Obsolescence and Poor Design

I just finished reading an interesting write-up on an accidental Denial-of-Service (DoS) attack launched against network-time servers at the University of Wisconsin by consumer network equipment made by Netgear. More than 700,000 Netgear broadband routers made around 2003 had hard-coded entries for Network Time Protocol (NTP) servers to access for time updates. At the top of the list of servers to use was a system at UWisc. Even worse, if the Netgear routers were unable to contact the UWisc servers, they would repeatedly send requests every second. This created a flood of traffic against UWisc that paralyzed their public Internet infrastructure.
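To put numbers on the retry behaviour described above, the following added example (not code from the write-up or from Netgear firmware) counts the requests a device sends while the server never answers, under the one-second retry and under an assumed exponential backoff. The fleet size is the figure quoted above; the one-hour outage, the backoff base and cap, and the jitter range are constructed assumptions.

```python
import random

FLEET_SIZE = 700_000      # router count quoted in the post
OUTAGE_SECONDS = 3600     # constructed: one hour with no reply from the server


def fixed_retry(_attempt):
    """Behaviour described in the post: retry every second on failure."""
    return 1.0


def backoff_retry(attempt, base=1.0, cap=1024.0):
    """Assumed alternative: double the wait after each failure, up to a cap."""
    return min(cap, base * (2 ** attempt))


def with_jitter(policy, rng):
    """Scale each wait into [0.5, 1.0] of its value so devices desynchronise."""
    return lambda attempt: policy(attempt) * rng.uniform(0.5, 1.0)


def requests_during_outage(policy, outage=OUTAGE_SECONDS):
    """Count the requests one device sends while the server never answers."""
    elapsed, attempt, sent = 0.0, 0, 0
    while elapsed < outage:
        sent += 1                     # request goes out, no reply arrives
        elapsed += policy(attempt)    # wait before the next try
        attempt += 1
    return sent


def fleet_rate(policy, fleet=FLEET_SIZE, outage=OUTAGE_SECONDS):
    """Average requests per second reaching the server from the whole fleet."""
    return fleet * requests_during_outage(policy, outage) / outage


if __name__ == "__main__":
    rng = random.Random(2003)  # fixed seed so the jittered run is repeatable
    policies = [
        ("fixed 1 s retry", fixed_retry),
        ("exponential backoff", backoff_retry),
        ("backoff with jitter", with_jitter(backoff_retry, rng)),
    ]
    for name, policy in policies:
        per_device = requests_during_outage(policy)
        print(f"{name:20s} {per_device:5d} requests/device, "
              f"{fleet_rate(policy):10.0f} requests/s at the server")
```

Without jitter, devices that lose contact at the same moment still retry in lockstep, so the average rate drops but the bursts stay synchronised.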

Netgear created patches for the offending routers which updated the NTP client implementation and the list of NTP servers to use. However, there are always going to be unpatched consumer systems in use that will continue to access the UWisc server. The patches must be applied by the consumer, which implies that the customer is knowledgeable about product defects in the first place (certainly not the majority of consumers). The only thing that will ultimately solve the problem is product obsolescence. The offending Netgear routers were made in 2003 and featured 802.11b technology, which is becoming less prevalent due to the entry of much faster 802.11g wireless technology. As consumers upgrade their home networks to use 802.11g, they will likely discard their old equipment such as the Netgear routers responsible for this DoS attack. I actually owned one of the Netgear products involved in the attack (MR814) until I upgraded to 802.11g and gave the router to my parents for use as an SPI firewall on their broadband connection.

It's all too easy for product designers to compromise long-term thinking when dealing with bleeding-edge technology. Yes, the product will ultimately be part of a "dumpster-upgrade", but the damage that consumer technologies are capable of when networked en masse must be respected.