If you own a Netgear router, Annie Stunden would like you to stop pinging her network.
The University of Wisconsin, Madison's CIO says that a software glitch in some Netgear products has the routers bombarding the school's publicly accessible Network Time Protocol (NTP) server to update network time and date. Such data is important for routers, because they generate a variety of time-sensitive logs.
Several versions of Netgear's consumer routers - models RP614, DG814, MR814 and HR314 - were shipped with code that has the devices pinging UW's NTP server to set their internal clocks. The pinging can be triggered when the router goes offline, is unplugged or is reset, usually without the knowledge of the product's owner. If the NTP server is unavailable, the router will continue pinging it until it answers.
As a large public institution, the university is used to seeing its share of hacker activity, Napster-like file swapping, and other bandwidth abuses from outside and within. But in May, UW network staff noticed an unusual amount of traffic hitting its NTP server, which it runs as a public service over the Internet, as do many other institutions with a large Internet presence.
"It was sort of a complex situation," Stunden says. "We found a lot of network traffic coming in a couple of months ago, looking like a denial-of-service attack on our network. We said, 'what's banging at us,' and when we looked into it, we found it was a very specific kind of traffic, coming from a specific kind of Netgear router."
One solution might have been to take the NTP server offline, or move it to another IP address, Stunden says, but the Netgear routers were pinging a whole sub-range of addresses. "It would not have done any good," she says. "Those Netgear routers would still come here. The only other solution would be to shut down a whole Class A address that we use, and that's not practical."
The method of programming routers to ping public NTP servers to set their clock time is common in the industry, says Leslie Adams, vice president of marketing for Netgear. Most NTP implementations on routers ping multiple sites in a random order.
"It's just a matter of making sure your products don't ping the same server all the time," Adams says. She doesn't know why Wisconsin's NTP server IP address was programmed into the affected routers. The products were developed by Netgear engineers and some OEM partners.
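The difference between the two behaviors described above can be put in numbers. The following is an added illustration, not Netgear's firmware or code from the article: it compares a router that retries one built-in server at a constant interval with one that tries several servers in random order. The server names, the one-second retry interval and the exponential backoff with jitter are assumptions; the article mentions none of them.

```python
import random

# Constructed values: the article gives no server names, pool or retry interval.
HARDCODED = "ntp-a.example"
POOL = [HARDCODED, "ntp-b.example", "ntp-c.example", "ntp-d.example"]


def fixed_retry(outage_s, interval_s=1.0):
    """Flawed policy: one built-in server, retried at a constant interval
    for as long as it fails to answer. Returns queries sent to it."""
    return int(outage_s // interval_s)


def rotating_backoff(outage_s, down, rng, base_s=64.0, cap_s=3600.0):
    """Corrected policy: try the pool in random order, stop at the first
    answer; after a pass with no answer, wait with jitter and double the
    wait up to a cap. Returns queries sent per server."""
    sent = dict.fromkeys(POOL, 0)
    t, wait = 0.0, base_s
    while t < outage_s:
        for server in rng.sample(POOL, len(POOL)):
            sent[server] += 1
            if server not in down:
                return sent  # clock is set, no further queries
        t += wait * rng.uniform(0.5, 1.0)
        wait = min(wait * 2, cap_s)
    return sent


def load_on_hardcoded(fleet, outage_s, down, seed=0):
    """Queries HARDCODED receives from `fleet` routers under each policy."""
    rng = random.Random(seed)
    fixed = fleet * fixed_retry(outage_s)
    rotating = sum(rotating_backoff(outage_s, down, rng)[HARDCODED]
                   for _ in range(fleet))
    return fixed, rotating


if __name__ == "__main__":
    for label, down in (("only hardcoded server down", {HARDCODED}),
                        ("every server unreachable", set(POOL))):
        fixed, rotating = load_on_hardcoded(1000, 3600, down)
        print(f"{label}: fixed={fixed} rotating={rotating}")
```

With rotation, a server that stops answering sees at most one query per router before the router moves on, which is why taking a single server offline is survivable for the operator in that design and not in the hardcoded one.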
Netgear developed a firmware upgrade that fixes the problem and put it on the Web site, although Netgear users would not know to apply the patch, because the NTP ping flaw does not affect performance or cause errors.
"Since customers don't know about the [bug], this could still pose a problem for the university," Adams says. "We're expecting the firmware upgrade process to take some time."
UW and Netgear are uniting to solve the problem. In addition to posting its router patch and sending an e-mail notice to registered customers, the vendor also is helping the university handle its NTP traffic flow.