Software and devices without a vendor zone


#1

Found another project with hardcoded pool.ntp.org zone names.

Already created an issue.


Recent NTP pool traffic increase
#2

Yeah, there are way too many of these. Last I looked about 60% of DNS queries were for the “non-vendor” DNS names, and I suspect a higher proportion of the NTP queries (since someone signing up for a vendor zone hopefully reads more documentation and looks at their implementation a little more carefully).

Anyone “spotting” others, please leave a note here. It’s quite a lot of work to get it changed for each vendor, but having a list might both create a little attention to the issue and for another “incident” in the future it might make it quicker to figure out who it is.


#3

I did a Google search for:

"pool.ntp.org" include return filetype:c

and was able to spot many in a few minutes:

But I wonder, do we really want to have a vendor for every piece of software that uses the pool? It doesn’t seem realistic…

In any case, I think that we should get in touch with DD-WRT, this is a popular piece of software.


#4

I reported the issue with DD-WRT:
https://www.dd-wrt.com/dd-wrtv2/bugtracker/view.php?id=4813


#5

I contacted Zentyal about their use of pool.ntp.org:
https://wiki.zentyal.org/wiki/En/3.5/Time_synchronization_service_(NTP)


#6

Created an issue with Adafruit for their CC3000 Lib but they’re likely using the pool in many of their projects.


#7

So you would like a report of devices that are not using a vendor specific fqdn for ntp pool?

If so I can tell you for sure the hs110 smart plug from tp-link is doing queries for just regional ntp pool… And what drives me nuts is EU based or UK specific - and I am using their product in the US.

My current log shows it looking for
uk.pool.ntp.org

I redirect this to my local ntp…

I don’t have access to its source, but just from logging its DNS I can see who it’s asking for…


#8

I’m going to contact TP-Link and ask for a technical contact. Hopefully we could notify them about that issue.

Does someone have a TP-Link router and could verify that it has the same issue?

Additionally, I’m going to contact AVM. They use 0.europe.pool.ntp.org as default.


#9

Answer from AVM:

The issue was forwarded to the corresponding product owner.


#10

Yes. I’m not really sure how much it’ll help, but I think it’s worth a try. In particular if others (like Jan-Philipp, thank you!) are up for politely trying to inform the vendors.


#11

Well they make 100’s of thousands of products that are deployed, if not millions… All over the world with tp-link… So having them use the correct ntp should at min keep them in their region right :wink: hehehe

I think it is a great idea and will keep an eye out for any other sort of mischief…


#12

I wrote to TP-Link. I am waiting for a reply :slight_smile:


#13

Hi guys,

I analyzed an issue that sprang from a forum question on the Flightradar24 website. It appears the fr24feed program that is typically run on Raspberry Pis has a bunch of hardcoded pool servers in it from all over the planet.

Maybe your unique leverage can bring them to sanity…

greetings,

Harm


#14

I’d guess less than 10k systems deployment worldwide? It’s a niche hobby area, not saying we shouldn’t encourage them to use the pool properly but it’s likely there are a lot bigger abusive systems out there.

It also shows that a lot of the work to find systems abusing the pool will need to be done by DNS analysis.
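
As an added example that is not part of the original thread: a sketch of the DNS-log check described in posts #7 and #14, which lists the clients on a local resolver that look up generic (non-vendor) pool names. It assumes dnsmasq `log-queries` output and treats any two-letter zone label as a country zone; the sample log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq "log-queries" format (not real traffic).
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq[812]: query[A] uk.pool.ntp.org from 192.168.1.50
Mar  3 10:00:02 dnsmasq[812]: query[A] 0.europe.pool.ntp.org from 192.168.1.1
Mar  3 10:00:03 dnsmasq[812]: query[A] 2.debian.pool.ntp.org from 192.168.1.20
Mar  3 10:00:04 dnsmasq[812]: query[AAAA] pool.ntp.org from 192.168.1.50
Mar  3 10:00:05 dnsmasq[812]: query[A] example.com from 192.168.1.20
"""

SUFFIX = "pool.ntp.org"
CONTINENTS = {"africa", "antarctica", "asia", "europe",
              "north-america", "oceania", "south-america"}
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\] (\S+) from (\S+)")

def classify(name):
    """Return 'generic', 'vendor', or None for a queried hostname."""
    name = name.lower().rstrip(".")
    if name != SUFFIX and not name.endswith("." + SUFFIX):
        return None                      # not a pool name at all
    prefix = name[:-len(SUFFIX)].strip(".")
    labels = prefix.split(".") if prefix else []
    if labels and labels[0] in {"0", "1", "2", "3"}:
        labels = labels[1:]              # drop the numeric server prefix
    if not labels:
        return "generic"                 # pool.ntp.org, 0.pool.ntp.org, ...
    if len(labels) != 1:
        return None                      # unexpected shape, do not guess
    zone = labels[0]
    # Assumption: two-letter labels are country zones, never vendor zones.
    if zone in CONTINENTS or re.fullmatch(r"[a-z]{2}", zone):
        return "generic"
    return "vendor"

def generic_clients(log_text):
    """Map each client address to the generic pool names it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and classify(m.group(1)) == "generic":
            hits[m.group(2)].add(m.group(1).lower().rstrip("."))
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in sorted(generic_clients(SAMPLE_LOG).items()):
        print(client, ", ".join(names))
```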


#15

It’s not to discourage them, but to help make them use the pool correctly. If they have their own hostname we have a (vague) chance of diagnosing what’s going on if their use goes haywire and it gives us a moment to have an educational opportunity explaining a bit about how to use the pool (for example not using 1.{every-continent}.pool.ntp.org many times an hour/day/whatever like the FR24Feed thing apparently does).


#16

Good points :slight_smile:


#17

Reply from TP-Link:

Thank you for your feedback. Could you possibly set up a “vendor zone” for this?

@ask: Could you set up one and send it to me? Or must they do that?


#18

Great, thank you. They should do it so they can fill out the forms for contact information etc.


#19

Ok, thanks.

A minute ago I saw that my NAS (Synology) also uses the pool as default without a vendor zone. I mailed Synology.


#20

I’d independently contacted Flightradar24 about their usage based on the thread @hnapel mentioned. I’ve just had a reply from them saying their client does do those lookups but they will review. I’ve pointed them in the direction of the Vendor page and copied you in @ask (hope that was ok!).