Time for D-Link to own up
Rick Nelson, Chief Editor -- Test & Measurement World, 5/1/2006
Need to know the time? Please don't ask Poul-Henning Kamp. His experience attempting to operate a Danish timeserver pro bono reinforces the adage that no good deed goes unpunished. Nevertheless, it makes for a fascinating detective story, provides a valuable tutorial about network timeservers, and might serve as a cautionary tale about the perils of engineering ineptness.
Kamp's time server is hosted on DIX, the Danish Internet eXchange, which waives thousands of dollars in connection fees for Kamp because Kamp's server operates as a public service. His server is designed to accommodate roughly 2000 legitimate Danish users, but he began receiving up to 3.2 million illegitimate requests per day, a level of traffic DIX couldn't accommodate for free.
Kamp enlisted the aid of Richard Clayton of the Security Group at the University of Cambridge Computer Laboratory, who ruled out a deliberate denial-of-service attack. The culprits, he determined, were potentially millions of consumer network products from D-Link whose firmware commands them to repeatedly query stratum 1 timeservers such as Kamp's, in violation of posted access policies. Kamp's, for example, reads "open access to servers, please, no client use." Others that seem to be affected offer less polite warnings: "prior permission required." The appropriate approach, Kamp and Clayton both report, is for client boxes such as D-Link's to query stratum 3 servers hosted by local ISPs or by D-Link itself.
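The kind of analysis Clayton describes, separating a flood of misbehaving clients from a deliberate attack, starts with per-client request timing. The script below is an added example, not code from the article, from Kamp or from Clayton. It assumes a simple per-request log format of the operator's own making ("unix_time client_ip ntp_mode", constructed here in a few sample lines) and flags clients that poll faster than NTP's minimum poll interval of 16 seconds (MINPOLL in RFC 5905), then projects each flagged client's rate to a requests-per-day figure that can be compared against what a server was provisioned for.

```python
"""Flag NTP clients that poll a time server faster than the protocol permits.

Added example, not part of the article. Assumes a per-request log with the
constructed format "<unix_time> <client_ip> <ntp_mode>"; mode 3 is a client
request. A well-behaved client never polls more often than every 16 s
(RFC 5905 MINPOLL = 2**4) and normally backs off to 64..1024 s.
"""
from collections import defaultdict

MINPOLL_SECONDS = 16          # RFC 5905 minimum poll interval, 2**4 seconds
SECONDS_PER_DAY = 86_400

# Constructed sample log. 192.0.2.10 hammers the server once per second,
# 198.51.100.7 polls every 64 s (normal), 203.0.113.5 asked exactly once.
SAMPLE_LOG = """\
1146470400 192.0.2.10 3
1146470401 192.0.2.10 3
1146470402 192.0.2.10 3
1146470403 192.0.2.10 3
1146470404 192.0.2.10 3
1146470400 198.51.100.7 3
1146470464 198.51.100.7 3
1146470528 198.51.100.7 3
1146470400 203.0.113.5 3
"""


def parse_log(text):
    """Return {client_ip: sorted list of request timestamps} for mode-3 packets."""
    requests = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mode = line.split()
        if int(mode) != 3:          # ignore peers, servers, control traffic
            continue
        requests[ip].append(int(ts))
    for stamps in requests.values():
        stamps.sort()
    return dict(requests)


def min_interval(timestamps):
    """Smallest gap in seconds between consecutive requests; None if fewer than two."""
    if len(timestamps) < 2:
        return None
    return min(b - a for a, b in zip(timestamps, timestamps[1:]))


def projected_daily_requests(timestamps):
    """Extrapolate the observed request rate of one client to a 24 h figure."""
    if len(timestamps) < 2:
        return len(timestamps)
    span = timestamps[-1] - timestamps[0]
    if span == 0:                   # all requests within one second
        span = 1
    return round((len(timestamps) - 1) / span * SECONDS_PER_DAY)


def find_abusive_clients(text, minpoll=MINPOLL_SECONDS):
    """Return {ip: (min_interval, projected_daily)} for clients polling faster than minpoll."""
    abusive = {}
    for ip, stamps in parse_log(text).items():
        gap = min_interval(stamps)
        if gap is not None and gap < minpoll:
            abusive[ip] = (gap, projected_daily_requests(stamps))
    return abusive


if __name__ == "__main__":
    for ip, (gap, daily) in sorted(find_abusive_clients(SAMPLE_LOG).items()):
        print(f"{ip}: polls every {gap}s, roughly {daily} requests/day")
```

On the constructed sample only 192.0.2.10 is flagged; the client polling every 64 seconds passes even though it also sits on a stratum 1 server, which is why the access-policy question (client use at all) is separate from the rate question this script answers. Summing the projected daily figures across flagged addresses gives the load a server operator can put beside the capacity it was provisioned for.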
Kamp has looked to D-Link for resolution, for restitution for costs he has incurred, and for compensation for his own time. Unable to obtain satisfaction, he has posted an open letter to D-Link outlining his travails. Subsequently, Clayton posted a description of his detective work. Both make for interesting, informative reading.
I asked D-Link for comment and received only this response: "D-Link is continuing to investigate the merits of Mr. Poul-Henning Kamp's claims in an attempt to achieve the full resolution of any issues. It is D-Link's long-standing policy not to comment further until an investigation is complete."
I suspect D-Link may be more concerned about investigating its legal liability with respect to other servers it may be abusing than about investigating the technical merits of Kamp's claim. In either event, there's already been plenty of time to investigate (Kamp says he first contacted D-Link in November 2005). It's time for D-Link to own up to its engineers' blunder, compensate Kamp for his trouble, and make some effort to convince millions of consumers to re-flash their D-Link boxes' firmware.