A problem with NetGear routers has caused a massive denial of service attack at a university - with fears that other organisations might be similarly affected.

The trouble started when a huge number of NetGear routers set off a 150Mbit/s flood of requests to the University of Wisconsin-Madison’s time service earlier this year. This accidental denial of service attack is continuing, because NetGear has no way to enforce a firmware upgrade to the routers.

The problem is in NetGear’s implementation of the network time protocol (NTP) widely used by Internet devices to set their internal clocks using public “time servers”, in order to keep internal logs and deliver time-based services. The NetGear routers were hard-coded to always access the University of Wisconsin’s time server, using port number 23457. However, when any request goes unanswered the affected routers continue sending requests, as often as once per second.

The flood began in May and was rapidly tracked to low-cost NetGear routers that are installed in many homes and offices, including one that this reporter uses and reviewed for a rival site. Dave Plonka of the University counted at least 500,000 individual culprit devices out of 707,147 defective machines that NetGear reckons it has sold.

NetGear has produced patches for all the affected products – the RP614, RP614v2, DG814, MR814 and HR314 routers – which now refer their NTP requests to “time-a.netgear.com” and “time-b.netgear.com”, instead of directly to public NTP services, and re-request at ten minute intervals.

However, these patches are not being taken up very quickly by users, according to Plonka, because the flaw makes very little impact on those users. The University’s time service is running as well as possible – it has plenty of other legitimate clients – and even when the routers lose the time, most users will be blissfully unaware of any problem.

I can confirm this – I noticed no problem at all with my DG814. The internal clock is used by features such as a logging, policy scheduling, and very few users actually do any of these things. NetGear cannot do a product recall, as most of the products are not registered.

“Both the magnitude and duration of the Netgear-caused incidents continue to present a serious operational problem for UW-Madison,” said Plonka, in a full account of the incident posted last month. “While essentially involved in a game of Russian roulette at the moment, we are hoping to utilize the expertise of both UW-Madison and the Internet operator community to design and implement a good solution.”

Plonka will not discuss legal discussions on the damages caused by the flaw except to say that “an agreement is being forged”. The products will likely remain in circulation, and a high proportion will be unpatched, for some five to ten years, he expects.