- Does your D-link product need to be on?
- Posted by Dave (from the UK) on April 15th, 2006
You may be aware from the BBC article
(http://news.bbc.co.uk/1/hi/technology/4906138.stm)
or elsewhere that there is a serious flaw on many D-link products which
get the time from the Internet using time servers. Whilst many time
servers are open for anyone to use, D-link products are using those
which are not.
The time servers being abused are owned by individuals, the military,
the US Government, some academic institutions and commercial companies.
One owner of a Dutch time server at least is incurring very large costs
due to this and even more costs in paying a consultant to find the problem.
http://people.freebsd.org/~phk/dlink/
To my knowledge no owners have asked for users to switch off their
D-link products, but given they are abusing the time servers, it would
be sensible to keep them switched off when not absolutely necessary.
--
Dave K MCSE.
MCSE = Minefield Consultant and Solitaire Expert.
Please note my email address changes periodically to avoid spam.
It is always of the form: month-year@domain. Hitting reply will work
for a couple of months only. Later set it manually.
- Posted by Jakob Salomonsson on April 15th, 2006
It's not a Dutch but a Danish server.
"Dave (from the UK)" <see-my-signature@southminster-branch-line.org.uk>
wrote in message news:444119fc@212.67.96.135...
- Posted by Dave (from the UK) on April 15th, 2006
Jakob Salomonsson wrote:
Sorry. You are right of course - I don't know what I was thinking of there.
But it now appears there are forty odd servers throughout the world
http://people.freebsd.org/~phk/dlink/letter2.html
where this abuse is happening. So people with D-link products might
well be using several of these without permission.
- Posted by Jakob Salomonsson on April 15th, 2006
It's stupidly done by D-Link.
"Dave (from the UK)" <see-my-signature@southminster-branch-line.org.uk>
wrote in message news:444133e3@212.67.96.135...
- Posted by Borked Pseudo Mailed on April 15th, 2006
"Dave (from the UK)" <see-my-signature@southminster-branch-line.org.uk> wrote:
Better yet, how about making the time server the thing uses configurable so that users can simply set them to use a public server... or even provide a list of acceptable servers to use.
Turn it off? You MUST be joking! My operation is active 24/7/365 Turning it off costs money and the board of directors tends to frown on things that cost money without producing a larger profit. Turning off a D-Link product is one example of such.
- Posted by Scott Alfter on April 15th, 2006
In article <444119fc@212.67.96.135>,
Dave (from the UK) <Apr-2006@southminster-branch-line.org.uk> wrote:
It would be even more sensible to change router settings to use an alternate
address (like us.pool.ntp.org) instead. Instead of your router pinging
addresses it shouldn't when it's on, it'll never ping those addresses at
all. There's an option in there (in the DI-604, at least) to specify an NTP
server to use. Fill it with something from *.pool.ntp.org and you're all
set.
_/_
/ v \ Scott Alfter (remove the obvious to send mail)
(IIGS( http://alfter.us/ Top-posting!
\_^_/ rm -rf /bin/laden >What's the most annoying thing on Usenet?
- Posted by nobody@nowhere.net on April 15th, 2006
On 15 Apr 2006 20:25:46 GMT, scott@alfter.diespammersdie.us (Scott
Alfter) wrote:
My old DI-804U doesn't seem to have such an option. But it surely
pre-dates 2005 (that's when the problem started, as the BBC article
states).
- Posted by Dave (from the UK) on April 15th, 2006
Scott Alfter wrote:
True, but for many models the time servers can't be changed - the
DWL-700AP I own is one such model. But the time servers it uses are OK
to use.
- Posted by Dave (from the UK) on April 15th, 2006
nobody@nowhere.net wrote:
That BBC article is not well written, so I would not tend to put much
weight on what it says.
Although the issue with the Danish time server started in 2005, there
are many other time servers which are being accessed by D-link products
which have restricted access.
I have no idea if the names or IP addresses of any of those time servers
were coded into older models - I suggest you ask D-link about the
particular model(s) you have. You can get to their support page at:
http://support.dlink.com/
- Posted by George Macdonald on April 15th, 2006
On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
<see-my-signature@southminster-branch-line.org.uk> wrote:
Hmmm, usual Bimbo Broadcasting "Science & Technology" reporting job. Where
do they get those people?
Uhh.... where are those "many time servers"?
This is not a question of "switch off". In fact, if the gateway/routers
work well this would aggravate the "problem" because every switch-on would
cause a look-up. Besides, people with ADSL or cable access want/need a
permanent connection anyway.
Why don't you check the NTP server which your Internet Gateway/router is
using for NTP look-up? Mine -- not a D-Link -- is set from the factory to
look up clock.isc.org and is so documented in the mfr's docs. In fact I've
tried to find a Stratum-2 NTP server but none of those which were
"documented" worked. The problem here is that the NTP "community" has
their heads up their a... err, in the sand with their "open access - please
notify by e-mail" and "use name only" comments and their docs are either
obsolete or impossible to follow. D'oh, this is not a lot of help.
In the office I have our DC set to use time.nist.gov because I couldn't
find anything else which worked - my ISP has a NTP.<ISPName> which maps to
an IP address but the time look-up fails there. I suppose there's
time.windows.com but I had trouble getting a response there - hardly
surprising because that's what every (U.S.) Windows XP system is set to
use.... and do we all want to depend on Bill Gates for our clock-time
now?;-)
I wonder how the conclusion was reached that *only* D-Link was at fault
here? AFAIK D-Link is one of the few vendors which actually makes such
equipment - it might be that their OEMs don't reprogram the NTP-Server
field/algorithm in the configuration. It could also be that D-Link owners
spend a lot of time re-booting their gateway/routers.:-) If the Danish guy
is getting a lot of hits, who do you think is responsible for programming
his NTP Server address into D-Link routers?
Calling this "vandalism" and "abuse" is nuts IMO. If you set up a Time
Server, it's gonna take a LOT of hits simply because Stratum-2 is a mess of
obsolete, non-functioning addresses. I have to ask what gateway/router
vendors are supposed to program into their devices for "default" NTP
look-up, given that most end-users are not expert enough to be fiddling
with the configuration settings. Ideally, the ISP who supplies them to
end-users would have a functioning NTP Server and then program that address
in before delivery but that does not happen... apparently.
--
Rgds, George Macdonald
- Posted by Dave (from the UK) on April 16th, 2006
Borked Pseudo Mailed wrote:
D-link need to do that although the Danish time server will still be
affected, as only a small percentage will update firmware.
What if the owner/admin of a time-server asked you to stop accessing
their server? Would the directors say "Tuff, we are going to leave our
D-link product(s) running, accessing your time-server, against your
published wishes and do nothing about it?"
There might well be legal implications for doing that. I suspect that
could come under laws about mis-use of computers if you are connecting
to computers you have no right to do so, and ignore requests to cease.
People pay for bandwidth, so your actions are costing them money.
- Posted by Dave (from the UK) on April 16th, 2006
George Macdonald wrote:
Yes - I agree. That is particularly badly written I think.
http://ntp.isc.org/bin/view/Servers/WebHome
I have done - but it is not easy to do.
It required downloading the firmware, decompressing *part* of the file
and then using the strings command in UNIX to find the IP addresses.
From that, the name of the servers could be found.
The guy in Denmark whose time-server is affected told me how to do it.
I doubt you should be using that.
http://ntp.isc.org/bin/view/Servers/ClockIscOrg
ServiceArea: BARRnet, Alternet-west, CIX-west
AccessPolicy: OpenAccess
Have a look at the above site and find one. Or use this (explanation a
bit further down)
Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org
What is abuse then? According to
http://en.wikipedia.org/wiki/Abuse
* Abuse is a general term for the use or treatment of
* something (person, thing, idea, etc.) that causes some
* kind of harm (to the abused person or thing, to the
* abusers themselves, or to someone else) or is unlawful
* or wrongful.
If, as in this case, Poul-Henning is getting a large bill for the
lookups, which are making up 90% of his traffic, then it is causing him
harm. So it is abuse.
I don't think it is a mess, but even if it was, that does not excuse you
using one you don't have permission to use.
My computer might be slow. Does that mean I can use your computer's
resources without your permission?
How about gateway/router vendors providing their own time servers,
rather than use others without permission? It is not actually that
expensive. A GPS receiver with a 1 pulse per second output connected to
a Stanford Research PRS-10 rubidium source would make a nice one with a
72-hour holdover for stratum 2 if the GPS is lost.
Or vendors can use servers that have agreed to be in a pool
http://ntp.isc.org/bin/view/Servers/NTPPoolServers
i.e.
Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org
There are several more ways they could do it. They could for example use
something like DNS. The router contacts the vendor's server which
returns the IP address of a publicly available time server. The router
then connects to that to get the time.
There are *many* way this could be implemented, but using a random NTP
server that does not allow access is not a good way.
Also, many like myself don't use a modem supplied by my ISP. And there
are other devices, like my WiFi adapter, which are not supplied by the ISP.
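Dave describes recovering the hard-coded servers by decompressing the firmware and running `strings` over it, and later suggests vendors should hand out a server through their own DNS rather than bake an address into the image. The Python below is an added example, not from the thread or from D-Link: it emulates `strings` over a constructed firmware segment, pulls out dotted quads and hostnames, and flags anything that is not a pool.ntp.org name; SAMPLE_FIRMWARE, 192.0.2.10 and time.example.net are constructed values.

```python
import re
from ipaddress import ip_address

# Constructed stand-in for a decompressed firmware segment (NOT a real D-Link
# image): some ELF-ish binary noise with a few embedded strings.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00\x00sntp_client\x00"
    b"192.0.2.10\x00"               # hard-coded server address (constructed)
    b"europe.pool.ntp.org\x00"      # a pool name: published for exactly this use
    b"\xff\xfe/etc/config\x00"
    b"time.example.net\x00"         # a named server whose access policy is unknown
    b"1.2.3\x00"                    # version string, not an address
    b"256.1.1.1\x00"                # dotted quad that is not a valid address
    b"127.0.0.1\x00"                # loopback: noise, not a time source
)

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}(?![\w.-])")


def printable_strings(blob, min_len=4):
    """Emulate `strings`: yield runs of printable ASCII at least min_len long."""
    for run in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield run.group().decode("ascii")


def classify_host(name):
    """pool.ntp.org names are published for client use; anything else needs
    its owner's access policy checked before a device ships with it."""
    if name == "pool.ntp.org" or name.endswith(".pool.ntp.org"):
        return "pool"
    return "unverified-host"


def audit_time_sources(blob):
    """Return {candidate: verdict} for every address or hostname found in blob.

    Verdicts: 'pool' (safe by design), 'unverified-host' (check the owner's
    policy), 'hardcoded-ip' (worst case: a literal address cannot be redirected
    later via DNS, which is the failure mode the thread describes)."""
    verdicts = {}
    for text in printable_strings(blob):
        for m in IPV4_RE.finditer(text):
            try:
                addr = ip_address(m.group())
            except ValueError:
                continue                       # e.g. 256.1.1.1 looks like, but is not, an address
            if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
                continue                       # local noise, not an external time source
            verdicts[m.group()] = "hardcoded-ip"
        for m in HOST_RE.finditer(text):
            verdicts[m.group()] = classify_host(m.group())
    return verdicts


if __name__ == "__main__":
    for candidate, verdict in sorted(audit_time_sources(SAMPLE_FIRMWARE).items()):
        print(f"{verdict:16} {candidate}")
```

On a real image the same scan is run over the decompressed segments; anything reported as hardcoded-ip or unverified-host is a server whose owner's policy has to be confirmed, or a setting the device should let the user change.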
- Posted by George Macdonald on April 16th, 2006
On Sun, 16 Apr 2006 02:08:58 +0100, "Dave (from the UK)"
<see-my-signature@southminster-branch-line.org.uk> wrote:
Yeah, I know where the "list" is but like I've said, many just don't work -
the list is obsolete.
So they're selling routers which are not configurable for that setting? I
haven't seen a lot of different brands but my router does not show or allow
changing the setting from its Web-based interface - have to use the Command
Line from a Telnet session... which means reading the docs. This is not
stuff for the average "consumer".
Why should I not use it? It's one of the few with Open Access and no
notification message required. It's even possible that the router mfr has
obtained permission based on assurances of non-abuse and reasonably coded
frequency of look-ups. If someone wants me to obey some "Service Area"
convention, they'd better explain what that means - no such explanation is
easily found.
"Vandalism" requires some intent to do harm or "abuse". This was a mistake
- the indignation of the recipient is overblown IMO given the extent of
(lack of) guidance offered by, and the functional state of, the NTP
infrastructure. It also appears that DK has no Stratum-2 servers at all
and only two Restricted Access ones in Stratum-1 which both say "Open
access to servers, please, no client use". Hmm, difficult to know what
they mean by "servers" but it does seem like there is a problem with the DK
Internet NTP infrastructure.
The ethics of the situation are quite well covered in the University of
Wisconsin/Netgear case - there's plenty of blame to go around and plenty of
targets - things could have been done better all around.
When you go look up a source of documentation, and follow their obscure,
poorly written descriptions, written in their byzantine terminology, and
find that after trying 3 or 4 of the apparently recommended "active" sites
and none of them work, frustration generally leads to something which does
work... even if it requires a "notification message".
Ridiculous extrapolation. For one thing, I do not "publish" the method of
access to my computer. What will most people do when faced with "here it
is; don't use it... but nothing else, which is geographically close, is
available"?
Making up rules after the fact is always easy. AFAIK the "pool" concept is
relatively new - things are continually evolving here and the rules in
place now are not necessarily what was offered when firmware for any given
router was being written. Also, the "Rules of Engagement" and other docs
are hardly written for a quick reference.
I'd think *most* gateway/routers are acquired by end-users and SMBs from an
ISP - it would certainly help if NTP had a similar hierarchical structure
to DNS name caching.
- Posted by Dave (from the UK) on April 16th, 2006
George Macdonald wrote:
Most seem to work for me, but I use a Sun workstation, not a D-link
router, so I can't say I have tried with this. I suspect the muppet
routers don't implement the protocol as well as the Sun.
I'm not aware it can be done on mine at all. Luckily, none accessed have
any restrictions.
The ServiceArea is the geographic and/or network area the TimeServer is
intended to serve.
<snip>
I personally did not use the word vandalism. But I think abuse is correct.
Well, you don't have to use a local server and should not use a local
one if it restricts access.
I accept there is a *big* difference between intentionally hacking a
machine (me hacking yours) and you or anyone else using an NTP server
without realizing it. One is an accident, the other a deliberate act.
But once you are aware you are not welcome at an NTP server, then I
think the difference disappears.
I will ask you the same question I asked the person posting as:
Borked Pseudo Mail - 'nobody@pseudo.borked.net'
If you were asked by an NTP server administrator (such as the owner of
the Danish one) to stop accessing that server, and you were unable to do
so by a firmware upgrade or reconfiguring the router, would you continue
to access his server, even though he had asked you not to? If you had
no other option, would you switch your router/modem off and not use it?
Furthermore, what if the person asking you was from the US government or
the US Navy, both of whose time servers are being abused? Would you
continue to use their time servers if you had no way of stopping your
D-link product from doing it without switching it off?
BTW, your ISP, Tellurian, might have something to say about it, as it
would be against their rules:
http://www.tellurian.com/usagepolicy.asp
In particular:
* Any "denial of service" attack, any attempt to breach
* authentication or security measures, or any unauthorized attempt
* to gain access to any other account, host or network is
* prohibited, and will result in immediate service termination,
* which may be without notice.
I think you using the NTP server then would be an unauthorized attempt
to gain access to another host.
So that makes it right?
I suggest if they are in the US, it would be rather foolish to continue
to do it should a US government or navy official ask you to stop.
No, the rules were in place before. I am not suggesting any rules at all.
If vendors chose to implement products which use NTP servers it is up to
them to work out how to do it without accessing other servers their
intended end users are not supposed to. It is not up to me, or anyone
else to tell them how to do it. I am just saying there are ways, but it
is their decision. The rules have been in place a long while.
I suspect, but don't know, that for a gateway router where the time can
only be set to 1 second resolution, it makes no difference if you use a
near or distant NTP server. The protocol corrects for network delays.
Correction improves when multiple time servers are used but I doubt it
is necessary unless the resolution is better than 1 second.
On my own system, 5 time servers are used and corrections rarely exceed
50 ms.
My PDA usually syncs to a local time server (one of my own computers),
but even if I send it to a distant one the other side of the Atlantic,
the corrections are under 1 s.
But to what accuracy you can set the time is really irrelevant for the
discussion. You should not access ones you are not welcome at and to me
at least continuing to do so once you are aware of the issue is no
different from hacking another machine.
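Dave's remark that the protocol corrects for network delays refers to the four-timestamp calculation in SNTP (RFC 4330); the same RFC also gives a server a way to tell an unwelcome client to stop, the stratum-0 "kiss-o'-death" reply, which bears on the "once you are aware you are not welcome" argument above. The Python below is an added example, not from the thread: it constructs a server reply, applies the offset and delay formulas, handles a kiss-o'-death reply, and shows the one error (path asymmetry) the correction cannot remove. The scenario's timestamps are constructed.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800                 # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBBbII4s8I")     # the 48-byte header laid out in RFC 4330


def to_ntp_ts(unix_time):
    """Unix seconds (float) -> (seconds since 1900, 32-bit binary fraction)."""
    whole = int(unix_time)
    return whole + NTP_EPOCH_OFFSET, int(round((unix_time - whole) * 2**32))


def from_ntp_ts(secs, frac):
    """(seconds since 1900, 32-bit fraction) -> Unix seconds (float)."""
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def build_server_reply(origin, receive, transmit, stratum=2, refid=b"\0\0\0\0"):
    """Construct the reply a server would send (a constructed packet, not a capture).
    Stratum 0 with an ASCII refid is the kiss-o'-death form (RFC 4330 section 8)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4      # leap=0, version 4, mode 4 = server
    return NTP_PACKET.pack(
        li_vn_mode, stratum, 6, -20,          # poll 2^6 s, precision 2^-20 s
        0, 0, refid,                          # root delay, root dispersion, reference id
        *to_ntp_ts(receive - 64),             # reference timestamp (last sync)
        *to_ntp_ts(origin),                   # T1 echoed back to the client
        *to_ntp_ts(receive),                  # T2: server clock when request arrived
        *to_ntp_ts(transmit),                 # T3: server clock when reply left
    )


def evaluate_reply(packet, t1, t4):
    """Apply RFC 4330's offset/delay formulas to a server reply.

    t1 and t4 are the client's own send and receive times. Returns
    {'status': 'ok', 'offset': ..., 'delay': ...}, or
    {'status': 'refused', 'kiss': 'DENY'} when the server does not want us."""
    if len(packet) < NTP_PACKET.size:
        return {"status": "invalid", "reason": "short packet"}
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref_s, _ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f
     ) = NTP_PACKET.unpack(packet[:NTP_PACKET.size])
    if li_vn_mode & 0x07 != 4:
        return {"status": "invalid", "reason": "not a server reply"}
    if stratum == 0:
        # Kiss-o'-death: DENY/RSTR mean stop polling this server for good, RATE
        # means back off. This is how an operator says "you are not welcome here".
        return {"status": "refused", "kiss": refid.decode("ascii", "replace").rstrip("\0")}
    if from_ntp_ts(org_s, org_f) != t1:
        return {"status": "invalid", "reason": "origin timestamp mismatch"}
    t2 = from_ntp_ts(rec_s, rec_f)
    t3 = from_ntp_ts(xmt_s, xmt_f)
    offset = ((t2 - t1) + (t3 - t4)) / 2     # assumes the two path legs take equal time
    delay = (t4 - t1) - (t3 - t2)            # round trip minus the server's processing time
    return {"status": "ok", "offset": offset, "delay": delay}


def demo():
    """Constructed scenario with exact binary fractions: the client clock runs
    2 s slow, the request takes 0.125 s, the server takes 0.0625 s to answer
    and the reply takes 0.0625 s to come back."""
    t1 = 1145000000.0                 # client clock when the request left
    t2 = t1 + 2.0 + 0.125             # server clock when it arrived
    t3 = t2 + 0.0625                  # server clock when the reply left
    t4 = t1 + 0.125 + 0.0625 + 0.0625 # client clock when the reply arrived
    return evaluate_reply(build_server_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    # Delay is recovered exactly (0.1875 s); the offset comes out 2.03125 s, i.e.
    # 2 s plus half the 0.0625 s path asymmetry, the one error SNTP cannot remove.
    print(demo())
```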
- Posted by Franc Zabkar on April 16th, 2006
On Sat, 15 Apr 2006 17:06:19 +0100, "Dave (from the UK)"
<see-my-signature@southminster-branch-line.org.uk> put finger to
keyboard and composed:
I have a DSL-302G modem/router. I don't use SNTP because the modem
appears to write the updated time to its flash EEPROM every 15
minutes. If I ran it 24/7, then this would result in approximately
32,000 writes per year. IMO, it would have been better for the time to
have been stored in RAM.
- Franc Zabkar
--
Please remove one 'i' from my address when replying by email.
- Posted by Keith on April 17th, 2006
In article <d7h542t5pg3717f5u5vt9aisdo0ilqpeq9@4ax.com>,
fzabkar@iinternode.on.net says...
...and it wouldn't last more than 30 years at that rate! Sheesh!
--
Keith
- Posted by David Maynard on April 17th, 2006
Dave (from the UK) wrote:
Not if it defaults to a 24 hour update like mine does as I doubt very many
broadband users operate their machine(s) less than once a day. And if it
syncs at power up your suggestion would make the problem worse.
- Posted by David Maynard on April 17th, 2006
Dave (from the UK) wrote:
A bit Draconian to hold the user 'responsible' for something they're not
only clueless about but unable to change even if they knew, don't you think?
The question is 'who'?, knowledge, and intent.
And just how is the individual user made 'aware'? And that includes made
'aware' by an authority recognized to have the claimed authority.
Things are seldom that simple and especially not when trying to lay blame
and responsibility on people who had not one shred of participation in, nor
knowledge of, the decisions leading to the alleged 'abuse'.
First, your premise is self serving, pardon the pun. Accessing his server?
You must be kidding. According to your comments above there's essentially
no way for the user to even know a server is being accessed at all and now
someone completely unknown claims a 'perfectly fine', according to the
manufacturer of said item, is 'abusing' his server? Why should the end user
believe this story?
Now the end user *knows* he's kidding, or has no idea what the heck he's
talking about, or is some new kind of internet fraud.
The end user has no reason to worry about such a scenario because the gov
knows who to go after: the manufacturer.
The user is doing *nothing* nor making any 'attempt' to do something nor
even aware anything is being done.
Maybe I missed it but I'm not aware of any 'US government' announcement to
stop using home routers.
And if you got an unsolicited phone call from someone you never heard of
saying your perfectly fine coffee maker was screwing up their toaster oven
on the other side of the world you'd immediately unplug the thing and stop
using it, right?
The point isn't that the technical details are equivalent, the point is
you're trying to lay blame onto folks who might think the analogy is accurate.
- Posted by Dave (from the UK) on April 17th, 2006
David Maynard wrote:
Yes I accept that if it only updates once/day. It seems to vary an awful
lot - on some the time server can be configured, on others it can't. On
some the update interval may be configured, on others it may not.
I know mine can not be configured, but I also know all the servers are
open-access, so it is not an issue.
However, many of these D-link products are connecting to US military or
government sites for which access is restricted.
If the product is under warranty and you can't configure it to avoid
restricted time servers, it *might* be possible to get a
refund/replacement - it would depend an awful lot on the law in your
country and/or the dealer you bought it from.
If you can configure the ntp servers, the following will connect you to
a random time server which has no access restrictions.
Worldwide pool.ntp.org
Asia asia.pool.ntp.org
Europe europe.pool.ntp.org
North America north-america.pool.ntp.org
Oceania oceania.pool.ntp.org
South America south-america.pool.ntp.org
- Posted by George Macdonald on April 17th, 2006
On Sun, 16 Apr 2006 15:35:42 +0100, "Dave (from the UK)"
<see-my-signature@southminster-branch-line.org.uk> wrote:
I am not using a D-Link router. The list has nothing to do with routers
per se - its principal purpose for me is setting accurate time for our DC
which, of course propagates to all other computers on the domain. The
experience of finding a reasonably close, working, reliable NTP server was
extremely frustrating... to the point of having to examine the Win 2K
server logs for the evidence - I didn't need that diversion. I eventually
found a recommended doc somewhere which said it's "OK" to use
time.nist.gov, as long as it's not excessive, so I used it.
That would be surprising.
Yes, I can gather that much... OBVIOUSLY. This does not preclude that a
mfr whose HQ is in a given area cannot arrange to use a server in that area
for all its U.S. sales. For the "network areas" it's not a lot of use to
specify a bunch of inner-circle coded names without explaining to the
end-user what they mean. It's almost like those people *want* to
obfuscate... invent some cryptic language for themselves and then have the
nerve to complain when some naif violates their *unexplained* encoded
rules.
Depends what you mean - their after the fact attitude on correcting the
situation and financial/technical compensation is abusive (U.S. lawyers...
which I gather the UK lawyers are "learning" from). The incident itself is
just an honest -- but likely incompetent -- mistake... with catastrophic
results.
OTOH, the guy is supplying a service to the majority(?) of the Danish ISP
industry... who are profiting from the Internet in general... some of whose
clients are no doubt using D-Link gateway-routers. The silence about their
reaction, other than apparently wanting to apply excessive charges to their
NTP "supplier", is incongruous to say the least... clean hands??
The trouble is "restricted" has degrees of enforcement in general - the
guidelines are malformed and badly expressed... and the anecdotal reports
are ambiguous.
That depends: e.g. my router only does a look-up on restarts, cold or warm,
and AFAIK does not poll excessively to get synced, so I don't feel that's
an enormous abuse; the Netgear and D-Link cases should have probably been
the subject of a recall. I still don't understand why they continue to
poll every hour or so once synced but, given that the D-Links have a
configurable NTP address, the ISP industry, at least those who supply D-Link
gateway-routers, bears some blame for the situation.
I'm not using their servers and I'm not that interested in discussing
hypotheticals as they apply to me.
What NTP server are you talking about? Now you're getting impudent without
assimilating already presented facts. I think you know what the above
means and is targeted at - applying it to a published list of servers which
are poorly documented might result in some "advice" on how to do things
right *BUT* he'd have trouble taking things further since ntp.tellurian.com
*does* exist but does not work. This same ISP supplied the gateway-router
which is hitting clock.isc.org. <shrug>
RIGHT!
No, the rules have been in flux for a while.
Depends on how the algorithm is implemented. Windows 2K/XP gives up if it
can't get a consistent delay. It seems self-evident to me that use of a
geographically close server is a better choice from several POVs.