D-Link Settles Danish Time Dispute

igb writes "The Register reports that DLink has settled the time server dispute described a little over a month ago here on Slashdot. They're going to stop using an NTP server they're not really authorized to chime with, and they've reached an amicable settlement over the use by existing products. The details of the settlement are, not unsurprisingly, somewhat vague, but let's hope that the good guys aren't out of pocket any more."

They should've known better...

than to challenge a Time Lord!

Netgear did the same thing a few years ago

Netgear did the same thing with the University of Wisconsin Internet NTP's servers. [wisc.edu]

It's strange these companies can't afford to set up a few of their own NTP servers instead of overloading servers that don't have the bandwidth. It it's because they are clueless or they are cheap?

Re:Netgear did the same thing a few years ago

Why dont they at least use the government supported ntp servers since then the users probobly still payed for it in taxes.

I currently use the Argonne national lab NTP server most of the time which is probobly government paid though it could be provided b

Re:Netgear did the same thing a few years ago

It it's because they are clueless or they are cheap?

Yes, and yes. They are clueless, and they are cheap.

That is why pool.ntp.org was created - to provide a pool of NTP servers that these bozos can use without hammering anybody's server too badly.

Re:Netgear did the same thing a few years ago

These situations make no sense to me. The NTP system is very easy to use properly.

There's a great little website about how to use ntp.org servers [ntp.org] properly.

For the quick-fix people, point your NTP capable system at pool.ntp.org.

If you live in north america, you can use the north-america.pool.ntp.org dns name instead, for only north american servers. The same applies to other continents [ntp.org] and several country codes.

Basically, there's no excuse for hard-coding a time server in almost any situation, unless your client is completely incapable of DNS and has no access to external DNS servers.

Re:Netgear did the same thing a few years ago

It would be really nice to think that it's not that hard. Yet, somehow, as a member of the NTP pool, I just keep on having issues. At this moment, I'm supporting roughly 1500 clients. 35% of my resources to supply all those clients with acurate time are being used by 40 clients. In fact, the top 10 "abusers" are taking nearly 17%... and it's a good moment.

Re:Netgear did the same thing a few years ago

as a member of the NTP pool
[...]
At this moment, I'm supporting roughly 1500 clients

Somehow, I find this value flawed. On my server [ntp.org], also in the pool, I logged requests from 161683 different IPs within just the first 24 hours after joining the pool; thus,

Re:Netgear did the same thing a few years ago

At this moment, I'm supporting roughly 1500 clients. 35% of my resources to supply all those clients with acurate time are being used by 40 clients. In fact, the top 10 "abusers" are taking nearly 17%... and it's a good moment.

I wonder if the abusers are running some kind of Unix/Linux/BSD time daemons.

In my experience, when starting the 'chronyd' time daemon under Linux, it will poll very often, like 15 seconds intervals. Everytime it gets an answer, it will compare it to the system clock, log the deviation and adjust the system clock speed based on the trend. After some time, the system clock will run really accurate, so the logged deviations will be small. The polling interval will then be increased in steps up to a max. limit of 4 hours. If the computer is restarted, this scenario starts over again.

Compare this to a typical Windows XP computer which seems to poll a time server once a week or so. No doubt that the ntp server will feel some clients more abusive than others.

Disclaimers:
The intervals stated above may be wrong. I haven't tinkered with optimizing my time daemons since the old pay-per-minute ISDN days so my memory is a bit rusty.

Chronyd is just an example. I have no knowledge of whether it stresses the time servers more or less than other time daemons like 'xntpd'.

Re:Netgear did the same thing a few years ago

... and that's the rub; this is a router. Surely in most cases its getting DNS information from an ISP by DHCP on behalf of its clients.

It could, you know, use that information to resolve pool.ntp.org properly.

PS, being a good netizen, I run a public NTP

Re:Netgear did the same thing a few years ago

Proper queries are only denied & not re-made if the client follows the rules.
If you check the original artical, D-Link routers do not recognize the kill request, and they re-request very quickly. So yes, he configured the NTP server correctly, AND he

