D-Link Screws the time folks
Ohh I can't believe this. (held from friday by accident!)
To make this non technical, D-link screwed up big time.
They Hard coded the address of The tier 1 servers(Stratum1) Time servers into their Hardware products.
Quick Picture:
I'm back. Now. Let's think.
The first thing you need to do when you implement the NTP (network time protocol) at your site is a) decide on what platform, and b) what software to use, and THEN c) what servers to have YOUR machine point to.
This is EXPLICTLY discussed in GREAT DETAIL in a document called Rules of Engagement
If you read ANYTHING about the NTP time protocol, the diagram you just saw is made very clear, when it states that site 1 (time.example.com) should ONLY talk to Stratum 2 Servers.
If You actually READ the NTP implementation documentation it suggests that every LOCATION have a NTP server, and it should query that DOMAIN's tier 2 or tier 1(sometimes) server.
For example the ntp.sales.example.com server should NEVER query tick.mit.edu (US-Mass) because it is a Closed or Restricted access Tier 1 server.
Instead you either need to investigate if your company already has a tier1/2 server
(say maintic.example.com) or find a tier 2 server with OPEN access that is physically close to you!(say pool.ntp.org) or even europe.pool.ntp.org, or oceania.pool.ntp.org
So. D-link decided to hard code the Tier 1 NTP list in it.
This is not nice!
So what to do?
have 30,000 + devices update their firmware?
Pay the bill at the affected NTP tier 1 servers?
establish a tier 1 tickmaster.d-link.com ?
all the above?
Oh, and if you have more then 4-5 pc's on your lan (or like me in your HOUSE) then you most likely DO want to run a tier 3 or 4 NTP server on a (I recommend Linux) box, that ALL your PC's can hit for an accurate clock, so all get syncronized together!
Cheers;
Markbnj
Oh and allegedly, some sort of announcment will go out next week from D-link resolving this...
** updated sat nite 1030 EDT
I am getting sick over this... I read here how some guru detectives tracked this down to a D-link DI-624 wireless router.
. Typically the firmware contains a list of 50 or so NTP time servers and it will choose one at random and ask it for the time - by sending out a naively constructed NTPv1 packet. If there is no answer (because the remote server doesn’t reply, or the response is firewalled off) then after 30 seconds it will choose another server and try again. If it does get a reply then it won’t ask again for a hour or so.
Note that we're up to NTP version 3 (or Version 4).
The gurus continue
Consumer devices should ask one of their ISP’s time service machines (probably running at stratum 3), the ISP will synchronise these to a stratum 2 device that is firewalled off from customers, and that machine will chime with some nearby (same continent) stratum 1 machines.
They even say this ISN't the First time this problem has happened!
If this story sounds familiar then it is. Back in May 2003 the University of Wisconsin - Madison found itself under a DDoS attack of hundreds of thousands of packets a second. In that case it was Netgear routers that were configured to send Simple NTP (SNTP) packets to a single server.
Although no-one discusses legal negotiations in public, shortly after Dave Plonka worked out what was causing the incoming traffic, Netgear spontaneously made a generous gift of $375,000 over three years “to improve wireless security on campus and to build out our campus network”. Which was nice.
And our tech guru closes with this extra link to d-link
However, in the current case, D-Link don’t seem to be feeling quite so generous. Poul-Henning reports in an open letter to D-Link (which means that I can finally report the material above) “I have been accused of extortion. I have been told that I have no claim, been told that I exaggerate the claim.”
In my own opinion, shipping equipment that generates 37 packets a second to Poul-Henning (and hence about 2K packets/second to all of the stratum 1 servers as a whole — that’s about a T1 of traffic) is hardly trivial. If D-Link were running their own time servers, as in my opinion they should be, it would cost them about $1000/month for the bandwidth alone.
Hey. I only blogged it. I DO know MY NTP servers DONT hit a tier 1 server. I ain't THAT stupid!! hee hee
Markbnj
No comments:
Post a Comment