TR Forums

The firmware in certain routers from D-LINK are set up to constantly try and connect to NTP servers. This in itself is not so bad, but the downside of this is that it is affecting many NTP servers worldwide, and making the timing information that they return to be inaccurate.


Please go to the following links for more information on this problem:

"Open letter to D-LINK about their NTP vandalism" (the original person who was directly affected by the D-LINK router DDoS setup...apparently he tried writing to D-LINK to get them to make the necessary change to their routers, and was met with indifference, which forced him to issue this open letter)

Light Blue Touchpaper blog: "When Firmware Attacks! (DDoS by D-Link)"

BBC: "Net clocks suffering data deluge"

the DDoS attack that these routers are doing is nothng really that serious...NTP is just
a time check so that the time on the router is in sync with the specified NTP server...

from wiki:
Routers have also been known to create unintentional DoS attacks, as both D-Link
and Netgear routers have created NTP vandalism by flooding NTP servers
without respecting the restrictions of client types or geographical limitations.

from wiki:
The Network Time Protocol (NTP) is a protocol for synchronising the clocks
of computer systems over packet-switched, variable-latency data
networks. NTP uses UDP port 123 as its transport layer. It is designed
particularly to resist the effects of variable latency.

But it is a problem, since those servers are being flooded and cannot serve others, right?

Flying Fox wrote:

But it is a problem, since those servers are being flooded and cannot serve others, right?

there's thousands of public/private NTP servers to choose from.

Flying Fox wrote:

But it is a problem, since those servers are being flooded and cannot serve others, right?

Flood a timeserver? Maybe if its on a adsl connection. Each router checks what, once an hour or so? Most things change to day or week after they made sure they run correctly. How big is a time packet? 30-50bytes?

ok lets see, how many people can you serve on a 100mbit?

The issue with the BSD guy is basicly cry me a river symptoms. Pure PR BS for the usual attention and 15mins of fame. if you dont wanna make something public, then dont allow public access.

Try ask MS how much bandwidth their 2 timeservers use, for their couple of 100mio users at time.windows.com

Well, he's a small time dude setting up an NTP server, but d-link basically made his server public in hundreds of thousands of unit. For him it costs him money in bandwidth costs.

While I agree there are so many servers out there may be he should just shut his down, you would think at least the NTP servers should be configurable on the devices in question? Or the list should only include really big and better funded servers like nist, nasa, navy, etc.?

Flying Fox wrote:

Well, he's a small time dude setting up an NTP server, but d-link basically made his server public in hundreds of thousands of unit. For him it costs him money in bandwidth costs.

While I agree there are so many servers out there may be he should just shut his down, you would think at least the NTP servers should be configurable on the devices in question? Or the list should only include really big and better funded servers like nist, nasa, navy, etc.?

No, what he didnt tell is that he got his server for free on the danish internet exchange. His bandwidth is free, since bandwidth cost nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wish for, but he just whines around it. He also says its only for people with permission, but with over 2000 users, that sounds hardly like its a close special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in denmark should use it.

Shintai wrote:

No, what he didnt tell is that he got his server for free on the danish internet exchange. His bandwidth is free, since bandwidth cost nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wish for, but he just whines around it. He also says its only for people with permission, but with over 2000 users, that sounds hardly like its a close special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in denmark should use it.

I thought there is a connection fee? Nothing is really free...

There may be less than 10 servers in Denmark, but since those d-link routers are shipped all over the world, wouldn't that be quite a bit if all those routers are going at it?

Flying Fox wrote:

Shintai wrote:

No, what he didnt tell is that he got his server for free on the danish internet exchange. His bandwidth is free, since bandwidth cost nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wish for, but he just whines around it. He also says its only for people with permission, but with over 2000 users, that sounds hardly like its a close special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in denmark should use it.

I thought there is a connection fee? Nothing is really free...

There may be less than 10 servers in Denmark, but since those d-link routers are shipped all over the world, wouldn't that be quite a bit if all those routers are going at it?

He never payed any fee to get his server there. Nor will he ever.
Also its not allowed to peer non danish traffic at the internet exchange. So if he got problems with foreign traffic, then he got more problems than that.

http://www.dix.dk/faq

Negotiations with the DIX management are ongoing, but the current theory is that I will have to close the GPS.DIX.dk server or pay a connection-fee of DKR 54.000,00 (approx USD 8,800) a year as long as the traffic is a significant fraction of total traffic to the server.

The guy is about to get whacked with huge bandwidth charges, because D-Link was stupid enough to hard code the name of his server into their firmware without his permission.

D-Link clearly **** up big-time.

Shintai wrote:

He never payed any fee to get his server there. Nor will he ever.

On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.

just brew it! wrote:

Shintai wrote:

He never payed any fee to get his server there. Nor will he ever.

On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.

You don´t make any contract for that since its not allowed to have any servers at the DIX, also he says there is 2 fee´s. One is taken right out in the air. The only thing you pay for at the DIX is rackspace and neutral net if you use it. Its also allowed for peers to peer directly individually so you avoid the fee. Rackspace is a yearly cost.

http://www.dix.dk will explain some of it.