Re:Netgear did the same thing a few years ago

So D-Link units were making a NTP request, the request was denied by the server, but the D-Link engineers put it in their list of NTP servers anyway?
Yes, but worse and out of order .....
Check out NTP.org [ntp.org]. Specifically check the Rules of Engagement [isc.org], The Stratum 1 list [isc.org], and RFC 1305 [faqs.org].
Now looking at everything we have a protocol that involves 2 components, an implimentation component and a social component. The actual implimentation of the protocol is laid first as "Format your request in this fasion and we will return the responce looking like this...". However, it also has things for implimenting request timing fallback and kill requests. The social implimentation of the protocol is layed out in the RoE and the Server Lists - note the regional restrictions and the authorization requests in the server lists.
From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables. That blows off the entire social aspect of the protocol - both the permissions and the structure.
Next they implimented only the request portion of the protocol, they ignore the backoff & get lost request structures - essentially forgoing the entire error correction portion incorperated into the RFC. So up to the point of manufacture they have 3 strikes against them,

• Failure to obey the Stratum structure of the NTP system
• Failure to follow the permisions structure of the NTP system
• Failure to properly impliment the NTP connection protocol
  

Now there was no known issue with this until the Danish exchange turned to the Stratum 1 owner and said "You are eating a hell of a lot of bandwidth here & we can't keep giving it to you for free." At which point the problem was tracked back to a series of D-Link SOHO routers. I don't recall the exact process he used , but he started sending kill requests to anything from a D-Link router. When they ignored it & kept making requests he talked to D-Link
From memory the conversation then went like this:
Dane: You're routers are hammering my server & they need to stop, you don't have permission & you're violating the rules.
D-Link: How cute, have a nickle & go get yourself some candy.
Dane: WTF? The exchange is going to charge me $8K to cover your protocol violations.
D-Link: It's not our fault & if it is talk to our Lawyer.
Lawyer: I won't talk to you unless you come to CA & argue your case.
At which point it devolved to an open letter & public shaming - which by the way seems to have worked.

[note] IIRC someone calculated the estimated bandwidth from the D-Link routers using Stratum 1 NTP servers to be enough to continously flood a T1. So this isn't just an occasional knock on the door, it's pretty heavy usage for what amounts to a request packet and a responce packet from each router.

Re:Netgear did the same thing a few years ago

From the original article which evidently doesn't have any information on the open letter anymore - D-Link took the Stratum 1 list and shoved it into some of their router NTP lookup tables.

Good god. What a bunch of knuckleheads.

They already lost at least $120 in sales

And likely more. I've been telling my friends not to buy them, and I know of at least one buying decision that was made specifically for that reason that cost them $120 worth of sales of USB wireless adapters.

Re:They already lost at least $120 in sales

Somehow I doubt you and your friends boycott is going to cost them as much money as running their own NTP server would ;)

Re:They already lost at least $120 in sales

I've told my friends (and my company) to avoid buying their stuff because it's junk (IME) We used to spec D-Link because one of our distributors already carried it and I'm fairly certain I've since swapped most all of it to Linksys or Netgear which are bo

Re:They already lost at least $120 in sales

That's nothing. I'm engineering a large scale DSL rollout, around 80,000 installations in the first 2 phases during 2006, and a potential 4 million subscribers over the next 3 years. My technical analysis of the CPEs determines who makes the shortlist. I had a lot of fun at CeBit this March, watching the sales weasels fight over who would get first shot at my account.

I had even more fun letting the D-Link fuckheads know why they were on my blacklist. For two main reasons, the NTP theft of services from all the stratum 1's, and the mac ethernet framing problems. They were told quite clearly the non-response from their engineering team on these two show-stopper problems had left them permanently blacklisted. Its called schadenfreud, and it feels good.

the AC

Re:They already lost at least $120 in sales

Did you also stop buying Belkin when they added sw to their routers that, about one week into operation, would randomly redirect a web page request to an advertisement for their filtering service?

How about Linksys? They've done some mean things too.

Not Vague At All

... D-Link's existing products will have authorized access to Mr. Kamp's server, but all new D-Link products will not use the GPS.Dix.dk NTP time server. D-Link is dedicated to remaining a good corporate and network citizen.

Allow me to translate: He got paid.

Part of the settlement involves him putting on his website "D-Link is dedicated to remaining a good corporate and network citizen."

Otherwise, considering his previous level of frustration, there's no chance he would shill for them like that.

Re:Not Vague At All

And he should have been paid, he needed to be reimbursed for his costs as well as future costs for the hoardes of D-Link gear already out there with his servers configured in their firmware.

Granted D-Link could and likely will correct the issue with firmwa

Re:Not Vague At All

unlikely, these devices are meant to fail after a year or two. it is safe to assume that in 5 years all but a very (lucky) few number of them will have been replaced.

and don't forget that people will probably want to upgrade to get the shiny new lastest wi

Re:Not Vague At All

Well don't tell any of my devices, cause all of them are over 2 years old, many of them over 5 years old. Heck my "public segment", where the DSL modem (6 years old), broadband router (4 years old) and VPN device (4 years old) connect is a 15 year old 10B

ObPA

Do you like his hat? It's made of money!

