Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×

D-Link Firmware Abuses Open NTP Servers 567

DES writes "FreeBSD developer and NTP buff Poul-Henning Kamp runs a stratum-1 NTP server specifically for the benefit of networks directly connected to the Danish Internet Exchange (DIX). Some time last fall, however, D-Link started including his server in a hardcoded list in their router firmware. Poul-Henning now estimates that between 75% and 90% of NTP traffic at his server originates from D-Link gear. After five months of fruitless negotiation with a D-Link lawyer (who alternately tried to threaten and bribe him), he has written an open letter to D-Link, hoping the resulting publicity will force D-Link to acknowledge the issue. There are obvious parallels to a previous story, though Netgear behaved far more responsibly at the time than D-Link seem to be."
This discussion has been archived. No new comments can be posted.

D-Link Firmware Abuses Open NTP Servers

Comments Filter:
  • by SuperficialRhyme ( 731757 ) on Friday April 07, 2006 @09:39AM (#15084051) Homepage
    From TFA: "A number of D-Link products, so far I have at least identified DI-604, DI-614+, DI-624, DI-754, DI-764, DI-774, DI-784, VDI604 and VDI624, contain a list of NTP servers in their firmware and using some sort of algorithm, they pick one and send packets to it."
    • by ajs ( 35943 ) <{moc.sja} {ta} {sja}> on Friday April 07, 2006 @12:47PM (#15086066) Homepage Journal
      I don't get why D-Link doesn't just solve the problem. All they need to do is put up an ntp.dlink.com with a simple mock DNS server that checks the requesting IP, and returns the closest known, public (or authorized for that network) NTP server as a CNAME. In most of the cases, that's going to be the IP's ISP-provided NTP server, which D-Link could easily compile a list of from ISP Web-sites. It's like 2 weeks of one person's work to write the server, gather data, and solve 80% of the problem (and avoid doing this to companies that CAN afford to sue in the future). This would also allow organizations to request special listings in D-Link's table.

      Even in the case where the request comes from a recursive lookup, it should (in almost all cases) come from a DNS server which indicates the rough location (in terms of Internet topography) of the client.

      Of course, they could also obey DHCP responses (either to the device or to a directly connected IP) as a fallback, solving even more of the problem.
  • Moochers (Score:5, Insightful)

    by suso ( 153703 ) * on Friday April 07, 2006 @09:39AM (#15084052) Journal
    Give people an inch and they take a mile. I don't see why D-Link and Netgear couldn't just make their own stratum-1 NTP servers. I mean, if you trust the brandname enough for your routing, don't you trust them enough for your time as well?
    • That required time, money, and resources. DLink et al would be much happier just taking your money once and never having to deal with you again. But if they ran a time server, their customers would continue to use it yet they would get nothing* in return.

      * - nothing in this case is strictly defined as money. I'm not considering good will, appreciation, or the right thing to do. None of these things apply to a business unfortunately.
      • Re:Moochers (Score:4, Insightful)

        by suso ( 153703 ) * on Friday April 07, 2006 @10:06AM (#15084284) Journal
        I'm not considering good will, appreciation, or the right thing to do. None of these things apply to a business unfortunately.

        Eh hem, at the risk of sounding like a troll, they apply to my business damnit and don't you forget that.

        The problem is, when you do the right thing, like enforcing security over convience, customers don't always appretiate it.
    • Re:Moochers (Score:4, Insightful)

      by archen ( 447353 ) on Friday April 07, 2006 @10:05AM (#15084265)
      I mean why in the hell does cheap dlink crap need to connect to stratum-1 servers? Seriously these things should be running on stratum-3 or lower. I doubt the FBI will come into your home with national security at stake and the whole world ENDS because your $40 dlink router is off by half a second. Why doesn't dlink run their own damn ntp server off of the stratum-1 (making them stratum 2 - stratum 1 is sortof expensive). There is no need for these things to have this level of time precision - they just need ballpark correct time.
    • Re:Moochers (Score:5, Interesting)

      by typical ( 886006 ) on Friday April 07, 2006 @10:07AM (#15084290) Journal
      It's cheaper for D-Link to freeload off other people.

      That being said, D-Link has acquired quite a bad reputation in my book. The last time they were prominently mentioned on Slashdot was when their routers were randomly silently redirecting a small chunk of HTTP traffic to D-Link advertisements, and causing the obvious mayhem in non-human-readable HTTP traffic.

