Networking Tips and Tricks: Don't Be an NTP Killjoy

By Carla Schroder | Jun 25, 2007
http://www.enterprisenetworkingplanet.com/netsysm/article.php/3685461/Networking-Tips-and-Tricks-Dont-Be-an-NTP-Killjoy.htm

Today's network administration grab bag includes how to not be a shamefully bad time server abuser, and an introduction to the Hackable RedPost Signage Platform, which is a jumbo-sized digital display that runs on Damn Small Linux.

Shameful Acts of Time Server Abuse

Time server abuse is not the problem it once was, thanks to the good folks who set up the NTP (Network Time Protocol) pool. But it still happens, and it's silly, because it's so easy to do it the right way.

Time server abuse is any act that violates the access rules of an NTP server, or damages it. Most public NTP servers are set up as an act of generosity; nobody makes money from them. The worst form of time server abuse is pummeling the poor thing until the person running it gets surprised by a giant bandwidth bill, or it crashes, or performance degrades but it keeps limping along. Most abuse is not malicious, but clueless; either way the damage is done. The most common form of abuse is violating the server's access policies. These are not deep dark secrets, and never have been.

Time server abuse is not perpetrated just by inexperienced network administrators — the worst cases are from vendors of networking devices. One might think that big companies all full of engineers and other paid brainiacs would not commit such acts of stupidity. But it has happened a number of times. Netgear was the first famous NTP server abuser. In 2003 it released four routers that were hard-coded to use the University of Wisconsin's NTP server. The result was a distributed denial-of-service attack that continued to escalate, at one point reaching nearly 150 megabits per second.

Netgear released firmware updates and gave a big bag of money to the University of Wisconsin, but the problem persists to this day because most of the people who own the defective routers will never patch them.

SMC and D-Link committed the same blunder. D-Link's case was more noteworthy because when the problem was first brought to their attention, they responded with attack lawyers. As the story unfolded, it turned out that D-Link was violating the access policies of nearly 50 Stratum 1 servers. That's an impressive achievement.

So the very least that clueful network administrators who care more about being responsible netizens than unleashing attack lawyers can do is to configure their own NTP clients sanely. It's very easy. First install the ntp package, which includes ntpd, the NTP daemon. It runs continuously, keeping your computer's clock correct, and you don't need to touch a thing; it takes care of itself. Then make these entries in /etc/ntp.conf:

driftfile /var/lib/ntp/ntp.drift

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org

Residents of regions other than North America can find their appropriate NTP pools at www.pool.ntp.org.
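As an added example (not code from the article), here is a small Python audit script that reads an ntp.conf and checks it against the advice above: a driftfile is set, at least three sources are listed, and every source is either a pool.ntp.org name or a server you are explicitly allowed to use. It also checks for a client-only "restrict default ... nomodify noquery" line, which goes beyond the article but is standard hardening for a machine that only wants to be a client. The two sample configs are constructed; the host "ntp.example-university.invalid" is a placeholder, not a real time server.

```python
"""Audit an ntp.conf against the "don't abuse public time servers" advice:
keep a driftfile, use the NTP pool (or servers you are allowed to use),
and don't hard-code somebody else's stratum-1 host.

Added example, not code from the article. The sample configs below are
constructed; any host that is not a pool.ntp.org name is a placeholder.
"""

from ipaddress import ip_address

POOL_SUFFIX = ".pool.ntp.org"

# Constructed to look like a sane /etc/ntp.conf for a client-only box.
SAMPLE_GOOD = """\
driftfile /var/lib/ntp/ntp.drift
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

# Constructed "vendor firmware" style config: one hard-coded external host
# (placeholder name), no driftfile, a single source, no restrict lines.
SAMPLE_BAD = """\
server ntp.example-university.invalid
"""


def parse_ntp_conf(text):
    """Return (driftfile, sources, restricts) from ntp.conf text.

    sources is a list of (directive, host) for server/pool/peer lines;
    restricts is a list of the token lists following each 'restrict'.
    The 'pool' directive only exists in newer ntpd releases, but it is
    accepted here so the audit also works on current configs.
    """
    driftfile = None
    sources = []
    restricts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "driftfile" and len(parts) > 1:
            driftfile = parts[1]
        elif key in ("server", "pool", "peer") and len(parts) > 1:
            sources.append((key, parts[1].lower()))
        elif key == "restrict":
            restricts.append(parts[1:])
    return driftfile, sources, restricts


def is_pool_host(host):
    """True for pool.ntp.org itself and any regional/vendor zone under it."""
    return host == "pool.ntp.org" or host.endswith(POOL_SUFFIX)


def audit_ntp_conf(text, allowed_hosts=()):
    """Return a list of findings; an empty list means the config is sane.

    allowed_hosts: servers you are entitled to use (your own, or your
    distribution's), which are as acceptable as the pool.
    """
    findings = []
    driftfile, sources, restricts = parse_ntp_conf(text)
    allowed = {h.lower() for h in allowed_hosts}

    if driftfile is None:
        findings.append("no driftfile: ntpd must relearn the clock's drift on every restart")

    if len(sources) == 0:
        findings.append("no time sources configured")
    elif len(sources) < 3:
        findings.append(f"only {len(sources)} source(s); list at least three so ntpd can outvote a bad one")

    for _directive, host in sources:
        if host in allowed or is_pool_host(host):
            continue
        try:
            ip_address(host)  # a literal IP is worse: it can never be rotated out of the pool
            findings.append(f"hard-coded IP address {host}: use pool DNS names instead")
        except ValueError:
            findings.append(f"hard-coded host {host}: use the pool or a server you are allowed to use")

    # Client-only hardening (beyond the article): a default restrict line with
    # nomodify and noquery stops your own ntpd from answering strangers' control
    # queries or accepting runtime configuration changes from them.
    default_lines = [r for r in restricts if r and r[0] == "default"]
    if not any("noquery" in r and "nomodify" in r for r in default_lines):
        findings.append("no 'restrict default ... nomodify noquery' line: ntpd answers control queries from anyone")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(f"{name}: {audit_ntp_conf(conf) or ['ok']}")
```

Run it with the real file, for example `audit_ntp_conf(open("/etc/ntp.conf").read(), allowed_hosts=["ntp.ubuntu.com"])`, passing your distribution's servers in allowed_hosts; anything left in the findings list is a source you should be able to justify to whoever runs it.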

Most of the major Linux distributions configure ntpdate to run when a network interface comes up, and are sensibly configured to use either the distribution's own NTP servers or the NTP pool. For example, Fedora uses clock.redhat.com, and Ubuntu uses ntp.ubuntu.com. ntpdate does not run as a daemon. It is good for making instant time corrections, including corrections larger than 20 minutes. ntpd will eventually correct a system that is far out of sync, but it can take hours or even days.

What if you are using a commercial router? First find out whether it is one of the nasty offenders. Then patch it, or change it to use the NTP pool. If this is not configurable, replace it with a good router.

The Hackable RedPost Signage Platform

We've all seen those dinky, expensive digital photo frames. I think it's a great idea, though it does bring us one scary step closer to stories like Ray Bradbury's "The Pedestrian."

The RedPost/Kit is far more than a mere digital photo frame. It's a high-quality 19" LCD and MiniPC (which is based on the MicroClient Jr.) mounted in a, and I quote:

"Sweet Elkhart, Indiana-built-to-order, plasma-cut, robotically-welded, powder-coated steel case you can call your own."

The RedPost is designed to be hackable. You're not buying just a prefab giant slideshow frame that you can stuff full of pictures of your pets, though that is certainly something you can do with it. You're buying a video display that you can adapt for all kinds of uses. The first thing that came to my mind was using it to display network monitors such as MRTG or OpenNMS in a convenient location, instead of squirreled away in the hidden network admin's lair. The second brainstorm was displaying some kind of soothing movie in locations that need a lot of soothing energy, like medical clinics and government offices. Something like waves on a beach or a serene forest scene, or cathartic images of burning all the forms they're forcing you to fill out.

Playing moving pictures will have to wait, because the MiniPC is equipped with a 200MHz Vortex86 CPU and 128 megabytes of SDRAM. Not enough for movies, but plenty for displaying slideshows and HTML pages. It boots from a USB flash drive. It has three USB slots and one Compact Flash slot. You can upload new images via wireless, or just plug in another Flash device.

It has multiple mounting holes so you can attach it to a wall or hang it from a post, or figure out something else entirely. It also has multiple wireless antenna holes, and the steel case will protect the innards from stray radiations and other bad things.

I asked the folks at RedPost if they planned to include sound. Sure, sound effects can and will be misused, but it would be nice to have soothing sound effects to go with my beach and forest scenes. The excellent Eric Kanagy replied: "The MiniPC inside the case has audio in and out jacks on it. We haven't worked on drivers for it, but they're probably out there and it's definitely possible. Philosophically, I don't think signage should use sound. It should be able to communicate effectively without having to grab your attention by distracting you with sound."

In the real world, you just know that "humorous" network admins are going to program it to shriek "I'm melting!" instead of sending you a nice dignified page. But we mustn't blame the tool.

Forking over $549 gets you the device, plus a USB drive containing a customized Damn Small Linux and an 802.11 b/g wireless interface with antenna. The customized DSL comes with all system settings already configured, a Samba server for easier file transfers, and an application for cycling your images. You even get a choice of case colors, including no color at all, but only the very serious, unadorned steel.

Currently the RedPost requires a fair bit of geekiness to customize, but the fine RedPost folks are hard at work developing a Web 2.0 front-end that will allow ordinary mortals such as a restaurant manager, store owner, or school administrator to manage it themselves.

Resources