Slashdot: News for Nerds


Netgear Routers DoS UWisc Time Server

michael posted more than 10 years ago | from the RISKs-fodder dept.

The Internet 447

numatrix writes "For the last few months, hundreds of thousands of netgear routers being sold had hardcoded values in their firmware for ntp synchronization, causing a major denial of service to the University of Wisconsin's network before it was filtered and eventually tracked down. Highlights how not to code embedded devices." A really excellent write-up of the incident.

447 comments

ha (-1, Offtopic)

viner! (212481) | more than 10 years ago | (#6766610)

ha

and now... (5, Funny)

Anonymous Coward | more than 10 years ago | (#6766611)

slashdot has hard coded a link to the UWisc CS server, sending a DoS to them too

oh, and fp.

Re:and now... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6766655)

If you hadn't wasted time trying to be on-topic, you might have succeeded. But as it is, YOU FAIL IT.

Re:and now... (2, Funny)

TenaciousPimple (614571) | more than 10 years ago | (#6766907)

Apparently one good DoS deserves another...

great (-1, Troll)

aldoman (670791) | more than 10 years ago | (#6766613)

stunning. another great article exclusive to /.

Obligatory Scooby Doo reference (5, Funny)

OneIsNotPrime (609963) | more than 10 years ago | (#6766614)

And we would have gotten away too, if it weren't for those meddling kids!

Re:Obligatory Scooby Doo reference (1)

OneIsNotPrime (609963) | more than 10 years ago | (#6766649)

Darn it, messed up the post. And I would have gotten away with it too, if it weren't for those meddling kids!

Re:Obligatory Scooby Doo reference (0)

Anonymous Coward | more than 10 years ago | (#6766890)

How the fsck did this get modded Redundant? Are you mods and SCO management sharing crack pipes again? Time for some bitchslap...er... M2ing.

Well then... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6766615)

Time to pour my self a nice, cool, tall, glass of FROSTY PIST!

Re:Well then... (-1)

Anonymous Coward | more than 10 years ago | (#6766674)

Shite.

One word on this one. (0)

Trigun (685027) | more than 10 years ago | (#6766619)

BWAH-HA-HA-HA-HA!

It sure seemed like a good idea at the time tho...

So who got fired? (3, Interesting)

eln (21727) | more than 10 years ago | (#6766622)

Simple mistake that should have easily been found and fixed during the testing phase. I hope whoever let this thing be released without following proper testing procedures got canned.

Yah right. Some hapless low level programmer probably got all the blame for putting test data in there in the first place.

Re:So who got fired? (2, Insightful)

Trigun (685027) | more than 10 years ago | (#6766661)

It would have never been picked up in the testing phase. It was only after having a huge install-base that this ever became an issue. It worked perfectly on the bench.

Re:So who got fired? (-1)

Anonymous Coward | more than 10 years ago | (#6766723)

You work for Netgear don't you?

Re:So who got fired? (2, Informative)

Trigun (685027) | more than 10 years ago | (#6766874)

NO, but I did get to play with a few of these (although I'm not certain if they had the hardcoded NTP servers or not), and they all did work great on the bench.

Re:So who got fired? (-1, Troll)

slash-tard (689130) | more than 10 years ago | (#6766703)

Why should someone get fired? It's a public service. If they are going to offer a public service they should upgrade their internet connection and servers.

Re:So who got fired? (2, Interesting)

(54)T-Dub (642521) | more than 10 years ago | (#6766868)

100 MBits/second !?!?!?!?! Do you have any idea how much bandwidth that is?

About once a month a link to my company goes up on the MSN home page (about 3 links down in the top news section). It's like a firehose and that peaks at an insane 14MBits/second.

Expecting a public service to handle 100 MBits is ridiculous. It was an erroneous mistake by netgear and there should be severe repercussions.

Re:So who got fired? (0, Offtopic)

El_Ge_Ex (218107) | more than 10 years ago | (#6766717)

So who got fired?

The SCO rep. :)

No reason, they just didn't like him.

-B

Re:So who got fired? (1, Insightful)

MikeHunt69 (695265) | more than 10 years ago | (#6766764)

Which part of the testing phase do you think this would get picked up in?

I'm really not being a smartarse, I'd really like to know.

Since a tester can only test off a spec and there was no spec (because if there was, somebody would have read it and this wouldn't have happened), then I can't see how using black-box testing techniques you can find this sort of problem.

Sure, you can do performance testing, but you wouldn't test multiple instances of the hardware, you would test the throughput of a single instance of the hardware.

So I ask again.. where do you think this would have been picked up?

Re:So who got fired? (4, Insightful)

Cali Thalen (627449) | more than 10 years ago | (#6766870)

Simple mistake, sure. Barely a trickle of wasted bandwidth, hard to even believe it matters...

Bah.

This is one 'simple mistake' by one company that managed to send a constant "250,000 packets-per-second (and over 150 megabits-per-second)".

Now I know Netgear is a pretty big outfit, but there are LOTS of companies like that out there, and these little mistakes can add up. How much network traffic could be avoided with proper programming?

Also, this kind of makes me think about the useless network activity my XP box (bleh) tries to send out. Multiply that by millions and millions, and you get a number a whole lot bigger than the one above.

Who pays for all that wasted bandwidth?

Re:So who got fired? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6766889)

Who pays for all that wasted bandwidth?

You. Your employer shall begin garnishing your wages immediately.

Poor uWisc (4, Funny)

mobiGeek (201274) | more than 10 years ago | (#6766623)

First the NTP flood.

Now the /. effect.

Bad form in general (4, Insightful)

Hayzeus (596826) | more than 10 years ago | (#6766627)

Highlights how not to code embedded devices

Or any other kind of software for that matter.

Now... (2, Funny)

Scalli0n (631648) | more than 10 years ago | (#6766628)

SCO claims that the offending code was copied from their kernel and most definitely MUST be paid for, including a $699 license fee for all people on planet earth owning any model netgear router.

Re:Now... (1)

rusty0101 (565565) | more than 10 years ago | (#6766690)

What do you mean netgear router? SCO will want that from any Netgear device including Access Points, Switches, Hubs, and any of the various nics. After all with minimal additional hardware even those devices that are not already infringing can be made to participate in an infringing product.

-Rusty

Indeed (4, Funny)

gilesjuk (604902) | more than 10 years ago | (#6766692)

The C comments in the netgear code were a giveaway, they match those in SCO's code.

"/* Huge Bodge */"

"/* Kludge */"

"/* Magic numbers are cool */"

Re:Indeed (3, Funny)

crawling_chaos (23007) | more than 10 years ago | (#6766806)

You forgot:

/* Too drunk -- debug later */

Re:Now... (1)

tsetem (59788) | more than 10 years ago | (#6766798)

Seriously, how would that play out?

If Netgear lifted code from Linux, and SCO is basically saying they own & want royalties from Linux, then couldn't they ask for royalties for any code that was once part of the Linux kernel? (Think userland drivers that were once in the kernel)

Boy, Just because code touched the kernel, would mean that SCO would/could own that code too. Hope SCO doesn't get any ideas about that...

Hello European Unioners (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6766629)

Hello European Unioners

I'd like to take this moment to talk to the few of you out there. I understand you guys want to compete one-on-one with the United States. It takes no crystal ball to figure that out: there was no clearer omen than the development of a unified currency whose worth was initially inspired (you might say) by the value of one U.S. dollar. In creating a competing currency system, it is easy to suspect another one of your goals is to raise the ratio of cars, computers, and televisions per capita to a level on par with the U.S. For that reason, I believe you want to be just like the U.S., so I am offering you some suggestions how to set yourself, and your country, on the right track.

First of all, the most important way to elevate your country to the status of the U.S. is to implement intellectual property laws that essentially nullify the feasibility of implementing new ideas. If some company owns key patents necessary to implement new ideas, new jobs will be lost. That outcome seems bad at first, but it really is good as we will see below. Make sure companies have a monopoly on as many ideas as possible and make sure there are companies that monopolize an industry (or at least own a significant portion of one). Remember, large vertical companies result in efficiency by cutting down competition amongst industries. And competition is bad because it results in redundancy that wastes resources. Redundancy is not important in business and it's not important in the power distribution industry either. The blackouts that struck 7+ major U.S. and Canadian cities are a testament to that. One or two days downtime amongst years of decent service is more than good enough, don't you think? Once intellectual property rights are strengthened, your countries, too, will slide down into the latrine of recession as jobs divert elsewhere. Jobs going overseas is just one part of globalism, and globalism is good. So act like a good American would and help make it happen.

Next, you need to multiply the number violent crimes in your country. Although an abstract goal, it isn't difficult to increase the number of lawbreakers. For one, write new laws until everybody is a criminal for one reason or another. Then make sure enough of your citizens are peer-pressured into living the American Dream (or your country's equivalent)-- and failing-- that they end up falling into the welfare safety net that most first-world countries call prison. Once in prison, there's little hope of them not going downhill, thanks to credit and criminal records that last a lifetime and are difficult, if not impossible to repair. One out of 37 Americans has served jail time-- a testament to the success of America's strict police force. Next time you go to the store, look around you and estimate about how many of the people you see have spent time in the slammer. That's a lot of people! As an added bonus, high violent crime rate helps reduce life expectancy, which is another important factor in competing with the States. The U.S. is behind Germany and Japan, to name a couple of countries offhand whose citizens enjoy longer lifespans than the average American. Furthermore, Americans take pride in their life expectancy levels, owing them to a variety of geriatric and gluttony-related drugs such as Viagra, diet inhibiters, and cholesterol level limiters in addition to surgery. Americans enjoy spending their excessive salaries on expensive medical care instead of taking care of their bodies in the first place. Americans also enjoy plastic surgery to help them get jobs and friends, because looks are very important in the States. Case in point: Paula Jones. Before face lift surgery, she was nothing but an ugly nosy old hag. After surgery, she was still an old nosy hag but somehow more human. Sure there are casualties in plastic surgery, such as Michael Jackson, but that's not the norm. 
Our only major export industry is entertainment and actors' bodies must conform to strict standards of beauty. Every time we Americans turn on the tube we see nothing but beautiful faces sculpted by skilled craftsmen, and we like it that way. You might as well get used to it too.

Finally, be prepared to work 50+ hour weeks in high-turnover industries to design (and afford) the very luxuries that will make your lives so much easier. Because you too want a wonderfully high income for your household, make sure both parents work 40 hours minimum, just like Americans. The greater the income, the greater your happiness. Be prepared for job retraining every 4 - 8 years for the rest of your life. After all, technologies evolve at breakneck speed and you will need to keep up with the times. Also be sure that any company you work for only has 3 or 4 vacation days out of the year, like any good American company.. stay away from Jewish companies that tend to have many holidays. Any more than five days off and you won't be able to afford the wonderful time-saving technologies you've always wanted. Remember, technology means saving precious time, and you deserve to live your life to the fullest. Life has never been as good as it is now. Act American today!

- Profit Bob, Reverand of Truth

I did that to myself once (5, Funny)

eschasi (252157) | more than 10 years ago | (#6766637)

I did that to myself once. It was a piece of software that went to comp.sources.unix (or something similar) and was default-configured to send error mail to an alias that pointed to me. A patch was released very shortly afterwards.

If they did it to my NTP server... (5, Funny)

lightspawn (155347) | more than 10 years ago | (#6766640)

I'd just send the wrong time back to netgear routers. I bet they wouldn't try that again.

Re:If they did it to my NTP server... (1)

Ralph Wiggam (22354) | more than 10 years ago | (#6766699)

An improperly formatted response, like "2/30/2003", would probably get people's attention.

-B

That reminds me.... (0, Offtopic)

renehollan (138013) | more than 10 years ago | (#6766642)

I had gotten permission to sync my Linux boxen at home from a particular NTP server. I have since moved, and have not yet configured a closer server, despite once again being online 24/7. The poor admin of my time source is probably wondering about the strange IP address requesting time. Gotta fix that.

morons interfere with corepirate nazi execrable.. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6766650)

distribution system. just doing our part.

that's right. all of the whoreabull payper liesense stock markup ?pr? ?firm? generated scriptdead bullshipping execrable will cease. that includes the terabytes of shilloneous stuff that doesn't matter at all, postdead buy va lairIE/robbIE et AL.

at least until the planet/population rescue program (formerly unknown as the oil for babies initiative) is lowered from crisis mode. pretending everything is duckey/a chance to peddle phonIE payper liesense garbage, doesn't help.

y'all can chortle/pretend more if you want to, but the dying/mutilated innocents aren't sharing your feigned ability to disregard unprecedented evile. any harm to the least of the innocents, is harm to all of you/us, & will require reparations by all of us.

that's right, after the walking dead finish exterminating themselves, & sadly enough, some of us, it won't take long to clean this cesspool of greed/fear execrable up.

the Godless wons are helping by continuing to show where their hearts lie.

fortunately, mr stallman et AL, etcetera, is now offering comparable/superior software, to the payper liesense spy/bug wear feechurned models, in almost every circumstance. there'll be few, if any more softwar billyonerrors, as if there's a need for even won. tell 'em robbIE. you are won of the last wons whois soul DOWt, right? .asp for va lairIE's whoreabull pateNTdead PostBlock(tm) devise?, used against the truth/to protect robbIE's payper liesense stock markup bosses/corepirate nazi 'sponsors'. yuk.

back on task.

what might happen to US if unprecedented evile/the felonious georgewellian southern baptist freemason fuddite rain of error, fails to be intervened on?

you already know that too. stop pretending. it doesn't help/makes things worse.

they could burn up the the main processor. that would be the rapidly heating planet/population, in case you're still pretending not to notice.

of course, having to badtoll va lairIE's whoreabully infactdead, pateNTdead PostBlock(tm) devise, robbIE's ego, the walking dead, etc..., doesn't slow us down a bit.

that's right. those foulcurrs best get ready to see the light. the WANing daze of the phonIE greed/fear/ego based, thieving/murdering payper liesense hostage taking stock markup FraUD georgewellian fuddite execrable are #ed. talk about a wormIE cesspool of deception? eradicating yOUR domestic corepirate nazi terrorist/gangsters will be the new national pastime.

communications will improve, using whatever power sources are available.

you gnu/software folks are to be commended. we'd be nearly doomed by now (instead, we're opening yet another isp service) without y'all. the check's in the mail again.

meanwhile... for those yet to see the light.

don't come crying to us when there's only won channel/os left.

nothing has changed since the last phonIE ?pr? ?firm? generated 'news' brIEf. lots of good folks/innocents are being killed/mutilated daily by the walking dead. if anything the situations are continuing to deteriorate. you already know that.

the posterboys for grand larcenIE/deception would include any & all of the walking dead who peddle phonIE stock markup payper to millions of hardworking conservative folks, & then, after stealing/spending/disappearing the real dough, pretend that nothing ever happened. sound familiar robbIE? these fauxking corepirate nazi larcens, want us to pretend along with them, whilst they continue to squander yOUR "investmeNTs", on their soul DOWt craving for excess/ego gratification. yuk

no matter their ceaseless efforts to block the truth from you, the tasks (planet/population rescue) will be completed.

the lights are coming up now.

you can pretend all you want. our advise is to be as far away from the walking dead contingent as possible, when the big flash occurs. you wouldn't want to get any of that evile on you.

as to the free unlimited energy plan, as the lights come up, more&more folks will stop being misled into sucking up more&more of the infant killing barrolls of crudeness, & learn that it's more than ok to use newclear power generated by natural (hydro, solar, etc...) methods. of course more information about not wasting anything/behaving less frivolously is bound to show up, here&there.

cyphering how many babies it costs for a barroll of crudeness, we've decided to cut back, a lot, on wasteful things like giving monIE to felons, to help them destroy the planet/population.

no matter. the #1 task is planet/population rescue. the lights are coming up. we're in crisis mode. you can help.

the unlimited power (such as has never been seen before) is freely available to all, with the possible exception of the aforementioned walking dead.

consult with/trust in yOUR creator. more breathing. vote with yOUR wallet. seek others of non-aggressive intentions/behaviours. that's the spirit, moving you.

pay no heed/monIE to the greed/fear based walking dead.

each harmed innocent carries with it a bad toll. it will be repaid by you/us. the Godless felons will not be available to make reparations.

pay attention. that's definitely affordable, plus, collectively, you might develop skills which could prevent you from being misled any further by phonIE ?pr? ?firm? generated misinformation.

good work so far. there's still much to be done. see you there. tell 'em robbIE.

as has been noted before, lookout bullow.

Hasn't /. learned? (4, Funny)

ndogg (158021) | more than 10 years ago | (#6766654)

It's not nice to kick someone when they're down.

In other news at the University... (4, Funny)

BMonger (68213) | more than 10 years ago | (#6766662)

"Quick! Block port 80!"

Our usage graph...You Jerks! (5, Interesting)

ShortSpecialBus (236232) | more than 10 years ago | (#6766906)

want to see what the usage graph for a slashdotting looks like?

http://www.cs.wisc.edu/cgi-bin/cricket/grapher.cgi?target=%2Fweb-servers%2Fwww;ranges=d%3Aw;view=Access [wisc.edu]

Yeah, I work at the CSL at UW Computer Sciences, and the tracking of this netgear issue was quite an interesting tale. Had us stumped for quite some time.

Good followup. (-1, Redundant)

AGSHender (696890) | more than 10 years ago | (#6766663)

Way to go. First their NTP servers get DOS'ed, now we /. their web servers. Can't we just give these guys a break?

Re:Good followup. (1)

chef_raekwon (411401) | more than 10 years ago | (#6766726)

Can't we just give these guys a break?

what doesn't kill you, will only make you stronger.

Re:Good followup. (1)

Tumbleweed (3706) | more than 10 years ago | (#6766877)

> what doesn't kill you, will only make you stronger.

Yeah, or cripple you for life, or make you go broke, or, or, or... There are more than two outcomes... :)

I wonder what NetGear's liability is. (5, Interesting)

Jammer@CMH (117977) | more than 10 years ago | (#6766666)

Were this a Haxor attack, there would be criminal liability. I'm willing to believe that it was a simple mistake, with no criminal intent, but would NetGear be liable civilly?

Re:I wonder what NetGear's liability is. (5, Insightful)

HBI (604924) | more than 10 years ago | (#6766775)

Of course there is liability - liability means that 'is Party X responsible for the damage'. Netgear quite clearly was responsible for the damage. Even if they allege negligence on the part of their employee, it hardly matters: Netgear had a duty to assure that the software would not cause material harm to others. This is a classic product liability case, far as I can see.

As for the damages, those are somewhat vague. Sure, maybe they could be made to pay for the bandwidth used. The big hit would probably be punitive damages unrelated to the actual loss.

This would be a fun case and I would encourage them to sue. So many frivolous lawsuits floating around - this one would actually have some merit.

Re:I wonder what NetGear's liability is. (4, Interesting)

seanadams.com (463190) | more than 10 years ago | (#6766924)

They probably would be liable. What surprised me was that the article made no mention of the financial impact of the flood... are the guys who run the network so far removed from the guys who pay the bills that they have no idea, or do the universities get such sweet deals on bandwidth that it doesn't matter?

I mean, we're talking 150+ Mbps here, for months on end. That's $15K/mo in bandwidth, assuming they have a really good deal and pay only $100/Mbps/mo.

Now did NetGear get permission (3, Interesting)

eaddict (148006) | more than 10 years ago | (#6766669)

to hardcode an address into their systems? Do you need permission? There was a law a few years ago about 'deep-linking' and even linking... isn't getting the time somewhat the same thing?

Re:Now did NetGear get permission (5, Informative)

jenkin sear (28765) | more than 10 years ago | (#6766707)

Not in this case- it's a public time server. If it wasn't, they'd be able to just block inbound UDP for the ntp port at the firewall.

Check out the NTPd man pages- I believe this server is a second echelon mirror.

Re:Now did NetGear get permission (2, Funny)

mahdi13 (660205) | more than 10 years ago | (#6766948)

Check out the NTPd man pages- I believe this server is a second echelon mirror.

Didn't you mean to say stratum?
Unless NTP is really a cover up to a top secret government information collection service =)
...now that I think about it...
Where's my tin foil hat?

Analysis Tools used in this article.. (4, Interesting)

joeldg (518249) | more than 10 years ago | (#6766673)

Wow, that list of Analysis Tools used for tracking this down had a bunch that I was not familiar with.

RRGrapher, FlowScan and Cflow being ones I have never messed with..

Cool.. new tools to play with!

Delicious irony (4, Funny)

ryanvm (247662) | more than 10 years ago | (#6766679)

I love the irony of trying to read an article about a DoS from a site that's experiencing one because of the article. Yummy.

Err why ? (3, Insightful)

Archfeld (6757) | more than 10 years ago | (#6766684)

why does a router need to sync time anyways ??
especially a home router....sounds like another port open for someone to hack at for no real gain....

Re:Err why ? (4, Insightful)

NetJunkie (56134) | more than 10 years ago | (#6766735)

Logging. You want your log files to have the right time. I've used my router log files many times.

Re:Err why ? (1)

syle (638903) | more than 10 years ago | (#6766739)

Logging timestamps?

Re:Err why ? (1, Funny)

Anonymous Coward | more than 10 years ago | (#6766743)

do you have any idea how ports and routers work?

Re:Err why ? (1)

afidel (530433) | more than 10 years ago | (#6766769)

DHCP lease durations? Acting as an NTP cache so you can point your internal PCs to the router to get time? Getting the date so the webserver can tell you to check for updates? All of those and more can be done if the device autoconfigures itself with current date and time on bootup.

Re:Err why ? (4, Interesting)

rusty0101 (565565) | more than 10 years ago | (#6766821)

Routers tend to log activities such as access, configuration changes, firewall violation detection, etc. and it is often handy to know when that event occurred.

Home centric routers do not tend to have their clocks set before shipping as there is no assurance that a battery keeping that clock powered will be doing so over the entire span of time from manufacture to customer plugging it in. Even if it did the drift involved would give some inaccuracy as well.

There are two correct solutions. One is that Netgear should operate their own time server and hard code that server as a secondary or fallback time server. The primary time server should be acquired from the internet service provider when they get their network ip address via dhcp.

-Rusty

Re:Err why ? (1)

Trigun (685027) | more than 10 years ago | (#6766930)

There are two correct solutions. One is that Netgear should operate their own time server and hard code that server as a secondary or fallback time server.

Did you read the damage that this little messup did? It saturated a 100Mbit pipe. There's no way Netgear is going to pull that stunt willingly with their own bandwidth.

I do agree with the second one though. As long as the ISPs actually start providing ntp as part of their DHCP leases. Mine never bothered.

How about a verb in that headline? (1)

badboy_tw2002 (524611) | more than 10 years ago | (#6766693)

It took me a few seconds to figure out what was going on there. :)

Re:How about a verb in that headline? (2)

leviramsey (248057) | more than 10 years ago | (#6766900)

"DoS" is the verb...

Think, McFly, think.

The Press Release about new pa1mOne name change fo (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6766701)

OUR BRAND PROMIES IS SO WAL UNDERS2D BY DA MARK3TPLAEC TAHT DA CONCEPT OF ONE IN OUR NU NME WAS IMEDIAETLY COMPELNG11!!11!! WTF LOL ONE IS A POW3RFUL ADITION 2 TEH INSTANT BRAND R3COGNITION AND IEDNTITY OF DA PALM TEH1!!!1 WTF RED/ORANGE COMBINATION IS A BOLD D3PARTURE FROM TEH BLU3 TAHT PALM HAS USAD FOR MANY YEARS AND BUILDS ON OUR NU SUBRANDS AN3RGY ANTHUSIASM POWER AND INOVATION COM3 ACROS MUCH STRONGAR IN OUR NU COMBINATION

OUR!1!1!1!! NU NME ALSO SIGNALS A NU BGINNG AT PALM1!!1!!!! OMG WTF BUILDNG ON OUR MOMENTUM IN TEH HANDH3LD COMPUTNG SPAEC WORLDWIED AND COMPLEMANTNG IT WIT TEH AXPACTAD INT3GRATION OF DA AWARD-WINNG TR3O LIEN OF SMARTPHONES FROM HANDSPRNG WIL GIEV PALMONE TEH BROAEDST PORTFOLIO OF HANDHELD COMPUTARS AND SMARTPHON3 PRODUCTS LAD BY DA MOST AXPAREINC3D TEM IN DA INDUSTRY 11!!1 WTF LOL

Who pays? (1)

Skyshadow (508) | more than 10 years ago | (#6766702)

Does anyone else think that Netgear owes the UW reparations? Bandwidth costs, time spent by the admins, loss of service, etc. seems like a good place to start... (trying in vain for a good Badger or "When you say Weh-scahn-sen, you said it all" joke, but it just ain't happening today)

Re:Who pays? (1)

diamondc (241058) | more than 10 years ago | (#6766759)

why? it was a public server, right?

Re:Who pays? (1)

afidel (530433) | more than 10 years ago | (#6766801)

Netgear doesn't owe them anything more than Slashdot does for linking to the article. When you join this public internet of networks and offer publicly facing services (especially ones which are advertised broadly as being public like a major NTP reflector) you take on the responsibility and liability of offering those services and incur the costs at your own risk.

NTP should be responsibility of network server (5, Informative)

jefbed (666411) | more than 10 years ago | (#6766706)

It is foolish to code dependencies on servers in firmware. There are two problems that result from this. The first is that specified in the article, the denial of service. The second is the high potential for broken network dependencies if, for example the hardcoded site goes offline or the ip address changes. Technically each site should be running their own ntpd to ease the load on the primary servers. ntp synchronization should not be the job of the router, but instead the job of the network administrator.

Re:NTP should be responsibility of network server (1)

chef_raekwon (411401) | more than 10 years ago | (#6766787)

or the ip address changes

hate to nitpick (or is it knitpick?), but this doesn't matter does it? especially if the code uses the hostname...

in fact, when I was learning about NTP(date) a little while back -- i found a few pages detailing Wisconsin's Uni as a good sync for your time....

makes one wonder if the guys at Netgear read the same pages...and hardcoded it in ....

hmmmm/.

Re:NTP should be responsibility of network server (1)

Troed (102527) | more than 10 years ago | (#6766908)

I like time.nist.gov - the ".gov" part makes me believe it has good uptime. There's also a few ".mil" listed in TimeRC (which I use to sync time with).

I hope... (1)

ajiva (156759) | more than 10 years ago | (#6766710)

I hope they fired the guy that wrote the firmware for the routers... And I hope netgear reimbursed the university for its time and network usage.

Re:I hope... (1)

mark_lybarger (199098) | more than 10 years ago | (#6766786)

yep, i know myself i always go completely through the code before i deploy it to the QA folks searching for those //TODO:'s and @todo's. please... people make mistakes. as for the QA folks, well, you can't actually QA 100,000 units for "stress" testing now.

yes, i do think that netgear should owe the uni some $$ for their time/resources.

blaster (2, Funny)

briancollins (700695) | more than 10 years ago | (#6766730)

Maybe windowsupdate.com changed their DNS to point to the University of Wisconsin. :)

Ouch! (3, Funny)

MarkGriz (520778) | more than 10 years ago | (#6766734)

I'd hate to be working in Netgear's accounts payable dept. when the bandwidth usage bill arrives.

It's not about just embedded devices... (5, Insightful)

sczimme (603413) | more than 10 years ago | (#6766750)


Highlights how not to code embedded devices

I think this highlights a "how not to code" idea, period. In 1986, when I was taking a BASIC (boo, hiss) course in high school, I learned that values should be expressed as variables even if the coder does not expect them to change. So instead of using (32 feet/second^2), one should instead declare g once, using whatever units are appropriate, and thereafter refer to g instead of a hardcoded value. If g changes, the coder need only update one line.

Note: I am not a programmer/coder/developer in any sense of any of the words, so technical nits should remain unpicked; however, if I am completely out in left field, please feel free to point that out.

Re:It's not about just embedded devices... (5, Insightful)

Bryan Ischo (893) | more than 10 years ago | (#6766829)

Good point, but irrelevant. Even if you declare a global variable, you still have to hardcode its value. The fact that the IP address only showed up 1 time in their string search of the binary would indicate that they did exactly what you said.

So you're not in left field, it's just that the developer who wrote the software apparently did exactly what you said, which was not relevant to the mistake at hand, which was more about the faulty implementation of the NTP service, and the fact that it was hardcoded to a single IP address.

SEGA's online game servers (4, Insightful)

lightspawn (155347) | more than 10 years ago | (#6766832)

The (official) reason "Alien Front Online" (a game with the word "Online" in the title!) went offline less than a year after its release is that SEGA developers hard coded the server's IP address, and did not provide any means of changing it. When the company hosting the server went under (gameloft?) it couldn't be moved to a different company since it wouldn't have the same address. Hence, buy a game advertised as "online", never be able to play it online.

It's not a new story, but I think it bears repeating as a showcase of stupidity.

Re:It's not about just embedded devices... (5, Funny)

tommck (69750) | more than 10 years ago | (#6766839)

Of course if the gravitational constant changes, we've got bigger problems than updating your high school programming assignments! :-)

Re:It's not about just embedded devices... (1, Insightful)

watzinaneihm (627119) | more than 10 years ago | (#6766921)

Note that he was talking about g, not G; he even mentioned the units of acceleration. This g changes from place to place and even changes at the same place due to a lot of reasons. G on the other hand is taken as constant and does not have units of acceleration (acceleration*distance*distance/mass ??)

Re:It's not about just embedded devices... (1)

Troed (102527) | more than 10 years ago | (#6766860)

I am a Software Engineer/Software Developer/Consultant/Embedded blabla. Values in code are called "magic numbers" and are frowned upon. They're usually found when doing code reviews and the programmer will have to go back and make them into variables.

The only "allowed" values tend to be 0 and -1, sometimes 1 also. They have a historical clear meaning, and quite often you won't make the code clearer by substituting them with defines/typedefs/variables.

Re:It's not about just embedded devices... (1)

nomadic (141991) | more than 10 years ago | (#6766902)

If g changes, the coder need only update one line.

If g changes, god help us all.

Re:It's not about just embedded devices... (1)

forrestt (267374) | more than 10 years ago | (#6766945)

You're not out in left field...

...At least as long as
g doesn't change!!!

Netgear should bear the cost... (5, Insightful)

Phil John (576633) | more than 10 years ago | (#6766751)

IMHO, since this is blatantly a case of Netgear cocking up their appliance they should not only a) refund any monies spent by the university in this problem and b) send out patches, at their own cost, to all users of affected routers. For heaven's sake, so many people don't have anti-virus software installed, don't patch, why would they with a router? They just think "I plug this in to my cable modem, plug my computer in and I dun got thar intarnet workun" why would they know that they need to upgrade the product's firmware?

Re:Netgear should bear the cost... (0, Troll)

stratjakt (596332) | more than 10 years ago | (#6766939)

Yeah people are so stupid.

Know what? I don't daily check USRobotics.com to make sure I have the latest modem firmware, nor do I go to Logitech to make sure I have the latest mouse drivers.

It isn't that people are stupid or lazy, they obviously just have better ways to spend their time.

Most people who work with computers aren't IT douchebags who sit around on the internet all day looking for a new patch to install. You aren't elite. You're the lowest rung on the ladder.

Now hurry the fuck up and replace the toner cartridge in the xerox, monkey boy.

i know USA isnt .AU but.. (2, Insightful)

sjwt (161428) | more than 10 years ago | (#6766757)

With the state of uni budgets out this way,
I think Netgear should be thankful that
it wasn't sued for the bandwidth costs and
the reduced levels of service for the uni..

DMCA + Copyright law (0)

NoSuchGuy (308510) | more than 10 years ago | (#6766760)

What about that the University of Wisconsin-Madison has "... determined that at least the following code images explicitly contain our server's IP address: MR814_4_11.bin, MR814_v409.bin, RP614_4_0_0.bin, RP614_4_12.bin."? Isn't this some kind of reverse engineering or "theft" of copyrighted information / IP?

Will / can Netgear sue them under the DMCA or Copyright law?

NoSuchGuy

And then, on friday august 22 2003.. (4, Funny)

192939495969798999 (58312) | more than 10 years ago | (#6766761)

And then we got a ridiculous number of HTTP requests about the problem, which caused our server to explode and rain tiny bits of hazardous material into Lake Michigan. Fortunately, the indigenous wildlife was not affected, because nothing lives in Lake Michigan.

Re:And then, on friday august 22 2003.. (0, Flamebait)

Raven42rac (448205) | more than 10 years ago | (#6766772)

I am pretty sure the web and ntp servers are separate, unless dunces are running the CS department over there.

(Geography)Re:And then, on friday august 22 2003.. (2, Informative)

StuDude (627980) | more than 10 years ago | (#6766822)

Of course, UW-Madison isn't on Lake Michigan (it is in south-central Wisconsin). That must have been quite a server explosion (90+ miles)!!

Re:And then, on friday august 22 2003.. (2, Informative)

Ericfoos (590524) | more than 10 years ago | (#6766847)

You mean Lake Monona and Lake Mendota, not Lake Michigan

Simple Fix (5, Funny)

Boss, Pointy Haired (537010) | more than 10 years ago | (#6766795)

UWisc hard codes the date/time on their time server to 2038-19-01 03:14:00.

After 6 seconds, the netgear will crash and burn as a result of the Y2K38 problem and the requests will be no more.

Think Strata (5, Informative)

n9fzx (128488) | more than 10 years ago | (#6766796)

Dave Mills' original clock distribution architecture à la NTP was based loosely on the Bell System's inverted tree structure. Only the top level servers are locked to the national servers; the next level is locked to the top level, and so on. In theory, it's a perfectly scalable infrastructure, with terrific fan-out.

Unfortunately, the code droids seem to think that there's something magical about being at Stratum 2 instead of Stratum 3 or Stratum 4; also, they seem perfectly willing to take advantage of a nonprofit consortium (the owners/operators of public Strat 1 clocks) instead of spending the $500 or so on hardware to service their own customers, who presumably paid them for something.

Anyone else remember the Good Old Days when it was considered polite to ask first before using someone else's clock?

[Truechiming since 1987...]

In Soviet Jersey... (-1)

Anonymous Coward | more than 10 years ago | (#6766811)

The ntp server pings YOU!

Mentioned on ntp.org mailing list a while ago.. (5, Informative)

James_G (71902) | more than 10 years ago | (#6766836)

I can't get to the article, so in the meantime, here's the text of an email about this with some details that was sent to an ntp.org mailing list back in June:

David L. Mills wrote on 2003-06-26 10:55:

> Guys,
>
> I find myself on the review team for an incident taking place at U Wisconsin/Madison. Apparently, the Netgear folks have manufactured some 700,000 routers with embedded SNTP clients configured to use the public U Wisconsin NTP server. The server address is unchangeable and the client cannot be disabled. If that isn't bad enough, if the client gets no replies, it starts sending packets at one-second intervals until forever and without backoff.
>
> The U Wisconsin folks determined some 285,000 different IP addresses are now sending between 300 and 700 packets per second requiring between 150 and 400 megabits per second. Apparently, the principal reason for this flux is misconfiguration of the firewall component of the router. This is costing them $266 per day.
>
> The Netgear folks were slow to respond until U Wisconsin folks emailed the entire senior management and others known to be U Wisconsin alum. Netgear says they have no way to recall those routers and no way to ensure the products are updated from the web site. The products cost between $20 and $40 depending on rebate.
>
> U Wisconsin have considered several ways to deflect the tide, the most promising may be noting the source port 23457 unique to these products and tossing them at the doorstep. The products do not use DNS and are not configurable. Another way considered is to configure a subnet visible to BGP and convince the ISPs to punch holes in the routing fabric. Send money.
>
> I never thought it could get as bad as that. My reasoned recommendation was to fire up the lawyers and sue the bastards for costs and punitive damages and to enjoin the company from selling any products until proved safe. There is apparently some standards group that allegedly reviews and certifies new products for Internet use. The Netgear products were all certified, which surely says nothing about the standards group.
>
> Include me in any replies; I am not on any ntp.org list.
>
> Dave
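The failure mode Mills describes (retry once a second, forever, with no backoff) next to a client that backs off, as an added illustration written for this page and not Netgear's or ntp.org's code. The two poll policies are constructed; the 15-second floor is RFC 4330's minimum poll interval, and the 285,000-client figure is the one quoted above.

```python
# Added example: model of a unicast SNTP client's poll schedule during a
# server outage. Not Netgear's or ntp.org's code; the policies are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PollPolicy:
    base: int      # seconds between polls while replies arrive
    floor: int     # never poll more often than this (RFC 4330: >= 15 s)
    cap: int       # longest interval reached while backing off
    backoff: bool  # double the interval after each unanswered poll


# Constructed model of the behaviour quoted above: 1 s retries, no backoff.
BROKEN = PollPolicy(base=1, floor=1, cap=1, backoff=False)
# Constructed policy a defender would want: starts at 64 s, doubles to 1024 s.
SANE = PollPolicy(base=64, floor=15, cap=1024, backoff=True)


def next_interval(policy: PollPolicy, current: int, got_reply: bool) -> int:
    """Seconds to wait before the next poll, given whether the last was answered."""
    if got_reply:
        return max(policy.base, policy.floor)
    if not policy.backoff:
        return max(current, policy.floor)
    return min(max(current * 2, policy.floor), policy.cap)


def polls_during_outage(policy: PollPolicy, outage_seconds: int) -> int:
    """Count polls one client sends while every reply is lost for outage_seconds."""
    t, count = 0, 0
    interval = max(policy.base, policy.floor)
    while t < outage_seconds:
        count += 1
        t += interval
        interval = next_interval(policy, interval, got_reply=False)
    return count


def fleet_rate(policy: PollPolicy, outage_seconds: int, clients: int) -> float:
    """Average packets per second a fleet of identical clients aims at the server."""
    return polls_during_outage(policy, outage_seconds) * clients / outage_seconds


if __name__ == "__main__":
    hour = 3600
    for name, policy in (("broken", BROKEN), ("backoff", SANE)):
        print(f"{name}: {polls_during_outage(policy, hour)} polls/client/hour, "
              f"{fleet_rate(policy, hour, 285_000):.0f} pps from 285,000 clients")
```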

mmmm... so virus like. (1)

ftplimited (681917) | more than 10 years ago | (#6766851)

I wonder when someone is going to write a virus that delivers a payload that 1. detects the home router 2. connects to a remote server to obtain the proper files 3. upgrades the router with a custom built firmware that removes all normal function and just starts pinging a target. ...

How to prevent this (1)

yerricde (125198) | more than 10 years ago | (#6766927)

upgrades the router with a custom built firmware that removes all normal function and just starts pinging a target

1. Router upgrades are done through the admin control panel, which requires a password. I have changed the default password on my NETGEAR router, but others often haven't, so...

2. I'd imagine that router upgrades are digitally signed by the manufacturer.

Poor UWisc (5, Funny)

EmagGeek (574360) | more than 10 years ago | (#6766867)

First the time server

Then the e-mail server (from the helpdesk requests)

Then the webserver (from /.)

What next?

Re:Poor UWisc (1)

mrm677 (456727) | more than 10 years ago | (#6766901)

UWisc was just named the #2 party school in the nation. I wouldn't feel so sorry for them!

dyndns.org (3)

AchmedHabib (696882) | more than 10 years ago | (#6766871)

One of the others was an IP address previously used by the "dyndns.org" dynamic DNS name service.
I really hope they did not include that IP while it was used by dyndns.org. If they did, I'd say they are the biggest assholes alive for generating tons of traffic to a free service. But then again they have already proved that now.

Getting gay with kids? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6766878)

uWisc has a lot of explaining to do.

A lot.

They sure have a lot of bandwidth... (0, Offtopic)

twoslice (457793) | more than 10 years ago | (#6766881)

I bet it would make for a super fast NTP server...

dear god (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#6766909)

It's WisconsIn, not "Wisconson." Jesus Christ.

It generated costs on the other side too (5, Interesting)

Anonymous Coward | more than 10 years ago | (#6766911)

This didn't only generate trouble for U of Wisconsin, it also generated a lot of cost for some people using the router. Since the server was down, the firmware has been trying to connect to the time server constantly, thereby keeping the connection from timing out. (Who wrote that algorithm?) For people whose connections are on metered internet access, this meant the connection was never closed and they are stuck with the bill.

Apparently there are a lot of Netgear users in Germany who are stuck with horrendous bills now. I wonder if Netgear is going to pick those bills up?

Stupid spelling errors (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#6766922)

causing a major denial of service to the University of Wisconson's network before it was filtered and eventually tracked down.

That's WisconsIn. How about getting some damn spell-checking mechanism installed? It's just unprofessional and embarrassing.

Bleh.

Not the only offender (2, Informative)

oneiric (603250) | more than 10 years ago | (#6766933)

When investigating time (mis)keeping on the D-Link DI614+, I found exactly the same thing there. Walking the strings of the firmware reveals a hardcoded list of ntp servers and from observation it looks like they walk down the list, primary ntp servers first, to get the time.

The D-Link firmware is cobbled together from quite a few different libraries. It may be the code exists in a library both systems use or the systems are re-badged from a common source.

How many others then???

ntp.netgear.com (1)

packethead (322873) | more than 10 years ago | (#6766935)

I guess these guys should've set up a round-robin of stratum-2 ntp hosts themselves.