      I'm also wondering just how much mayhem this guy could cause on various networks by playing with the time he returns. I'm not advocating that...I'm just pointing out that D-Link is rather leaving the owners of their routers open to whatever he chooses to do to them. Adding NTP support to a product is one thing -- hardcoding it to reference an NTP server that you can't guarantee is trustworthy is another thing. Suppose, for instance, this guy drops the name due to the expenses and someone else picks it up...

      To be blunt, buying D-Link hardware at this point means that you're kind of, well, asking for whatever the hardware does to you.
      • Re:Moochers (Score:5, Informative)

        by boneshintai ( 112283 ) <(ten.yrautcnasnoil) (ta) (nosbocajo)> on Friday April 07, 2006 @10:27AM (#15084502) Homepage
        That was Belkin [theregister.co.uk].
      • Re:Moochers (Score:3, Interesting)

        by Just Some Guy ( 3352 )
        Suppose, for instance, this guy drops the name due to the expenses and someone else picks it up...

        ...or does what I'd do, and find out if any NTP replies can crash DLink's hardware. Move my real NTP server to a new IP and hostname and start advertising that, then start serving bad packets on the old address.

        DLink might be more interested in fixing the problem if 75% of their hardware was returned each month for random failure.

      • Path to Justice (Score:5, Interesting)

        by doublem ( 118724 ) on Friday April 07, 2006 @11:13AM (#15084959) Homepage Journal
        1. Buy the domain name off this poor guy / arrange for alternate hosting if it can't be sold.

        2. Take a collection from the /. community to set up an alternate server.

        3. Wait a month for all the legitimate users to switch to a new URL.

        4. Fire up a server at the old URL reporting Midnight, Jan 1, 1900

        5. Let D-Link deal with users accusing D-Link of failing to sell a Y2K compliant product in 2006.
  • by MECC ( 8478 ) *
    I'd think they could just firewall off just their ntp servers, and only allow certain networks in - their networks. Of course, it wouldn't be open anymore, but with PHBs trolling around like daleks, opening things up the general internet public is getting more and more difficult.

    • by DES ( 13846 ) * <des@des.no> on Friday April 07, 2006 @09:48AM (#15084130) Homepage
      A good idea, but not easily doable, since the allowed networks include most of Denmark. He would have to filter traffic based on the AS of the sender; this would require a full BGP feed and probably also a continuously updated mirror of the RIPE database.
    • Then someone would complain about the router spying on them. After all, do you want your router CALLING HOME TO D-LINK WITHOUT ASKING YOU??!!!!!??!!

      It would be the worst case of spyware since Slashdot implemented cookies.
  • Easy fix (Score:4, Funny)

    by mcgroarty ( 633843 ) <brian.mcgroarty@ ... om minus painter> on Friday April 07, 2006 @09:41AM (#15084067) Homepage
    If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)
    • Re:Easy fix (Score:5, Informative)

      by holdenholden ( 961300 ) on Friday April 07, 2006 @09:46AM (#15084117)
      He says that such a solution is hard to implement on Cisco, and would be too CPU intensive. FTFA: "Filtering the D-Link packets requires inspection of fields which are not simple to implement in Cisco routers, and in particular such filtering seems to send all packets on the interface through the CPU instead of fast switching, so ingress filtering the packets at the ingress of AS1835 is totally out of the question."
    • Actually that would be fun. Add a PC in front of the NTP server that looks for Dlink traffic or any traffic outside the networks he desires to serve and either blackhole the response (IPTABLES DROP) or hand off to a C app that reports a random time response. Thus making all D-link hardware wonky.

      I prefer the drop as this limits the bandwidth and will get customers screaming at Dlink.

      It should not be too hard to set up a linux box to drop and route based on some simple rules. hell dropping all NTP request
      • Re:Easy fix (Score:3, Funny)

        by Ilex ( 261136 )
        Thus making all D-link hardware wonky.


        From my experience with DLink I doubt many people would notice any difference.
    • Re:Easy fix (Score:3, Insightful)

      by gstoddart ( 321705 )

      If he can detect that the majority of connections are from D-Link products, then he can detect which connections are from D-Link products. The easy solution? Whenever a D-Link product connects, report a very very wrong time. :)

      Except, he'd still end up paying the $8000 USD bandwidth fees for the privelege of lying to people he'd rather not be connecting to him in the first place.

      An awfully expensive practical joke, don't you think?

