
ABSTRACT

In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second. Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come. This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities.

Table of Contents

Flawed Routers Flood University of Wisconsin Internet Time Server
Netgear Cooperating with University on a Resolution
The Initial Flood
  Figure 1. The Initial Flood
Blocking the Flood
Background: Simple Network Time Protocol (SNTP)
  Figure 2. A SNTP Request Packet
  Figure 3. A Unicast SNTP Reply Packet
The Flood Continues
  Figure 4. The Flood Continues: One Month Later
Investigation
Contacting Source Networks
  Figure 5. Email Notification to Peer Institution
Gathering Background Information
Examining the Netgear Code
Contacting Netgear
  Figure 6. Email to Netgear Support
  Figure 7. Email from Netgear Support
The Review Process
The Flawed SNTP Client
Impact to Netgear Customers
Code Upgrades for Affected Netgear Products
  Figure 8. Affected Netgear Products
Flawed Product Counts
  Figure 8a. Netgear SNTP Clients Per Day
Suggested Fixes
The Initial Fix: "Instant" Code
Network Operational Options: To Serve or To Sever?
Endgame A: UW-Madison Netgear Anycast Time Service
  Figure 10. A WiscNet BGP-based Anycast Time Service
Endgame B: Attempt to Suppress the Requests
  Figure 11. Using the Global BGP Routing Table to Squelch Requests
Endgame B: IP Resources Required
  Figure 12. IP Resources Required for BGP-based Suppression
Inform the Internet Community
Clarify Internet Best Current Practice and Protocol Standards
Status, August 21, 2003
  Figure 13. The Most Recent Flood
Afterthoughts
Acknowledgements
Analysis Tools
References / Further Reading
Frequently Asked Questions
  What is Netgear's liability for causing (however inadvertently) this denial of service for your network?
  Have you considered putting up a server which sends back fake answers to netgear clients, to cause people to upgrade?
  What is the expected life-time for these products?
  In figure 13, could that "shark fin" spike have anything to do with last week's power grid failure (Blackout 2003), and subsequent "rolling" restoration?
  Are there other devices than those mentioned which also suffer from the flaw which causes inadvertent flooding of your network?
  What was the effect of this article being slashdotted?
  Why is a traditional manufacturer recall/defect solution not a possibility?
  I'm with [the IT press], do you have some time to speak with me?
  How has this story been covered in the press?





Figure 6. Email to Netgear Support

Date: Mon, 16 Jun 2003 16:00:21 -0500
From: Dave Plonka
To: support@netgear.com
Subject: NETGEAR products abusing University of Wisconsin time server

NETGEAR support folks,

Since May 14, 2003, the publicly-advertised Internet time server "ntp1.cs.wisc.edu" (a.k.a. "caesar.cs.wisc.edu", 128.105.39.11) at the University of Wisconsin-Madison has been the recipient of a large-scale flood of time queries apparently from NETGEAR products deployed throughout the Internet.

Currently, based on our analysis we believe that the NETGEAR "Platinum" products such as the RP614 and MR814 are the primary source of this flood of traffic. They likely will need to have their code changed to mitigate what is essentially an accidental Denial-of-Service flood against our NTP infrastructure. The inbound aggregate traffic rate to our network from NETGEAR products currently exceeds 250,000 packets-per-second and 150 megabits-per-second at our border routers, apparently from at least tens-of-thousands of NETGEAR sources. This has also cost us numerous work hours of Internet traffic engineering, troubleshooting, and abuse investigation.

Specifically, the code for the Platinum products appears to contain an embedded Simple Network Time Protocol (SNTP) client, which sends queries from UDP port 23457 to port 123 of the IP host 128.105.39.11. Inexplicably, NETGEAR's products code ships with our server explicitly configured by IP address. We have determined that at least the following code images explicitly contain our server's IP address: MR814_4_11.bin, MR814_v409.bin, RP614_4_0_0.bin, RP614_4_12.bin.

We believe this is inappropriate and not best current practice for load-balancing and reliability of the Internet's NTP service. In addition to the sheer number of deployed products, these requests often occur at a very fast rate from each device (for instance, one per second) and therefore put an enormous load on our NTP server.

Please contact me as soon as possible regarding your products' default SNTP client configuration, possible SNTP client software bug, and the resulting incident which required us to block your customer's SNTP queries to our Network Time Protocol (NTP) server.

We look forward to hearing from you soon.

Dave

P.S. our NTP server is publicly advertised: ~mills/ntp/servers.html ~mills/ntp/clock2a.html

P.P.S. NTP best practice is described in the "Rules of Engagement" section of this document: ~mills/ntp/servers.html

After receiving no response for days, I called Netgear's headquarters, leaving messages with two executives explaining the seriousness of the situation. I also emailed members of Netgear's executive team by guessing their email addresses, based upon their email naming convention. I included a "Return-Receipt-To" header, and their Mail-eXchanger notified me that all were delivered successfully. Here's a portion of that message:

At this point I have a complete write-up of this continuing incident, including traffic measurement statistics evidencing the flood and an analysis of its root cause ready to be released publicly.

I absolutely need to hear from responsible parties at NETGEAR immediately, if NETGEAR wishes to begin a dialogue before this goes public. We're not expecting an immediate solution; in fact, I'm fairly certain there is no complete solution without UW-Madison's involvement.

Netgear's support organization was completely unresponsive. Curiously, I did finally receive the email message below from Netgear's email-based customer support system, some 23 days after I submitted the problem report on June 16.

Figure 7. Email from Netgear Support

Date: Wed, 09 Jul 2003 09:35:46 +1000
From: support@esupport.netgear.com
Subject: RE:NETGEAR products abusing University of Wisconsin time server [#111678]
To: plonka@localdomain

Thank you for your email. We apologize for the delay in responding. Due to an unexpected increase in email volume we have been unable to respond in a timely manner. Your issue may have already been resolved. Please reply to this email if you still require assistance and we will respond as quickly as we can. If your issue is resolved you do not need to reply and we will consider the case closed.

Again thank you for your patience and understanding.

Please help us serve you better by clicking here mailto:support@netgear.com?subject=Feedback_us if you would like to provide any other valuable feedback. (Note: this feedback is not sent to an agent so you will not receive a reply.)

Shortly after beginning a dialogue with Netgear, I proposed the formation of a review team to discuss possible solutions. Netgear agreed, and a review team was formed with about fifteen members, a third from each of these areas:

- Netgear employees
- University employees
- Independent experts from their respective fields:
  - Regional Internet Registries
  - Internet Measurement Research
  - Network Time Protocol

The independent experts agreed to participate without prematurely disclosing the details of the situation.

A number of action items and directions were developed during the review process. These included:

- Fix the SNTP Client
- Propose the Network Operational Options
- Inform the Internet Community
- Clarify Internet Best Current Practice and Protocol Standards

The Flawed SNTP Client

The Flawed Netgear SNTP Client implementation in the products affecting UW-Madison has the following characteristics:

- Uses a hard-coded IP address for the NTP server 128.105.39.11, that of ntp1.cs.wisc.edu.

- Uses a fixed UDP source port number 23457.

  This was incredibly advantageous as it allowed UW-Madison to identify and count the Netgear clients. However, due to the widespread use of Network Address Port Translation (NAPT, or NAT/PAT) upstream from some Netgear products, the SNTP request source port number is sometimes rewritten before the request packet reaches its destination.

  Note to network operators: Please do not block UDP traffic involving port 23457 nor traffic involving our NTP server's IP address of 128.105.39.11. While we appreciate attempts to help, it may interfere with the best possible solution to this problem.

- Polls at one second intervals until it receives a response from the NTP server, after which it uses a longer poll interval such as one minute, ten minutes, two hours, or 24 hours, depending upon product model and firmware version.

Impact to Netgear Customers

As of this writing (August 2003) the University is making its best effort to service the Netgear time requests. As such, users of the affected products should not normally notice any problems due to this flaw. Furthermore, based on experience so far, it seems that only a small subset of the customers are even aware of the time-related features of these products (which include logging, policy scheduling, and email notifications).

In parallel, Netgear has produced and continues to work on firmware that does not exhibit the aforementioned problems. Customers can upgrade to newer firmware versions, which are available for download from Netgear's support site. At the time of this writing (August 2003), the most current version of firmware available for the RP614v2, RP614, DG814, and MR814 models does not utilize UW-Madison's time service nor does it poll too frequently.

Code Upgrades for Affected Netgear Products

Based on information supplied or confirmed by Netgear, the following products contained these SNTP design flaws. Where applicable, I have labeled each with the earliest version of code containing a fix:

Figure 8. Affected Netgear Products

RP614v2, RP614: 4-Port Cable/DSL Router with 10/100 Mbps Switch

C-NET Editors' Choice, July 2002

RP614v2: upgrade to v5.13, released 2003/07/11

RP614: upgrade to v4.14, released 2003/08/20

MR814: 802.11b Cable/DSL Wireless Router

Innovations International CES, Design & Engineering Showcase Honors, 2003

MR814: upgrade to v4.13, released 2003/08/20

DG814: DSL Modem Internet Gateway

Macworld Editors' Choice

DG814: upgrade to v4.8, released 2003/07/09

HR314: 802.11a Cable/DSL High-Speed Wireless Router

HR314: upgrade to v1.4.2, released 2003/09/05
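
The identification described under "The Flawed SNTP Client" (fixed source port 23457 toward 128.105.39.11, with NAPT sometimes rewriting the port) can be turned into a per-day count of unique sources as sketched below. This is an added example, not the author's analysis tooling; the flow-record layout, the sample records and the 0.5 packets-per-second threshold used for port-rewritten sources are assumptions.

```python
from collections import defaultdict

NTP_SERVER = "128.105.39.11"   # ntp1.cs.wisc.edu, as given on the page
NETGEAR_SPORT = 23457          # fixed SNTP source port, as given on the page
FLOOD_PPS = 0.5                # assumed cut-off for "about one query per second"

# Constructed flow records: start_time src sport dst dport proto packets seconds
SAMPLE_FLOWS = """\
2003-06-20T00:00:05 203.0.113.5 23457 128.105.39.11 123 udp 60 60
2003-06-20T00:01:05 203.0.113.5 23457 128.105.39.11 123 udp 60 60
2003-06-20T00:00:09 203.0.113.9 23457 128.105.39.11 123 udp 1 0
2003-06-20T03:10:00 198.51.100.20 61012 128.105.39.11 123 udp 120 120
2003-06-20T03:12:00 192.0.2.77 123 128.105.39.11 123 udp 4 256
2003-06-20T04:00:00 192.0.2.78 1024 128.105.39.11 123 udp 1 0
2003-06-20T05:00:00 203.0.113.9 23457 192.0.2.1 123 udp 30 30
2003-06-21T00:00:07 203.0.113.5 23457 128.105.39.11 123 udp 2 7200
"""


def count_clients(flow_text):
    """Return {day: {"netgear": n, "suspect": m}} counting unique source IPs.

    "netgear": queries to the time server from the fixed source port.
    "suspect": other source ports (possibly NAPT-rewritten) polling at a
    sustained flood rate; ordinary NTP clients poll far more slowly.
    """
    per_day = defaultdict(lambda: {"netgear": set(), "suspect": set()})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue                      # skip malformed records
        start, src, sport, dst, dport, proto, pkts, secs = parts
        if (dst, dport, proto) != (NTP_SERVER, "123", "udp"):
            continue                      # not a query to the time server
        try:
            sport, pkts, secs = int(sport), int(pkts), int(secs)
        except ValueError:
            continue
        bucket = per_day[start[:10]]      # group by calendar day
        if sport == NETGEAR_SPORT:
            bucket["netgear"].add(src)
        elif secs > 0 and pkts / secs >= FLOOD_PPS:
            bucket["suspect"].add(src)
    return {day: {"netgear": len(b["netgear"]),
                  "suspect": len(b["suspect"] - b["netgear"])}
            for day, b in sorted(per_day.items())}


if __name__ == "__main__":
    for day, counts in count_clients(SAMPLE_FLOWS).items():
        print(day, counts)
```

The counter only measures; it does not filter traffic, in line with the note to network operators above.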


Flawed Product Counts

I have counted more than 500,000 unique Netgear sources that queried our time server in one day. This measurement likely underestimates the actual count because of Network Address Port Translation, which modifies the source IP address and port number, and because some broadband residential services drop the customer's link when the service is not in use.

As of June 30, 2003, Netgear reported a total of 707,147 affected products manufactured. Some simple math: If there are 700,000 errant SNTP clients each of which can generate one SNTP request per second to our time server, then the worst-case aggregate rate will be about 700,000 packets per second. Since each SNTP packet is 76 bytes in size, that is also 426 megabits per second of traffic.

Figure 8a shows the actual number of unique NTP Netgear client IP addresses observed per day by a router on UW-Madison's network. Theoretically, counting the clients in this way could overestimate the count if the clients' DHCP servers change the client IP address frequently. However, based on the number of products reported as having been manufactured, it seems fairly accurate.

Figure 8a. Netgear SNTP Clients Per Day

Suggested Fixes

During the review process a number of improvements to the SNTP client were suggested. These included that an SNTP implementation:

- SHOULD use a poll interval within the range from 64 to 1024 seconds or longer
- SHOULD use local NTP server(s) or multicast when available, as configured by the operator or determined by a discovery mechanism such as via the DHCP "Network Time Protocol Servers Option", which is defined in section 8.3 of RFC 2132.
- MAY perform exponential backoff of poll interval (within the aforementioned range) upon failure to receive a response from the NTP server(s)
- MUST NOT use a shorter poll interval upon failure to receive a response from the NTP server(s)
- MUST allow the operator to configure the query behavior with respect to whether or not it is enabled or disabled and with respect to which candidate time servers can be queried.
- SHOULD use the Domain Name System to determine candidate server(s) IP address(es), so that the NTP server's zone administrator can influence the client behavior.
- SHOULD resolve the server IP address via DNS before each poll/query, so that the pertinent DNS entries' Time-To-Live values are respected.
- SHOULD support the existing NTP access-control mechanism by, upon receiving a valid `kiss-of-death' packet, reporting the condition and discontinuing queries to the server in question until reinitialization.
- MAY use an implementation-defined fixed source port number

Some of these have been implemented in the initial fix but others are only under consideration. Hopefully these suggestions will be evaluated during an upcoming SNTP standardization effort.

The Initial Fix: "Instant" Code

During the review process, we learned that Netgear already was having SNTP-related code changes developed for the RP614v2 product prior to my initial notification of the problems the flaw was causing to the University.

Regarding Firmware v5.13 RC7 for the RP614v2, Netgear made this new code available to me on July 10.
My testing found that the modified SNTP client had these characteristics, much as they described:

- Now requires a DNS server to be configured (or learned via DHCP) before generating any SNTP queries.
- The code performs DNS queries for "time-a.netgear.com" and "time-b.netgear.com" at ten minute intervals until success, alternating names if no response is received. I verified also that it supported responses with CNAMEs or multiple A records as well.
- Following successful DNS resolution, it sends an NTP query to the resolved IP address and waits for a reply. If no reply comes in ten minutes, it again resolves the name, and requeries. It appears to give up after five retries.
- Whenever any configuration change is applied via the web interface, it causes the device's clock to be zeroed, the NTP server to be re-resolved, and subsequently queried.

However I also found these bugs:

- The SNTP client in this code does not appear to validate the NTP response packet. It will accept any incoming packet to port 23457 as a valid response even if the flags are set wrong (for instance, indicating that it is another client query rather than a server response).
- While the SNTP client is awaiting a response (after querying either time-a or time-b) it seems to accept any UDP response packet, even if the source IP address of that UDP packet is not that of the time server that it queried.

This code was made available for download on the Netgear web site for the RP614v2 on or about July 11, 2003.

Netgear continues to develop improvements to their SNTP client and has vetted the design with the review team.

Network Operational Options: To Serve or To Sever?

These flawed devices are not easily reconfigurable.
Representatives from both Netgear and UW-Madison believe that it is not a viable option to rely on Netgear's customers to upgrade to the newer firmware (the first of which was released in July) to correct the errant behavior.

Our review team has considered a number of possible options about how to deal with the errant Netgear time requests. While I won't discuss all the details here, the two primary endgames on which we've focused are outlined below.

Endgame A: UW-Madison Netgear Anycast Time Service

In this option we would deploy highly-reliable, redundant NTP servers at WiscNet's borders and route the inbound requests destined to 128.104.39.11 to them using BGP anycast. (Anycast is a technique that can often be employed to route traffic for some stateless RPC services, such as DNS or NTP, which are based upon UDP.)

Implementing this option would likely include placing a pair of rack-mount NTP servers at each of three locations within WiscNet: UW-Madison, UW-Milwaukee, UW-Eau Claire. These are nearest the three current border Internet exchange points and therefore provide the most diverse paths for reliability of connectivity to the global Internet.

One distinct advantage of this configuration is that UW-Madison retains as much control as possible over its precious IPv4 address allocations. Because this BGP anycast deployment resides solely within WiscNet (which will honor a single /32 host-address route), this option consumes as little of UW-Madison's IP address space as possible - just the address to which Netgear time requests were directed.

Endgame A has some risk. Whether or not the servers' responses reach the requesting client host is not wholly within the University's control, consequently some amount of flooding will likely continue. There are many reasons other than server failure for disruptions in the end-to-end path between the SNTP clients and servers that could cause the clients not to receive the responses and to flood requests toward our servers anyway.
These include asymmetric routing problems, firewalling policies, and disasters affecting any link between the clients and servers. Indeed, even while our time server is dutifully responding to all Netgear SNTP requests, we still regularly observe that hundreds of them continue to flood. Apparently these "zombies" never receive our responses.

To limit the possibility of the multiple servers being simultaneously isolated from the Internet, one could consider an even more geographically diverse set of deployment locations, such as that done by the AS112 Project, which effectively mitigates the damage caused to the Internet's root name servers by RFC1918-related queries.

Figure 10 is a diagram showing how this service would work. The Netgear SNTP requests heading toward UW-Madison are shown in green. Note that multiple NTP servers, all with the same IP address, are located in multiple locations. WiscNet's border routers divert the inbound SNTP requests to the nearest server. The server responses are shown in red. If any of the servers fail, the traffic should route to one of the remaining NTP servers with the same address.

Figure 10. A WiscNet BGP-based Anycast Time Service

Endgame B: Attempt to Suppress the Requests

To prevent Netgear time requests from being forwarded to our network would require UW-Madison to sacrifice a block of IP address space within the class B network which includes the IP address of ntp1.cs.wisc.edu.

Because of the way the Internet's backbone routing is operated, and to keep the number of routes manageable, network routes are sometimes not respected unless they are sufficiently large. In today's Internet, that means a route might not be considered legitimate unless it represents 2,048 or 4,096 contiguous addresses. Respectively, network operators would call those sizes "/21" or "/20" (pronounced "slash twenty") blocks because they represent networks having netmasks of 21 or 20 contiguous bits.

Figure 11 is a diagram showing this configuration.
The BGP updates originating from UW-Madison's border router are shown in red. The Netgear SNTP Requests are shown in green. The ICMP unreachable messages returned to the client by BGP-aware border routers throughout the Internet are shown in blue. These inform the client that the network in which the NTP server would reside is unreachable.

Figure 11. Using the Global BGP Routing Table to Squelch Requests
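
The two response-handling bugs reported for the RC7 firmware under 'The Initial Fix: "Instant" Code', and the poll-interval and kiss-of-death items under "Suggested Fixes", correspond to the client-side checks sketched below. This is an added example, not Netgear's code; the originate-timestamp and zero-transmit checks go beyond what the page lists, and the addresses and timestamps are constructed.

```python
from typing import NamedTuple, Tuple

NTP_PORT = 123
MODE_CLIENT, MODE_SERVER = 3, 4
MIN_POLL, MAX_POLL = 64, 1024      # seconds; the range named in the suggested fixes

class Verdict(NamedTuple):
    accepted: bool
    reason: str

def build_request(transmit_ts: bytes) -> bytes:
    """48-byte SNTP request: LI=0, VN=3, Mode=3 (client), transmit timestamp set."""
    return bytes([(3 << 3) | MODE_CLIENT]) + bytes(39) + transmit_ts

def validate_reply(pkt: bytes, src: Tuple[str, int], queried_ip: str,
                   sent_transmit_ts: bytes) -> Verdict:
    """Decide whether a datagram that arrived on the client port is a usable reply."""
    if src != (queried_ip, NTP_PORT):
        return Verdict(False, "source mismatch")        # sender is not the queried server
    if len(pkt) < 48:
        return Verdict(False, "short packet")
    mode, stratum = pkt[0] & 0x07, pkt[1]
    if mode != MODE_SERVER:
        return Verdict(False, "not a server reply")     # e.g. another client's query
    if pkt[24:32] != sent_transmit_ts:                  # originate must echo our request
        return Verdict(False, "originate mismatch")
    if stratum == 0:                                    # kiss-of-death: stop querying
        return Verdict(False, "kiss-of-death:" + pkt[12:16].decode("ascii", "replace"))
    if pkt[40:48] == bytes(8):
        return Verdict(False, "zero transmit timestamp")
    return Verdict(True, "ok")

def next_poll_interval(current: int, reply_ok: bool) -> int:
    """Back off exponentially on failure, never speed up; stay in MIN_POLL..MAX_POLL."""
    if reply_ok:
        return MIN_POLL
    return min(max(current, MIN_POLL) * 2, MAX_POLL)

def make_reply(request: bytes, stratum: int = 2, mode: int = MODE_SERVER,
               refid: bytes = bytes(4)) -> bytes:
    """Constructed reply for the demo: echoes the request's transmit timestamp."""
    pkt = bytearray(48)
    pkt[0] = (3 << 3) | mode
    pkt[1] = stratum
    pkt[12:16] = refid
    pkt[24:32] = request[40:48]
    pkt[40:48] = bytes.fromhex("c2d9f0a000000000")      # constructed server timestamp
    return bytes(pkt)

if __name__ == "__main__":
    ts = bytes.fromhex("c2d9f09f80000000")              # constructed client timestamp
    req = build_request(ts)
    server = "192.0.2.10"                               # documentation address
    for label, pkt, src in [
        ("good reply", make_reply(req), (server, 123)),
        ("echoed client query", req, (server, 123)),
        ("wrong sender", make_reply(req), ("198.51.100.7", 123)),
        ("kiss-of-death", make_reply(req, stratum=0, refid=b"RATE"), (server, 123)),
    ]:
        print(label, validate_reply(pkt, src, server, ts))
```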
