EddieN120
Gerbil
Topic Author
Posts: 31
Joined: Tue Apr 11, 2006 11:57 am

Warning: DDoS Attacks from D-LINK Routers

Fri Apr 14, 2006 10:40 am

The firmware in certain routers from D-LINK is set up to constantly try to connect to NTP servers. This in itself is not so bad, but the downside is that it is affecting many NTP servers worldwide, and making the timing information that they return inaccurate.


Please go to the following links for more information on this problem:

"Open letter to D-LINK about their NTP vandalism" (the original person who was directly affected by the D-LINK router DDoS setup...apparently he tried writing to D-LINK to get them to make the necessary change to their routers, and was met with indifference, which forced him to issue this open letter)

Light Blue Touchpaper blog: "When Firmware Attacks! (DDoS by D-Link)"

BBC: "Net clocks suffering data deluge"
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
Contact:

Mon Apr 17, 2006 9:48 am

the DDoS attack that these routers are doing is nothing really that serious...NTP is just
a time check so that the time on the router is in sync with the specified NTP server...

from wiki:
Routers have also been known to create unintentional DoS attacks, as both D-Link
and Netgear routers have created NTP vandalism by flooding NTP servers
without respecting the restrictions of client types or geographical limitations.


from wiki:
The Network Time Protocol (NTP) is a protocol for synchronising the clocks
of computer systems over packet-switched, variable-latency data
networks. NTP uses UDP port 123 as its transport layer. It is designed
particularly to resist the effects of variable latency.
––•–√\/––√\/––•–– nostalgia is an emotion for people with no future ––•–√\/––√\/––•–-
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Mon Apr 17, 2006 10:43 am

But it is a problem, since those servers are being flooded and cannot serve others, right? :roll:
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
Contact:

Mon Apr 17, 2006 10:48 am

Flying Fox wrote:
But it is a problem, since those servers are being flooded and cannot serve others, right? :roll:

there's thousands of public/private NTP servers to choose from.
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 10:55 am

Flying Fox wrote:
But it is a problem, since those servers are being flooded and cannot serve others, right? :roll:


Flood a timeserver? Maybe if it's on an ADSL connection. Each router checks what, once an hour or so? Most things change to day or week after they made sure they run correctly. How big is a time packet? 30-50 bytes?

OK, let's see, how many people can you serve on a 100 Mbit?

The issue with the BSD guy is basically cry me a river symptoms. Pure PR BS for the usual attention and 15 mins of fame. If you don't wanna make something public, then don't allow public access.

Try asking MS how much bandwidth their 2 timeservers use for their couple of hundred million users at time.windows.com
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Mon Apr 17, 2006 11:05 am

Well, he's a small time dude setting up an NTP server, but D-Link basically made his server public in hundreds of thousands of units. For him it costs him money in bandwidth costs.

While I agree there are so many servers out there maybe he should just shut his down, you would think at least the NTP servers should be configurable on the devices in question? Or the list should only include really big and better funded servers like NIST, NASA, Navy, etc.?
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 11:11 am

Flying Fox wrote:
Well, he's a small time dude setting up an NTP server, but D-Link basically made his server public in hundreds of thousands of units. For him it costs him money in bandwidth costs.

While I agree there are so many servers out there maybe he should just shut his down, you would think at least the NTP servers should be configurable on the devices in question? Or the list should only include really big and better funded servers like NIST, NASA, Navy, etc.?


No, what he didn't tell is that he got his server for free on the Danish internet exchange. His bandwidth is free, since bandwidth costs nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wishes for, but he just whines around it. He also says it's only for people with permission, but with over 2000 users, that sounds hardly like it's a closed special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in Denmark should use it.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Mon Apr 17, 2006 11:20 am

Shintai wrote:
No, what he didn't tell is that he got his server for free on the Danish internet exchange. His bandwidth is free, since bandwidth costs nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wishes for, but he just whines around it. He also says it's only for people with permission, but with over 2000 users, that sounds hardly like it's a closed special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in Denmark should use it.

I thought there is a connection fee? Nothing is really free...

There may be less than 10 servers in Denmark, but since those d-link routers are shipped all over the world, wouldn't that be quite a bit if all those routers are going at it?
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 11:27 am

Flying Fox wrote:
Shintai wrote:
No, what he didn't tell is that he got his server for free on the Danish internet exchange. His bandwidth is free, since bandwidth costs nothing at the exchange. Only thing you pay for is rackspace.

And he can config filters for the people he wishes for, but he just whines around it. He also says it's only for people with permission, but with over 2000 users, that sounds hardly like it's a closed special server either. If it was a pure stratum1 server and you followed the rules and so forth, less than 10 other servers in Denmark should use it.
I thought there is a connection fee? Nothing is really free...

There may be less than 10 servers in Denmark, but since those d-link routers are shipped all over the world, wouldn't that be quite a bit if all those routers are going at it?


He never paid any fee to get his server there. Nor will he ever.
Also it's not allowed to peer non-Danish traffic at the internet exchange. So if he got problems with foreign traffic, then he got more problems than that.

http://www.dix.dk/faq
 
just brew it!
Administrator
Posts: 54499
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Mon Apr 17, 2006 11:29 am

Negotiations with the DIX management are ongoing, but the current theory is that I will have to close the GPS.DIX.dk server or pay a connection-fee of DKR 54.000,00 (approx USD 8,800) a year as long as the traffic is a significant fraction of total traffic to the server.

The guy is about to get whacked with huge bandwidth charges, because D-Link was stupid enough to hard code the name of his server into their firmware without his permission.

D-Link clearly **** up big-time.
Nostalgia isn't what it used to be.
 
just brew it!
Administrator
Posts: 54499
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Mon Apr 17, 2006 11:30 am

Shintai wrote:
He never paid any fee to get his server there. Nor will he ever.

On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 11:40 am

just brew it! wrote:
Shintai wrote:
He never paid any fee to get his server there. Nor will he ever.

On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.


You don't make any contract for that since it's not allowed to have any servers at the DIX, also he says there are 2 fees. One is taken right out of the air. The only thing you pay for at the DIX is rackspace and neutral net if you use it. It's also allowed for peers to peer directly individually so you avoid the fee. Rackspace is a yearly cost.

http://www.dix.dk will explain some of it.

Both he and I worked at the same ISP, and with 10 years of experience as sysadm in the ISP business, I know a bit about that place and how it looks etc ;)

If he actually had to pull the prices out of his ass, he could at least have used the peering cost on neutral net ONLY, since it's the only thing he would pay in the extreme case:
A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of DKK 38.700.

But again, it's Danish traffic. Not global; if it's global the server should be removed no matter what since it violates the rules.
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
Contact:

Mon Apr 17, 2006 12:38 pm

Shintai wrote:
You don't make any contract for that since it's not allowed to have any servers at the DIX, also he says there are 2 fees. One is taken right out of the air. The only thing you pay for at the DIX is rackspace and neutral net if you use it. It's also allowed for peers to peer directly individually so you avoid the fee. Rackspace is a yearly cost.

http://www.dix.dk will explain some of it.

Both he and I worked at the same ISP, and with 10 years of experience as sysadm in the ISP business, I know a bit about that place and how it looks etc ;)

If he actually had to pull the prices out of his ass, he could at least have used the peering cost on neutral net ONLY, since it's the only thing he would pay in the extreme case:
A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of DKK 38.700.

But again, it's Danish traffic. Not global; if it's global the server should be removed no matter what since it violates the rules.


just brew it! wrote:
On what information do you base this claim? It sounds like he hasn't paid a fee yet, but will need to in the future if the traffic does not abate.

hey jbi, i would say that this shintai has more credibility on this scenario
than the entire internet at this point based off of his explanation above ^
 
EddieN120
Gerbil
Topic Author
Posts: 31
Joined: Tue Apr 11, 2006 11:57 am

...yes, but...

Mon Apr 17, 2006 12:39 pm

...you have to agree that, whether we debate about how much if anything he is paying, it is definitely wrong for DLINK to set their equipment by default to bang at his NTP server without so much as a by-your-leave. They should do things properly, and point at one of their own self-owned NTP servers instead (at best) or at one of the nice public ones out there (at least).

I personally use a DLINK router that doesn't hit on his (or anyone else's) NTP server. But I can imagine how much of a pain it would be for some poor dude halfway across the world to be getting these pings at such large rates on his NTP server, unbidden. If this fellow's "whingeing" about his problem can cause DLINK, LinkSys, etc. to clean up their act, we all will benefit.
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Re: ...yes, but...

Mon Apr 17, 2006 12:41 pm

EddieN120 wrote:
...you have to agree that, whether we debate about how much if anything he is paying, it is definitely wrong for DLINK to set their equipment by default to bang at his NTP server without so much as a by-your-leave. They should do things properly, and point at one of their own self-owned NTP servers instead (at best) or at one of the nice public ones out there (at least).

I personally use a DLINK router that doesn't hit on his (or anyone else's) NTP server. But I can imagine how much of a pain it would be for some poor dude halfway across the world to be getting these pings at such large rates on his NTP server, unbidden. If this fellow's "whingeing" about his problem can cause DLINK, LinkSys, etc. to clean up their act, we all will benefit.


Both yes and no, but remember it is a public NTP server. Rules are it's not to be used for clients. And I would say a D-Link router is not a client, but a server, since it would serve the users behind the router.
 
thegleek
Darth Gerbil
Posts: 7460
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI
Contact:

Mon Apr 17, 2006 12:48 pm

meh. still.

have 10,000 or 1 million ppl hit my NTP server, i could care less.

1:44pm[[email protected] thegleek] netstat -anp | grep 123

udp        0      0 192.168.0.3:123         0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*               LISTEN      336/ntpd


a cable 6mbit pipe can handle all that measly traffic.
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 12:51 pm

thegleek wrote:
meh. still.

have 10,000 or 1 million ppl hit my NTP server, i could care less.

1:44pm[[email protected] thegleek] netstat -anp | grep 123

udp        0      0 192.168.0.3:123         0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*               LISTEN      336/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*               LISTEN      336/ntpd


a cable 6mbit pipe can handle all that measly traffic.


Exactly. It's a hurricane in a glass of water.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Mon Apr 17, 2006 12:53 pm

If you are capped at a ridiculously low level then you care about every byte on your pipe. :-?
 
Stripe7
Gerbil Team Leader
Posts: 247
Joined: Mon Oct 06, 2003 5:08 pm

Mon Apr 17, 2006 12:56 pm

D-Link does not ship thousands of these routers; I think the count is in the hundreds of thousands if not over a million. Also there is a locale specification that if respected means only Danish users access his time service. If he blocks all but Danish IPs on his server will the routers still hit his server before moving down to the next one on their hard coded lists? One request an hour from one machine is not too bad, one request an hour from a million is a little too much.
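
An added example, not part of any post in this thread: a sketch of how an NTP server operator could tally client requests per source from a packet capture and estimate the aggregate load being debated above. The records, addresses (documentation ranges), the 60-second threshold and all function names are constructed for illustration; "one request an hour from a million" is the thread's own hypothetical, not a measurement.

```python
from typing import Iterable, Tuple

NTP_PAYLOAD = 48       # bytes in a basic NTP packet (no extension fields or MAC)
UDP_IP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte UDP header

def ntp_mode(payload: bytes) -> int:
    """Mode is the low 3 bits of the first byte: 3 = client, 4 = server."""
    if len(payload) < NTP_PAYLOAD:
        raise ValueError("truncated NTP packet")
    return payload[0] & 0x07

def summarize(records: Iterable[Tuple[float, str, bytes]], min_interval: float = 60.0):
    """Count client requests and collect sources that poll again sooner than
    min_interval seconds (an assumed threshold, not a protocol constant)."""
    last_seen, fast, count = {}, set(), 0
    for ts, src, payload in sorted(records):
        try:
            if ntp_mode(payload) != 3:
                continue            # not a client request
        except ValueError:
            continue                # malformed packet; ignore it
        count += 1
        if src in last_seen and ts - last_seen[src] < min_interval:
            fast.add(src)
        last_seen[src] = ts
    return count, fast

def aggregate_load(clients: int, poll_interval_s: float):
    """Steady-state inbound packets/s and bits/s, measured at the IP layer."""
    pps = clients / poll_interval_s
    return pps, pps * (NTP_PAYLOAD + UDP_IP_OVERHEAD) * 8

# Constructed sample capture: (epoch seconds, source IP, UDP payload).
CLIENT = bytes([0x1B]) + bytes(47)   # LI=0, VN=3, mode=3
SERVER = bytes([0x1C]) + bytes(47)   # LI=0, VN=3, mode=4
SAMPLE = [
    (0.0, "192.0.2.10", CLIENT), (5.0, "192.0.2.10", CLIENT),
    (0.0, "198.51.100.7", CLIENT), (3600.0, "198.51.100.7", CLIENT),
    (1.0, "192.0.2.99", SERVER), (2.0, "192.0.2.50", b"\x1b"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(aggregate_load(1_000_000, 3600))
```

The load estimate covers only well-behaved hourly polling; clients that retry quickly when they get no answer are what `summarize` is meant to surface.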
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Mon Apr 17, 2006 1:22 pm

Stripe7 wrote:
D-Link does not ship thousands of these routers; I think the count is in the hundreds of thousands if not over a million. Also there is a locale specification that if respected means only Danish users access his time service. If he blocks all but Danish IPs on his server will the routers still hit his server before moving down to the next one on their hard coded lists? One request an hour from one machine is not too bad, one request an hour from a million is a little too much.


if he gets global traffic on the DIX, then something is already wrong.
 
just brew it!
Administrator
Posts: 54499
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Mon Apr 17, 2006 1:34 pm

Shintai wrote:
if he gets global traffic on the DIX, then something is already wrong.

So there is something "wrong" when I access the FAQ you linked above (which is hosted on a .dix.dk server)?

I'm not sure what you mean by "something is wrong". Either you can route to .dix.dk addresses from outside the country, or you can't.
 
Shintai
Minister of Gerbil Affairs
Posts: 2369
Joined: Sat May 14, 2005 4:43 am
Location: Denmark

Tue Apr 18, 2006 3:47 am

just brew it! wrote:
Shintai wrote:
if he gets global traffic on the DIX, then something is already wrong.

So there is something "wrong" when I access the FAQ you linked above (which is hosted on a .dix.dk server)?

I'm not sure what you mean by "something is wrong". Either you can route to .dix.dk addresses from outside the country, or you can't.


No, if you traced http://www.dix.dk you would know it's not hosted at the DIX, unlike gps.dix.dk

Remember DNS is just DNS, the same name can be anywhere and got nothing about routing to or the like.

http://www.dix.dk is hosted at uni-c.dk