      So he's stuck paying the bill, unless he wants to disconnect his legitimate u

    • by swschrad ( 312009 ) on Friday April 07, 2006 @10:00AM (#15084231) Homepage Journal
      send a private communication to the authentic users (not the robot moochers from D-Link) that on date X, the new IP service address will be unhacked.gps.dix.de or whatever suits him.

      on date X, send bogus packets in response... not just wrong time, but seriously wrong time, like a packet with time of 9s in all fields, which would be most seriously wrong.

      hopefully, it would lock up the offending junkpiles, and clear the problem right smartly.

      the general idea in engineering an end to these things is to find a way to blow up the crooked machine by a seriously wrong entry that will screw up the internals. since they took an ugly and cheap shortcut by using firmware tables, they probably don't error-check their inputs from NTP and other services. so there should be a memory jump and a crash in those pirate boxes someplace.

      and that puts the onus back where it belongs, on supercheap designers for obnoxious companies that don't give a shit about network etiquette. the market will punish them. that's how it should be for slap-happy outfits.
      • the market will punish them.

        The market has no mechanism for punishing them. It is completely helpless to deal with this. It takes a sysadmin from a left-socialist country to deal with the things the market cannot.
      • The real issue is, as no one seems to be recognizing, that you have to set your desktop machine to connect to the router, and sync the time.

        And since D-Link is not a brand with a great reputation in the segment of the population who knows HOW to do that, all we're going to end up with is a bunch of routers with crewy internal time, and a bunch of clueless users who will never know it.
      • if he did that, d-link would probably sue him for damages. this is how corporations think.
  • Since you can apparently sign your life away with a EULA, why not say in the T&C's for your NTP server(s) that any requests users cause that do not follow certain conditions will cost $1 each or something.
  • by bersl2 ( 689221 ) on Friday April 07, 2006 @09:42AM (#15084074) Journal
    pool.ntp.org?
  • by Bogtha ( 906264 ) on Friday April 07, 2006 @09:43AM (#15084088)

    If there's one thing I hate more than incompetence, it's people who don't care that they are incompetent and carry on churning out crap regardless of the problems it causes others.

    According to this page [dlink.com], D-Link have an office operating in Denmark. This makes them subject to Danish law whether they like it or not. I don't know whether Denmark's computer crime laws cover this, but it wouldn't surprise me.

    • What exactly would be the crime, though? As much as I sympathise, I don't know what's legally wrong with what D-Link is doing. If you run a publicly accessible server, then you should expect the public to access it; and if you don't like that, take measures to prevent it from happening.

      Of course, trying to talk to D-Link is not a bad idea, either, but if this was a crime, then one could just as well argue that it's a crime when Google crawls a website without explicit permission - and I'm not even talking a
    • OK, keep going. Pretend it was in the US what's the crime?
  • pool.ntp.org (Score:3, Insightful)

    by martin ( 1336 ) <maxsec@@@gmail...com> on Friday April 07, 2006 @09:44AM (#15084093) Journal
    Should be using pool.ntp.org surely........

    or am I being daft again..

  • Blacklist time (Score:4, Insightful)

    by phil reed ( 626 ) on Friday April 07, 2006 @09:45AM (#15084101) Homepage
    Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.
    • Re:Blacklist time (Score:3, Insightful)

      by RedBear ( 207369 )
      Time to add D-Link to the hardware vendor blacklist. Whenever you're asked by your non-tech friends what hardware they should buy, recommend anything BUT D-Link, and tell them to actively AVOID D-Link.

      I always wonder about something whenever someone suggests boycotting an entire company's products like this because of a few little problems. Namely, which perfect heart-warming angel company am I supposed to shop with from now on? Don't Linksys, Netgear, Belkin, IOGear, etc. all have their own problems? Last
      • Re:Blacklist time (Score:3, Interesting)

