work to at least mitigate the problem until D-link does something. It seems that the technical solution is so difficult that instead he's decided to make a point and let his service suffer so he can give D-link a bigger black eye.
Here's to hoping someone who knows more about BGP, core routers, and such will chime in.
Filtering the D-Link packets requires inspection of fields which are not simple to implement in Cisco routers, and in particular such filtering seems to send all packets on the interface through the CPU instead of fast switching, so ingress filtering the packets at the ingress of AS1835 is totally out of the question.
Basically, firewall rules won't work because to tell the routers to monitor the packets slows down the network a TON because the router CPUs have to inspect every packet. Core routers don't have the level of CPU for that, their design is to switch quickly, not filter.
Also, realize that while this is the story of one server, Dlink is violating a ton of server policies. Finally, their products should never be hitting stratum 1 servers, period.
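The post above explains that telling apart the offending clients means looking at NTP header fields, which a core router cannot do cheaply. The check below is an added example (not from the thread or from the linked page) of what a server operator could run on captured traffic instead: it decodes the RFC 5905 header, keeps only mode-3 client requests, and flags sources polling faster than an assumed access policy allows. The packets, addresses and 64-second policy are constructed for illustration.

```python
"""Server-side NTP access-policy check (added example, not from the thread).
Decodes NTP client requests and reports sources that poll faster than the
assumed policy permits. All packets and timings below are constructed."""
import struct

# RFC 5905 header: LI/VN/Mode byte, stratum, poll (log2 seconds), precision,
# root delay, root dispersion, reference id, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbb4s4s4sQQQQ")   # 48 bytes
MODE_CLIENT = 3
MIN_INTERVAL_S = 64.0   # assumed policy: at most one query per 64 s per source

def parse_ntp(packet: bytes) -> dict:
    """Decode the 48-byte NTP header; raises ValueError on short packets."""
    if len(packet) < NTP_HEADER.size:
        raise ValueError("short NTP packet")
    flags, stratum, poll, precision, _, _, refid, *_ = NTP_HEADER.unpack_from(packet)
    return {"li": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "poll": poll, "precision": precision, "refid": refid}

def build_client_request(version: int = 4, poll: int = 6) -> bytes:
    """Constructed client packet (mode 3); every other field is zero."""
    flags = (version << 3) | MODE_CLIENT
    return NTP_HEADER.pack(flags, 0, poll, 0, b"\0" * 4, b"\0" * 4, b"\0" * 4, 0, 0, 0, 0)

def find_abusive_sources(samples, min_interval: float = MIN_INTERVAL_S) -> dict:
    """samples: iterable of (arrival_time_s, src_ip, packet_bytes).
    Returns {src_ip: shortest gap seen} for every source that sent two
    client requests closer together than the policy allows."""
    last_seen, offenders = {}, {}
    for t, src, pkt in sorted(samples, key=lambda s: s[0]):
        try:
            hdr = parse_ntp(pkt)
        except ValueError:
            continue                      # truncated packet: not a valid query
        if hdr["mode"] != MODE_CLIENT:
            continue                      # only client requests count against policy
        if src in last_seen:
            gap = t - last_seen[src]
            if gap < min_interval:
                offenders[src] = min(gap, offenders.get(src, gap))
        last_seen[src] = t
    return offenders

# Constructed traffic: 10.0.0.5 queries every 10 s (violates the assumed policy),
# 10.0.0.9 queries every 1024 s (well within it).
SAMPLES = [(t, "10.0.0.5", build_client_request(poll=3)) for t in range(0, 60, 10)] + \
          [(t, "10.0.0.9", build_client_request()) for t in (0, 1024, 2048)]

if __name__ == "__main__":
    print(find_abusive_sources(SAMPLES))
```

The same parser could count requests per source over a window to measure the aggregate load the linked page describes, rather than per-source rate alone.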
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Home users' equipment using a stratum 1 resource is kind of like calling the President of the United States to complain about a small pot hole right outside your driveway; WAY too high for the application. As the OP points out, his server is supposed to work with ISPs and the backbone of the Internet, NOT Joe User's little network. The RFCs for time servers and interactions between different levels of networks require that user-level networks communicate at much lower levels. Doing otherwise violates the standards the Internet is based on.
Glenn -----OTR/L, MOT, Tx
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
The issue has been resolved. Mr. Kamp has authorized access for all existing products and D-link has agreed to use a different NTP server for new products.
D-Link and Poul-Henning Kamp announced today that they have amicably resolved their dispute regarding access to Mr. Kamp's GPS.Dix.dk NTP Time Server site. D-Link's existing products will have authorized access to Mr. Kamp's server, but all new D-Link products will not use the GPS.Dix.dk NTP timeserver. D-Link is dedicated to remaining a good corporate and network citizen.