Both he and I worked at the same ISP, and with 10years of experience as sysadm in the ISP business, I know abit about that place and how it looks etc

If he actually had to pull the prices out of his ass, he could atleast have used the peering cost on neutral net ONLY, since its the only thing he would pay in extreme case:
A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of DKK 38.700.

But again, its danish traffic. Not global, if its global the server should be removed nomatter what since it violates the rules.

Shintai wrote:

You don´t make any contract for that since its not allowed to have any servers at the DIX, also he says there is 2 fee´s. One is taken right out in the air. The only thing you pay for at the DIX is rackspace and neutral net if you use it. Its also allowed for peers to peer directly individually so you avoid the fee. Rackspace is a yearly cost.

http://www.dix.dk will explain some of it.

Both he and I worked at the same ISP, and with 10years of experience as sysadm in the ISP business, I know abit about that place and how it looks etc

If he actually had to pull the prices out of his ass, he could atleast have used the peering cost on neutral net ONLY, since its the only thing he would pay in extreme case:
A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of DKK 38.700.

But again, its danish traffic. Not global, if its global the server should be removed nomatter what since it violates the rules.

just brew it! wrote:

On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.

hey jbi, i would say that this shintai has more credability on this scenario
then the entire internet at this point based off of his explanation above ^

...you have to agree that, whether we debate about how much if anything he is paying, it is definitely wrong for DLINK to set their equipment by default to bang at his NTP server without so much as a by-your-leave. They should do things properly, and point at one of their own self-owned NTP servers instead (at best) or at one of the nice public ones out there (at least).

I personally use a DLINK router that doesn't hit on his (or anyone else's) NTP server. But I can imagine how much of a pain it would be for some poor dude halfway across the world to be getting these pings at such large rates on his NTP server, unbidden. If this fellow's "whingeing" about his problem can cause DLINK, LinkSys, etc. to clean up their act, we all will benefit.

EddieN120 wrote:

...you have to agree that, whether we debate about how much if anything he is paying, it is definitely wrong for DLINK to set their equipment by default to bang at his NTP server without so much as a by-your-leave. They should do things properly, and point at one of their own self-owned NTP servers instead (at best) or at one of the nice public ones out there (at least).

I personally use a DLINK router that doesn't hit on his (or anyone else's) NTP server. But I can imagine how much of a pain it would be for some poor dude halfway across the world to be getting these pings at such large rates on his NTP server, unbidden. If this fellow's "whingeing" about his problem can cause DLINK, LinkSys, etc. to clean up their act, we all will benefit.

Both yes and no, but remember it is a public NTP server. Rules are its not to be used for clients. And I would say a D-Link router is not a client, but a server, since it would serve the users behind the router.

meh. still.

have 10,000 or 1 million ppl hit my NTP server, i could care less.



a cable 6mbit pipe can handle all that measly traffic.

thegleek wrote:

meh. still.

have 10,000 or 1 million ppl hit my NTP server, i could care less.

Code: Select all

1:44pm[[email protected] thegleek] netstat -anp | grep 123

udp        0      0 192.168.0.3:123         0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*               LISTEN      336/ntpd

a cable 6mbit pipe can handle all that measly traffic.

Exactly. Its a hurricane in a glass of water.

If you are capped at a ridiculously low level then you care about every byte on your pipe.

DLinks does not ship thousands of these routers I think the count is in the hundreds of thousands if not over a million. Also there is a locale specification that if respected means only danish users access his time service. If he blocks the all but Danish ip's on his server will the routers still hit his server before moving down to the next one on their hard coded lists? One request an hour from one machine is not too bad, one request an hour from a million is a little too much.

Stripe7 wrote:

DLinks does not ship thousands of these routers I think the count is in the hundreds of thousands if not over a million. Also there is a locale specification that if respected means only danish users access his time service. If he blocks the all but Danish ip's on his server will the routers still hit his server before moving down to the next one on their hard coded lists? One request an hour from one machine is not too bad, one request an hour from a million is a little too much.

if he gets global traffic on the DIX, then something is already wrong.

Shintai wrote:

if he gets global traffic on the DIX, then something is already wrong.

So there is something "wrong" when I access the FAQ you linked above (which is hosted on a .dix.dk server)?

I'm not sure what you mean by "something is wrong". Either you can route to .dix.dk addresses from outside the country, or you can't.

just brew it! wrote:

Shintai wrote:

if he gets global traffic on the DIX, then something is already wrong.

So there is something "wrong" when I access the FAQ you linked above (which is hosted on a .dix.dk server)?

I'm not sure what you mean by "something is wrong". Either you can route to .dix.dk addresses from outside the country, or you can't.

No, if you traced http://www.dix.dk you would know its not hosted at the DIX, unlike gps.dix.dk

Remember DNS is just DNS, the same name can be anywhere and got nothing about routing to or the like.

http://www.dix.dk is hosted at uni-c.dk