UPDATE: Netgear routers attack university

Patrick Gray, 25 August 2003 11:20 AM

A design flaw in a router product has seen the University of Wisconsin's network bombarded with network time protocol synchronisation requests, in an accidental denial of service (DoS) attack.

The university's administrators noticed a dramatic increase in inbound traffic to the university's time server, and eventually traced the cause to a Netgear router product. A full analysis was posted on the university's Web site.

The router was hard-coded to synchronise its clock to the university's time server, meaning that every unit sold and deployed began bombarding the machine with requests as often as once a second.

"I have counted more than 500,000 unique Netgear sources that queried our time server in one day. This measurement likely underestimates the actual count," the analysis read. "As of June 30, 2003, Netgear reported a total of 707,147 affected products manufactured."

A similar problem forced the CSIRO to take down its public time server in April this year after a US manufacturer, SMC, hard-coded the CSIRO's network time server into its device code. The flood of requests from 85,000 of the devices proved too difficult to service.

Dave Plonka, who wrote the analysis, is planning to educate vendors on the downside of hard-coding the IP addresses of specific servers into their products.

"I am in the process of preparing an Internet Draft, currently titled 'Embedding Globally Routable Internet Addresses Considered Harmful', which denounces the practice of embedding unique, globally routable IP addresses in Internet hosts, describes some of the resulting problems, and considers selected alternatives."

In a joint statement, the university's chief information officer, Annie Stunden, said Netgear had worked closely with the university to "understand the issue and minimise any impact".

Netgear has released a firmware upgrade for the products causing the problem.

Talkback: 1 comment

  1. Anonymous -- 27/08/03

    It seems to me that NetGear et al. could put up their OWN time server, and hardcode their OWN address into their routers. Then they will be able to control the address of the hardcoded time server. Right now, all of the routers are vulnerable to the university changing the DNS name and IP address of their time server.

    Or, simply don't hardcode any addresses and let the customer control that sort of thing. Many people would prefer pointing NTP requests at servers that THEY control.

