Open Letter to D-Link about their NTP vandalism

Kevin Day toasty at dragondata.com
Fri Apr 7 23:43:54 UTC 2006



On Apr 7, 2006, at 6:02 PM, Mark Boolootian wrote:

>
>
>> It's just NTP, I can't imagine that it is *really* enough traffic
>> to care
>> all that much.
>
> You're kidding, right?  Do you know what happened to wisc.edu:
>
>   http://www.cs.wisc.edu/~plonka/netgear-sntp/

Correct me if I'm wrong, but... That was only "really" a problem for  
them because there was a flaw in the Netgear code that caused the  
devices to make requests every second. That's not (as far as I'm  
aware) happening here, so we're not talking huge amounts of bandwidth.

We intentionally run public NTP servers, which are even in the  
pool.ntp.org pool, as well as on some NTP lists. I've pegged about  
35,000 unique IPs using our North America server in the last 24  
hours, or about 175pps. Bandwidth usage is about 100Kbps per second  
on average. The occasional burst up to 250Kbps+, but those are pretty  
rare.

This link here: http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/
says he's getting 37pps. NTP uses 76 byte packets. 37pps * 76 byte
packets = 22.4Kbps, or less than the amount of traffic a dialup user
can spew. If you're running a semi-public server on the internet, and
it can't handle a dialup user flooding it - you need a firewall anyway. :)

I can see how unwanted NTP traffic could be a nuisance, but not how  
it could possibly cost US$8,800 per year. Nor requiring the use of a  
US$5000 "external consultant" to track down the source of the  
traffic. Nor worthy of invoking the Slashdot masses in outrage. Let  
alone why an additional traffic load of less than a dialup user  
accessing your server in any way is worthy of caring. Bad on D-Link  
for what they've done, but total overreaction on the other side as well.

I think the lesson here is that any service you make available to the
public (NTP, DNS, IRC, SMTP, whatever) is going to be used in ways
that do not match with your desires. If you're not willing to
ACL/police the service, you're going to have to accept that people are
going to use it in ways you'd rather they didn't.
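As an added illustration of the two checks the reasoning above rests on (aggregate load from packet rate times the 76-byte NTP packet, and whether any single client is polling every second the way the Netgear firmware did), here is a small Python analysis over a constructed request sample. It is not part of the original post; the client IPs, timings and the 64 s "sane minimum" interval (ntpd's default minpoll) are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

NTP_PACKET_BYTES = 76      # 48-byte NTP payload + 8-byte UDP + 20-byte IPv4 header, as used in the thread
MIN_SANE_INTERVAL_S = 64   # assumed: ntpd's default minpoll is 2**6 s; clients polling faster are suspect


def load_kbps(pps, packet_bytes=NTP_PACKET_BYTES):
    """Wire load in kilobits per second for a packet rate (the thread's 37pps * 76 bytes sum)."""
    return pps * packet_bytes * 8 / 1000


def constructed_requests():
    """Constructed sample of (timestamp_s, client_ip) NTP requests over a 600 s window; not real data."""
    reqs = [(t, "192.0.2.10") for t in range(0, 600, 1)]        # broken firmware: polls every second
    reqs += [(t, "192.0.2.20") for t in range(0, 600, 64)]      # well-behaved client at minpoll 64 s
    reqs += [(t, "203.0.113.7") for t in range(30, 600, 256)]   # well-behaved client with a longer poll
    return sorted(reqs)


def summarize(requests, window_s):
    """Aggregate view: unique client IPs, packets per second and kbps over the whole window."""
    pps = len(requests) / window_s
    return {
        "packets": len(requests),
        "unique_ips": len({ip for _, ip in requests}),
        "pps": pps,
        "kbps": load_kbps(pps),
    }


def aggressive_clients(requests, min_interval_s=MIN_SANE_INTERVAL_S):
    """Per-client view: IPs whose median gap between requests is below the sane minimum.

    This is what separates a Netgear-style every-second poller (worth an ACL or rate limit)
    from the ordinary background of pool clients that merely adds up in aggregate.
    """
    times = defaultdict(list)
    for t, ip in requests:
        times[ip].append(t)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if gaps and median(gaps) < min_interval_s:
            flagged[ip] = median(gaps)
    return flagged


if __name__ == "__main__":
    reqs = constructed_requests()
    print(summarize(reqs, 600))
    print("clients to rate-limit or ACL:", aggressive_clients(reqs))
```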
