nanog mailing list archives
Re: Open Letter to D-Link about their NTP vandalism
From: Kevin Day <toasty () dragondata com>
Date: Fri, 7 Apr 2006 18:43:54 -0500
On Apr 7, 2006, at 6:02 PM, Mark Boolootian wrote:
> > It's just NTP, I can't imagine that it is *really* enough traffic to care all that much.
>
> You're kidding, right? Do you know what happened to wisc.edu: http://www.cs.wisc.edu/~plonka/netgear-sntp/
Correct me if I'm wrong, but... That was only "really" a problem for them because there was a flaw in the Netgear code that caused the devices to make requests every second. That's not (as far as I'm aware) happening here, so we're not talking huge amounts of bandwidth.
We intentionally run public NTP servers, which are even in the pool.ntp.org pool, as well as on some NTP lists. I've pegged about 35,000 unique IPs using our North America server in the last 24 hours, or about 175pps. Bandwidth usage is about 100Kbps on average. The occasional burst up to 250Kbps+, but those are pretty rare.
This link here: http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/ says he's getting 37pps. NTP uses 76 byte packets. 37pps * 76 byte packets = 22.4Kbps, or less than the amount of traffic a dialup user can spew. If you're running a semi-public server on the internet, and it can't handle a dialup user flooding it - you need a firewall anyway. :)
I can see how unwanted NTP traffic could be a nuisance, but not how it could possibly cost US$8,800 per year. Nor requiring the use of a US$5000 "external consultant" to track down the source of the traffic. Nor worthy of invoking the Slashdot masses in outrage. Let alone why an additional traffic load of less than a dialup user accessing your server in any way is worthy of caring. Bad on D-Link for what they've done, but total overreaction on the other side as well.
I think the lesson here is that any service you make available to the public (NTP, DNS, IRC, SMTP, whatever) is going to be used in ways that do not match with your desires. If you're not willing to ACL/police the service, you're going to have to accept that people are going to use it in ways you'd rather they didn't.
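The post's bandwidth figures (37pps and 175pps against 76-byte packets) and its point about policing a public NTP service lend themselves to a small worked example. The following is an added illustration, not code from the thread or from any of the parties it discusses: it turns a packet rate into bandwidth using the 76-byte on-the-wire size (48-byte NTP payload + 8-byte UDP header + 20-byte IPv4 header, which is where the post's figure comes from), then runs over a constructed list of (timestamp, source IP) samples, as one might pull from a short capture, to find clients polling faster than a standard ntpd would (the 16-second minimum poll interval used as the threshold is an assumption of this example, as are the RFC 5737 documentation addresses in the sample).

```python
from collections import defaultdict

# On-the-wire size of one NTP request over IPv4: 48-byte NTP payload
# + 8-byte UDP header + 20-byte IPv4 header = 76 bytes, the figure the
# post uses. Link-layer framing is not counted.
NTP_WIRE_BYTES = 48 + 8 + 20

# A standard NTP client's shortest poll interval is 2**4 = 16 s (minpoll 4).
# Treating anything faster as misbehaving is this example's assumption,
# not a statement from the post.
ABUSE_MIN_INTERVAL_S = 16.0


def kbps(pps, wire_bytes=NTP_WIRE_BYTES):
    """Bandwidth in kbit/s (1 kbps = 1000 bit/s) for a given packet rate."""
    return pps * wire_bytes * 8 / 1000.0


def per_source_rates(samples, window_s):
    """samples: iterable of (timestamp_s, src_ip) seen in a window of window_s
    seconds. Returns a dict of src_ip -> requests per second."""
    counts = defaultdict(int)
    for _, ip in samples:
        counts[ip] += 1
    return {ip: n / window_s for ip, n in counts.items()}


def abusive_sources(rates):
    """Sources polling faster than once per ABUSE_MIN_INTERVAL_S seconds."""
    limit = 1.0 / ABUSE_MIN_INTERVAL_S
    return sorted(ip for ip, r in rates.items() if r > limit)


def constructed_samples():
    """Constructed 60 s sample (not captured data): one sane client polling
    every 32 s, one broken client hammering once a second (the Netgear-style
    failure mode the thread mentions), one client polling once a minute."""
    s = []
    s += [(t, "192.0.2.10") for t in range(0, 60, 32)]   # 2 requests
    s += [(t, "198.51.100.7") for t in range(0, 60, 1)]  # 60 requests
    s += [(0, "203.0.113.5")]                            # 1 request
    return s


def report(samples, window_s=60.0):
    """Summarise total load, its bandwidth cost, and which sources are
    abusive and what share of the load they account for."""
    rates = per_source_rates(samples, window_s)
    total_pps = sum(rates.values())
    bad = abusive_sources(rates)
    return {
        "total_pps": total_pps,
        "total_kbps": kbps(total_pps),
        "abusive": bad,
        "abusive_share": sum(rates[ip] for ip in bad) / total_pps,
    }


if __name__ == "__main__":
    # The post's own numbers: 37pps and 175pps of 76-byte packets.
    print("37pps  -> %.1f kbps" % kbps(37))
    print("175pps -> %.1f kbps" % kbps(175))
    r = report(constructed_samples())
    print("total %.2f pps (%.2f kbps); abusive: %s (%.0f%% of load)"
          % (r["total_pps"], r["total_kbps"], r["abusive"],
             100 * r["abusive_share"]))
```

On the constructed sample the single broken client accounts for roughly 95% of the requests, which is the usual shape of this problem: the aggregate is small, but a handful of sources dominate it, and an ACL or rate limit keyed on source address removes nearly all of it. Note also that 37pps works out to about 22.5 kbps with these packet sizes, in line with the post's figure.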