        by bzipitidoo ( 647217 )
        Well, first D-Link did a boneheaded thing in their default setting. No problem. Some noticed and tried to tell them. Maybe a stupid incompetent mistake, but at this point an honest one. But D-Link is refusing to fix the problem, and behaving poorly and childishly. That's more serious. They're like a kid who accidentally knocked a glass off the table and then denied breaking it even though you were right there and saw the whole thing happen. Would any of you let your children get away with b.s. like t
  • by Aggrajag ( 716041 ) on Friday April 07, 2006 @09:48AM (#15084127)
    The DI-624+ is not on the list and it is possible to manually change the NTP server which the router uses.
  • I have never once had a good piece of D-Link hardware. I bought both the DI-624 wireless router and the DWL-G520 PCI wireless card. First up the router didn't do UPNP properly; it simply did not work. A call to tech support told me to upgrade the firmware because they knew that UPNP simply didn't work. After the firmware upgrade, port forwarding didn't work at all either. No solution for the router yet. As for the wireless card. After installing it, my system would completely hardlock after about 5 minutes
    • I had heard a lot of complaints like this about D-Link hardware and had thus avoided them when purchasing network products. But a few months ago, I was in the market for a wireless router. I started off with a Netgear router because I had good success with one of the old purple metal boxes I bought a long time ago. I live in an apartment with a lot of nearby wireless networks, so perhaps the SNR was just too small, but I was constantly losing the connection. Even the wired ethernet connection would drop off
  • Solution: Close them to those users.
  • D-Link ha! (Score:2, Informative)

    I own a D-Link Ethernet ADSL modem and guess what, the local IP adress is fixed to 192.168.0.1. Nope, no changing that thing. If I had known beforehand... I had to completely renumber my network. I only had 8 NICs and two LANs but was pissed off nevertheless.
  • Fairly simple fix (Score:2, Redundant)

    by fataugie ( 89032 )
    Is the IP address hard coded? Or the name? Change whichever is needed and propogate the changes to the partners you want to connect. Seems much easier than beating your head against a wall...don't you think?
    • Re:Fairly simple fix (Score:3, Informative)

      by nsayer ( 86181 )
      RTFA. He discusses this.

      1. He's already out a bunch of money trying to figure out what happened.

      2. He could change the DNS name, but then every legitimate user would have to change their configuration, and there's no guarantee D-Link wouldn't just update the firmware with the new name.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday April 07, 2006 @10:02AM (#15084243)
    Comment removed based on user account deletion
    • Whoa, Whoa, Whoa here! You tryin to get yourself sued or have men in black suits show up at your door?!?

      let's get this straight, businesses taking responsibility for their mistakes, paying restitution to the poor bastard who was wronged with a little extra compensation *instead* of paying four times the amount to a lawyer and the guy getting a check for $40 and a free happy meal? Preposterous!!!

      Seriously, between this and the paper I read about tying congressional pay raises directly to minimum wage increas
    • Big companies tend to treat certain groups of people like terrorists (we don't negotiate with terrorists) because they're afraid that if they give money to one of them, more will come out of the woodwork.

      Your solution might be obvious to us, but when it's your money... you might do what they did and just hope the guy goes away. Like TFA says, he can't afford to sue them, so other than publicly shaming D-Link, all he can do is bugger off.

      Either way, I hope some idiot programmer(s) gets fired at D-Link. You
  • by cdrudge ( 68377 ) on Friday April 07, 2006 @10:02AM (#15084244) Homepage
    It's not the first time that D-Link's crappy programming has affected a service. DynDNS.com [dyndns.com] last year started blocking all update requests [dyndns.com] that match a user-agent of client/1.0, beleived primarily to be several D-Link routers. D-Link has been mum on a response last I heard.
  • by 91degrees ( 207121 ) on Friday April 07, 2006 @10:17AM (#15084404) Journal
    Change the DNS name. Granted, he gives reasons for not wanting to do this, but the only practical alternative is to shut down the server entirely. This will still require 2000 or so system administrators to reconfigure their servers, so he might as well provide a logical alternative.
  • Stupid idea.... (Score:3, Insightful)

    by JaJ_D ( 652372 ) on Friday April 07, 2006 @10:20AM (#15084434)
    ...why don't you change the one they (D-Link) use to (basically) lie about the time! Deliberatly send out the wrong information. Altered the config for the customers of dix and let the D-Link customers go mad at D-Link

    Brutal but (in theory) affective....

    Jaj
  • by spatenbrau ( 926486 ) on Friday April 07, 2006 @10:30AM (#15084528)
    I'm surprised phk is screwing around writing long-winded letters. Much faster would have been to just add a dns A-record entry by the name of private-ntp.dix.dk for the legit users and have them use that server. The old gps.dix.dk entry should be made into a CNAME for www.dlink.com. That would put the crushing levels of ntp traffic back where it belonged -- right on Dlink's doorstep.
  • by tehwebguy ( 860335 ) on Friday April 07, 2006 @10:38AM (#15084584) Homepage
    ATTN: President & CEO
    17595 Mt. Herrmann St
    Fountain Valley, CA 92708

    I have recently read an open letter to D-Link available at the following URL:
    http://people.freebsd.org/~phk/dlink/ [freebsd.org]

    I must say that I am disgusted with D-Link's poor choice of action. D-Link may
    think that abuse such as this will go un-noticed, but that is not the case.

