Talk:NTP server misuse and abuse

From Wikipedia, the free encyclopedia
WikiProject Computing (Rated C-class, Low-importance)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-Class on the project's quality scale.
This article has been rated as Low-importance on the project's importance scale.

WikiProject Time (Rated C-class, Low-importance)
This article is within the scope of WikiProject Time, a collaborative effort to improve the coverage of Time on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as C-Class on the project's quality scale.
This article has been rated as Low-importance on the project's importance scale.


NPOV

As I've brought up on the now retracted deletion discussion on the soon to be dead deletion talk page, the NPOV of the title of the article is a problem. Wikipedia should describe the issue and the facts, not take the accusations of one party in a controversy as point of departure.

Secondly, I still don't see the term NTP vandalism as an established term, as it googles up no hits not connected to D-link.

I request that 'NTP vandalism' not be the title of the article, and any reference thereto be clearly attributed to the accuser. Let the reader determine whether it constitutes vandalism or not. See WP:NPOV Jens Nielsen 16:08, 12 April 2006 (UTC)

As Blackeagle writes on the AFD page [1], there is at the moment no word for this form of practice, and the number of web pages that Google has indexed with "NTP Vandalism" must give some kind of clue that this was the word people had chosen for this kind of problem.
Yes, the word has first been used describing this issue, but the 2 prior had no word describing this form of practice.
Not to offend anybody, but there is another page on Wikipedia that can be found on many Google pages, all talking about the same "Incident", and that is the [2].
This also is a historical moment that might be of larger importance for some, but still has been spoken of by a wide audience under one specific name. I can't imagine anybody thinking that virgin birth should be marked with NPOV.
Therefore I still recommend that the name Poul-Henning Kamp has given the type of incident, has been used on so many pages (now according to Google, more than 100.000/500 times as many as for 3 days ago), that it has reason enough to accept the expression as pretty widespread. I expect that the number of web pages that tell about this as "NTP vandalism" will be far higher a few days from now.
When will the AFD page be removed? I think that many good arguments have been used on that page that still point towards keeping this page under "NTP vandalism".
If this page only was an "anti D-Link" smear, with the sole intent to bring the company into discredit, then I'd admit that it was NPOV material, but the page describes several different incidents, concerning several different firms, all with the same problem. I think that the page is written from a very neutral perspective as it is now, and therefore I propose it should be left alone as it is, with its original title "NTP vandalism". Yehaah 18:05, 12 April 2006 (UTC)
Nah. Just because a large audience use a POV term does not mean that we should use it without context. Find a neutral title, move the article and create a redirect so that people may still find it, then explain the POV term and its origin in the article. Virgin Birth is a silly example, that title does not express a POV. NicM 07:35, 13 April 2006 (UTC).
I agree with NicM's observations. Jens Nielsen 16:53, 13 April 2006 (UTC)
In case you don't understand, the fact is that vandalism is an emotive term implying a deliberate, malicious action, which does not seem to be the case in most of the examples the article discusses. However, they are all examples of misuse of an NTP server, so I would say "NTP server misuse" is a better title. NicM 07:40, 13 April 2006 (UTC).
I agree with NicM's point about vandalism, and I add that there are still hardly any notable Google news hits on the subject [3], and the only two notable ones use the more appropriately NPOV title of 'D-Link accused of 'killing' time servers' and 'Net clocks suffering data deluge'. I propose as alternative title 'D-link controversy', 'D-link NTP controversy', or 'D-link time server controversy'. Jens Nielsen 16:53, 13 April 2006 (UTC)
I don't think the article title should focus exclusively on D-Link. Right now the article looks at the phenomenon in a more general way and covers three different incidents. Any new title should be at least as broad as the current one. Blackeagle 23:45, 13 April 2006 (UTC)
Also, I don't know what term you are using for your Google results, but I can't find many uses of the term outside of phk's letter and none referring to the other incidents. It is definitely not neutral for us to decide the other events are vandalism. NicM 07:44, 13 April 2006 (UTC).
True. Jens Nielsen
Net abuse is a common term that has both a pejorative connotation because of its non-technical use and a non-pejorative technical term. Misuse is certainly less emotive. Perhaps the wording around 'hush money' should reflect that this is what Poul-Henning Kamp calls it (without any judgement as to whether it is or is not hush money), as that is also a pejorative term. 217.146.112.220 13:46, 14 April 2006 (UTC)
The term "Net abuse" is irrelevant; Wikipedia does not have an article of that name. Nobody is saying that the term "NTP vandalism" is invalid and should never be used or discussed, but the point is that the term carries a POV and so it is not appropriate that we use it for the title of a Wikipedia article or in the article without caveats and explanation. You are correct that some other parts of the article need to be edited for POV also. NicM 07:47, 17 April 2006 (UTC).

If I may make an observation here:

The reason I chose the word "vandalism" is that, at least in Danish, "vandalisme" indicates the (inadvertent) destruction of something of value, by somebody who does not perceive that value.

The origin of the word is from the "Vandals", a Germanic tribe which was displaced and ended up sacking Rome for no particular good reason and without realizing that they would end the "Pax Romana" by doing so.

Compare to this the word "misbrug" (which translates to "abuse") which indicates a knowing or even planned act of misuse.

Since the programmer, who wrote the disputed code, in his ignorance had absolutely no idea that the inclusion of my stratum 1 server would cause any trouble, and because it was not the NTP packets _as such_, but rather the AUP policy breach that caused problems, I felt that "abuse" would be less precise than "vandalism".

That said, once D-Link was informed about the vandalism, and chose to not attempt remediation, it obviously became abuse.

Provided my reasoning above holds, I think the general case, and consequently the disputed article, would be more aptly served by 'vandalism', as the damage in all the documented cases has been caused by people who didn't grasp the implications of their actions, more than by their intended action.

Finally I would also say that while it is a refreshing diversion to see people hold heated debates about such finer linguistic points, I'm not religious about it, I can live with either word.

Poul-Henning

I'm afraid that regardless of the meaning of the word "vandalism" in Danish, in English the word has a different meaning which carries strong negative connotations: MW defines it as "willful or malicious destruction or defacement of public or private property;"[4] which is not neutral, particularly in the non-D-Link cases where we (as in Wikipedia authors) are branding it vandalism, not reporting that others have. Abuse is also POV; misuse is the only word I can think of that implies simply that the NTP servers were used incorrectly (true) without implying this was deliberate or malicious (probably true, but not neutral for us to allege). I would expect the article to discuss what you say and why you say it, but when not doing so, it must be neutral. Even if the article was solely about the D-Link case, it would still have to be made much more neutral than it is at the moment. NicM 07:40, 17 April 2006 (UTC).
Does anyone have any serious suggestions aside from "NTP server misuse," so we can try to find something everyone likes? NicM 07:53, 17 April 2006 (UTC).
Not really, except that we can probably shorten it to "NTP misuse" (yes it's the servers that are affected, but I don't think clients being the offer will ever be much of a problem). Hallvor 18:55, 22 April 2006 (UTC)
Why not just accept that there is a non-objective word for this issue? —The preceding unsigned comment was added by 82.83.207.51 (talk · contribs).
Because that isn't true. In any case, if there is no further discussion in the next few days, I will move the article to NTP server misuse and clean it up to reflect the new name. NicM 10:01, 28 April 2006 (UTC).

"There is, however, no evidence that any of these problems are comprised of deliberate vandalism." That's not correct. The CSIRO NTP servers were used despite requests in the public NTP listing that hosts use stratum 2 servers in preference to stratum 1 servers. The devices using the stratum 1 NTP servers despite requests not to do so is close enough to deliberate vandalism in my book. --Gdt 07:11, 17 October 2006 (UTC)

NTP vandalism not D-Link-specific

NTP vandalism is not a smear against D-Link. It's practiced by thousands of clueless clients that query NTP servers too frequently and ignore the NTP KILL request. Also, Netgear did the same thing back in 2003 (http://www.cs.wisc.edu/~plonka/netgear-sntp/). Dananderson 22:10, 11 May 2006 (UTC)

Yes it is, cluelessness does not imply deliberate malicious action. Vandalism does. NicM 07:59, 1 June 2006 (UTC).

I am not sure I can support the term "NTP Vandalism", for the reasons mentioned above. But, I strongly disagree with the word "misuse". I think "abuse" is a much better term. Therefore, I propose "NTP server abuse". I am using this term in an article I am writing for ;login: magazine (being published by the USENIX association). Moreover, D-Link, Netgear, and SMC are not the only cases of server abuse of this sort -- there is another case, noted by David Malone in the April 2006 issue of ;login:. Brad Knowles Wed May 31 19:08:44 CDT 2006.

Abuse, like vandalism, implies deliberate action. Were all of these cases deliberate? It doesn't seem so. Perhaps the best compromise would be NTP misuse and abuse NicM 07:59, 1 June 2006 (UTC).
In the D-Link case, the initial state would be "misuse", and potentially also criminal negligence. However, once they sicc'ed their lawyers on PHK simply because he notified them of how they were mis-using his server, all further actions from their clients could easily be categorized as "abuse". On this basis, I could support changing the name to NTP server misuse and abuse, or time server misuse and abuse, or something shorter but effectively equivalent. Brad Knowles Fri Jun 2 22:42:27 CDT 2006

Technical details of "amicable resolution"?

I'm confused at how the PHK / D-Link case was "amicably resolved". From a technical point of view, it seems that simply not worrying any more about the existing misuse / abuse is going to cause the bandwidth consumption problem to continue indefinitely. At the very least, I would think they should have agreed to reassign the gps.dix.dk host name to a new IP address (possibly an address belonging to D-Link) — so all that traffic wouldn't keep on getting sent to Denmark — and then given PHK's server a new name, and spread the word about the new host name to the users in Denmark. But as far as I can tell from doing traceroute gps.dix.dk just now, the machine is still in Denmark somewhere. Does anyone know any more technical details of how this case was "resolved" (and why they didn't do something like what I just described)? Richwales 02:48, 29 June 2006 (UTC)

Because it doesn't help. AARNet still sees lots of traffic for the abandoned CSIRO NTP server IP addresses. Installing an NTP server on those IP addresses would actually generate less traffic as the NTP clients would not re-try continually. --Gdt 07:07, 17 October 2006 (UTC)

I suspect the most likely resolution was something along the lines of paying enough money to cover his? costs and agreeing to fix the problem in the future. BTW, are you sure the D-Link routers didn't use a hardcoded IP address? In which case reassigning the hostname would achieve no purpose. Nil Einne (talk) 12:44, 11 May 2011 (UTC)

Tardis and Trinity College, Dublin

The Tardis and Trinity College, Dublin is confusing if you just read our description. Reading the sources, it's clear this didn't really involve an NTP server but an HTTP server which used to function as an NTP server as well. Tardis implemented an option to get time via HTTP servers in case firewalls blocked NTP servers but didn't do it very well. For example, they only included 4 total HTTP servers and allowed users to set the update interval to 1 minute and also used a GET rather than a HEAD request, increasing the amount of data transferred, and didn't include a user agent so admins had no way of knowing what was making the requests. Anyway for this reason I'm not sure if it belongs (unless we rename it to time server rather than NTP server as per the request above) but if it does, it needs to be clarified since as it stands, it's confusing (what the heck does HTTP have to do with NTP?) Nil Einne (talk) 12:53, 11 May 2011 (UTC)

Software error or DOS attack?

"One particularly common software error is to generate query packets at short (less than five second) intervals until a response is received."

I have seen IPs sending more than 30 packets within one second to my NTP server for more than ten minutes. Is this still the described software error or is it already some sort of a DOS attack? What is a reasonable limit (e.g. connections per IP per minute/second) for a firewall to keep within NTP specifications? Even RFC 1305 seems to be not really helpful - at least I couldn't find an answer there. --Liberal Freemason (talk) 16:05, 26 June 2011 (UTC)
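
An added example, not part of the comment above or of the article: one way to measure, per source address, the pattern the quoted sentence describes (query intervals under five seconds) and the per-second burst rate mentioned in the question. The five-second threshold comes from the quoted text; `MIN_QUERIES`, the one-second window and the sample addresses and timestamps are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

SHORT_INTERVAL_S = 5.0  # "less than five second" intervals, from the quoted article text
MIN_QUERIES = 4         # assumption: too few packets from a source is not enough to judge

# Constructed sample: (unix_time_seconds, source_ip) for NTP requests seen on UDP/123.
SAMPLE = (
    [(1000.0 + i * 0.03, "192.0.2.10") for i in range(60)]     # burst, over 30 packets/s
    + [(1000.0 + i * 2.0, "192.0.2.20") for i in range(10)]    # retry every 2 s
    + [(1000.0 + i * 64.0, "198.51.100.5") for i in range(6)]  # 64 s poll interval
    + [(1000.0, "203.0.113.9"), (1001.0, "203.0.113.9")]       # only two packets
)

def summarize(events):
    """Return {source: (count, median_interval_s, peak_packets_in_any_1s_window)}."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    out = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        peak, lo = 0, 0
        for hi, t in enumerate(times):
            # Slide the window start forward until it spans less than one second.
            while t - times[lo] >= 1.0:
                lo += 1
            peak = max(peak, hi - lo + 1)
        out[src] = (len(times), median(gaps) if gaps else None, peak)
    return out

def short_interval_sources(events):
    """Sources whose typical gap between queries is under five seconds."""
    return sorted(
        src for src, (n, med, _) in summarize(events).items()
        if n >= MIN_QUERIES and med is not None and med < SHORT_INTERVAL_S
    )

if __name__ == "__main__":
    for src, (n, med, peak) in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} packets={n:3} median_gap={med:.2f}s peak_per_1s={peak}")
    print("short-interval sources:", short_interval_sources(SAMPLE))
```

The measurement separates a steady two-second retry loop from a 30-per-second burst, but it does not by itself say whether either is a bug or an attack.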