Re: Open Letter to D-Link about their NTP vandalism
SS> Date: Thu, 13 Apr 2006 22:22:11 -0700
SS> From: Steve Sobol

Apologies in advance for the OT post...

SS> > Well I just saw your .sig... Can't give any credit to your statement.
SS>
SS> Your choice. I don't see any sense in arguing the point further, as you
SS> probably won't change your mind.

The irony is that ad hominem attacks and signature debates truly _do_ make
the list "noise and off-topic gripes". (Not directed at anyone in
particular. Steve's post seemed like a logical place to respond.)

Let's at least keep the flames relevant. ;-)

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
[EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
Sorry for the noise again.

Yes, you can edit /etc/hosts
No, the box does not care. Neither voipd nor multid care for it

  Apr 13 05:25:17 voipd[402]: Request: SUBSCRIBE sip:[EMAIL PROTECTED]
  Apr 13 05:25:17 voipd[402]: dns: _sip._udp.sipgate.de: query
  Apr 13 05:25:17 voipd[402]: dns: _sip._udp.sipgate.de: 0 0 5060 sipgate.de ttl=584 from 192.168.180.1.
  Apr 13 05:25:17 voipd[402]: dns: sipgate.de: query
  Apr 13 05:25:17 voipd[402]: dns: sipgate.de: 217.10.79.9 ttl=4786 from 192.168.180.1.
  Apr 13 05:25:18 voipd[402]: Status: 200 OK
  Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: query
  Apr 13 02:27:25 multid[360]: dns: 0.europe.pool.ntp.org: 85.214.32.50 ttl=1619 from 192.168.180.1.
  Apr 13 02:27:25 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (85.214.32.50)
  Apr 13 02:27:25 multid[360]: The NTP time is 13.4.2006 00:27:24.133000 UTC
  Apr 13 02:27:25 multid[360]: system time is 1.02 seconds ahead
  Apr 13 02:27:25 multid[360]: adjusting time backward 1.02 seconds

Regards,
Peter and Karin

Peter Dambier wrote:
> Just for curiosity, you can change it.
>
> /etc/hosts is a link
>
>   /etc/hosts -> ../var/tmp/hosts
>
> you can edit but you cannot permanently save it.
>
>   cat /etc/hosts
>   127.0.0.1 localhost
>   192.168.178.1 fritz.box
>   217.10.79.8 0.europe.pool.ntp.org ntp.sipgate.de
>
> Now I don't bother pool.ntp.org but ask my sip provider.
>
> That trick might work for the D-Link too. Of course 0.europe.pool.ntp.org
> is alright but that ntp server D-Link has is not.
>
> You have to insert the hostname plus ip into /var/tmp/hosts or the box
> will ask DNS.
>
> Cheers
> Peter and Karin
>
> Peter Dambier wrote:
>> From my Fritzbox log:
>>
>>   Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
>>   Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1.
>>   Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63)
>>   Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC
>>   Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead
>>   Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds
>>
>> Seems to do that every 8 hours. I could not find a config file. Compiled
>> into /sbin/multid ?
>>
>> I guess similar devices like the cursed D-Link are much the same. Only
>> that multid daemon seems to be AVM specific.
>>
>> If that NTP thing is from the non disclosed and unGPLed TI source then
>> best forget about it. Replace it by some well-known software that is
>> known not to be nasty.
>>
>> Another router that is not compatible and not especially a good router -
>> has an html interface where you can put in your favourite NTP server. I
>> still wonder why I cannot configure the NTP server but at least it is
>> not as nasty as the D-Link.
>>
>> Peter
>>
>> Stephane Bortzmeyer wrote:
>>> On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER
>>> [EMAIL PROTECTED] wrote a message of 27 lines which said:
>>>> AS112-style NTP service, anyone? That would be cooperative and
>>>> possibly even useful.
>>>
>>> It already exists (Security warning: do not use it on strategic
>>> machine, there is no warranty that these servers are trustful):
>>>
>>> http://www.pool.ntp.org/
>>>
>>> Active server count on 2006-04-12
>>>   Africa              1
>>>   Asia               24
>>>   Europe            368
>>>   North America     223
>>>   Oceania            26
>>>   South America       7
>>>   Global            582
>>>   All Pool Servers  653
>>>
>>> The pool.ntp.org project is a big virtual cluster of timeservers
>>> striving to provide reliable easy to use NTP service for millions of
>>> clients without putting a strain on the big popular timeservers.
>>>
>>> Adrian von Bidder created this project after a discussion about
>>> resource consumption on the big timeservers, with the idea that for
>>> everyday use a DNS round robin would be good enough, and would allow
>>> spreading the load over many servers.
>>>
>>> The disadvantage is, of course, that you may occasionally get a bad
>>> server and that you usually won't get the server closest to you. The
>>> workarounds for this are respectively to make sure you configure at
>>> least three servers in your ntp.conf and to use the country zones (for
>>> example 0.us.pool.ntp.org) rather than the global zone (for example
>>> 0.pool.ntp.org). Read more on using the pool.
>>>
>>> The pool is now enormously popular, being used by at least hundreds of
>>> thousands and maybe even millions of systems around the world. The pool
>>> project is now being maintained by Ask Bjørn Hansen and a great group
>>> of contributors on the mailing lists.

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Open Letter to D-Link about their NTP vandalism
What most people participating in this subthread seem to be missing is that
if one did decide to send (or accidentally sent) false time to these D-Link
devices, NOBODY WOULD EVER KNOW OR CARE. Doing so does not solve any
problems, so whatever the legal risk of acting is, no matter how small,
it's not worth it.

But there is a larger issue of NTP abuse here that needs a coordinated
technical and legal approach. I suggest that if you are going to operate a
public NTP server you should also run a web server at the same IP address
and publish your terms of service. If you have given public advance notice
of what constitutes normal use, and what constitutes abuse, then you are on
stronger legal ground. And if you state that those abusing the service will
be disconnected by sending a KoD packet, and that users who persist after
the KoD packet will receive a jittered time signal (or delayed or whatever),
then you are on even stronger legal ground.

Of course, you should always consult your lawyer on the legalities, but it
helps your lawyer if you have a clear and well-thought out approach to
present to him.

This thread has had a lot of good info about NTP best practices so I
consider it worthwhile, even if most of the responses were tangential to
the original issue.

--Michael Dillon
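The client side of the SNTP exchange shown in the Fritzbox logs earlier in the thread (request, reply, "system time is 1.02 seconds ahead", adjust) and the kiss-o'-death (KoD) reply Michael mentions, as an added Python example; this is not code from any poster, from AVM's multid or from D-Link. The timestamps are constructed so that the client clock runs 1.02 s ahead of the server; the packet layout and the offset formula follow RFC 4330, and the refid codes DENY/RSTR/RATE are the KoD codes that RFC defines.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 to 1970-01-01
KOD_CODES = {b"DENY", b"RSTR", b"RATE"}  # RFC 4330 kiss-o'-death codes (refid)


def unix_to_ntp(t):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int(round((t - int(t)) * 2**32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def ntp_to_unix(raw):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2**32


def build_reply(t1, t2, t3, stratum=2, refid=b"GPS\0", kod=None):
    """Constructed mode-4 (server) reply. kod=b'RATE' turns it into a
    stratum-0 kiss-o'-death packet: the polite way for a server to tell an
    abusive client to stop, as opposed to feeding it wrong time."""
    if kod is not None:
        stratum, refid = 0, kod
    li_vn_mode = (0 << 6) | (4 << 3) | 4          # LI=0, version 4, mode 4
    return struct.pack("!BBbbII4sQQQQ", li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       unix_to_ntp(t3),           # reference timestamp
                       unix_to_ntp(t1),           # originate = client's transmit
                       unix_to_ntp(t2),           # receive timestamp
                       unix_to_ntp(t3))           # transmit timestamp


def parse_reply(pkt):
    """Parse the 48-byte fixed header of an SNTP packet into a dict."""
    if len(pkt) < 48:
        raise ValueError("SNTP packet shorter than 48 bytes")
    (lvm, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, orig, recv, xmit) = struct.unpack("!BBbbII4sQQQQ", pkt[:48])
    return {"li": lvm >> 6, "vn": (lvm >> 3) & 7, "mode": lvm & 7,
            "stratum": stratum, "refid": refid, "orig_raw": orig,
            "t1": ntp_to_unix(orig), "t2": ntp_to_unix(recv), "t3": ntp_to_unix(xmit)}


def evaluate_reply(pkt, t1_sent, t4):
    """Client-side decision for one reply. t1_sent is the Unix time the client
    put in its request, t4 the client time at receipt. 'action' is 'stop'
    (KoD: never poll this server again), 'ignore' or 'adjust'."""
    r = parse_reply(pkt)
    if r["mode"] != 4:
        return {"action": "ignore", "reason": "not a server reply"}
    # The originate timestamp must echo what we sent; anything else is a
    # stray or spoofed packet and must not touch the clock.
    if r["orig_raw"] != unix_to_ntp(t1_sent):
        return {"action": "ignore", "reason": "originate timestamp mismatch"}
    if r["stratum"] == 0:
        code = r["refid"].decode("ascii", "replace")
        return {"action": "stop", "kod": code, "known": r["refid"] in KOD_CODES}
    if r["li"] == 3:
        return {"action": "ignore", "reason": "server clock unsynchronised"}
    t1, t2, t3 = r["t1"], r["t2"], r["t3"]
    offset = ((t2 - t1) + (t3 - t4)) / 2          # RFC 4330 clock offset
    delay = (t4 - t1) - (t3 - t2)                 # round-trip delay
    return {"action": "adjust", "offset": round(offset, 6), "delay": round(delay, 6)}


# Constructed exchange: client clock 1.02 s ahead of the server, 40 ms each
# way on the wire, so the result matches the multid log line above.
T1_CLIENT_SEND = 1000.00
T2_SERVER_RECV = 999.02
T3_SERVER_SEND = 999.03
T4_CLIENT_RECV = 1000.09


def demo_offset():
    pkt = build_reply(T1_CLIENT_SEND, T2_SERVER_RECV, T3_SERVER_SEND)
    return evaluate_reply(pkt, T1_CLIENT_SEND, T4_CLIENT_RECV)


def demo_kod():
    pkt = build_reply(T1_CLIENT_SEND, T2_SERVER_RECV, T3_SERVER_SEND, kod=b"RATE")
    return evaluate_reply(pkt, T1_CLIENT_SEND, T4_CLIENT_RECV)


def demo_spoofed():
    # Reply whose originate timestamp does not match our request.
    pkt = build_reply(T1_CLIENT_SEND + 5, T2_SERVER_RECV, T3_SERVER_SEND)
    return evaluate_reply(pkt, T1_CLIENT_SEND, T4_CLIENT_RECV)


if __name__ == "__main__":
    print(demo_offset())    # action adjust, offset -1.02 (clock ahead)
    print(demo_kod())       # action stop, kod RATE
    print(demo_spoofed())   # action ignore
```

A firmware client that honoured the stratum-0 reply would stop polling instead of retrying every few seconds, which is exactly what an abused server operator wants from it.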
Re: Open Letter to D-Link about their NTP vandalism
Steve Sobol wrote:
> Alain Hebert wrote:
>> With the way you named your address book (North American Noise and
>> Off-topic Gripes). We now know where to fill your future comments. (In
>> the killfile that is)
>
> You don't seem to want to act very responsibly, based on your comments
> here, so it doesn't surprise me that you don't want to see Richard taking
> you to task for not acting responsibly. What bothers me is that you seem
> to think you are in the right and don't want to listen to suggestions to
> the contrary.

It's a cultural issue...

It's not right versus wrong but amelioration versus status-quo...

It's DLink creating hardship to DIX and answering make me to DIX request...

> The intended audience of the NANOG mailing list consists primarily of
> professionals who are paid to operate computer networks on behalf of
> large numbers of other people. Said professionals have a responsibility
> to operate said networks in a professional manner.

R didn't show that naming his addressbook that way...

> You're wrong. Richard is right.

... long punt deleted ...

>> Well I just saw your .sig... Can't give any credit to your statement.
>
> you're allowed to express your opinion here, just as I'm allowed to tell
> you your opinion is silly

Duh.

--
Alain Hebert                                [EMAIL PROTECTED]
PubNIX Inc.
P.O. Box 175   Beaconsfield, Quebec   H9W 5T7
tel 514-990-5911   http://www.pubnix.net   fax 514-990-9443
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006 18:56:44 -0700 (PDT) Steve Thomas [EMAIL PROTECTED] wrote:
>> How does one properly report delivery failure to a guerrilla spammer?
>
> If you accept the message, you can presumably deliver it. In this day and
> age, anyone accepting mail for a domain without first checking the RCPT
> TO - even (especially?) on a backup MX - should have their head examined.
> In the event that the RCPT TO is valid but the message truly can't be
> delivered for some other reason,

In this day and age it is not always possible to check for valid addresses
at a border SMTP gateway. Sites have multiple legacy systems which are not
very interoperable. Some e-mail gateways are incapable of scanning messages
in-line. How does that make the gateway junk or the system administrator an
idiot or incompetent?

> you should bounce the message and fix the problem.

This is advocating collateral damage because nearly all spam and viruses
have return paths which falsely implicate innocent victims (i.e.,
blowback). Users don't want it delivered or dropped in their junk folder;
most wouldn't know what to do with a junk folder.

E-mail systems require investments in the 100s of thousands of dollars, not
some Windows PC running Linux. The largest part of the cost equation is
personnel and training, not hardware. Large organizations like ours shy
away from open source software in many situations NOT because it's open
source. We opt for commercial solutions so employees, like me, can take
vacation and know that other employees can handle problems and let me enjoy
my vacation without carrying a pager (unless you think it's cool to be
tethered to your job 24/7 with a Blackberry).

Dogmatic adherence to a literal reading of every RFC is impractical. When
my organization decided to drop BrightMail positively-identified spam, we
accepted a FP rate of less than one in a million as a good thing, fully
aware that this violated RFC 821.

I used to love sendmail but recommended our organization drop it.
Sendmail's queue processing algorithm was (is?) hopelessly broken and
delayed e-mail for hours or just discarded it after five days because
sendmail couldn't properly prioritize the queue. With our IronPort C60
gateway, almost all e-mail is processed sub-second, users don't see
positively-identified spam, and viruses and phishing attempts are a thing
of the past. Should I no longer be able to perform my duties, for whatever
reason, our e-mail system will continue running and someone else can take
on my responsibilities with a tiny learning curve. No worries about whether
SpamAssassin got its update. No worries about whether ClamAV will be
running next month. No worries about system outages during complicated
open-source software upgrades, even for a few minutes. Unless you feel
those are OK.

Ask yourself this question: can your organization survive a loss of its
entire technical staff? Would new employees be able to manage your systems
or would chaos result?

matthew black
california state university, long beach
Re: Open Letter to D-Link about their NTP vandalism
On Wed, 12 Apr 2006, Miquel van Smoorenburg wrote:
> In article [EMAIL PROTECTED], Matt Ghali [EMAIL PROTECTED] wrote:
[ someone else wrote, but Miquel failed to attribute: ]
>>> .or do you think that TCP/IP connection should be held open until the
>>> message can be scanned for spam and viruses just so we can give a 550
>>> MESSAGE REJECTED error instead of silently dropping it?
>>
>> absolutely. is that actually a problem, today, in 2006?
>
>   RCPT TO: [EMAIL PROTECTED]
>   RCPT TO: [EMAIL PROTECTED]
>   DATA
>   .
>
> .. after content scanning, user1 wants the mail, user2 doesn't. Now what ?

Gosh gomer, is 2821 not available in Books On Tape format?

matto

[EMAIL PROTECTED] darwin
  Moral indignation is a technique to endow the idiot with dignity.
                                                  - Marshall McLuhan
Re: Open Letter to D-Link about their NTP vandalism
From the BBC Daily news, Technology section:

* Net clocks suffering data deluge *

Home hardware maker D-Link has been accused of denting the net's ability
to tell the time accurately.

Full story: http://news.bbc.co.uk/go/em/-/2/hi/technology/4906138.stm
Re: Open Letter to D-Link about their NTP vandalism
Matt Ghali [EMAIL PROTECTED] wrote:
> On Wed, 12 Apr 2006, Miquel van Smoorenburg wrote:
> [...]
>> .. after content scanning, user1 wants the mail, user2 doesn't. Now what ?
>
> Gosh gomer, is 2821 not available in Books On Tape format?

Aww, but reading is *hard*!

The simple answer is that RFCs discuss mechanism, and the BOFH decides the
policy. As BOFH, I apply the union of the spamfiltering rules selected by
the recipients. 2xx/4xx/5xx is given in response to the final period, so
false positives are reported to the sender who will presumably resend to
the failed recipients if it's anything important.

The reasoning for my policy is that by having multiple recipients, it's
already starting to look a bit pink, and the user that's explicitly asked
to not receive spam cares more than those who have expressed no opinion.
Nobody has yet asked to be opted *out* of the spam filtering.

--
When you have a thermic lance, everything looks like hours of fun.
  - Christian Wagner [EMAIL PROTECTED] in the Monastery
Re: Open Letter to D-Link about their NTP vandalism
[ In response to Richard A Steenbergen ]
Alain Hebert said:
> Well,
>
> With the way you named your address book (North American Noise and
> Off-topic Gripes). We now know where to fill your future comments. (In
> the killfile that is)

That Cc: came from my message, and RAS didn't change it back to something
inoffensive when he replied to me. While one can certainly find reasons to
killfile RAS, this is not one of them.

Grow a sense of humor, already...

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723            people.  Smart people surround themselves with
K5SSS                 smart people who disagree with them."  --Aaron Sorkin
RE: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
>>> I haven't seen any succinct justification for providing a 550 message
>>> rejection for positively-identified spam versus silently dropping the
>>> message. Lots of how-to instructions but no whys.
>>>
>>> matthew black
>>> california state university, long beach
>>
>> Because your father may forward a copy of a Nigeria scam from a new
>> email address he just got with his new ISP and ask if you if he should
>> send them money.
>>
>> Because a machine you own may be responsible for the spam, and someone
>> may be forwarding you a copy of it along with the tracking information
>> to demonstrate that you were responsible for it.
>>
>> Because the spam may include a trademark you own and you may need to
>> notify your legal department about it. The spam may have been helpfully
>> forwarded to you by someone familiar with your trademarks.
>>
>> Because if you say you are going to deliver a message, that's what you
>> should do. Because being spam is not the same as being unimportant.
>>
>> All of these things really do happen.
>
> Agreed, but we're willing to live with an error rate of less than one in
> a million. This isn't a space shuttle. I don't think the USPS can claim
> 99.% delivery accuracy. Nonetheless, to allay worries, we are considering
> spam quarantines to allow recipients an opportunity to review spam
> messages themselves, much like Yahoo! Mail.

It is one thing to have an error rate of one in a million, it is quite
another thing to choose to have an error rate of one in a million instead
of one in a billion for no rational reason at all.

If the measure is what fraction of positively-identified spam the recipient
would probably rather receive than not receive, it's probably more like one
in 5,000. If the measure is what fraction of positively-identified spam the
recipient would rather the sender get a reject than silently discard, it's
probably more like one in 20,000.

The argument on the other side is if the positively-identified spam comes
from a business-critical mailing list that unsubscribes people if they have
too many bounces. This probably isn't an issue for viruses and malware
because these rarely get past the filters these lists already have. It is a
big issue for spam and one of the few for which there is no good solution I
know of. (Other than having the recipient whitelist the list at the MTA,
which is hard to do.)

DS
Re: Open Letter to D-Link about their NTP vandalism
Alain Hebert wrote:
> It's a cultural issue...

I acknowledge that there are cultural differences, but... y'know, two
wrongs, etc.

> It's not right versus wrong but amelioration versus status-quo...

It is *both.* DLink is being obnoxious. That doesn't mean being obnoxious
back is the right answer.

> Well I just saw your .sig... Can't give any credit to your statement.

Your choice. I don't see any sense in arguing the point further, as you
probably won't change your mind.

--
Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows
Apple Valley, CA
Resident of Southern California - the home of beautiful people and
butt-ugly traffic jams
Re: Open Letter to D-Link about their NTP vandalism
Hmm, if some idiot wrote my NTP IP into his hardware, I just stop to
monitor my NTP and make sure that it have few hours of error in time. No
one require me to CLAIM that I set up wrong time, BUT no one can require me
to maintain correct time just because some idiots use my server.

The same in this case - instead of long claiming, complaining and so on
they could just set up wrong time (and never claim that they did it - just
_oo, we have a wrong time.. Thanks, but we do not maintain this NTP server
and we cannot change anything on this server so we cannot correct it_ - and
problem could be solved forever. And even could maintain different NTP
translation for their customers. Just again, no one can prohibit it, even
in USA. Just _DO NOT CLAIM_ that it was intentional.

Here is a difference - _coffee is hot, someone's server is broken, if
'Ivan||Paul||Lisa' have a CD he/she always can make a copy, fire can burn,
dog can bite_ - everyone should know it; if he do not know, it's his
personal problems, not someone's liability. Kids MUST learn such things
when they are young. It is COMMON SENSE.

----- Original Message -----
From: Michael Froomkin - U.Miami School of Law [EMAIL PROTECTED]
To: Alexei Roudnev [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; John Dupuy [EMAIL PROTECTED]
Sent: Tuesday, April 11, 2006 11:29 AM
Subject: Re: Open Letter to D-Link about their NTP vandalism

> <law professor>
> I'd really suggest that readers confirm this claim (that intentional
> sending of false data with a malicious purpose is perfectly acceptable)
> with a local lawyer before trying it at home or at work.
> </law professor>
>
> I also bet that the claim of widespread acceptability would fail badly if
> we weigh countries by population. Or even connectivity. Not to mention
> the fact that your packets might stray across borders sometimes.
>
> On Tue, 11 Apr 2006, Alexei Roudnev wrote:
>> It's legal to have broken NTP server in ANY country, and it's legal in
>> most (by number) countries to send counter-attack (except USA as usual,
>> where lawyers want to get their money and so do not allow people to
>> self-defence).
>
> --
> http://www.icannwatch.org
> Personal Blog: http://www.discourse.net
> A. Michael Froomkin | Professor of Law | [EMAIL PROTECTED]
> U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
> +1 (305) 284-4285 | +1 (305) 284-6506 (fax) | http://www.law.tm
>                        --It's warm here.--
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER [EMAIL PROTECTED]
wrote a message of 27 lines which said:
> AS112-style NTP service, anyone? That would be cooperative and possibly
> even useful.

It already exists (Security warning: do not use it on strategic machine,
there is no warranty that these servers are trustful):

http://www.pool.ntp.org/

Active server count on 2006-04-12
  Africa              1
  Asia               24
  Europe            368
  North America     223
  Oceania            26
  South America       7
  Global            582
  All Pool Servers  653

The pool.ntp.org project is a big virtual cluster of timeservers striving
to provide reliable easy to use NTP service for millions of clients without
putting a strain on the big popular timeservers.

Adrian von Bidder created this project after a discussion about resource
consumption on the big timeservers, with the idea that for everyday use a
DNS round robin would be good enough, and would allow spreading the load
over many servers.

The disadvantage is, of course, that you may occasionally get a bad server
and that you usually won't get the server closest to you. The workarounds
for this are respectively to make sure you configure at least three servers
in your ntp.conf and to use the country zones (for example
0.us.pool.ntp.org) rather than the global zone (for example
0.pool.ntp.org). Read more on using the pool.

The pool is now enormously popular, being used by at least hundreds of
thousands and maybe even millions of systems around the world. The pool
project is now being maintained by Ask Bjørn Hansen and a great group of
contributors on the mailing lists.
Re: Open Letter to D-Link about their NTP vandalism
On 12/04/06, Alexei Roudnev [EMAIL PROTECTED] wrote:
> Hmm, if some idiot wrote my NTP IP into his hardware, I just stop to
> monitor my NTP and make sure that it have few hours of error in time. No
> one require me to CLAIM that I set up wrong time, BUT no one can require
> me to maintain correct time just because some idiots use my server.

That works well as long as you don't have any legitimate users of your NTP
service.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied, I couldn't help it, it's my nature =-
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
On Tue, 11 Apr 2006, Edward B. DREGER wrote:
> AS112-style NTP service, anyone? That would be cooperative and possibly
> even useful.

pool.ntp.org

Tony.
--
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
BERWICK ON TWEED TO WHITBY: WEST OR SOUTHWEST 5 OR 6, PERHAPS INCREASING 7
LATER IN NORTH. RAIN AT FIRST. MAINLY GOOD. SLIGHT OR MODERATE.
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006, Suresh Ramasubramanian wrote:
> Exim with the spamassassin patches (sa-exim) does this, for example.

SpamAssassin support is built in to Exim since version 4.50.

Tony.
--
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
BERWICK ON TWEED TO WHITBY: WEST OR SOUTHWEST 5 OR 6, PERHAPS INCREASING 7
LATER IN NORTH. RAIN AT FIRST. MAINLY GOOD. SLIGHT OR MODERATE.
Re: Open Letter to D-Link about their NTP vandalism
In article [EMAIL PROTECTED], Matt Ghali [EMAIL PROTECTED] wrote:
>> .or do you think that TCP/IP connection should be held open until the
>> message can be scanned for spam and viruses just so we can give a 550
>> MESSAGE REJECTED error instead of silently dropping it?
>
> absolutely. is that actually a problem, today, in 2006?

  RCPT TO: [EMAIL PROTECTED]
  RCPT TO: [EMAIL PROTECTED]
  DATA
  .

.. after content scanning, user1 wants the mail, user2 doesn't. Now what ?

Mike.
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
From my Fritzbox log:

  Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query
  Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1.
  Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63)
  Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC
  Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead
  Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds

Seems to do that every 8 hours. I could not find a config file. Compiled
into /sbin/multid ?

I guess similar devices like the cursed D-Link are much the same. Only that
multid daemon seems to be AVM specific.

If that NTP thing is from the non disclosed and unGPLed TI source then best
forget about it. Replace it by some well-known software that is known not
to be nasty.

Another router that is not compatible and not especially a good router -
has an html interface where you can put in your favourite NTP server. I
still wonder why I cannot configure the NTP server but at least it is not
as nasty as the D-Link.

Peter

Stephane Bortzmeyer wrote:
> On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER [EMAIL PROTECTED]
> wrote a message of 27 lines which said:
>> AS112-style NTP service, anyone? That would be cooperative and possibly
>> even useful.
>
> It already exists (Security warning: do not use it on strategic machine,
> there is no warranty that these servers are trustful):
>
> http://www.pool.ntp.org/
>
> Active server count on 2006-04-12
>   Africa              1
>   Asia               24
>   Europe            368
>   North America     223
>   Oceania            26
>   South America       7
>   Global            582
>   All Pool Servers  653
>
> The pool.ntp.org project is a big virtual cluster of timeservers striving
> to provide reliable easy to use NTP service for millions of clients
> without putting a strain on the big popular timeservers.
>
> Adrian von Bidder created this project after a discussion about resource
> consumption on the big timeservers, with the idea that for everyday use a
> DNS round robin would be good enough, and would allow spreading the load
> over many servers.
>
> The disadvantage is, of course, that you may occasionally get a bad
> server and that you usually won't get the server closest to you. The
> workarounds for this are respectively to make sure you configure at least
> three servers in your ntp.conf and to use the country zones (for example
> 0.us.pool.ntp.org) rather than the global zone (for example
> 0.pool.ntp.org). Read more on using the pool.
>
> The pool is now enormously popular, being used by at least hundreds of
> thousands and maybe even millions of systems around the world. The pool
> project is now being maintained by Ask Bjørn Hansen and a great group of
> contributors on the mailing lists.

--
Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
Re: Open Letter to D-Link about their NTP vandalism
Miquel van Smoorenburg wrote:
> In article [EMAIL PROTECTED], Matt Ghali [EMAIL PROTECTED] wrote:
>>> .or do you think that TCP/IP connection should be held open until the
>>> message can be scanned for spam and viruses just so we can give a 550
>>> MESSAGE REJECTED error instead of silently dropping it?
>>
>> absolutely. is that actually a problem, today, in 2006?
>
>   RCPT TO: [EMAIL PROTECTED]
>   RCPT TO: [EMAIL PROTECTED]
>   DATA
>   .
>
> .. after content scanning, user1 wants the mail, user2 doesn't. Now what ?
>
> Mike.

Three choices

  Screw user1
  Screw user2
  Screw sender by dropping user2 from recipient list

It's only on the third choice that you have to decide whether or not to
notify the sender with a bounce.

A patched sendmail can prevent a milter from performing a reject of an
email as requested by a milter, if some of the recipients do not want the
protection offered.
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Suresh Ramasubramanian wrote:
> On 4/11/06, Matthew Black [EMAIL PROTECTED] wrote:
>> Are you suggesting that we configure our e-mail servers to notify people
>> upon automatic deletion of spam? Frequently, spam cannot be properly
>> identified until closure of the SMTP conversation and that final 200
>> MESSAGE ACCEPTED...or do you think that TCP/IP connection should be held
>> open until the message can be scanned for spam and viruses just so we
>> can give a 550 MESSAGE REJECTED error instead of silently dropping it?
>
> You can reject right after DATA, at the CRLF.CRLF stage, before QUIT
>
> That's still an in line smtp reject rather than an accept + bounce DSN.
>
> Exim with the spamassassin patches (sa-exim) does this, for example.
>
> -srs

Of course Postfix can be setup (using spampd) with spamassassin to do
exactly the same. I believe Sendmail+MimeDefang+Spamassassin will also
reject inline if set to do so.

Regards,

Mat
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Matthew Sullivan wrote:
> Suresh Ramasubramanian wrote:
>> On 4/11/06, Matthew Black [EMAIL PROTECTED] wrote:
>>> Are you suggesting that we configure our e-mail servers to notify
>>> people upon automatic deletion of spam? Frequently, spam cannot be
>>> properly identified until closure of the SMTP conversation and that
>>> final 200 MESSAGE ACCEPTED...or do you think that TCP/IP connection
>>> should be held open until the message can be scanned for spam and
>>> viruses just so we can give a 550 MESSAGE REJECTED error instead of
>>> silently dropping it?
>>
>> You can reject right after DATA, at the CRLF.CRLF stage, before QUIT
>>
>> That's still an in line smtp reject rather than an accept + bounce DSN.
>>
>> Exim with the spamassassin patches (sa-exim) does this, for example.
>>
>> -srs
>
> Of course Postfix can be setup (using spampd) with spamassassin to do
> exactly the same. I believe Sendmail+MimeDefang+Spamassassin will also
> reject inline if set to do so.
>
> Regards,
>
> Mat

As will sendmail+spamass-milter+spamassassin

In fact there are quite a few milters that can be used in between sendmail
and spamassassin

Joe
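The in-line reject at the CRLF.CRLF stage that Suresh, Mat and Joe describe, the RCPT TO check Steve Thomas asked for, and Miquel's "user1 wants the mail, user2 doesn't, now what?" problem, worked through as an added Python example (not code from any of the posters or from Exim, Postfix, sendmail or any milter). It assumes a constructed two-user directory and a keyword stand-in for the content scanner; the three policies are Tony Finch's union rule and the "three choices" from earlier in the thread.

```python
import re

# Constructed directory: who exists here and whether they asked for spam to be
# rejected. user1 has expressed no opinion, user2 opted in to filtering.
DIRECTORY = {
    "user1@example.com": {"filter_spam": False},
    "user2@example.com": {"filter_spam": True},
}


def classify(body):
    """Stand-in content scanner (constructed); a real gateway would hand the
    body to SpamAssassin or similar at this point and get a verdict back."""
    return re.search(r"lottery|419|unclaimed prize", body, re.I) is not None


def end_of_data_decision(recipients, directory, is_spam, policy):
    """One reply to the final CRLF.CRLF covers every recipient; decide it.

    Returns (smtp_reply, deliver_to, dropped).
      'union'   - reject for all if any recipient opted in (union of rules)
      'deliver' - accept and deliver to all, ignoring the opt-in
      'partial' - accept, deliver only to those who did not opt in, and
                  silently drop the rest (the sender is never told)
    """
    filtering = [r for r in recipients if directory[r]["filter_spam"]]
    if not is_spam or not filtering:
        return "250 2.0.0 Ok: queued", list(recipients), []
    if policy == "union":
        return "550 5.7.1 Message rejected as spam", [], list(recipients)
    if policy == "deliver":
        return "250 2.0.0 Ok: queued", list(recipients), []
    if policy == "partial":
        keep = [r for r in recipients if r not in filtering]
        return "250 2.0.0 Ok: queued", keep, filtering
    raise ValueError("unknown policy %r" % policy)


class SmtpServer:
    """Minimal receiving-side state machine: unknown users are refused at
    RCPT TO (no bounce ever needed), and the spam verdict is applied as an
    in-line reply once the whole message has been read and scanned."""

    def __init__(self, directory, policy):
        self.directory, self.policy = directory, policy
        self.rcpts, self.body, self.in_data = [], [], False
        self.delivered, self.dropped = [], []

    def handle(self, line):
        """Reply for one client line, or None while collecting DATA."""
        if self.in_data:
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            reply, keep, drop = end_of_data_decision(
                self.rcpts, self.directory, classify("\n".join(self.body)), self.policy)
            self.delivered, self.dropped = keep, drop
            self.rcpts, self.body = [], []
            return reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip("<> ").lower()
            if addr not in self.directory:
                return "550 5.1.1 No such user"      # refused before DATA
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


# Constructed client side: one unknown recipient, both real users, and a body
# the stand-in scanner flags. The return path is forged, as spam usually is.
CLIENT_LINES = [
    "EHLO relay.example.net",
    "MAIL FROM:<forged-sender@victim.example>",
    "RCPT TO:<user1@example.com>",
    "RCPT TO:<nobody@example.com>",
    "RCPT TO:<user2@example.com>",
    "DATA",
    "Subject: unclaimed prize",
    "",
    "You have won the lottery, reply with your bank details.",
    ".",
    "QUIT",
]


def run_session(policy, lines=CLIENT_LINES):
    """Drive the server with the client lines; return (replies, delivered, dropped)."""
    srv = SmtpServer(DIRECTORY, policy)
    replies = [r for r in map(srv.handle, lines) if r is not None]
    return replies, srv.delivered, srv.dropped
```

Under 'union' the forged sender gets the 550 in-line and no bounce is generated, which is the point of deciding before the final 250 rather than accepting and then discarding.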
Re: Open Letter to D-Link about their NTP vandalism
This reminds me of selective availability (I think that's the correct term)
in the GPS stream coming from US DOD orbital platforms. Sure, the data is
jittered. Who sues because only authorized clients (in that case, US
military forces) get unjittered time and position but folks without
authorization get severely compromised time and position data?

What is to prevent a network from providing unjittered NTP to its
downstream clients/customers BUT jittered NTP to outsiders? How is this
different from providing up-to-the-millisecond stock exchange data to
paying customers but delaying the same data provided to the general public
by some time period?

Are we constrained by fear of litigation from taking appropriate pro-active
measures to protect services from abuse and from discriminating between
legitimate and questionable requests for data from our own servers? Is it
time to bail out of the Internet business?

David Leonard
ShaysNet

On 11 Apr 2006, Paul Vixie wrote:
>>>> I've said in other forums the only solution for this sort of software
>>>> is to return the wrong time (by several months). The owner might
>>>> actually notice then and fix the problem.
>>>
>>> that creates new liability, and isn't realistic in today's litigious
>>> world.
>>
>> (Surprise to read that from PV.)
>
> Why? It may be the voice of experience.
>
> ...
>
>> Because it's DIX resources... They can do whatever they want with it.
>
> actually, not. who owns the resources isn't as important, to a judge, as
> whether someone is damaged and whether that damage resulted from an
> intentional act. the voice of experience, if i have one, says that if DIX
> wants to cease providing this service they can do so safely, but if they
> decide to deliberately return the wrong time, and if that wrong time
> costs or loses somebody else some money, then a judge would take it
> seriously.
>
> again, denying service (assuming there's no explicit contract to provide
> it) is unquestionably safe. i was responding to the proposal that the
> wrong time be deliberately returned. you'd be betting that nobody would
> notice or that it would cost nobody money -- which isn't a safe bet,
> since someone can always find ways to allege that your intentional
> actions cost them money. (as opposed to your deliberate inaction, as in
> the case of denying service.)
>
> note, IANAL. but i've been sued by experts, and even stupid lawsuits cost
> a lot to answer/defend, and not all stupid lawsuits are provably
> frivolous.
>
> --
> Paul Vixie
Re: Open Letter to D-Link about their NTP vandalism
On Wed, 12 Apr 2006, M. David Leonard wrote: This reminds me of selective availability (I think that's the correct term) in the GPS stream coming from US DOD orbital platforms. Sure, the data is jittered. Hasn't been for several years. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ BERWICK ON TWEED TO WHITBY: WEST OR SOUTHWEST 5 OR 6, PERHAPS INCREASING 7 LATER IN NORTH. RAIN AT FIRST. MAINLY GOOD. SLIGHT OR MODERATE.
Re: Open Letter to D-Link about their NTP vandalism
M. David Leonard [EMAIL PROTECTED] writes: What is to prevent a network from providing unjittered NTP to its downstream clients/customers BUT jittered NTP to outsiders? How is this different from providing up-to-the-millisecond stock exchange data to paying customers but delaying the same data provided to the general public by some time period? All quotes and all NTP ticks are delayed 15 minutes is an amusing concept. Are we constrained by fear of litigation from taking appropriate pro-active measures to protect services from abuse and from discriminating between legitimate and questionable requests for data from our own servers? Is it time to bail out of the Internet business? Listen to Paul; he's a past master at defending against gratuitous/stupid lawsuits. You're under no obligation to provide the service, but actively providing bad info could be construed as a tort, and defending/filing lawsuits, like horse racing (owning the horses, not going to the races), is a sport for the super-well-heeled. ---Rob
Re: Open Letter to D-Link about their NTP vandalism
FYI: a couple of updates at http://people.freebsd.org/~phk/dlink/ I've submitted a suggestion for a story to Wired... We'll see. -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
At 10:15 AM -0400 4/12/06, Alain Hebert wrote: FYI: a couple of updates at http://people.freebsd.org/~phk/dlink/ I've submitted a suggestion for a story to Wired... We'll see. Perhaps they could also talk to someone who actually knows how ntp works as well. -M -- Martin Hannigan (c) 617-388-2663 Renesys Corporation (w) 617-395-8574 Member of Technical Staff Network Operations [EMAIL PROTECTED]
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Several people kindly contacted me off list with laborious explanations of how to implement delayed 550 rejections using sendmail, et al. We gave up sendmail years ago in favor of a competing solution. I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. matthew black california state university, long beach
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On 4/12/06, Matthew Black [EMAIL PROTECTED] wrote: I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. For viruses - fine. But you are not going to find any spam filter in the world that doesn't have false positives. And in such cases it's always a good idea to let the sender know his email didn't get through. Like for example - you see a large webmail provider whose hosts and domains keep getting forged into spam, misread the headers and block that provider. In such cases, it's your users who aren't getting a lot of valid email from their friends and relatives who are using that provider, and 550'ing instead of trashing email saves the senders, and their provider, quite a lot of time that'd otherwise be spent troubleshooting the issue. Plus, 5xx smtp rejects tend to save your bandwidth a bit compared to accepting the entire email (not that it matters on a small university domain where your userbase is going to be fairly small, and bandwidth available quite generous .. but for larger sites, or sites with bandwidth issues, that's definitely a concern) --srs -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006, Matthew Black wrote: I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. If you are wrong about the message being spam, then the sender gets a bounce. Tony. -- f.a.n.finch [EMAIL PROTECTED] http://dotat.at/ BERWICK ON TWEED TO WHITBY: WEST OR SOUTHWEST 5 OR 6, PERHAPS INCREASING 7 LATER IN NORTH. RAIN AT FIRST. MAINLY GOOD. SLIGHT OR MODERATE.
Re: well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
Just for curiosity, you can change it. /etc/hosts is a link /etc/hosts -> ../var/tmp/hosts you can edit but you cannot permanently save it. cat /etc/hosts 127.0.0.1 localhost 192.168.178.1 fritz.box 217.10.79.8 0.europe.pool.ntp.org ntp.sipgate.de Now I don't bother pool.ntp.org but ask my sip provider. That trick might work for the D-Link too. Of course 0.europe.pool.ntp.org is alright but that ntp server D-Link has is not. You have to insert the hostname plus ip into /var/tmp/hosts or the box will ask DNS. Cheers Peter and Karin Peter Dambier wrote: From my Fritzbox log: Apr 12 06:27:29 multid[360]: dns: 0.europe.pool.ntp.org: query Apr 12 06:27:30 multid[360]: dns: 0.europe.pool.ntp.org: 82.71.9.63 ttl=79 from 192.168.180.1. Apr 12 06:27:30 multid[360]: sending SNTP request to server 0.europe.pool.ntp.org (82.71.9.63) Apr 12 06:27:30 multid[360]: The NTP time is 12.4.2006 04:27:29.15 UTC Apr 12 06:27:30 multid[360]: system time is 1.007000 seconds ahead Apr 12 06:27:30 multid[360]: adjusting time backward 1.007000 seconds Seems to do that every 8 hours. I could not find a config file. Compiled into /sbin/multid ? I guess similar devices like the cursed D-Link are much the same. Only that multid daemon seems to be AVM specific. If that NTP thing is from the non-disclosed and un-GPLed TI source then best forget about it. Replace it by some well-known software that is known not to be nasty. Another router that is not compatible and not especially a good router - has an html interface where you can put in your favourite NTP server. I still wonder why I cannot configure the NTP server but at least it is not as nasty as the D-Link. Peter Stephane Bortzmeyer wrote: On Tue, Apr 11, 2006 at 10:01:10PM +, Edward B. DREGER [EMAIL PROTECTED] wrote a message of 27 lines which said: AS112-style NTP service, anyone? That would be cooperative and possibly even useful.
It already exists (Security warning: do not use it on a strategic machine; there is no warranty that these servers are trustworthy): http://www.pool.ntp.org/ Active server count on 2006-04-12 Africa 1 Asia 24 Europe 368 North America 223 Oceania 26 South America 7 Global 582 All Pool Servers 653 The pool.ntp.org project is a big virtual cluster of timeservers striving to provide reliable easy to use NTP service for millions of clients without putting a strain on the big popular timeservers. Adrian von Bidder created this project after a discussion about resource consumption on the big timeservers, with the idea that for everyday use a DNS round robin would be good enough, and would allow spreading the load over many servers. The disadvantage is, of course, that you may occasionally get a bad server and that you usually won't get the server closest to you. The workarounds for these are, respectively, to make sure you configure at least three servers in your ntp.conf and to use the country zones (for example 0.us.pool.ntp.org) rather than the global zone (for example 0.pool.ntp.org). Read more on using the pool. The pool is now enormously popular, being used by at least hundreds of thousands and maybe even millions of systems around the world. The pool project is now being maintained by Ask Bjørn Hansen and a great group of contributors on the mailing lists. -- Peter and Karin Dambier The Public-Root Consortium Graeffstrasse 14 D-64646 Heppenheim +49(6252)671-788 (Telekom) +49(179)108-3978 (O2 Genion) +49(6252)750-308 (VoIP: sipgate.de) mail: [EMAIL PROTECTED] mail: [EMAIL PROTECTED] http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006 20:30:16 +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: On 4/12/06, Matthew Black [EMAIL PROTECTED] wrote: I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. For viruses - fine. But you are not going to find any spam filter in the world that doesnt have false positives. And in such cases its always a good idea to let the sender know his email didnt get through. Agreed, but we're willing to live with an error rate of less than one in a million. This isn't a space shuttle. I don't think the USPS can claim 99.% delivery accuracy. Nonetheless, to allay worries, we are considering spam quarantines to allow recipients an opportunity to review spam messages themselves, much like Yahoo! Mail. Complaints about e-mail not getting through won't be solved with a 550 versus silently dropping spam because most users aren't willing to sift through e-mail errors to find the specific cause for delivery failure. Members of this list are a rare exception. Like for example - you see a large webmail provider whose hosts and domains keep getting forged into spam, misread the headers and block that provider. In such cases, its your users who arent getting a lot of valid email from their friends and relatives who are using that provider, and 550'ing instead of trashing email saves the senders, and their provider, quite lot of time that'd otherwise be spent troubleshooting the issue. Plus, 5xx smtp rejects tend to save your bandwidth a bit compared to accepting the entire email (not that it matters on a small university domain where your userbase is going to be fairly small, and bandwidth available quite generous .. but for larger sites, or sites with bandwidth issues, that's definitely a concern) We already reject most connections with a 550 or TCP REFUSE based on reputation filtering and blacklists, et al. 
Where is the bandwidth savings once we've accepted an entire message, scanned it, determined it was spam, then provided a 550 rejection versus silently dropping? matthew black california state university, long beach
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On 4/12/06, Matthew Black [EMAIL PROTECTED] wrote: Agreed, but we're willing to live with an error rate of less than one in a million. This isn't a space shuttle. I don't think the USPS can claim 99.% delivery accuracy. Nonetheless, to I'm not even saying five nines. Spam filtering - even with heuristics etc - is less than perfect, and per user spam filtering, however idiot proof, sometimes turns out to be like giving Acme Inc gadgets to Wile E Coyote. [users having fun with procmail and .forwards should already be a familiar story I guess?] We already reject most connections with a 550 or TCP REFUSE based on reputation filtering and blacklists, et al. That works just fine. I don't have any argument with it Where is the bandwidth savings once we've accepted an entire message, scanned it, determined it was spam, then provided a 550 rejection versus silently dropping? If you can scan it inline, you can stop, issue a 550 and drop the SMTP connection any time you want. Like for example, midstream when you discover a fake header pattern. You'd start with whatever can be rejected in session - fake HELOs, blocklist listed IPs, random faked headers, dodgy attachment types that are more likely to be viruses than not Then apply the heavier and more cpu intensive filters later, on a much smaller volume of spam Maybe not all that much of a bandwidth / cpu saving, but saving remote postmasters the hassle of troubleshooting lost email is always a good idea. -- Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006 21:12:44 +0530 Suresh Ramasubramanian [EMAIL PROTECTED] wrote: On 4/12/06, Matthew Black [EMAIL PROTECTED] wrote: Where is the bandwidth savings once we've accepted an entire message, scanned it, determined it was spam, then provided a 550 rejection versus silently dropping? If you can scan it inline, you can stop, issue a 550 and drop the SMTP connection any time you want. Like for example, midstream when you discover a fake header pattern. You'd start with whatever can be rejected in session - fake HELOs, blocklist listed IPs, random faked headers, dodgy attachment types that are more likely to be viruses than not Then apply the heavier and more cpu intensive filters later, on a much smaller volume of spam We already do this. Maybe not all that much of a bandwidth / cpu saving, but saving remote postmasters the hassle of troubleshooting lost email is always a good idea. After all said methods have been performed and the message gets through reputation filtering; blacklists; forged/munged headers, e-mail addresses, domain names the message comes in and then there's that final dot. Up to this point, the message hasn't proven to be spam until it can be scanned using BrightMail, SpamAssassin, Bayesian filters, DCC lists, or other methods. All I'm saying is that once the full DATA submission has completed, there's no bandwidth savings from silently dropping the message versus providing a 550 rejection. In the best of all worlds, it would be nice to give feedback. No system is perfect and a false-positive rate of less than one in a million 220 accepted messages seems pretty small. matthew black california state university, long beach
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Matthew Black wrote: there's no bandwidth savings from silently dropping the message versus providing a 550 rejection. In the best of all worlds, it would be nice to give feedback. No system is perfect and a false-positive rate of less than one in a million 220 accepted messages seems pretty small. I thought I had already participated in beating this dead horse sufficiently in multiple threads in multiple forums on multiple occasions. Maybe I am in your killfile or something. If I post again on this topic, I certainly will deserve to be. Let me ask you this simple question: If you know at close of DATA whether you are going to actually perform final delivery, what does it cost you to follow standards and issue a 550 instead of a 220 and discard it? If you use a 550, a real live person sending an email that somehow gets FP will actually benefit. I am with Suresh on this, just like in the past threads. Search the archive.
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. RFC 2821? ...the protocol requires that a server accept responsibility for either delivering a message or properly reporting the failure to do so. ... If an SMTP server has accepted the task of relaying the mail and later finds that the destination is incorrect or that the mail cannot be delivered for some other reason, then it MUST construct an undeliverable mail notification message and send it to the originator of the undeliverable mail (as indicated by the reverse-path). Unless you're the final recipient of the message, you have no business deleting it. If you've accepted a message, you should either deliver or bounce it, per RFC requirements.
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006 10:16:53 PDT, Steve Thomas said: I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. RFC 2821? ...the protocol requires that a server accept responsibility for either delivering a message or properly reporting the failure to do so. Elsewhere in 2821 (6.1, to be specific): When the receiver-SMTP accepts a piece of mail (by sending a 250 OK message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage. OK? Got that? You '250 OK' it, you got a *serious* responsibility. Losing the message because the whole damned machine crashes is considered a frivolous reason. And throwing it away because you don't like the way it looks is OK? Man, you're in for some severe karmic protocol payback down the road... ;)
Re: Open Letter to D-Link about their NTP vandalism
Thus spake Alexei Roudnev [EMAIL PROTECTED] Hmm, if some idiot wrote my NTP IP into his hardware, I'd just stop monitoring my NTP and make sure that it has a few hours of error in time. No one requires me to CLAIM that I set up the wrong time, BUT no one can require me to maintain the correct time just because some idiots use my server. What most people participating in this subthread seem to be missing is that if one did decide to send (or accidentally sent) false time to these D-Link devices, NOBODY WOULD EVER KNOW OR CARE. Doing so does not solve any problems, so whatever the legal risk of acting is, no matter how small, it's not worth it. On the plus side, after seeing D-Link's (lack of) reaction to this, I'll bet none of us will buy another of their products again. S Stephen Sprunk, CCIE #3723, K5SSS -- "Stupid people surround themselves with smart people. Smart people surround themselves with smart people who disagree with them." --Aaron Sorkin
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Earlier today, I said: Unless you're the final recipient of the message, you have no business deleting it. If you've accept a message, you should either deliver or bounce it, per RFC requirements. I just want to clarify that I was in no way suggesting that anyone bounce spam - I was merely pointing out that if you choose to 250 a message, you have to deliver it. The much better option is to 550 it after DATA if you don't like what you see. Silently deleting other people's e-mail should never even be considered. Returning to lurk status... St-
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Steven M. Bellovin wrote: By the way, since we're talking about D-Link, it's instructive to read the warnings on their firmware update pages. Do NOT upgrade firmware on any D-Link product over a wireless connection. Failure of the device may result. Use only hard-wired network connections. Cisco/Linksys says the same thing. -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, CA Resident of Southern California - the home of beautiful people and butt-ugly traffic jams
Re: Open Letter to D-Link about their NTP vandalism
On 4/12/06, Steve Sobol [EMAIL PROTECTED] wrote: On Tue, 11 Apr 2006, Steven M. Bellovin wrote: By the way, since we're talking about D-Link, it's instructive to read the warnings on their firmware update pages. Do NOT upgrade firmware on any D-Link product over a wireless connection. Failure of the device may result. Use only hard-wired network connections. Cisco/Linksys says the same thing. Who here hasn't been burned at least once by changing packet filters, routes or interface configurations over the wire/air? Or maybe getting your userland and kernel out of sync on a *NIX machine? It's not really that surprising that they put that in there, other than maybe the fact that it's useful advice. And maybe it'll reduce support costs. Loading a new firmware is a risky operation - I don't know of too many consumer network widgets with a reflash safety protocol to prevent you from destroying the device with an aborted upload. Heck, that's still a pretty rare feature in pee-cees. Sure it's easy to implement such a thing, but that would cost money. I think this thread has done a good job of demonstrating that those who would choose the right (and maybe slightly more expensive up front) solution are outvoted by those who would just take a quick, cheap and easy hack. CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, Apr 12, 2006 at 12:03:51PM -0400, Joe Maimon wrote: Matthew Black wrote: there's no bandwidth savings from silently dropping the message versus providing a 550 rejection. In the best of all worlds, it would be nice to give feedback. No system is perfect and a false-positive rate of less than one in a million 220 accepted messages seems pretty small. Let me ask you this simple question: If you know at close of DATA whether you are going to actually perform final delivery, what does it cost you to follow standards and issue a 550 instead of a 220 and discard it? If you use a 550, a real live person sending an email that somehow gets FP will actually benefit. In today's world, at least with the spamtorrent I see at my clients, that's just untrue. If your filtering is set up well, and you mark an e-mail as SPAM, it almost certainly is (yes, I'll certainly concede FP's exist, but again, it almost certainly doesn't matter that much in that teensy number of occurrences); and 99-plus-percent of spam is emitted from spambots who don't give a $expletive about return status one way or another. If you're worrying about no-status in the context of FP's, then your filtering isn't set up well, which really means you've got larger problems. I am with Suresh on this, just like in the past threads. Search the archive. Though not contradicting what I just wrote, so am I. However, header-forged and multi-chained spam from firehose-like spambots don't play by any of our rules; all they do is blast away in a largely one-way transaction (guess which direction!). A 550 nowadays has nowhere to go (and those commercial aka legit) spamhouses don't wash their lists even on 550's. -- Henry Yen Aegis Information Systems, Inc. Senior Systems Programmer Hicksville, New York
Re: Open Letter to D-Link about their NTP vandalism
On Wed, 12 Apr 2006, Steve Sobol wrote: On Tue, 11 Apr 2006, Steven M. Bellovin wrote: By the way, since we're talking about D-Link, it's instructive to read the warnings on their firmware update pages. Do NOT upgrade firmware on any D-Link product over a wireless connection. Failure of the device may result. Use only hard-wired network connections. Cisco/Linksys says the same thing. It is safe to do it with openwrt at least. scp the firmware to a local file, then update flash from that file. -Dan
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Alain Hebert wrote: Because it's DIX resources... They can do whatever they want with it. They owe nothing to DLink customers, and DLink customers should know to buy equipment from a better company that does not trespass on others' property. And how exactly will the typical person buying a consumer-grade router even know something's wrong, in this case? -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, CA Resident of Southern California - the home of beautiful people and butt-ugly traffic jams
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On Wed, 12 Apr 2006 14:18:24 -0400 [EMAIL PROTECTED] wrote: On Wed, 12 Apr 2006 10:16:53 PDT, Steve Thomas said: I haven't seen any succinct justification for providing a 550 message rejection for positively-identified spam versus silently dropping the message. Lots of how-to instructions but no whys. RFC 2821? ...the protocol requires that a server accept responsibility for either delivering a message or properly reporting the failure to do so. Your statement is open to multiple interpretations. I argue that anytime our system identifies a message as spam that it gets delivered to the system bit bucket. RFC-821 and netiquette also mandate e-mail be properly addressed. System manufacturers and administrators make compromises because strict adherence to the rules is not always possible from an operational perspective. Elsewhere in 2821 (6.1, to be specific): When the receiver-SMTP accepts a piece of mail (by sending a 250 OK message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage. Lost me on that part about crashes being frivolous reasons. This is a political statement not an indisputable matter of fact. OK? Got that? You '250 OK' it, you got a *serious* responsibility. Losing the message because the whole damned machine crashes is considered a frivolous reason. And throwing it away because you don't like the way it looks is OK? Man, you're in for some severe karmic protocol payback down the road... ;) I'm not the one throwing them away and never look at them; watch the finger wagging. And thanks for the karma heads up, Buddha. matthew black california state university, long beach
Re: Open Letter to D-Link about their NTP vandalism
Steve Sobol wrote: On Tue, 11 Apr 2006, Alain Hebert wrote: Because it's DIX resources... They can do whatever they want with it. They owe nothing to DLink customers, and DLink customers should know to buy equipment from a better company that does not trespass on others' property. And how exactly will the typical person buying a consumer-grade router even know something's wrong, in this case? (A NTP/KOD packet should be nice...) The cattle that buy those products don't care about DIX. But DLink might start to care if it gets in the media... -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
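Peter's Fritzbox log earlier in the thread ("sending SNTP request to server 0.europe.pool.ntp.org ... system time is 1.007000 seconds ahead ... adjusting time backward") and Alain's "NTP/KOD packet" remark just above are the two halves of one RFC 4330 exchange. The following is an added example, not code from the thread, from AVM or from D-Link: a Python SNTP client that builds the 48-byte request, validates the reply (server mode, and the originate timestamp echoing our own transmit timestamp, which is what keeps a stray or spoofed UDP packet from stepping the clock), computes offset and round-trip delay, and recognizes a kiss-o'-death reply; next to it, the server-side policy a DIX-like operator could apply instead of the "return the wrong time" idea debated above: answer its own members normally and send everyone else a DENY kiss code. The timestamps are constructed to match the instant in the log, the member prefix 192.168.178.0/24 and the outsider address 203.0.113.7 are placeholders, and whether any particular firmware honours a kiss code is not something the thread establishes.

```python
import ipaddress
import struct

NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (UNIX)
PACKET_LEN = 48
MODE_CLIENT, MODE_SERVER = 3, 4
KISS_STOP = {"DENY", "RSTR"}       # RFC 4330 kiss codes after which a client must stop querying
KISS_SLOW = {"RATE"}               # ... and after which it must back off


class KissOfDeath(Exception):
    """Reply carried stratum 0 and an ASCII kiss code in the reference identifier."""


def to_ntp(unix_ts):
    """UNIX seconds (float) -> 64-bit NTP timestamp: 32 bits of seconds since 1900, 32 of fraction."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp(raw):
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1):
    """Client packet: LI=0, VN=4, mode 3. T1 (our clock at send time) goes in the transmit field."""
    header = struct.pack("!BBBb", (4 << 3) | MODE_CLIENT, 0, 0, 0)
    return header + bytes(36) + to_ntp(t1)


def build_reply(request, t2, t3, stratum=2, refid=b"GPS\x00"):
    """Server packet. The client's transmit timestamp is echoed back as 'originate'."""
    header = struct.pack("!BBBb", (4 << 3) | MODE_SERVER, stratum, 0, -20)
    return (header
            + struct.pack("!II", 0, 0)   # root delay, root dispersion
            + refid                       # reference identifier (4 bytes)
            + to_ntp(t2)                  # reference timestamp: last time the server synced
            + request[40:48]              # originate timestamp = client's T1
            + to_ntp(t2)                  # receive timestamp  (T2)
            + to_ntp(t3))                 # transmit timestamp (T3)


def build_kod(request, code):
    """Kiss-o'-Death: stratum 0 plus the kiss code where the reference identifier normally goes."""
    return build_reply(request, 0.0, 0.0, stratum=0, refid=code.encode("ascii").ljust(4, b"\x00"))


def parse_reply(request, reply, t4):
    """Validate a reply against the request we sent; return (offset, round-trip delay) in seconds.
    Raises ValueError for malformed or unsolicited replies and KissOfDeath for kiss codes."""
    if len(reply) < PACKET_LEN:
        raise ValueError("short packet")
    if reply[0] & 0x07 != MODE_SERVER:
        raise ValueError("not a server reply")
    if reply[24:32] != request[40:48]:
        # RFC 4330 check: a reply that does not echo our T1 is stale or forged, so ignore it
        raise ValueError("originate timestamp does not match our request")
    if reply[1] == 0:
        raise KissOfDeath(reply[12:16].rstrip(b"\x00").decode("ascii", "replace"))
    t1, t2, t3 = from_ntp(request[40:48]), from_ntp(reply[32:40]), from_ntp(reply[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # negative: our clock is ahead, step it backwards
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def server_answer(request, src_ip, allowed_nets, now):
    """Server policy: answer members, send DENY to everyone else (rather than serving a wrong time)."""
    if not any(ipaddress.ip_address(src_ip) in net for net in allowed_nets):
        return build_kod(request, "DENY")
    return build_reply(request, t2=now, t3=now + 0.001)


def demo():
    base = 1144816049.0                      # 12 Apr 2006 04:27:29 UTC, the instant in the log
    skew = 1.007                             # our clock runs 1.007 s fast, as the log reports
    members = [ipaddress.ip_network("192.168.178.0/24")]   # placeholder member prefix
    req = build_request(base + skew)         # T1 is read from our (fast) clock
    # 1. A member gets a real answer; the computed offset says "step back about a second".
    reply = server_answer(req, "192.168.178.20", members, now=base + 0.020)
    offset, delay = parse_reply(req, reply, t4=base + 0.040 + skew)
    # 2. An outsider sending the same request gets DENY and must stop querying this server.
    try:
        parse_reply(req, server_answer(req, "203.0.113.7", members, now=base + 0.020), base + skew)
        kiss = None
    except KissOfDeath as kod:
        kiss = str(kod)
    # 3. A reply that does not echo our T1 (forged, or meant for someone else) is discarded.
    stray = build_reply(build_request(base + 5.0), base, base)
    try:
        parse_reply(req, stray, base + skew)
        stray_accepted = True
    except ValueError:
        stray_accepted = False
    return {"offset": offset, "delay": delay, "kiss": kiss,
            "stop": kiss in KISS_STOP, "stray_accepted": stray_accepted}
```

`demo()` reproduces the log's arithmetic: with T2 and T3 about a second behind T1 and T4, the offset comes out near -1.0065 s, i.e. "adjusting time backward". A compliant client that receives DENY or RSTR stops querying that server and RATE tells it to back off; a client that ignores stratum 0 will keep hammering regardless, which is the caveat on the KoD suggestion.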
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
Steve Thomas wrote: Earlier today, I said: Unless you're the final recipient of the message, you have no business deleting it. If you've accepted a message, you should either deliver or bounce it, per RFC requirements. I just want to clarify that I was in no way suggesting that anyone bounce spam - I was merely pointing out that if you choose to 250 a message, you have to deliver it. The much better option is to 550 it after DATA if you don't like what you see. Silently deleting other people's e-mail should never even be considered. This policy I wholeheartedly agree with, and I strive wherever possible to enforce this in every place I work; wherever people get listed in SORBS for backscatter, I work with them, telling them how they can do this. With the current technologies available there is no reason a small-medium organisation cannot virus and spam scan mail inline at the SMTP transaction stage. (Even the Barracudas can SpamAssassin scan at around 8 messages per second - my previous employment were receiving around 4 messages per second - which translated to 1-2 million emails per day) It is possible to do inline scanning in larger ISPs (I personally have configured a 'system' to handle up to 90 messages per second inline scanning) - though it requires a lot more planning, thought, and careful consideration. Regards, Mat
Re: Open Letter to D-Link about their NTP vandalism
On Wed, Apr 12, 2006 at 01:32:26PM -0500, Stephen Sprunk wrote: On the plus side, after seeing D-Link's (lack of) reaction to this, I'll bet none of us will buy another of their products again. If it was legal to sell whatever you people are smoking that makes you think dlink gives a flying crap about you as customers, I'd be a very rich man. What part of mass consumer product isn't clear here, 99.9% of their target market doesn't know what NTP is, and doesn't care. I am absolutely appalled by the number of slashdot warriors here, ready to launch a crusade of spreading misinformation to the media in hopes of obtaining a large monetary payout or otherwise causing dlink, in the name of doing the right thing, and without any consideration or understanding of the facts at hand. You know why dlink can't just come forward and say whoops we're sorry, we didn't see that you wanted this used for DIX members only, our bad? Because they have to contend with people who will take that apology and then use it in court as an admission of guilt, and seek many tens of thousands of dollars or more in non-existent damages. I think we all know that dlink was wrong. They should have double-checked the list of NTP servers they included in their default shipping firmware to make certain that the owners were ok with having their services used publicly, there is no question about this. However, just because they made this mistake, it is not an excuse for everyone involved to start cashing in like they hit the lottery. Imagine that you get rear ended in traffic by an inattentive driver, and they dent your bumper. Yes it is their fault, yes they made a mistake and they should be responsible for it, but it is not okay for you to start screaming whiplash as soon as you see that you got hit by a Mercedes. It also doesn't mean that you are going to get a new car instead of them paying to have your bumper fixed.
If anyone else is going to carry this as a story, please act responsibly and do a little fact checking. We're talking about 37 packets/sec, less than a dialup worth of bandwidth, and any number of technical solutions which could completely mitigate that traffic without ANY additional expenses. Also, IANAL, but I think that refusing to take reasonable action to mitigate the damages because you feel the other party is at fault and should be 100% responsible is probably a good way to hurt any kind of case you might actually have against them too. -- Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
ST Date: Wed, 12 Apr 2006 10:16:53 -0700 (PDT) ST From: Steve Thomas ST RFC 2821? ST ST ...the protocol requires that a server accept responsibility ST for either delivering a message or properly reporting the ST failure to do so. How does one properly report delivery failure to a guerrilla spammer? ST Unless you're the final recipient of the message, you have no business ST deleting it. If you've accept a message, you should either deliver or ST bounce it, per RFC requirements. Please automatically delete anything that might be spam. They'll call me if it's important. I know I'll lose some mail, but that's okay. Throwing RFC 2821 at that user probably would not have made them happy. As for MUST bounce using return-path... perhaps you've never experienced blowback from a joe job. It can be unpleasant. RFCs are for maintaining interoperability. They are not infallible. When a system is clearly broken, it's time to examine alternatives -- not to say that the RFC was handed down from on high. Proposal: MXes can say 2xx message queued with ID blahblahblah. They also can return 4xx try back later codes. Yes? How about some return code that says poll by $deadline if you want to know whether message ID blahblahblah was accepted or rejected? No need to retransmit the entire message, and the sender can learn whether the message was actually accepted. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
How does one properly report delivery failure to a guerrilla spammer? If you accept the message, you can presumably deliver it. In this day and age, anyone accepting mail for a domain without first checking the RCPT TO - even (especially?) on a backup MX - should have their head examined. In the event that the RCPT TO is valid but the message truly can't be delivered for some other reason, you should bounce the message and fix the problem. My point was that when it comes to spam, it should either be rejected inline or delivered. Unless your spam scanner has 100% accuracy, 100% of the time, there is no justification for sending anything not addressed to you to /dev/null. Please automatically delete anything that might be spam. They'll call me if it's important. I know I'll lose some mail, but that's okay. If you have an agreement with a customer that specifically allows for such behaviour, great. We can get into individual cases for any conceivable scenario, but that would be silly. It was pretty clear, to me at least, that we were discussing this as it would pertain to a system-wide configuration. As for MUST bounce using return-path... perhaps you've never experienced blowback from a joe job. It can be unpleasant. Yes, I have. And yes, it is. However, I never suggested bouncing spam, as my last message clearly stated. My position is that if you accept the message (250 OK), you have an obligation to deliver it. If you can't scan it during the SMTP transaction, do it after and mark up the headers, drop it in a junk folder - whatever - but don't delete it. St-
Re: Open Letter to D-Link about their NTP vandalism
Well, With the way you named your address book (North American Noise and Off-topic Gripes). We now know where to file your future comments. (In the killfile that is) Richard A Steenbergen wrote: On Wed, Apr 12, 2006 at 01:32:26PM -0500, Stephen Sprunk wrote: On the plus side, after seeing D-Link's (lack of) reaction to this, I'll bet none of us will buy another of their products again. If it was legal to sell whatever you people are smoking that makes you think dlink gives a flying crap about you as customers, I'd be a very rich man. What part of mass consumer product isn't clear here, 99.9% of their target market doesn't know what NTP is, and doesn't care. I am absolutely appalled by the number of slashdot warriors here, ready to launch a crusade of spreading misinformation to the media in hopes of obtaining a large monetary payout or otherwise causing dlink, in the name of doing the right thing, and without any consideration or understanding of the facts at hand. You know why dlink can't just come forward and say woops we're sorry, we didn't see that you wanted this used for DIX members only, our bad? Because they have to contend with people who will take that apology and then use it in court as an admission of guilt, and seek many tens of thousands of dollars or more in non-existent damages. As a (older, since '87) operator of a small network, I'll always help other operators when it's a question of making the 'net better. Good luck advocating the next turd coming from sub-standard design flow that contributed to the DIX issues with DLink. Me, I prefer to strive for excellence... I think we all know that dlink was wrong. They should have double-checked the list of NTP servers they included in their default shipping firmware to make certain that the owners were ok with having their services used publicly, there is no question about this. However, just because they made this mistake, it is not an excuse for everyone involved to start cashing in like they hit the lottery.
Imagine that you get rear ended in traffic by an inattentive driver, and they dent your bumper. Yes it is their fault, yes they made a mistake and they should be responsible for it, but it is not okay for you to start screaming whiplash as soon as you see that you got hit by a Mercedes. It also doesn't mean that you are going to get a new car instead of them paying to have your bumper fixed. FYI I didn't read anything about somebody looking to make money on this... If anyone else is going to carry this as a story, please act responsibly and do a little fact checking. We're talking about 37 packets/sec, less than a dialup worth of bandwidth, and any number of technical solutions which could completely mitigate that traffic without ANY additional expenses. Also, IANAL, but I think that refusing to take reasonable action to mitigate the damages because you feel the other party is at fault and should be 100% responsible is probably a good way to hurt any kind of case you might actually have against them too. Yeap x packets/sec times millions... -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
Alain Hebert wrote: With the way you named your address book (North American Noise and Off-topic Gripes). We now know where to file your future comments. (In the killfile that is) You don't seem to want to act very responsibly, based on your comments here, so it doesn't surprise me that you don't want to see Richard taking you to task for not acting responsibly. What bothers me is that you seem to think you are in the right and don't want to listen to suggestions to the contrary. The intended audience of the NANOG mailing list consists primarily of professionals who are paid to operate computer networks on behalf of large numbers of other people. Said professionals have a responsibility to operate said networks in a professional manner. You're wrong. Richard is right. **SJ you're allowed to express your opinion here, just as I'm allowed to tell you your opinion is silly S -- Steve Sobol, Professional Geek ** Java/VB/VC/PHP/Perl ** Linux/*BSD/Windows Apple Valley, CA Resident of Southern California - the home of beautiful people and butt-ugly traffic jams
Re: Open Letter to D-Link about their NTP vandalism
Paul Vixie wrote: [EMAIL PROTECTED] (Simon Lyall) writes: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. that creates new liability, and isn't realistic in today's litigious world. (Surprise to read that from PV.) It is DIX resources/equipment... they are not obliged to offer reliable/secure/valid/etc services to anybody outside their clients. It's like saying that blacklist services like spamcop should be liable for mail servers XYZ deleting your email. Anyway *litigious* is kinda limited to our southern neighbour... DIX is under a different legal system. Good luck to DLink lawyers trying to bend reality enough to make DLink right... and oblige DIX to offer NTP to DLink customers for free. Now if we can get this letter into Wired... -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Simon Lyall wrote: Everyone here runs spam filters. Many times a day you tell a remote MTA you've accepted their email but you delete it instead. Explain the difference? Hold on there. What you are describing is evil and bad, and I certainly hope everyone does not do that. When I do not wish to accept a message, I do not accept it, rejecting with an SMTP permanent delivery failure. Don't mean to go off on a tangent, but accepting and then silently discarding mail is a terrible idea. matto [EMAIL PROTECTED] darwin Moral indignation is a technique to endow the idiot with dignity. - Marshall McLuhan
Re: Open Letter to D-Link about their NTP vandalism
At 08:36 PM 10/04/2006, Simon Lyall wrote: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. Of our customers who have such routers, I would say 90% would not know the unit even kept time, let alone the correct or incorrect time. ---Mike
Re: Open Letter to D-Link about their NTP vandalism
It seems to me, that the only *real* solution is for these manufacturers to implement a [responsible] strategy of automatic firmware upgrades, as it pertains to these (simple eu type) devices. How difficult would it be to have the router test a server periodically, (say once a month), and in the case of a critical flaw in the software, silently update the device? I suspect it is cost/benefit skepticism that is keeping them from doing just that. John - Original Message - From: Mike Tancsa [EMAIL PROTECTED] To: Simon Lyall [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, April 11, 2006 9:05 AM Subject: Re: Open Letter to D-Link about their NTP vandalism At 08:36 PM 10/04/2006, Simon Lyall wrote: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. Of our customers who have such routers, I would say 90% would not know the unit even kept time, let alone the correct or incorrect time. ---Mike
Re: Open Letter to D-Link about their NTP vandalism
On Mon, 10 Apr 2006 23:23:06 -0700 (PDT) Matt Ghali [EMAIL PROTECTED] wrote: On Tue, 11 Apr 2006, Simon Lyall wrote: Everyone here runs spam filters. Many times a day you tell a remote MTA you've accepted their email but you delete it instead. Explain the difference? Hold on there. What you are describing is evil and bad, and I certainly hope everyone does not do that. When I do not wish to accept a message, I do not accept it, rejecting with an SMTP permanent delivery failure. Don't mean to go off on a tangent, but accepting and then silently discarding mail is a terrible idea. matto Are you suggesting that we configure our e-mail servers to notify people upon automatic deletion of spam? Frequently, spam cannot be properly identified until closure of the SMTP conversation and that final 200 MESSAGE ACCEPTED...or do you think that TCP/IP connection should be held open until the message can be scanned for spam and viruses just so we can give a 550 MESSAGE REJECTED error instead of silently dropping it? Because most spam originates from a bogus or stolen sender address, notification creates an even bigger problem. What's next: asking for permission to hang up on telemarketers? matthew black network services california state university, long beach
Re: Open Letter to D-Link about their NTP vandalism
Matthew Black wrote: On Mon, 10 Apr 2006 23:23:06 -0700 (PDT) Matt Ghali [EMAIL PROTECTED] wrote: On Tue, 11 Apr 2006, Simon Lyall wrote: Everyone here runs spam filters. Many times a day you tell a remote MTA you've accepted their email but you delete it instead. Explain the difference? Hold on there. What you are describing is evil and bad, and I certainly hope everyone does not do that. When I do not wish to accept a message, I do not accept it, rejecting with an SMTP permanent delivery failure. Don't mean to go off on a tangent, but accepting and then silently discarding mail is a terrible idea. This is way OT.
Inline rejection -- best
Notification after the fact -- Worst, but sometimes unavoidable
Silent Discard -- better than blanket notifications
Try to limit the second in preference for the first. For anything in which your detection mechanism's accuracy is high enough, you can probably perform the last without much worry. matto Are you suggesting that we configure our e-mail servers to notify people upon automatic deletion of spam? Don't do that. Notify the recipient if anything. Unfortunately they may learn to ignore such notifications, especially if your system is fairly accurate. I advise against such quarantine;store;notify;wait;delete systems precisely because of this. Frequently, spam cannot be properly identified until closure of the SMTP conversation and that final 200 MESSAGE ACCEPTED...or do you think that TCP/IP connection should be held open until the message can be scanned for spam and viruses just so we can give a 550 MESSAGE REJECTED error instead of silently dropping it? Yes, a 550 after completion of DATA with crlf.crlf is perfectly acceptable and preferable. Legit senders should hang around for the half minute or so to receive 220, and illegits will tend to drop the connection after being told 550. Because most spam originates from a bogus or stolen sender address, notification creates an even bigger problem.
What's next: asking for permission to hang up on telemarketers? I do that all the time with barely a no thanks. My wife complains that I am rude to do so. I think not. The problem is in the word most. With regards to anti-virus, most becomes well upwards of 99%, and as such silent discard is more acceptable. matthew black network services california state university, long beach
Re: Open Letter to D-Link about their NTP vandalism
To keep this operational: Operationally the network operator should contact a lawyer before doing something like this. Purposely and knowingly sending bad data in order to do harm is a counter-attack. As such it might be vigilantism, which is illegal in most countries. Or it might be self-defense, which is not illegal. Might. Contact a lawyer. John At 07:36 PM 4/10/2006, Simon Lyall wrote: On Mon, 10 Apr 2006 [EMAIL PROTECTED] wrote: One particular piece of crapware of the tucows archive variety would retry once per second if it hadn't heard a response - but an ICMP Port Unreachable would trigger an *immediate* query, so it would basically re-query at whatever the RTT for the path was. I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. Just not returning anything means the time still works on the querying device (especially if it uses multiple servers) and the problem will not be noticed and it will continue. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ To stay awake all night adds a day to your life - Stilgar | eMT.
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006 10:28:32 -0400, John Underhill [EMAIL PROTECTED] wrote: It seems to me, that the only *real* solution is for these manufacturers to implement a [responsible] strategy of automatic firmware upgrades, as it pertains to these (simple eu type) devices. How difficult would it be to have the router test a server periodically, (say once a month), and in the case of a critical flaw in the software, silently update the device? I suspect it is cost/benefit skepticism that is keeping them from doing just that. It would be a disaster. My (cable modem) ISP does that to my cable modem/NAT box. A few months ago, a buggy update made the NAT part drop all connections after 30 minutes. It took me a week or so to get enough data to nail down the problem precisely. I then had the fun of trying to get through the phone droids to reach someone who understood what NAT or TCP meant. What unusual combination of features will random upgrades break? By the way, since we're talking about D-Link, it's instructive to read the warnings on their firmware update pages. Do NOT upgrade firmware on any D-Link product over a wireless connection. Failure of the device may result. Use only hard-wired network connections. This firmware is engineered for US products only. Using this firmware on a device outside of the United States will void your warranty and may render the device unusable. Other warnings I've seen include warnings that all configuration options will be reset, version incompatibilities, and the suggestion that one should connect to a UPS before doing the upgrade, just in case. (Hmm -- there's a vicious thunderstorm approaching, and the lights are flickering. And it's time for the monthly autoupgrade!) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Open Letter to D-Link about their NTP vandalism
It's legal to have a broken NTP server in ANY country, and it's legal in most (by number) countries to send a counter-attack (except USA as usual, where lawyers want to get their money and so do not allow people to self-defence). So, it can be a GOOD practice in reality. But, of course, not in USA. - Original Message - From: John Dupuy [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 11, 2006 9:00 AM Subject: Re: Open Letter to D-Link about their NTP vandalism To keep this operational: Operationally the network operator should contact a lawyer before doing something like this. Purposely and knowingly sending bad data in order to do harm is a counter-attack. As such it might be vigilantism, which is illegal in most countries. Or it might be self-defense, which is not illegal. Might. Contact a lawyer. John At 07:36 PM 4/10/2006, Simon Lyall wrote: On Mon, 10 Apr 2006 [EMAIL PROTECTED] wrote: One particular piece of crapware of the tucows archive variety would retry once per second if it hadn't heard a response - but an ICMP Port Unreachable would trigger an *immediate* query, so it would basically re-query at whatever the RTT for the path was. I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. Just not returning anything means the time still works on the querying device (especially if it uses multiple servers) and the problem will not be noticed and it will continue. -- Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/ To stay awake all night adds a day to your life - Stilgar | eMT.
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 2006-04-11 at 09:28:14 -0700, Alexei Roudnev proclaimed... It's legal to have broken NTP server in ANY country, and it's legal in most (by number) countries to send counter-attack (except USA as usual, where lawyers want to get their money and so do not allow people to self-defence). Usually I take my time from more than one server anyway, and discard the bogus time. You'd think that d-link's crackshot development team would do this, as well. - Eric
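The client-side check Eric describes (take time from several servers and discard the bogus one), as an added example that is not part of the original thread: it parses constructed SNTP replies, computes each server's offset from the local clock, and keeps only the servers that agree with the majority. Packet layout follows the 48-byte NTPv4 format; the server names, timestamps and tolerance are constructed test values.

```python
"""Sanity-checking SNTP replies from several servers (constructed example):
parse each reply's transmit timestamp and discard any whose offset
disagrees with the majority before touching the local clock."""
import struct
from typing import Dict, List, Tuple

NTP_UNIX_DELTA = 2208988800   # seconds between 1900-01-01 and 1970-01-01
NTP_PACKET_LEN = 48           # fixed-size NTPv4 header, no extensions


def build_reply(transmit_unix: float, stratum: int = 2) -> bytes:
    """Construct a minimal 48-byte NTPv4 server reply (constructed test data)."""
    secs = int(transmit_unix) + NTP_UNIX_DELTA
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32))
    li_vn_mode = (0 << 6) | (4 << 3) | 4        # LI=0, version 4, mode 4 (server)
    header = struct.pack("!BBBb", li_vn_mode, stratum, 0, 0)
    # root delay, root dispersion, reference id, then reference/originate/receive
    # timestamps (8 bytes each); all zero except a placeholder reference id
    padding = b"\x00" * 4 + b"\x00" * 4 + b"LOCL" + b"\x00" * 24
    return header + padding + struct.pack("!II", secs, frac)


def parse_transmit_time(packet: bytes) -> float:
    """Return the transmit timestamp as Unix seconds; raise on a reply we must not trust."""
    if len(packet) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    stratum = packet[1]
    if mode != 4:
        raise ValueError(f"unexpected mode {mode}")
    if stratum == 0 or stratum > 15:
        # stratum 0 is a kiss-o'-death / unsynchronised reply; >15 is invalid
        raise ValueError(f"unsynchronised server (stratum {stratum})")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def select_offsets(replies: Dict[str, bytes], local_now: float,
                   tolerance: float = 1.0) -> Tuple[Dict[str, float], List[str]]:
    """Offset (server clock minus local clock) per server, split into the
    majority cluster around the median and the servers rejected as bogus.
    If no majority agrees, nothing is accepted and the clock is left alone."""
    offsets: Dict[str, float] = {}
    rejected: List[str] = []
    for name, pkt in replies.items():
        try:
            offsets[name] = parse_transmit_time(pkt) - local_now
        except ValueError:
            rejected.append(name)
    if not offsets:
        return {}, rejected
    ordered = sorted(offsets.values())
    median = ordered[len(ordered) // 2]
    accepted = {n: o for n, o in offsets.items() if abs(o - median) <= tolerance}
    if len(accepted) * 2 <= len(offsets):
        accepted = {}          # no clear majority: do not step the clock
    rejected.extend(n for n in offsets if n not in accepted)
    return accepted, rejected


if __name__ == "__main__":
    now = 1_144_800_000.0      # constructed local clock reading (April 2006)
    sample = {
        "ntp-a": build_reply(now + 0.2),
        "ntp-b": build_reply(now - 0.3),
        "ntp-c": build_reply(now + 90 * 86400),   # months off, as in the thread
    }
    good, bad = select_offsets(sample, now)
    print("accepted:", good)
    print("rejected:", bad)
```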
Re: Open Letter to D-Link about their NTP vandalism
As I replied in a comment offline, auto updating firmware is nothing new.. my cellphone updates itself, as does my satellite receiver, and many other devices as well, (the best of which, perform these tasks without our notice or appreciation). There is of course the potential for a bug causing some unforeseen catastrophe, but much of the risk could be mitigated with a bit of planning and a well designed system, (ex. old image is stored, and boot failure loads that image.. image is first downloaded, test md5, then flashed etc). Servers have been using these technologies for quite a while now, all tested and true. Also, one would expect the vendors to release updates only when necessary, with some serious QA before a release, (but if they did that in the first place, we wouldn't be having this discussion ;o) Just a thought. John - Original Message - From: Steven M. Bellovin [EMAIL PROTECTED] To: John Underhill [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, April 11, 2006 12:24 PM Subject: Re: Open Letter to D-Link about their NTP vandalism On Tue, 11 Apr 2006 10:28:32 -0400, John Underhill [EMAIL PROTECTED] wrote: It seems to me, that the only *real* solution is for these manufacturers to implement a [responsible] strategy of automatic firmware upgrades, as it pertains to these (simple eu type) devices. How difficult would it be to have the router test a server periodically, (say once a month), and in the case of a critical flaw in the software, silently update the device? I suspect it is cost/benefit skepticism that is keeping them from doing just that. It would be a disaster. My (cable modem) ISP does that to my cable modem/NAT box. A few months ago, a buggy update made the NAT part drop all connections after 30 minutes. It took me a week or so to get enough data to nail down the problem precisely. I then had the fun of trying to get through the phone droids to reach someone who understood what NAT or TCP meant.
What unusual combination of features will random upgrades break? By the way, since we're talking about D-Link, it's instructive to read the warnings on their firmware update pages. Do NOT upgrade firmware on any D-Link product over a wireless connection. Failure of the device may result. Use only hard-wired network connections. This firmware is engineered for US products only. Using this firmware on a device outside of the United States will void your warranty and may render the device unusable. Other warnings I've seen include warnings that all configuration options will be reset, version incompatibilities, and the suggestion that one should connect to a UPS before doing the upgrade, just in case. (Hmm -- there's a vicious thunderstorm approaching, and the lights are flickering. And it's time for the monthly autoupgrade!) --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Open Letter to D-Link about their NTP vandalism
On Tue, Apr 11, 2006 at 02:04:39AM -0400, Alain Hebert wrote: Paul Vixie wrote: [EMAIL PROTECTED] (Simon Lyall) writes: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. that creates new liability, and isn't realistic in today's litigious world. (Surprise to read that from PV.) Why? It may be the voice of experience. In this country, and in many others with hypertrophied legal systems, one may sue another for any reason whatsoever. If the person bringing suit picks the judge carefully, the suit might even not be recognised as idiotic and thrown out immediately as without merit. It is obvious that D-Link should not be doing this to DIX, no matter how short a skirt DIX may be wearing. [;-)] However, why should DIX try to turn around and do likewise to innocent D-Link customers, even given that most of them would not notice it? -- Joe Yao --- This message is not an official statement of OSIS Center policies.
Re: Open Letter to D-Link about their NTP vandalism
Joseph S D Yao wrote: On Tue, Apr 11, 2006 at 02:04:39AM -0400, Alain Hebert wrote: Paul Vixie wrote: [EMAIL PROTECTED] (Simon Lyall) writes: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. that creates new liability, and isn't realistic in today's litigious world. (Surprise to read that from PV.) Why? It may be the voice of experience. In this country, and in many others with hypertrophied legal systems, one may sue another for any reason whatsoever. If the person bringing suit picks the judge carefully, the suit might even not be recognised as idiotic and thrown out immediately as without merit. It is obvious that D-Link should not be doing this to DIX, no matter how short a skirt DIX may be wearing. [;-)] However, why should DIX try to turn around and do likewise to innocent D-Link customers, even given that most of them would not notice it? Because it's DIX resources... They can do whatever they want with it. They owe nothing to DLink customers, and DLink customers should know to buy equipment from a better company that does not trespass on other properties. Enough of them might see it and make enough chatter to get DLink to fire that idiotic engineering team and fix that flaw. Because at the end of the day... It is a flaw. As a device developer myself, I always ask... what would Cisco do. (;-} -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
* [EMAIL PROTECTED] (Robert Bonomi) [Tue 11 Apr 2006, 22:00 CEST]: I'll suggest that there are several presumptions in that 'claim' that are not fully supported by the facts of the matter, as previously described. Please don't suggest anything of the kind. This is not the North American International Law Posturing Group. Your legal opinion is appreciated, but it's off-topic for this list. -- Niels. -- Calling religion a drug is an insult to drugs everywhere. Religion is more like the placebo of the masses. -- MeFi user boaz
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006 15:00:14 CDT, Robert Bonomi said: 1) _Who_says_ it is 'false data'? *Who*knows* what that machine is 'supposed' to provide TO WHOM? I think if you are handing another machine an NTP packet that's intentionally set several months off just to get them to shut up, you *know* the answer to is it false data. I submit that; 1) If the query originator is 'entitled' to make assumptions about what the 2) It would seem that the server operator is *equally* 'entitled' to make assumptions about what the query means, and 3) to respond in a manner consistent with _his_ understanding of what the query originator 'wanted'. If the query originator fails to 'get what he wanted', due to his failure to communicate _in_advance_ with the server operator, *WHO* is to blame? I suppose pointing out that the Internet works because providers *cooperate* and *agree on protocols* would be pointless
Re: Open Letter to D-Link about their NTP vandalism
[EMAIL PROTECTED] wrote: On Tue, 11 Apr 2006 15:00:14 CDT, Robert Bonomi said: 1) _Who_says_ it is 'false data'? *Who*knows* what that machine is 'supposed' to provide TO WHOM? I think if you are handing another machine an NTP packet that's intentionally set several months off just to get them to shut up, you *know* the answer to is it false data. I submit that; 1) If the query originator is 'entitled' to make assumptions about what the 2) It would seem that the server operator is *equally* 'entitled' to make assumptions about what the query means, and 3) to respond in a manner consistent with _his_ understanding of what the query originator 'wanted'. If the query originator fails to 'get what he wanted', due to his failure to communicate _in_advance_ with the server operator, *WHO* is to blame? I suppose pointing out that the Internet works because providers *cooperate* and *agree on protocols* would be pointless Yeap ... cooperate... Which DLink is not doing. All legal discussions end the same way... a dead end. Half are scared by lawyers and the other half have enough intestinal fortitude to put them in their place. (At the bottom of the sea hopefully) -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. that creates new liability, and isn't realistic in today's litigious world. (Suprise to read that from PV.) Why? It may be the voice of experience. ... Because its DIX ressources... They can do whatever they want with it. actually, not. who owns the resources isn't as important, to a judge, as whether someone is damaged and whether that damage resulted from an intentional act. the voice of experience, if i have one, says that if DIX wants to cease providing this service they can do so safely, but if they decide to deliberately return the wrong time, and if that wrong time costs or loses somebody else some money, then a judge would take it seriously. again, denying service (assuming there's no explicit contract to provide it) is unquestionably safe. i was responding to the proposal that the wrong time be deliberately returned. you'd be betting that nobody would notice or that it would cost nobody money -- which isn't a safe bet, since someone can always find ways to allege that your intentional actions cost them money. (as opposed to your deliberate inaction, as in the case of denying service.) note, IANAL. but i've been sued by experts, and even stupid lawsuits cost a lot to answer/defend, and not all stupid lawsuits are provably frivolous. -- Paul Vixie
Re: Open Letter to D-Link about their NTP vandalism
Paul Vixie wrote: I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. that creates new liability, and isn't realistic in today's litigious world. (Surprise to read that from PV.) Why? It may be the voice of experience. ... Because it's DIX resources... They can do whatever they want with it. actually, not. who owns the resources isn't as important, to a judge, as whether someone is damaged and whether that damage resulted from an intentional act. the voice of experience, if i have one, says that if DIX wants to cease providing this service they can do so safely, but if they decide to deliberately return the wrong time, and if that wrong time costs or loses somebody else some money, then a judge would take it seriously. again, denying service (assuming there's no explicit contract to provide it) is unquestionably safe. i was responding to the proposal that the wrong time be deliberately returned. you'd be betting that nobody would notice or that it would cost nobody money -- which isn't a safe bet, since someone can always find ways to allege that your intentional actions cost them money. (as opposed to your deliberate inaction, as in the case of denying service.) note, IANAL. but i've been sued by experts, and even stupid lawsuits cost a lot to answer/defend, and not all stupid lawsuits are provably frivolous. I see that... Anyway legal threads always finish in the same dead end... Let's get the DIX case into the media and get DLink to take its responsibilities. I'm sure with enough spin in the right media (blog/Wired/Computer Show) this could be solved quite rapidly. Have fun... -- Alain Hebert [EMAIL PROTECTED] PubNIX Inc. P.O. Box 175 Beaconsfield, Quebec H9W 5T7 tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
well-known NTP? (Re: Open Letter to D-Link about their NTP vandalism)
Date: Tue, 11 Apr 2006 16:30:11 -0400 From: Valdis.Kletnieks I suppose pointing out that the Internet works because providers *cooperate* and *agree on protocols* would be pointless To a certain [limited] extent, anyway, as countless NANOG-L threads prove time and again. Of course, it's hard to view D-Link as cooperative in this instance. AS112-style NTP service, anyone? That would be cooperative and possibly even useful. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: Open Letter to D-Link about their NTP vandalism
Hi Matt- On Tue, 11 Apr 2006, Matthew Black wrote: Are you suggesting that we configure our e-mail servers to notify people upon automatic deletion of spam? Absolutely not. I was responding to the suggestion that it's a good idea to silently drop mail which you have accepted with a 2xx SMTP rcode. Frequently, spam cannot be properly identified until closure of the SMTP conversation and that final 200 MESSAGE ACCEPTED.. I disagree. If your system cannot make content-based decisions on whether to accept mail until later, it is broken by design. .or do you think that TCP/IP connection should be held open until the message can be scanned for spam and viruses just so we can give a 550 MESSAGE REJECTED error instead of silently dropping it? absolutely. is that actually a problem, today, in 2006? Because most spam originates from a bogus or stolen sender address, notification creates an even bigger problem. What's next: asking for permission to hang up on telemarketers? once again, I never advocated the generation of any such retarded blowback. matto [EMAIL PROTECTED] darwin Moral indignation is a technique to endow the idiot with dignity. - Marshall McLuhan
RE: Open Letter to D-Link about their NTP vandalism
> 2) *Who*says* there is 'malicious intent' involved? I'm going to be travelling 'off network' (with the 'network' being defined as the one where I have published that I'm providing time-server services to), and I happen to have a recurring need for 32-bit units of a specifically transformed output of a local hardware-based /dev/random. So, I put up a server to deliver that data when requested. For reasons of 'convenience' in my programming, I choose to format the queries/responses like a particular 'well known' protocol, and run it on the port associated with that well-known protocol. Do I have any responsibility to 'announce' that I'm doing something like that, for 'private' use?

I don't understand how you can think that a hypothetical where we don't know what the intent is constitutes a response to a situation where we do know exactly what the intent is. I hope your argument is not "if you can lie and get away with it, then it's okay". That doesn't sound like a good business model to me.

> again, denying service (assuming there's no explicit contract to provide it) is unquestionably safe. i was responding to the proposal that the wrong time be deliberately returned. you'd be betting that nobody would notice or that it would cost nobody money -- which isn't a safe bet, since someone can always find ways to allege that your intentional actions cost them money. (as opposed to your deliberate inaction, as in the case of denying service.)

The problem in this case is that there is no perfect way to deny service. If bums are trampling your garden to take food out of your garbage, you can lock the garbage can, but you can't poison the food. The problem becomes when the locked garbage can is a problem for the garbage collectors.

I don't think anything short of legal action against D-Link is likely to solve this. I'd love to be proven wrong.

DS
Spam filtering bcps [was Re: Open Letter to D-Link about their NTP vandalism]
On 4/11/06, Matthew Black [EMAIL PROTECTED] wrote:
> Are you suggesting that we configure our e-mail servers to notify people upon automatic deletion of spam? Frequently, spam cannot be properly identified until closure of the SMTP conversation and that final 200 "MESSAGE ACCEPTED"...or do you think that TCP/IP connection should be held open until the message can be scanned for spam and viruses just so we can give a 550 MESSAGE REJECTED error instead of silently dropping it?

You can reject right after DATA, at the CRLF.CRLF stage, before QUIT. That's still an in-line smtp reject rather than an accept + bounce DSN. Exim with the spamassassin patches (sa-exim) does this, for example.

-srs
Re: Open Letter to D-Link about their NTP vandalism
Two concrete technical suggestions to mitigate the volunteered NTP server's usage issues at the DIX:

(1) Have someone else anycast the DIX block, and NAT the incoming NTP requests to another NTP stratum-1 server (e.g. pool address(es)).

Or a much better idea:

(2) Renumber into a new /24, which is announced only at the DIX with no-export, so that only DIX members are able to reach the server - as was the intended usage of this NTP server in the first place.

(The announcement can be made by anyone at the DIX; it is not strictly necessary that the NTP server be the announcer of the /24. And in fact, it need not be a /24, as the server should be the only occupant of the block - but it should not be covered by any globally visible aggregate, at least not one contiguous to the connectivity at the DIX.)

As to the liability issue, it is easy enough to envision that someone, somewhere, is relying on time results from NTP for a life-or-death application, like a medical device, and is innocently an impacted third party in this. Sending bad NTP values could in theory be responsible for killing someone's scratch monkey...

--
Brian Dickson
Email: [EMAIL PROTECTED]
http://www.chateau-briand.net
Tel : +1 647 234 7282
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Alain Hebert wrote:
> Yeap ... cooperate... Which DLink is not doing. All legal discussions end the same way... a dead end. Half are scared by lawyers and the other have enough intestinal fortitude to put them in their place. (At the bottom of the sea hopefully)

If everyone on NANOG were to send a boycott email ("Our company, Acme Internet Carrier of Oshkosh, will no longer be using Dlink equipment due to yada yada yada") and send it to the Investor Relations email addresses listed at:

http://www.corpasia.net/taiwan/2332/irwebsite/index.php?secid=22version=emod=ircontacts

Then Dlink would have to sit up and notice and fix the problem (especially once the quarterly sales numbers show an unexplained 10% sales dip starting in May 2006). And best of all - no lawyers needed. Boycotting someone or something is legal.

-Hank
Re: Open Letter to D-Link about their NTP vandalism
At 11:47 PM -0400 4/11/06, Brian Dickson wrote:
> Two concrete technical suggestions to mitigate the volunteered NTP server's usage issues at the DIX: (1) Have someone else anycast the DIX block, and NAT the incoming NTP requests to another NTP stratum-1 server (e.g. pool address(es)). Or a much better idea: (2) Renumber into a new /24, which is announced only at the DIX with no-export, so that only DIX members are able to reach the server - as was the intended usage of this NTP server in the first place.

All these messages for a device that:
- probably uses ntp for internal log caching
- is a home/SOHO device
- a box that can't be chimed
- has ntp on the wan port only

http://support.dlink.com/faq/view.asp?prod_id=1228question=DI-604%20/%20DI-524_revD%20/%20DI-524_revE%20/%20DI-614+%20/%20DI-624%20/%20DI-754%20/%20DI-764%20/%20DI-774%20/%20DI-614+_revB%20/%20DI-604_revE%20/%20DI-774_revB%20/%20Di-784%20/%20DI-514
http://www.support.dlink.com/faq/view.asp?prod_id=1983question=configure+ntp

I wonder whose DNS servers they embedded.

-M

--
Martin Hannigan (c) 617-388-2663
Renesys Corporation (w) 617-395-8574
Member of Technical Staff
Network Operations
[EMAIL PROTECTED]
Re: Open Letter to D-Link about their NTP vandalism
BD Date: Tue, 11 Apr 2006 23:47:11 -0400
BD From: Brian Dickson
BD As to the liability issue, it is easy enough to envision that
BD someone, somewhere, is relying on time results from NTP for a
BD life-or-death application, like a medical device, and is innocently
BD an impacted third party in this.

If I had a life-or-death application depending on NTP, I'd do what I've already suggested: Use GPS and multiple stratum-1 servers, and clip adjustment delta magnitude. I might also listen for a heartbeat (no pun intended) saying "device agrees with NTP server", then raise an error if that condition failed.

BD Sending bad NTP values could in theory be responsible for killing
BD someone's scratch monkey...

I can only hope that my life is never entrusted to a device that, at the suggestion of a lone NTP server, would adjust the clock by 42 years. IANAL, nor do I play one on TV, but such a setup would seem grossly negligent. Automated devices fail. Pretending otherwise is foolish.

But you _did_ say scratch monkey. :-)

Eddy

--
Everquick Internet - http://www.everquick.net/
A division of Brotsman Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
Re: Open Letter to D-Link about their NTP vandalism
On Mon, 10 Apr 2006 [EMAIL PROTECTED] wrote:
> One particular piece of crapware of the tucows archive variety would retry once per second if it hadn't heard a response - but an ICMP Port Unreachable would trigger an *immediate* query, so it would basically re-query at whatever the RTT for the path was.

I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem. Just not returning anything means the time still works on the querying device (especially if it uses multiple servers) and the problem will not be noticed and it will continue.

--
Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
Re: Open Letter to D-Link about their NTP vandalism
[EMAIL PROTECTED] (Simon Lyall) writes:
> I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem.

that creates new liability, and isn't realistic in today's litigious world.

--
Paul Vixie
Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Paul Vixie wrote:
> [EMAIL PROTECTED] (Simon Lyall) writes:
> > I've said in other forums the only solution for this sort of software is to return the wrong time (by several months). The owner might actually notice then and fix the problem.
> that creates new liability, and isn't realistic in today's litigious world.

Everyone here runs spam filters. Many times a day you tell a remote MTA you've accepted their email but you delete it instead. Explain the difference?

I run an NTP server. The only place it is advertised is a list which says "To be used by people in DK exchange only". Explain the difference between my blocking someone's packets (which causes them to just resend), sending a KOD (NTP for "go away") packet (which is ignored) and telling them the time is 2001-11-11 11:11:11 every time they ask?

People running RBLs change the access policy or return 127.0.0.1 for every query sometimes. People running public Mail relays or public DNS servers regularly block access or return bad results.

NTP provides a method to tell people to go away (the KOD packet); if a remote client ignores that and keeps flooding your (or your upstream's) filters with many udp packets per second, what exactly is someone supposed to do? There is no contract between the Server operator and the abusing client. The client is abusing the access policy and they have ignored the automatic request to go away.

--
Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
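What the KOD packet Simon mentions looks like on the wire, and how a conforming SNTP client is supposed to react to it (and to a server that simply stops answering), as an added Python illustration that is not code from the thread or from any vendor's firmware. The header layout follows RFC 5905; the poll limits and the one-second "naive" client model are constructed here for the comparison.

```python
"""SNTP client behaviour around Kiss-o'-Death (KoD) and silent servers.
Added illustration for this thread, not code from the thread or from any vendor's
firmware. Header layout follows RFC 5905; the poll limits and the one-second
"naive" model are constructed here for the comparison."""
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
NTP_FORMAT = "!BBbb11I"        # 48-byte header: LI/VN/Mode, stratum, poll, precision, 11 words
MIN_POLL = 6                   # 2**6 = 64 s, smallest interval a conforming client uses
MAX_POLL = 10                  # 2**10 = 1024 s, back-off cap used by this model


def build_packet(li, version, mode, stratum=0, refid=b"\0\0\0\0", transmit_time=None):
    """Serialise a 48-byte NTP header; only the fields this model needs are filled in."""
    words = [0] * 11  # root delay, root dispersion, refid, then four 64-bit timestamps
    words[2] = struct.unpack("!I", refid.ljust(4, b"\0")[:4])[0]
    if transmit_time is not None:
        ntp_time = transmit_time + NTP_EPOCH_OFFSET
        words[9] = int(ntp_time) & 0xFFFFFFFF
        words[10] = int((ntp_time - int(ntp_time)) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack(NTP_FORMAT, (li << 6) | (version << 3) | mode, stratum, 0, 0, *words)


def build_request(version=4):
    """Client request (mode 3) carrying the current time as transmit timestamp."""
    return build_packet(0, version, 3, transmit_time=time.time())


def build_kod(kiss_code, version=4):
    """Server-side KoD (RFC 5905 7.4): LI=3, stratum 0, mode 4, refid = ASCII kiss code."""
    return build_packet(3, version, 4, stratum=0, refid=kiss_code.encode("ascii"))


def parse_reply(data):
    """Decode a reply; stratum 0 with a purely alphabetic refid marks a KoD."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, _precision, *words = struct.unpack(NTP_FORMAT, data[:48])
    refid = struct.pack("!I", words[2])
    return {
        "li": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "poll": poll,
        "refid": refid,
        "kiss_code": refid.decode("ascii") if stratum == 0 and refid.isalpha() else None,
        "transmit_time": words[9] - NTP_EPOCH_OFFSET + words[10] / (1 << 32),
    }


class PollScheduler:
    """Conforming behaviour: double the interval when unanswered, slow down on RATE,
    stop for good on DENY/RSTR."""

    def __init__(self):
        self.poll = MIN_POLL
        self.disabled = False

    def interval(self):
        return 1 << self.poll  # seconds until the next request

    def on_no_reply(self):
        self.poll = min(self.poll + 1, MAX_POLL)

    def on_reply(self, reply):
        code = reply["kiss_code"]
        if code in ("DENY", "RSTR"):
            self.disabled = True  # access denied: never poll this server again
        elif code == "RATE":
            # honour the server's requested minimum poll, and at least back off one step
            self.poll = min(max(self.poll + 1, reply["poll"]), MAX_POLL)
        elif reply["stratum"] == 0:
            self.on_no_reply()    # other kiss codes: no usable time, treat as unanswered


class NaiveScheduler:
    """Model of the misbehaving clients the thread describes: fixed 1 s retry, KoD ignored."""
    disabled = False

    def interval(self):
        return 1

    def on_no_reply(self):
        pass

    def on_reply(self, reply):
        pass


def requests_in_window(scheduler, server, window):
    """Count requests a client sends within `window` seconds; `server(i)` returns the
    raw reply to the i-th request, or None when the server stays silent."""
    t = sent = i = 0
    while t < window and not scheduler.disabled:
        sent += 1
        data = server(i)
        if data is None:
            scheduler.on_no_reply()
        else:
            scheduler.on_reply(parse_reply(data))
        t += scheduler.interval()
        i += 1
    return sent
```

Over one day a silent server costs the conforming model 87 requests and the naive model 86400, and a single DENY stops the conforming client after its first request; the naive client never sees the difference, which is why filtering alone does not end the traffic.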
Re: Open Letter to D-Link about their NTP vandalism
On Sat, 08 Apr 2006 11:17:20 CDT, Nicholas Suan said:
> It would be nice if it were that simple. However there are an annoyingly large number of poorly-written clients whose polling ratios do not decrease after they get no response from the server. There have even been some clients whose polling rate *increases* after they get no response.

One particular piece of crapware of the tucows archive variety would retry once per second if it hadn't heard a response - but an ICMP Port Unreachable would trigger an *immediate* query, so it would basically re-query at whatever the RTT for the path was.

Said software was why instead of leaving NTP disabled on the before-mentioned box, and hoping that at least *some* people would clue in from the ICMP reply, I had to basically firewall and drop the packets entirely.
Re: Open Letter to D-Link about their NTP vandalism
On Fri, 07 Apr 2006 20:16:03 EDT, Jared Mauch said:
> My suggestion is rename from gps -> gps1 and drop the gps dns name. That combined with some bind/whatever views that scope the dns responses are effective since it's a DNS name.

That will fix the problem. In 2012 or so.

I have a hostname that just now saw 500 NTP packets in 112 seconds. OK, so it's only 5 packets per second. Mind you, that hostname *was* at one time a stratum-2 server. But it moved to a different host on April 7, 2000 - 6 *years* ago. One year after that, it stopped answering NTP entirely at that IP address. And that IP address went away entirely during a building renovation 4 years ago. There's still an ARP every 2-3 seconds for it caused by people who hard-coded the IP address.

I'm not sure which is scarier - the fact that of those 500 queries, 367 were *still* running NTPv1 - or that 89 were NTPv3 and 44 were NTPv4, when the host in question has never answered an NTPv4 query from off campus.

So somebody mentioned a stratum-1 is seeing 37 PPS - I'm still seeing 1/6 of that level for something that went away *last century*.
Re: Open Letter to D-Link about their NTP vandalism
On Sat Apr 08, 2006 at 03:15:24AM -0400, [EMAIL PROTECTED] wrote:
> There's still an ARP every 2-3 seconds for it caused by people who hard-coded the IP address.

I've been configuring up a few ciscos recently. In the config, I enter "ntp server pool.ntp.org", at which point IOS resolves pool.ntp.org, and stores the IP address it gets in the config. Not entirely what is expected, but an explanation for why IPs get hardcoded...

Simon

--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director | * Domain Web Hosting * Internet Consultancy *
Bogons Ltd | * http://www.bogons.net/ * Email: [EMAIL PROTECTED] *
Re: Open Letter to D-Link about their NTP vandalism
Matt Ghali [EMAIL PROTECTED] writes:
> Companies behaving irresponsibly and releasing (selling!) code that abuses a shared public resource should not be the norm.

The addresses that are configured into shipping Apple products for NTP are:

time.apple.com
time.asia.apple.com
time.euro.apple.com

Time returns 4 A records, time.euro 2, and time.asia 1. All are on net 17, so it's almost certain that Apple owns/runs 'em all.

Yes, there are public NTP servers out there. Since the force multiplier effect of a defective shipping product is likely to have serious repercussions for the (all volunteer) owners of same, Apple's approach ought to be held up as the gold standard of manufacturer responsibility.

---rob
Re: Open Letter to D-Link about their NTP vandalism
On 4/8/06, Robert E. Seastrom [EMAIL PROTECTED] wrote:
> The addresses that are configured into shipping Apple products for NTP are: time.apple.com time.asia.apple.com time.euro.apple.com

ubuntu linux has ntp.ubuntulinux.org for this

Oh, and windows xp is set up with an option to automatically sync time from time.windows.com (right click the date on your xp taskbar, adjust date and time..)

-srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
Re: Open Letter to D-Link about their NTP vandalism
On Sat, Apr 08, 2006 at 03:15:24AM -0400, [EMAIL PROTECTED] wrote:
> On Fri, 07 Apr 2006 20:16:03 EDT, Jared Mauch said:
> > My suggestion is rename from gps -> gps1 and drop the gps dns name. That combined with some bind/whatever views that scope the dns responses are effective since it's a DNS name.
> That will fix the problem. In 2012 or so. I have a hostname that just now saw 500 NTP packets in 112 seconds. OK, so it's only 5 packets per second. Mind you, that hostname *was* at one time a stratum-2 server. But it moved to a different host on April 7, 2000 - 6 *years* ago. One year after that, it ...

So, I've run various services over the years, including at one time being hostmaster at cic.net, and dealt with renaming and renumbering our dns servers once or twice. At one time our server spruce.cic.net was numbered 35.42.1.100, and we tried to renumber it to 198.87.18.10. We faced numerous challenges in this, as we had customers that would use it as the secondary dns server so we not only had to get them to change everything, but back in the bind4 days, it was common to stick out-of-zone glue in various files. This could have the impact of dns cache poisoning. We spent a lot of time tracking down the offenders and getting them to fix the zone files.

I'm sure still today merit is seeing dns traffic to 35.42.1.100 and that whatever is at the (still valid dns record) for spruce is seeing dns queries from someone's win95 dialup host.

This is something that is very common that those who have run dns services have seen. The same is true for any other service out there; uu.net folks are familiar with having their dns server being used by people that are not their customers anymore for recursion, this is quite common.

If networks find this a problem, they should also consider asking the community for support; there may be people willing to add that IP to their various ntp servers, or in the case of dns-anycast, to their existing resolver systems.

I do think that the vendor in question here should do something to help. I'm just glad that I don't own any of their products.

- jared

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: Open Letter to D-Link about their NTP vandalism
On Fri, 7 Apr 2006, Todd Vierling wrote:
> On Fri, 7 Apr 2006, David Hubbard wrote:
> > How about serve back bogus NTP data to non-BIX customer prefixes? Maybe if people's computers start setting themselves to the year 2004 D-Link will do something. :-)
> Perhaps return back a time value that is ~10 seconds from wrapping around? Where wrapping depends on the size of a time value in the device's OS. (Note that if the devices crash because of bad input, I can hardly see that as legally actionable, since the devices never had the permission to use the data source in the first place. ;)

Don't count on that. If you set a bear trap inside your front door, and a burglar injures himself because of it, you can be held liable, at least in most US states. Dunno about .dk.

James Smallacombe
PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED] http://3.am
RE: Open Letter to D-Link about their NTP vandalism
> Service Area: Networks BGP-announced on the DIX

Since the intended (and announced) use of this server is just for DIX networks, blocking NTP from any other networks should be trivial. That IP address will still be hit by D-Link devices looking for a suitable server, but with no response, they'll move on to another device, and probably never try the DIX address again, at least until they're rebooted. That alone should kill off 95% of the unwanted traffic hitting the box, and probably 80% of the traffic even being sent to DIX in the first place.

Chuck
Re: Open Letter to D-Link about their NTP vandalism
On Sat, Apr 08, 2006 at 10:51:27AM -0500, Church, Chuck wrote:
> Since the intended (and announced) use of this server is just for DIX networks, blocking NTP from any other networks should be trivial. That IP address will still be hit by D-Link devices looking for a suitable server, but with no response, they'll move on to another device, and probably never try the DIX address again, at least until they're rebooted. That alone should kill off 95% of the unwanted traffic hitting the box, and probably 80% of the traffic even being sent to DIX in the first place.

It would be nice if it were that simple. However there are an annoyingly large number of poorly-written clients whose polling ratios do not decrease after they get no response from the server. There have even been some clients whose polling rate *increases* after they get no response.
Re: Open Letter to D-Link about their NTP vandalism
GPS.dix.dk service is described as:

DK Denmark GPS.dix.dk (192.38.7.240)
Location: Lyngby, Denmark
Geographic Coordinates: 55:47:03.36N, 12:03:21.48E
Synchronization: NTP V4 GPS with OCXO timebase
Service Area: Networks BGP-announced on the DIX
Access Policy: open access to servers, please, no client use
Contacts: Poul-Henning Kamp ([EMAIL PROTECTED])
Note: timestamps better than +/-5 usec.

I think he should use dns views to answer the queries to gps.dix.dk and either:
( a ) answer 127.0.0.1 to all queries from outside his service area
( b ) answer a D-Link IP address to all queries from outside his service area (which could lead to getting their attention; dunno if from their engineers or from their lawyers).

Rubens

On 4/7/06, Etaoin Shrdlu [EMAIL PROTECTED] wrote:
> Well, this is at least marginally on topic, and I think it deserves a wider audience. It is written by Poul-Henning Kamp (the affected party). Please read it.
>
> http://people.freebsd.org/~phk/dlink/
>
> It ends with the following:
>
> Didn't something like this happen before?
> Yes, D-Link is not the first vendor to make a hash of the NTP protocol. Some years back NetGear products blasted University of Wisconsin off the net. I have repeatedly pointed D-Link's lawyer at this case. Fortunately, in my case it is not that bad. The NetGear incident caused the NTP protocol designers to add a "kiss of death" option to the latest (S)NTP standard but D-Link's devices do not respect that option. I have tried.

--
"You can't have in a democracy various groups with arms - you have to have the state with a monopoly on power," Condoleezza Rice, the US secretary of state, said at the end of her two-day visit to Baghdad yesterday.
...No Comment
Re: Open Letter to D-Link about their NTP vandalism
Rubens Kuhl Jr. wrote:
> GPS.dix.dk service is described as: DK Denmark GPS.dix.dk (192.38.7.240) Location: Lyngby, Denmark Geographic Coordinates: 55:47:03.36N, 12:03:21.48E Synchronization: NTP V4 GPS with OCXO timebase Service Area: Networks BGP-announced on the DIX Access Policy: open access to servers, please, no client use Contacts: Poul-Henning Kamp ([EMAIL PROTECTED]) Note: timestamps better than +/-5 usec.
>
> I think he should use dns views to answer the queries to gps.dix.dk and either: ( a ) answer 127.0.0.1 to all queries from outside his service area ( b ) answer a D-Link IP address to all queries from outside his service area (which could lead to getting their attention; dunno if from their engineers or from their lawyers).

Neither of which would solve the problem of his bandwidth being used by these, although (b) might actually serve to get their attention.

Perhaps as a thanks to him for the public service he provides the DIX, all of the users at DIX could set their external routers to reject incoming NTP packets from networks other than their own? Or even combine that with (b), although it might be more effective if it targeted, oh, www.dlink.com instead of an IP address. Then at least it would not be taking up internal DIX bandwidth capacity.

By no means am I encouraging legally actionable activity, however, and as noted, (b) just might be.

--
Jeff Shultz
Re: Open Letter to D-Link about their NTP vandalism
Hi,

Should not be hard to fix... It's clearly a misuse of dix.dk services.

Couple of things:

Since it's bgp and DIX customers surely have to provide a list of subnets to announce (filter and such), add those to the ntp server, or use ipf/ipfw/iptables to filter in the dix customers and I would redirect the others' traffic to a dummy clock with a messed up time... after a few complaints DLINK would wake up. (Don't try to pin any legal issues to this ... it's DIX servers/bandwidth/resources, DLink (and its customers) has no regard on what DIX does with its resources)

- Also there is a list of ntp servers in the device and I'm sure DLink never got the permission from most of them. So try to contact the 100+ ntp services for a class action.

DLink should use 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, and even better provide their own x.ntp.dlink.com.

Jeff Shultz wrote:
> Rubens Kuhl Jr. wrote:
> > GPS.dix.dk service is described as: DK Denmark GPS.dix.dk (192.38.7.240) Location: Lyngby, Denmark Geographic Coordinates: 55:47:03.36N, 12:03:21.48E Synchronization: NTP V4 GPS with OCXO timebase Service Area: Networks BGP-announced on the DIX Access Policy: open access to servers, please, no client use Contacts: Poul-Henning Kamp ([EMAIL PROTECTED]) Note: timestamps better than +/-5 usec.
> > I think he should use dns views to answer the queries to gps.dix.dk and either: ( a ) answer 127.0.0.1 to all queries from outside his service area ( b ) answer a D-Link IP address to all queries from outside his service area (which could lead to getting their attention; dunno if from their engineers or from their lawyers).
> Neither of which would solve the problem of his bandwidth being used by these, although (b) might actually serve to get their attention.
> Perhaps as a thanks to him for the public service he provides the DIX, all of the users at DIX could set their external routers to reject incoming NTP packets from networks other than their own? Or even combine that with (b), although it might be more effective if it targeted, oh, www.dlink.com instead of an IP address. Then at least it would not be taking up internal DIX bandwidth capacity. By no means am I encouraging legally actionable activity, however, and as noted, (b) just might be.

--
Alain Hebert [EMAIL PROTECTED]
PubNIX Inc.
P.O. Box 175 Beaconsfield, Quebec H9W 5T7
tel 514-990-5911 http://www.pubnix.net fax 514-990-9443
Re: Open Letter to D-Link about their NTP vandalism
> > I think he should use dns views to answer the queries to gps.dix.dk and either: ( a ) answer 127.0.0.1 to all queries from outside his service area ( b ) answer a D-Link IP address to all queries from outside his service area (which could lead to getting their attention; dunno if from their engineers or from their lawyers).
> Neither of which would solve the problem of his bandwidth being used by these, although (b) might actually serve to get their attention.

This reduces the bandwidth, as instead of dropping NTP packets, they would never come to him in the first place.

> Perhaps as a thanks to him for the public service he provides the DIX, all of the users at DIX could set their external routers to reject incoming NTP packets from networks other than their own? Or even combine

Which still would require him to answer DNS requests for gps.dix.de.

> that with (b), although it might be more effective if it targeted, oh, www.dlink.com instead of an IP address.

Answering with CNAME instead of A is a good enhancement of the original idea... :-)

> Then at least it would not be taking up internal DIX bandwidth capacity.

It still would require him to answer the DNS requests. Only way to address that is everybody outside DIX declare gps.dix.de as www.dlink.com in their resolvers.

> By no means am I encouraging legally actionable activity, however, and as noted, (b) just might be.

Motion granted.

Rubens
RE: Open Letter to D-Link about their NTP vandalism
> From: Rubens Kuhl Jr.
> It still would require him to answer the DNS requests. Only way to address that is everybody outside DIX declare gps.dix.de as www.dlink.com in their resolvers.

How about serve back bogus NTP data to non-BIX customer prefixes? Maybe if people's computers start setting themselves to the year 2004 D-Link will do something. :-)

Dave
RE: Open Letter to D-Link about their NTP vandalism
On Fri, 7 Apr 2006, David Hubbard wrote:
> How about serve back bogus NTP data to non-BIX customer prefixes? Maybe if people's computers start setting themselves to the year 2004 D-Link will do something. :-)

Perhaps return back a time value that is ~10 seconds from wrapping around? Where wrapping depends on the size of a time value in the device's OS. (Note that if the devices crash because of bad input, I can hardly see that as legally actionable, since the devices never had the permission to use the data source in the first place. ;)

--
Todd Vierling [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Open Letter to D-Link about their NTP vandalism
Rubens Kuhl Jr. wrote:
[big snip]
> It still would require him to answer the DNS requests. Only way to address that is everybody outside DIX declare gps.dix.de as www.dlink.com in their resolvers.

Oh, I see two things here - the first is that he's in charge of his DNS, which he probably isn't. DIX likely is, but that's minor. They'll probably support him in this.

The second is that I was concatenating this letter and the also referenced Netgear letter, where they were doing refs by IP address instead of DNS like the D-Link is. Combine both of them - reject outside the DIX DNS requests outside the service area (or send them to a DLink CNAME as mentioned) and as a backup reject/redirect all NTP from outside to the gps.dix.de IP address at the edge. Belt and Suspenders as such.

As for the bogus NTP data idea... how many people buying a consumer grade router like this even have a clue what NTP is, much less notice what it's doing to that box over in the corner? It won't affect their computer, therefore they won't care. It's just buzzwords on the box.

--
Jeff Shultz
Re: Open Letter to D-Link about their NTP vandalism
On Fri, Apr 07, 2006 at 12:52:29PM -0700, Etaoin Shrdlu wrote:
> Well, this is at least marginally on topic, and I think it deserves a wider audience. It is written by Poul-Henning Kamp (the affected party). Please read it.
>
> http://people.freebsd.org/~phk/dlink/

*sigh*

Yes yes everyone loves a good "large stupid company screws the little guy by sticking their small/free service into a commercial product" story, but unfortunately none of these solutions are very pragmatic. If I hosted an NTP server and dlink put it in a default query list of a default firmware, and then I asked them to pay my Equinix bill for the next 5 years, I would fully expect them to provide a nice little ascii diagram of exactly where I could stick it.

It's just NTP, I can't imagine that it is *really* enough traffic to care all that much. There are probably a hundred people on this list who could donate free transit for this and not give it a second thought (hell if I had a pop anywhere close to .dk I would donate a gigabit solely to end this nanog thread before it turns into a bunch of self-righteous whining). There are probably an equal number of people who could donate hardware for this, either for filtering or for the IX (if they REALLY don't have the resources to handle it without charging, which I highly doubt). I'm sure you could probably pick out the dlink queries with sufficient packet inspection too, which I'm also sure you can achieve with a FreeBSD box and a couple hours of spare time. :)

Seriously now, there are a million viable solutions here, ranging from mild inconvenience to attempting to screw dlink for being dumbasses, all of which are free. Point the A record elsewhere and have people who care change to a new record, it's not worth $62k.

Oh and one more thing, if the goal was restricting the traffic to only people who participated at this IX (as per the description), please add this to the list of reasons why announcing your IX subnet over the global internet is a BAD IDEA!

--
Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: Open Letter to D-Link about their NTP vandalism
On Fri, 7 Apr 2006 18:49:18 -0400, Richard A Steenbergen [EMAIL PROTECTED] wrote:
> It's just NTP, I can't imagine that it is *really* enough traffic to care all that much. There are probably a hundred people on this list who could donate free transit for this and not give it a second thought (hell if I had a pop anywhere close to .dk I would donate a gigabit solely to end this nanog thread before it turns into a bunch of self-righteous whining).

Did you read the posting? His ISP is charging him. He's also put in a fair amount of time trying to get this resolved. As for transit -- NTP works much better with short RTTs, which is precisely why it's good to have a server in Denmark.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Re: Open Letter to D-Link about their NTP vandalism
> It's just NTP, I can't imagine that it is *really* enough traffic to care all that much.

You're kidding, right? Do you know what happened to wisc.edu: http://www.cs.wisc.edu/~plonka/netgear-sntp/
Re: Open Letter to D-Link about their NTP vandalism
On Fri, Apr 07, 2006 at 06:49:18PM -0400, Richard A Steenbergen wrote:
> It's just NTP, I can't imagine that it is *really* enough traffic to care all that much. There are probably a hundred people on this list who could donate free transit for this and not give it a second thought (hell if I had a pop anywhere close to .dk I would donate a gigabit solely to end this nanog thread before it turns into a bunch of self-righteous whining).

It actually does end up being a lot. My fairly modest public ntp server gets about an average 11.38pps in traffic which ends up being almost 4GB/month. It ends up being about 2,300 unique clients over the period of an hour. While I'm unsure how many routers D-Link sold, I would be surprised if it's not at least 100x that.