    While I don't expect my actions to bring your corporation to its knees, I am the
    "geek" of my family, and I have taken a personal stand by ordering Linksys
    products to replace any and all of the D-Link networking gear that my parents,
    siblings, cousins, and roomates are using. I hope that my sacrifice puts a dent
    in the damage your corporate negligence has caused Mr. Kamp.
  • by phkamp ( 524380 ) on Friday April 07, 2006 @10:48AM (#15084704) Homepage
    Let me clarify a number of details here.

    1. My server has not replied to the packets sinde the CodeRed virus/worm abused NTP servers to coordinate attacks. That was a couple of years ago. I doubt D-Link ever even tried to test this.

    2. NTP is a timing protocol. You do not want to do expensive and timeconsuming filtering on the packets because that disturbs your timing performance.

    3. If I have to sue D-Link, it will be either in USA or Taiwan. Both their Danish marketing office and the UK european office will be able to deflect a lawsuit to their mothership.

    4. If you download a firmware file from D-Link, it is often a ARJ archive. unpack that and run strings. If you see GPS.dix.dk in there, please use another version. If the firmware you run is older than about a month, please update it.

    5. The list of products in my open letter is unlikely to be complete, those are the only ones I have been able to positively identify (using the method above). If you find out other products are affected, please email me.

    6. We do have a number of very interesting sections of our penal code here in Denmark that are very likely to apply. Only problem is, they havn't been tried in a court yet. So I have to persuade an overworked criminal inspector to raise a criminal case against a foreigner over a, lets face it, quite small monetary amount. Then I have to spend a lot of time making sure that we convince a judge who have never heard of NTP that they are guilty and then if I win, I can see some D-link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name". I have better things to use my life for.

    I can see a couple of hits from a C-class belonging to "D-Link Irwine": please escalate this guys, your bosses don't read slashdot.

    Thanks for all the supportive email.

    Poul-Henning

    • by mpe ( 36238 ) on Friday April 07, 2006 @02:20PM (#15086897)
      I can see some D-link manager make a checkmark in their pocket book: "Remember to not visit Denmark under true name".

      Can't that easily be re-written to "Remember not to visit the European Union"?
    • I own a DI-604. I just went to D-Link's support site and tried to download the latest firmware for it. There wasn't any. I poked around, nothing. I went to their FTP site, the directory that should have held firmware upgrades was empty. Poked around in other directories, many firmwares for other routers are also missing.

      Looks to me like someone is covering tracks.

  • by Skapare ( 16644 ) on Friday April 07, 2006 @10:51AM (#15084728) Homepage

    D-Link must be run by Osama Bin Laden. That's why no one can be reached (hiding in the mountains of the Afghanistan and Pakistan border). Obviously, this attack has something to do with that cartoon thing.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Friday April 07, 2006 @10:51AM (#15084734)

    Ok, let's do some good. Are we slashdot, or what?

    D-Link Business Development and Strategic Partnerships, E-mail: bdm@dlink.com

    >>>
    To whom ever it may concern:

    Hello.
    I just learned of you companies notably persistent inability and unwillingness to deal with a serious design flaw in a growing range of your products. This flaw is severly disrupting internet services for a large amount of internet participants and even though you have been informed in detail of these effects your products are having, you have done nothing of substance to resolve the issue and compensate for the damage done.

    Until I learn that the issue described in the open letter do D-Link, available under http://people.freebsd.org/~phk/dlink/ [freebsd.org], was resolved in a professional and mutualy satisfying manner I will not purchase any D-Link products and will strongly discourage anybody asking for my expertise as a professional in the IT field from buying D-Link products or from engageing in any sort of business relationship with D-Link.

    Sincerely
    An Internet User

    Mistakes in this one? Please post corrected version below and then add a 'mailto' link to the address.
    Grammar Nazis, it's your turn!