Re:Not Vague At All

He also took down the entire description of the problem D-Link caused, which used to reside at that URL. Considering how pissed he was, they must have paid him well, indeed.

not unsurprisingly

The details of the settlement are, not unsurprisingly, somewhat vague...

I do not think that means what you think it means

What I would have done

Is silently migrate my legit users to another ntp server and then set the D-Link'ed ones to something like Klingon time or something bizarre, streach 8 hour days to 10 hours, etc. Of course that wouldn't solve the excess traffic, but you can get creative with revenge, especially when you're in the right.

Re:What I would have done

Yes, because everyone is going to be so confused that their router is set to the wrong time that they will go out and buy a competitors product.

Re:What I would have done

Oh fucking god that was funny!

Re:What I would have done

In the last story the server admin stated that he couldn't change the address because it would involve far too much work. Many people rely on his services and it was costing him enough out of pocket as is.

NTP Pool for Vendors

There is now a way for vendors to use the NTP pool. See http://www.pool.ntp.org/vendors.html [ntp.org] for details.

This should have been solved with a check.

Someone at D-Link should simply have realized the mistake and paid for a few very fast servers to sit at a hosting facillity and respond to the requests -- and all the requests already using that service -- for as long as the Danes were willing to point the DNS entry for that server to them.

In the scheme of things, and from a marketing perspective, anything else is stupid and a waste of good will.

Hmmm, "Not unsurprisingly..."

If something is "not unsurprising" doesn't that mean it was surprising? Like it was suprising that the details of the settlement were so vague?

I don't know. I'm just asking. Irregardless, I could care less...

Poul-Henning Kamp got payed!

Poul-Henning Kamp got 200.000 DDK (Danish kroner) which is about 33.000 US$.

The settlement states that Poul-Henning Kamp must not talk about the history of problems which the D-Link routers caused. But He tells danish press that any future problemes causes by D-link equiptment will be posted around the net ;-). This information is from the danish version of computerworld online at http://www.computerworld.dk/ [computerworld.dk]

His homepage is http://people.freebsd.org/~phk/ [freebsd.org]

For those in america: Denmark is not the capital of sweden ;-)

Re:Poul-Henning Kamp got payed!

Since he is facing a bandwidth bill of $8,000 per year to run the server that doesn't seem like a very good settlement. I mean does D-Link think that virtually all of those devices will be off the net in less than 5 years, because if not it was a shitty of

Re:Public? Server

Seems to me that if you run a (public) NTP server with a publicly available IP address and/or DNS resolution, that means anyone (public) can use the (public) service - no?

No.

Public yes, but with permission

Most public NTP servers require permission prior to use. The list of public NTP servers have an email address or webpage form to use prior to using their NTP server.

The reason for this is to avoid problems like this, where the NTP server is overloaded or

Re:Public? Server

Public or not, you have to follow the rules. It is pretty well known that only 'Stratum 2' NTP servers are to use 'Stratum 1' NTP servers. This is not just a 'because we want it that way' policy. There are many good reasons for this.

http://en.wikipedia.org/wiki/NTP_vandalism [wikipedia.org]

Re:Public? Server

Seems to me that if you run a (public) web server with a publicly available IP address and/or DNS resolution, that means anyone (public) can hotlink your images and steal all the bandwidth they want

What's the difference? Of are you the sort of person th

Re:Public? Server

Check the NTP page, there are public (open) servers and there are public (restricted) servers. There are also 3 layers of service,

• Stratum 1 are principle time servers for a region & directly query atomic clocks.
• Stratum 2 are general use for large regions or institutions - generally they should only be contacted by Stratum 3 servers - clients only as a last resort.
• Stratum 3 are the generic NTP servers of the internet - if you're an end client you should be talking to a Stratum 3 unless none are available/unrestricted for your use.

D-Link SOHO routers do 3 things wrong.

• They don't follow the NTP protocol for requests to stop using the service.
• They ignore the restrictions place on the server usage - in Denmark, for use by ISP or Stratum (2/3) requests.
• They hit a Stratum 1 NTP server as an end client.

