Time for D-Link to own up
April 20, 2006
Need to know the time? Please don't ask Poul-Henning Kamp. His experience attempting to operate a Danish timeserver pro bono demonstrates that no good deed goes unpunished. Nevertheless, it makes for a fascinating detective story, provides a valuable tutorial about network timeservers, and might serve as a cautionary tale about the perils of engineering ineptness.
Kamp's time server is hosted on DIX, the Danish Internet eXchange, which waives thousands of dollars in connection fees for Kamp because NTP is, or should be, a low bandwidth protocol and because Kamp's server operates as a public service.
Kamp's server is designed to accommodate roughly 2000 legitimate Danish users, but he began receiving up to 3.2 million illegitimate requests per day, a level of traffic DIX couldn't accommodate for free.
Kamp enlisted Richard Clayton of the Security Group at the University of Cambridge Computer Laboratory, who ruled out a deliberate, malicious denial-of-service attack. The culprits, he determined, were potentially millions of consumer routers, access points, and related products from D-Link, whose firmware directs them to query stratum 1 timeservers such as Kamp's in violation of posted access policies. Kamp's policy, for example, reads, "open access to servers, please, no client use." Others that seem to be affected have posted less polite warnings, such as "prior permission required." The appropriate approach, Kamp and Clayton both report, is for client boxes such as D-Link's to query stratum 3 servers hosted by local ISPs or by D-Link itself.
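The distinction Clayton had to draw, between a flood aimed at the server and a crowd of clients each polling far too often, is one a timeserver operator can make from the traffic itself. The following is an added example, not code from the post or from Kamp or Clayton: it decodes the first bytes of the 48-byte NTP header (version, mode, stratum) and, over a constructed sample of timestamped client requests, flags any source whose polling interval falls below ntpd's default minimum poll of 64 seconds, then reports what share of the load such sources account for and what that load extrapolates to per day. The addresses, timestamps and the 64-second threshold are assumptions for the illustration.

```python
"""Flag NTP clients polling a public server faster than NTP's default
minimum poll interval. Added illustration, not the post's own code; the
header layout is the standard 48-byte NTP packet (LI/VN/mode byte, then
stratum, poll, precision), and the traffic sample below is constructed."""
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48
DEFAULT_MINPOLL_SECONDS = 64   # ntpd's default minpoll is 2**6 seconds (assumed threshold)
MODE_CLIENT = 3                # NTP association mode 3 = client request
SECONDS_PER_DAY = 86400


def parse_ntp_header(packet: bytes) -> dict:
    """Decode leap indicator, version, mode, stratum and poll from an NTP header."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("short NTP packet")
    first, stratum, poll, _precision = struct.unpack("!BBbb", packet[:4])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "poll": poll,
    }


def build_client_request(version: int = 3, mode: int = MODE_CLIENT) -> bytes:
    """Construct a minimal request: LI=0, given version and mode, all other fields zero."""
    first = (version << 3) | mode
    return bytes([first]) + b"\x00" * (NTP_HEADER_LEN - 1)


def classify_clients(requests, min_interval: int = DEFAULT_MINPOLL_SECONDS) -> dict:
    """requests: iterable of (timestamp_seconds, source_ip, packet_bytes).

    Returns {ip: {"count", "min_gap", "abusive"}}; a source is abusive when
    any two of its client-mode requests are closer together than min_interval."""
    seen = defaultdict(list)
    for ts, src, pkt in requests:
        if parse_ntp_header(pkt)["mode"] != MODE_CLIENT:
            continue   # only client-mode packets count as polling
        seen[src].append(ts)
    report = {}
    for src, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        min_gap = min(gaps) if gaps else None
        report[src] = {
            "count": len(stamps),
            "min_gap": min_gap,
            "abusive": min_gap is not None and min_gap < min_interval,
        }
    return report


def abusive_share(report: dict) -> float:
    """Fraction of all counted requests that came from abusive sources."""
    total = sum(r["count"] for r in report.values())
    bad = sum(r["count"] for r in report.values() if r["abusive"])
    return bad / total if total else 0.0


def projected_daily_requests(report: dict, window_seconds: int) -> float:
    """Extrapolate the requests seen in an observation window to a per-day rate."""
    total = sum(r["count"] for r in report.values())
    return total * SECONDS_PER_DAY / window_seconds


# Constructed sample: one well-behaved client, one polling every 5 seconds,
# and one server-mode packet that must be ignored by the classifier.
SAMPLE_WINDOW_SECONDS = 1024
SAMPLE_TRAFFIC = (
    [(t, "192.0.2.10", build_client_request()) for t in (0, 64, 128, 1024)]
    + [(t, "203.0.113.7", build_client_request()) for t in range(0, 60, 5)]
    + [(10, "198.51.100.1", build_client_request(mode=4))]
)

if __name__ == "__main__":
    report = classify_clients(SAMPLE_TRAFFIC)
    for src, info in sorted(report.items()):
        print(f"{src:15} count={info['count']:3} min_gap={info['min_gap']} "
              f"abusive={info['abusive']}")
    print(f"share of load from abusive sources: {abusive_share(report):.0%}")
    print(f"projected requests/day: {projected_daily_requests(report, SAMPLE_WINDOW_SECONDS):.0f}")
```

The per-source minimum gap is what separates the two cases the post contrasts: a handful of sources with sub-minute gaps is misconfigured firmware, whereas a genuine flood shows up as many sources with no plausible polling rhythm at all. On a real server the same logic would run over a packet capture or the daemon's access log rather than an in-memory list.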
Kamp has looked to D-Link for resolution and for restitution for legal and consulting costs he has incurred and for compensation for his own time (he works as an independent contractor). Unable to obtain satisfaction (a lawyer representing D-Link, he says, has accused him of extortion), he has posted an open letter to D-Link outlining his travails. Subsequently, Clayton posted a description of his detective work. Both make for fascinating, informative reading.
I asked D-Link for comment and received only this response: "D-Link is continuing to investigate the merits of Mr. Poul-Henning Kamp's claims in an attempt to achieve the full resolution of any issues. It is D-Link's long-standing policy not to comment further until an investigation is complete."
I suspect D-Link may be more concerned about investigating its legal liability with respect to other servers it may be abusing than about investigating the technical merits of Kamp's claim. In either event, there's already been plenty of time to investigate (Kamp says he first contacted D-Link in November 2005). It's time for D-Link to own up for its engineers' blunder, compensate Kamp for his trouble, and make some effort to convince millions of consumers to re-flash their D-Link boxes' firmware.
Posted by Rick Nelson on April 20, 2006