    • by Anonymous Coward
      Could you also mention that they still owe me $15 for a rebate. Thanks.
    • Email Addresses (Score:3, Informative)

      by wonkavader ( 605434 )
      customerservice@dlink.com
      webmaster@dlink.com
      analysts@dlink.com
      sale@dlink.com
      broadband@dlink.com
      bdm@dlink.com
      oem@dlink.com
      productinfo@dlink.com
      hr@dlink.com
      edusales@dlink.com
      si@dlink.com
    • Letter to *MY* ISP (Score:3, Interesting)

      by Anonymous Coward
      I opened a problem ticket with my ISP (who, incidentally, has been VERY responsive in the past) to try to get them to block or redirect the DNS entry for this dude's NTP server:

      Subject: D-Link Abuse of NTP: Action Requested

      I'm certain that most of the technical staff at speakeasy reads slashdot, so you may have seen this before, but please take a peek at:
      http://people.freebsd.org/~phk/dlink/ [freebsd.org]

      It would make me very proud to be a $ISP customer if $ISP were to redirect *all* ntp traffic pointed to GPS.dix.dk wer
    • I sent the following:

      Date: Fri, 7 Apr 2006 10:09:27 -0700 (PDT)
      From: Todd Knarr <xxxx@xxxxxx.xxx>
      To: sale@dlink.com, customerservice@dlink.com
      Subject: DLink router use of Danish NTP server

      This is in reference to the open letter to DLink from Danish sysadmin Poul-Henning Kamp (http://people.freebsd.org/~phk/dlink/ [freebsd.org]). Abuse of an NTP server in express violation of the service agreement in the Stratum-1 server list is, in my opinion, inexcusable. Willful refusal to correct the abuse when requeste

  • by phkamp ( 524380 ) on Friday April 07, 2006 @04:08PM (#15087852) Homepage
    We are not talking HTTP here. Robots.txt does not apply.

    The place where the service restriction is clearly written out, the "stratum 1 list" is the only place where DLink can have found the name of the NTP server in the first place.

    As several posters have pointed out: consumer devices like these have no need to query stratum 1 servers.

    As I said clearly in my letter: filtering will not prevent me from getting hit with bandwidth charges of $8800/year.

    I have not tried sending any bogus return packets because that would hit innocent consumers who bought D-Links defficient products.

    And for the people who could have identified the source of these packets so much faster and easier: Drop me an email, I'll be sure to ask for your help next time.

    Finally, I can see that more than 40 people at D-Link Irwine (192.152.81.0/24) have read the open letter now, please guys: get somebody to call me or email me so we can get this matter settled. (both email and phone# is in the open letter)

    Poul-Henning
  • Here's what I'd do (Score:3, Interesting)

    by Introspective ( 71476 ) on Friday April 07, 2006 @04:49PM (#15088125) Homepage
    The problem is really one of economics more than anything else, so the solution has to be cheap.

    He's correct that performing complex packet matching on a Cisco router would load it too much - they just don't have the CPU to do that function for any significant traffic load.

    I would configure the switch that the NTP server is on to have a SPAN port - a port to which all traffic is copied. Most Cisco switches will do this without any problem. On that SPAN port, connect a Linux box with a bit of CPU power - 2GHz would be tons. On the Linux box, setup tcpdump to match the packet patterns that D-Link routers are sending ( from TFA he has this as detected by a network consultant ).

    From the output of tcpdump, extract the source IP addresses. A fairly small perl script would probably do it. Take these IP addresses and massage them into access-lists for the upstream router to block, again perl or TCL/Expect would be reasonable tools. Routers are good at blocking large lists of IP addresses - its not such a load for them as the list gets compiled and pushed onto the hardware. Depending on his router model a few thousand ACL lines would be fine.

    Alternatively, he could use the same approach to detect the non-D-Link source IPs - permit these and block anything else. From his stats of legit -vs- D-Link sources this would result in a shorter access list.

    The only issue here is that a D-Link behind a shared-NAT'd IP address would result in that address being blocked, but there shouldn't be too many of these. And legally he can block anything he wants - his service has no written guarantee to he should be legally safe (yeah, IANAL).

    To keep costs and time down, he can probably get help from the local University ( a cool project for any CompSci students ) to do the code and Linux setup, or help from the local LUG - I'd bet there would be plenty of volunteers to set it up, and I could imagine it being done within a couple of days.

    Kerry

  • by Snaller ( 147050 ) on Saturday April 08, 2006 @03:55AM (#15090063) Journal
    The guy had help in finding out who it was who abused his service, by Richard Clayton, he writes in his blog about this: "on a typical day he'd receive 3.2 million bad packets (that's 37 a second!). "

    Here he explains how he traced down who was behind, what he calls a DDoS attack: His blog [lightbluetouchpaper.org]

Pascal is not a high-level language. -- Steven Feiner

Working...