So no, if you run a public NTP server that you have dutifully entered restrictions on, you are expecting everyone who comes to you to obey the NTP protocol. That includes following the restrictions, listening to the go away requests, and following the basic rules of who to talk to.
[Analogy type=bad]
In the US there are a number of parking spaces set asside for handicapped parking in almost every parking lot. Physically you can park there if you are not handicapped, but you're not supposed to (covers both ignoring restrictions and a client talking to a Stratum 1 server). If the manager of the parking lot tells you to get your car out of the spot - you should do that(refers to the kill request in the NTP protocol). In the real world if it get's this far, the cops come & give you a ticket. On the net you get open letters calling you an arogant prick who can't be bothered to figure out the basics of the protocols you are boasting about
[/Analogy]
For the record the Danish server was not the only Stratum 1 server they hit, they appear to have taken the Stratum 1 list (almost all of which restrict usage to Stratum 2 servers) and shoved it into the routers for general use - hardly the "Good internet citizen" they claim to be.

Re:Public? Server

His NTP server access policy explicitly limited use of said server to the Danish Internet Exchange (DIX). In return, DIX provided him with a free internet connection for his NTP server. Because D-Link was sucking so much bandwidth, DIX told Kamp he would have to pay yearly for the connection. D-Link disregarded his server policy and abused his server. That's why it's a problem.

Also, his server is a Stratum 1, and, while not explicitly written, the D-Link devices should getting the time via a Stratum 2 server. At least, that's how it's commonly done.

Does that help explain things better?

Re:Public? Server

Taping a note to your front door that reads 'only enter if you live here' doesn't accomplish a lot if you leave the door open all the time.

Please, stop with stupid analogies. They are never helpful. You can leave your door open all the time, that doesn't give anyone the right to go in! In Vermont, thats criminal trespass, and the fine is much larger than the other forms of trespass defined in the act.

They DDOS'ed a stratum-1 timeserver . . .

by indiscriminately selling hardware devices which were preconfigured to use it inappropriately (at best, these guys should look to stratum-2 timeservers).

But if you have no problems with the DDOS aspect of this, let me know and I'll send you an e-mail at

Re:Their reputation preceeds them

Agreed. D-Link appears to occupy a point on the cost-quality curve that ultimately costs more in hair-pulling time than it saves in cash. Their products may be OK for lightweight use at home, but they can really give you fits in a more demanding environment.

Case in point: we recently put a bunch of DGS-1008D 8-port gigabit switches into service, and immediately started having problems with dropped Ethernet connections. Our laser printer was sucking down enough power at the onset of its fuser-warmup phase to trigger a nearby UPS momentarily. The resulting switchover transient lasted only a few milliseconds, but it was enough to reset the DGS-1008D. After a LOT of tail-chasing, it transpired that the (cheap-ass linear) wall-wart supplies that D-Link ships with the DGS-1008D lack sufficient filter capacitance to absorb even the slightest power glitch under high-load conditions (e.g., when there are several cables plugged into the switch.)

We took a few of their power supplies apart and found that the oldest ones -- which didn't have the problem -- used a 2000-uF filter capacitor at the rectifier output. At some point, they saved 10 cents by moving to a supply with only 1000 uF, rendering their product useless in many real-world office environments.

This isn't supposed to be a general "let's all bag on D-Link" thread, but hey, if the shoe fits...

Re:Their reputation preceeds them

Let me repeat that: A D-Link card was sending out enough junk that it prevented a different computer from booting.

Hmmm . . . so that different computer had network connectivity before it was booted? Or were you attempting to boot across a network?

Was i

Re:Their reputation preceeds them

Maybe it was a network bootable computer with a PXE card.

Re:Their reputation preceeds them

Windows sends a 1-byte ping to a server within the microsoft.com domain, ostensibly to confirm network connectivity

Years ago, Bill Gates said 'If only I had $1 for every time a windows server rebooted..'

And the rest is history.

Observed behavior.

I first saw it under Win98 back in 2000; no reason to believe anything's changed.

Amen - wireless crap

We used a Belkin wireless router for quite some time with a cable modem - no problems. In comes Verizon with FIOS and they give us a free D-Link wireless router. My wife was constantly complaining about dropped connection. I tried relocating the D-Link all

Re:Amen - wireless crap

The Verizon installer specifically mentioned that FIOS TV will require the use of the D-Link router. A statement supported here [aubreyturner.org] by an aware user.

If you plan to get FIOS TV in the future, don't throw that D-Link away.

Having used preview it appears the lin

Re:What about Microsoft?

What do they say that? [nist.gov] - Sound like they go out of their way (advice about firewalls, etc) to let taxpayers "Set Your Computer Clock Via the Internet".

Re:resolved without legal action

> What D-Link did was unprofessional and irresponsible...

It was also stupid. Why would anyone buy a router from people who can't even get something this simple right?