Open Letter to D-Link about their NTP vandalism

Sat Apr 8 01:47:12 UTC 2006

Ok let me answer two at once here:

On Fri, Apr 07, 2006 at 06:57:50PM -0400, Steven M. Bellovin wrote:
> 
> Did you read the posting?  His ISP is charging him.  He's also put in
> a fair amount of time trying to get this resolved.  As for transit --
> NTP works much better with short RTTs, which is precisely why it's
> good to have a server in Denmark. 

Actually, no. Incase it wasn't clear, the IP (192.38.7.240) is out of an 
IX subnet for the DIX. Even if you didn't know this particular block, 
looking at the reverse DNS for nearby IPs makes it painfully obvious.

See: http://www.peeringdb.com/dns-scan/192-38-7-0-24.txt

The real issue here is that DIX used a /24 from an aggregate block which 
is announced in BGP (198.38.0.0/17) for their IX space, thus making it 
reachable from anywhere on the Internet. Incase anyone didn't know this 
before, now you do, this is a Bad Idea (tm).

The prices phk mentions appear to be the cost of a DIX port. According to 
their website:

A connection at the DIX with 10 or 100 Mbit/s ethernet has a yearly fee of 
DKK 27.000.
A connection at the DIX with 1000 Mbit/s Ethernet costs a yearly fee of 
DKK 38.700.

According to the service description, this NTP server was intended to be 
used only by DIX connected networks. If the /24 had been pulled from a 
direct /24 allocation or EP.net space, this would never be a problem, 
because the /24 for the IX shouldn't be propagated globally. In this 
particular case they could filter packets coming in via AS1835's border 
links, but since the block is announced globally already this may create 
further problems from people who don't know they need to carry the /24 and 
propagate it to their customers.

Personally I'm not sure what to be more appalled by, that DIX would want 
to charge him for something that is clearly a service which benefits only 
them and which they should probably be paying HIM for (and which wouldn't 
cost them a dime if not for their poorly implemented architecture), or 
that a consultant charged $5000 to track this down. Both concepts are 
actually more repulsive to me than dlink picking 25 publicly accessable 
nameservers.

On Sat, Apr 08, 2006 at 01:30:31AM +0100, Per Gregers Bilse wrote:
> I know phk personally (give or take a little, we're from the same
> country, and have both participated vigorously in the same UNIX user
> group [yes, there have been such entities]); for those who are unaware
> of his credentials, let me cut and paste the following from the FreeBSD
> GBDE manual page:

Yes thank you everyone knows who phk is (or at least I hope they do), that 
is the only reason anyone is giving this a second glance, the reason it 
made it to slashdot, etc. However, that doesn't change the facts here. 
This is a non-issue, and there are many many easy ways to fix it. I'm 
perfectly ok with calling out dlink for their stupidity, but I think 
expecting them (or phk) to pay $62k or more for this is ridiculous.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)