
How is that even legal?



Once you put an NTP server on the 'net, it's public - pretty much like most Web sites. Sure, there are reasonable expectations of decency like for anything in the Commons, but I don't think there's any legal defense against skunks at the picnic.

IIRC, the university called Netgear out for doing something stupid and disruptive, and Netgear stopped doing it. The second best possible scenario, I guess.


> Netgear stopped doing it.

Netgear issued patches for the devices. Most people never update their server firmware, and we're talking about over 700,000 devices. The university still gets considerable traffic.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#NE...


Can't the university throttle non-local connections? (Netgear could have provided the hardware ;)


Throttling won't do much good; their WAN interfaces will still eat the traffic. I don't think it's as much of an issue that the NTP servers were melting; it's more that their entire network was.

For what you want to have any effect, they'll have to sinkhole/throttle the traffic upstream before it ever reaches them, and as a university they are effectively an ISP, so that might not even be really possible.


Not necessary -- fortunately these routers all used source port 23457 for their NTP packets, making them trivially easy to block.

I do recommend reading the incident report posted above if you have an interest in network operations, it's quite interesting!


You still have to receive the traffic to block it.


It is a public NTP server. Throttling public defeats the point.


Not really. If an NTP client gets 1/10th of the updates that it wants, it will still keep reasonably good time.


Keeping a table of clients and their last-updated time is probably more expensive than just sending them a response.


Randomly dropping a percentage of requests is stateless.


But what happens if you are the client whose requests are dropped all the time because you are unlucky?


Then I guess you'll have to use somebody else's free server.


Is the NTP synchronization done with only a single packet? Because otherwise you'll be interrupting connections constantly.


It is UDP, so it is connectionless.


UDP is a Transport Layer protocol. NTP is an Application Layer protocol.


Fair enough, UDP doesn't imply that the application protocol is connection-less, but AFAIK NTP is.


Do NTP clients not retry immediately/very quickly if a request gets lost?


It's more that your device's clocks don't skew that rapidly, unless something is really wrong.


But dropping requests to reduce traffic load is counter-productive if failed requests are quickly retried.


Retry yes, immediately/very quickly no. NTP is designed to handle network issues transparently.


This was one of the issues with Netgear's client: it retried every second until it worked.


Incorrect clients aside, it should at worst be another 64 seconds (from memory so I might be wrong) before a client retries a poll.
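To make the point of this sub-thread concrete, here is an added simulation (not code from the thread or from any NTP implementation): a server that drops requests statelessly at random, facing well-behaved clients that poll on a fixed 64-second interval regardless of replies, and misbehaving clients that retry every second until answered. The 64-second interval, the drop probability and the client counts are constructed assumptions.

```python
"""Stateless random dropping vs. client retry behaviour (added example).

Two client populations: "good" clients poll every `poll_interval` seconds
whether or not the last reply arrived; "bad" clients retry every second
until they get a reply, then wait `poll_interval` seconds. The server
drops each request independently with probability `drop_prob` and keeps
no per-client state.
"""
import random


def simulate(n_good, n_bad, drop_prob, seconds, poll_interval=64, seed=1):
    rng = random.Random(seed)
    # Second at which each client sends its next request (random start phase).
    next_good = [rng.randrange(poll_interval) for _ in range(n_good)]
    next_bad = [rng.randrange(poll_interval) for _ in range(n_bad)]
    arrivals = 0  # requests that reach the server's interface (must be received)
    answered = 0  # requests that survive the random drop and get a reply
    for t in range(seconds):
        for i, nxt in enumerate(next_good):
            if nxt == t:
                arrivals += 1
                if rng.random() >= drop_prob:
                    answered += 1
                # Well-behaved client: next poll after the interval either way.
                next_good[i] = t + poll_interval
        for i, nxt in enumerate(next_bad):
            if nxt == t:
                arrivals += 1
                if rng.random() >= drop_prob:
                    answered += 1
                    next_bad[i] = t + poll_interval
                else:
                    # Misbehaving client: retry next second until answered.
                    next_bad[i] = t + 1
    return {"arrivals_per_s": arrivals / seconds,
            "answered_per_s": answered / seconds}


if __name__ == "__main__":
    good = simulate(n_good=100, n_bad=0, drop_prob=0.9, seconds=6400)
    bad = simulate(n_good=0, n_bad=100, drop_prob=0.9, seconds=6400)
    print("well-behaved clients:", good)
    print("retry-every-second clients:", bad)
```

Dropping 90% of requests cuts the replies the server sends but leaves inbound load from well-behaved clients unchanged, while the retrying clients multiply their inbound load by roughly the expected number of attempts per answered poll.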


> The university still gets considerable traffic

I'd be interested in seeing if there's been any update since 2003.

E.g., is it really "considerable traffic" by 2016 standards? The original flood in 2003 was 150 MBps - I don't think I'd notice if I got a flood of 150 MBps on my home connection.

How many of those devices are still around 13 years later?


I believe an "agreement was forged", no public details, but I might assume some money changed hands.


$350,000.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#NE...

> NETGEAR has donated $375,000 to the University of Wisconsin–Madison's Division of Information Technology for their help in identifying the flaw.

Although that appears to be uncited.


Wow, I never realized operators couldn't push fixes to their routers without permission. The internet is indeed a tragedy of the commons: trivial to ruin, but a Sisyphean task to fix.


Most admins would consider having network infrastructure's firmware change outside of their control a bug/misfeature. Not to mention most devices would require a reboot to apply the change.

And being able to remotely change the code running on the device is a HUGE security issue.


The vast majority of admins don't even know that they're admins. They bought or received a cheap Netgear router, plugged it in, and never touched it again, except to maybe turn it off and on again when the internet was slow/down.

If you're an admin who cares about their infrastructure, you're not using a bargain-basement Netgear router, and if you are, you'll have gone through every single menu and seen the auto-update option.


Sure. It's also why the internet is super vulnerable to 0-days.


Some operators do, mostly ISPs that lease routers to customers and retain a way to push firmware updates to them (for example, Comcast does this). But router manufacturers typically don't touch the device once it's out of their hands.


Note that cable modems (all of them, not just from Comcast) download their configuration from the provider every time they boot up. Ironically (since it uses TFTP, for one), this is called "secure provisioning".

They might give you a web interface where you can configure certain settings (e.g. integrated Wi-Fi) but the ISP ultimately has at least some control over any cable modem connected to it.



