
TP-Link firmware sends six DNS requests and one NTP query every 5 seconds - phikai
https://www.ctrl.blog/entry/tplink-aggressive-ntp
======
kees99

      firmware sends six DNS requests and
      one NTP query every 5 seconds
      (...snip...)
      TP-Link has hardcoded the following non-configurable
      NTP servers and server pools in their firmware:
      (...snip...)
      au.pool.ntp.org, nz.pool.ntp.org
    

Wait... so TP-Link is effectively DDoSing NTP pool?

Also, as pointed out in another thread here, a vendor using a country prefix
instead of applying for their own prefix is a violation of:

[http://www.pool.ntp.org/en/vendors.html](http://www.pool.ntp.org/en/vendors.html)

..which was put in place as a reaction to incidents just like this one:

[https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#No...](https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#Notable_cases)

~~~
nacs
Would it be possible for the NTP server to detect what type of device/OS is
sending the request and block it (ie: could au/nz.pool.ntp.org servers block
all TP-Link requests to teach them a lesson)?

If they can't do that maybe they can just detect IPs that are making requests
every 5 seconds as the TP-Link products are doing and block those since
they're in violation of the once-every-10-minutes-maximum rule for the NTP
servers)?
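The second idea above (spot sources that poll far more often than the pool's once-per-10-minutes guideline) is easy to prototype from a server's own request log. The following is an added example, not code from the thread or from the NTP pool project; the log format and the sample lines are constructed, the addresses are RFC 5737 documentation ranges, and the 600-second threshold is the figure quoted in the comment.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample of NTP request arrivals in a simple
# "<ISO-8601 timestamp> <client IP>" format. 192.0.2.10 polls every
# 5 seconds (the behaviour described in the article), 198.51.100.7 polls
# every 17 minutes, and 203.0.113.3 is seen only once.
SAMPLE_LOG = """\
2017-12-13T10:00:00Z 192.0.2.10
2017-12-13T10:00:05Z 192.0.2.10
2017-12-13T10:00:10Z 192.0.2.10
2017-12-13T10:00:15Z 192.0.2.10
2017-12-13T10:00:00Z 198.51.100.7
2017-12-13T10:17:00Z 198.51.100.7
2017-12-13T10:34:00Z 198.51.100.7
2017-12-13T10:00:00Z 203.0.113.3
"""

MIN_INTERVAL_SECONDS = 600  # once every 10 minutes, as cited in the thread
MIN_SAMPLES = 3             # judge a client only after several arrivals


def parse_log(text):
    """Return {client_ip: [arrival datetimes]} from the constructed log format."""
    arrivals = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        arrivals[ip].append(when)
    return arrivals


def median_interval(times):
    """Median gap in seconds between consecutive (sorted) arrivals, or None."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def find_aggressive_clients(text, limit=MIN_INTERVAL_SECONDS, min_samples=MIN_SAMPLES):
    """Return {ip: median_interval_seconds} for clients polling faster than `limit`.

    The median rather than the minimum gap is used so that a single
    retransmit, or a burst when many devices reboot at once (an event
    mentioned later in this thread), does not by itself flag a client.
    """
    flagged = {}
    for ip, times in parse_log(text).items():
        if len(times) < min_samples:
            continue  # too few observations to say anything
        interval = median_interval(times)
        if interval is not None and interval < limit:
            flagged[ip] = interval
    return flagged


if __name__ == "__main__":
    for ip, interval in sorted(find_aggressive_clients(SAMPLE_LOG).items()):
        print(f"{ip}: median interval {interval:.0f}s (< {MIN_INTERVAL_SECONDS}s)")
```

Run against the sample, only 192.0.2.10 is reported. Whether to rate-limit such a source or simply answer it is a separate operational decision; as another commenter notes further down, an NTP reply is cheap enough that answering is sometimes less work than filtering.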

~~~
samstave
Out-of-the-loop: what products are using TP-Link?

Aside: maybe there should be a governing body for comm protocol behavior?
(Semi sarcastic)

~~~
ganoushoreilly
TP-link is a manufacturer of multiple devices and an OEM for others. I would
imagine, if consistent across firmwares, there are a lot of requests being
made. [https://en.wikipedia.org/wiki/TP-Link](https://en.wikipedia.org/wiki/TP-Link)

------
ktta
PSA

Anyone with commodity routers, repeaters, etc. please check out LEDE project
[https://lede-project.org](https://lede-project.org). Check if your device has
support here - [https://lede-project.org/toh/start](https://lede-project.org/toh/start)

LEDE firmware is amazing. You will be able to do a lot more with your router
and they have quick security fixes. The recent krack vulnerability was fixed
within 2 days after the announcement.

~~~
tambourine_man
Anyone care to explain the pro/cons of DD-WRT vs Tomato vs OpenWRT vs LEDE vs
etc?

~~~
cheald
LEDE is basically an OpenWRT fork which is being actively developed. The
biggest draw is that it's actively developed, and managed in a Linux-style
package manager setup, rather than monolithic baked firmwares that you have to
flash wholesale. Patching against things like KRACK was as simple as just
invoking the package manager.

DD-WRT and Tomato are both old tried-and-true alternatives to vendor
firmwares, and they require less tinkering to get into the state that you
want, but they both tend to have weird crufty edge cases that never get
properly fixed and don't seem to have any clear direction or leadership - they
are both a hodgepodge of forks that you have to spend time digging through
hundred-page forum threads to find information about. Development schedules
are sporadic, and you often end up with dozens of potential builds in varying
states of beta and testing which fix this or that but break this or that other
thing. When they work, they're great, but my experience with LEDE has been
consistently superior than my experience with DD-WRT or Tomato.

~~~
0xcde4c3db
Just to be clear, OpenWRT isn't 100% abandoned, but it's basically just a
handful of sporadic package version bumps and backported bug fixes, which
might not ever make it into an official numbered release. If the counts on
GitHub are accurate/comparable, LEDE has almost 2000 more commits than
OpenWRT. The OpenWRT website also seems to be semi-abandoned (the front page
has had a spam post on it for over a month; it looks like it was moved there
accidentally by a moderator intending to move it to a "trash" subforum).

~~~
rrauenza
I naively bought the Linksys WRT 1900AC about when it released because it
claimed dd-wrt support at release.

Then the dd-wrt folks mentioned that Linksys never actually gave them hardware
... and if I recall, hadn't really been included in the plans to support it at
all.

So then I waited and found whenever I looked for the dd-wrt firmware, it
always had lots of caveats and known issues.

I gave up. Shelved it and bought a pfSense box for the internet and use a
Ubiquiti wifi AP.

~~~
rufugee
I ran openwrt and then lede on a wrt1900ac v2 for about 1.5 years until last
week. Initially, stability was spotty, but the latest Lede images worked
generally well. However, while VLANs with LEDE worked perfectly with my two
TP-Link WDR3600s, LEDE on the WRT1900AC ultimately had issues with them. I tried one last
thing, probably bricked it, and that was the last straw...ordered three Unifi
aps and couldn't be happier.

OpenWRT/LEDE is great assuming your device is well-supported and well-tested.
Unfortunately, the wrt1900ac line was never as open as Linksys claimed it was,
the LEDE devs didn't get the support they needed from Linksys when they needed
it, and so certain things still don't seem to work.

------
alpb
My most recent frustration with TP-LINK was that they DO NOT provide their
firmware updates over HTTPS. They do not provide checksums for their firmware
files either. (When I asked for these things, their support weren't helpful on
Twitter.)

So you're expected to download some unsigned binary over an untrusted
connection and trust that with all your traffic.

Definitely not buying TP-LINK next time. Good to know there's a bandwidth
problem like this!

~~~
snuxoll
TP-Link does a pretty good job on basic Layer 3 Lite switches and desktop
wireless cards, but the junky software on their routers and repeaters is
enough to make me not use them. Unfortunately they do the same thing with
firmware upgrades for their switches as well: no signatures, no hashes, no
TLS.

~~~
flyinghamster
Good to know. While I've liked their dumb switches, if they can't be bothered
to secure their firmware downloads, there's no way I'm buying one of their
"smart" products.

------
kercker
Update: According to ktta
([https://news.ycombinator.com/item?id=15912467](https://news.ycombinator.com/item?id=15912467)),
there is a mistake in my calculation too.

"138KB * 24 * 3600 / 5" should be 2.3287GB per day. And it's 2.3287GB * 30 per
month.

Update 2: "For comparison, a 5-minute check would be considered a pretty
aggressive checking interval, and would only consume 1,37 MB per month.
Instead, TP-Link goes through the same amount of data in just 82 minutes."

This assertion from the article has multiple errors too.

-----------------------------------------------------

The whole argument of the author is built on a flawed calculation by the
author and the author exaggerated the number by a factor of 10.

715MB/month in the title and the article should be 71.5MB/month according to
other information provided by the author.

According to the author, "TP-Link product is using about 138 KB every 5
seconds — or 23,85 MBs per day — on timekeeping."

23,85 MBs per day is not right, because 138KB * 24*3600/5 is about 2.328 MBs
not 23,85 MBs.

~~~
ktta
Also I think it is 138 B, not kilobytes since that would be 2.3GB/day.

Whoops. Made it to the front page of HN with so many mistakes.

EDIT:

Since there seems to be interest in this let's do the test:

5 DNS requests + 1 NTP update according to the article (seems weird that it
would resolve all the NTP servers, but let's roll with it)

DNS: dig <domain> (mean for request is 43.8 B and reply is 84.6 B)

NTP: busybox_NTPD -n -q -p time.nist.gov

---------------------

Egress:

Single DNS request : 20 (IP) + 8 (UDP) + 44 (DNS) = 72 B

NTP request (2 packets): 20 (IP) + 8 (UDP) + 48 (NTP client) = 76 B

Total egress: 72x6 + 76x2 = 584 B

----------------------

Ingress:

Single DNS reply: 20 (IP) + 8 (UDP) + 85 (DNS) = 113 B

NTP reply (2 packets): 20 (IP) + 8 (UDP) + 48 (NTP server) = 76 B

Total Ingress: 113x6 + 76x2 = 830 B

----------------------

The total bandwidth used according to my calc is 1414 B. So their number of
138 KB is actually 1.38 KB (which is 1380 B, and that's closer to my number. I
rounded up if you look at my numbers)

So their number of 715 MB is actually right. Just an error with 138 KB -> 1.38
KB
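The packet accounting above (IP and UDP headers plus the DNS and NTP payloads, six DNS datagrams and two NTP datagrams each way per 5-second poll) can be carried through to per-day and per-month totals to check the article's 715 MB figure. This is an added example, not code from the thread or the article; the header and payload sizes are the ones stated in the comment, and a 30-day month is assumed.

```python
IP_HEADER = 20     # IPv4 header without options, as assumed in the comment
UDP_HEADER = 8
NTP_PAYLOAD = 48   # fixed-size NTP packet without extension fields

# Mean DNS payload sizes the commenter measured with dig (constructed input here)
DNS_QUERY_PAYLOAD = 44
DNS_REPLY_PAYLOAD = 85

POLL_INTERVAL_SECONDS = 5
SECONDS_PER_DAY = 24 * 3600
DAYS_PER_MONTH = 30  # assumption: 30-day month


def datagram_bytes(payload):
    """Bytes above the link layer for one UDP/IPv4 datagram carrying `payload`."""
    return IP_HEADER + UDP_HEADER + payload


def bytes_per_poll(dns_queries=6, ntp_packets=2):
    """Return (egress, ingress, total) bytes for one polling cycle.

    Each DNS query is answered by one reply; each NTP request packet is
    answered by one NTP reply of the same size.
    """
    egress = dns_queries * datagram_bytes(DNS_QUERY_PAYLOAD) + ntp_packets * datagram_bytes(NTP_PAYLOAD)
    ingress = dns_queries * datagram_bytes(DNS_REPLY_PAYLOAD) + ntp_packets * datagram_bytes(NTP_PAYLOAD)
    return egress, ingress, egress + ingress


def extrapolate(per_poll_bytes, interval=POLL_INTERVAL_SECONDS, days=DAYS_PER_MONTH):
    """Return (bytes per day, bytes per month) for a fixed polling interval."""
    per_day = per_poll_bytes * SECONDS_PER_DAY / interval
    return per_day, per_day * days


def megabytes(n):
    """Decimal megabytes (1 MB = 1,000,000 B), the convention the article's 715 MB implies."""
    return n / 1_000_000


if __name__ == "__main__":
    egress, ingress, total = bytes_per_poll()
    per_day, per_month = extrapolate(total)
    print(f"per poll: {egress} B out + {ingress} B in = {total} B")
    print(f"per day: {megabytes(per_day):.2f} MB, per month: {megabytes(per_month):.1f} MB")
    # The article's own per-poll figure, read as 1.38 KB rather than 138 KB:
    _, article_month = extrapolate(1380)
    print(f"article figure (1380 B/poll): {megabytes(article_month):.1f} MB per month")
```

With the commenter's 1414 B per poll this gives roughly 24.4 MB per day and 733 MB per month; with the article's 1380 B per poll it gives 715 MB per month, which is why the headline number survives once "138 KB" is read as "1.38 KB".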

------
herpderperator
Don't bother with repeaters. Get normal access points, and install several of
them if you need to disperse the range around a large area/building/complex.
If the SSID and security passphrases match, clients will roam seamlessly
between the different APs. I suspect the reason people buy repeaters is that
they don't realise that this is possible, or they don't want additional
cabling.

Repeaters add latency and I can't imagine any network engineer would ever
recommend one.

~~~
w0utert
> Don't bother with repeaters. Get normal access points, and install
> several of them if you need to disperse the range around a large
> area/building/complex.

Or better yet, buy a bunch of Ubiquiti UniFi's, which were specifically made
for this purpose and should provide the most seamless and efficient way to
blanket your house in Wifi (provided you already have cabling to the access
points). They are not cheap, but also not extremely expensive compared to a
decent router either.

~~~
technofiend
> Or better yet, buy a bunch of Ubiquiti UniFi's

Warning: do not follow this advice; Ubiquiti products are like potato chips in
that you can never eat just one.

Oh I'll get the AC PRO access point, you think. Five minutes later you've set
it up via a quick QR code scan and the UniFi app. That was painless! No wonder
people recommend these things.

Oh wait I need to make some more device tweaks but UniFi won't do it.. better
get the cloud key thingy that manages the device. I'll have one of those.

A couple of months go by and you discover your Google Home device or NEST
doesn't work with beam steering. Wait, you can manage the advanced AC PRO
settings using their own software? Fine I'll build a small PC to run that
since if you're going to do it may as well see the stats all the time.

Hmm... KRACK/sploit-du-jour is out, maybe I'll just get a new Edgerouter since
it's already fixed there. Oh wait, there's a fringy area in my house I'll bet
another AC PRO or maybe an AirMax repeater would be just the thing.

Oh dear, I seem to be running out of ports, better go ahead and get a nice POE
switch since that'll declutter things a bit. Etc.

~~~
johnbellone
I agree. I purchased some Ubiquiti gear a few months back after a condo
purchase, and ran into a few problems:

- UniFi brand works well for setup, but the cloud controller is necessary for
command/control management outside of the iOS/Android app.

- EdgeRouter is not a UniFi product and does not act as a cloud controller.

- EdgeRouter X does not deliver 48V PoE; an upgrade was needed to power the AC-PRO.

- EdgeRouter UI is horrid and it's much easier to manage over SSH.

- Cloud Controller is easy to set up, but doesn't work with all product lines.

tl;dr The hardware is really good, but software is lacking, especially because
not all hardware is UniFi compatible.

~~~
technofiend
My response was tongue in cheek but seriously I recommend budgeting a VM or
Raspberry Pi to run their controller software, which offers the most
configuration options.

[https://www.ubnt.com/download/unifi/](https://www.ubnt.com/download/unifi/)

~~~
slantyyz
The UniFi cloud stick isn't that much more expensive than a Pi, and is
probably the least amount of work to set up a dedicated controller.

I use an Atom based PC stick that I had lying around to run the controller (on
Windows) and it works great.

~~~
technofiend
I mistakenly thought the cloud key ran a lesser version of UniFi than the
distribution found on their website, however googling around implies it's the
same version. So I suppose budget for a cloud key or a Pi. A Raspberry Pi 3 is
64 bit, runs Fedora natively and can serve up other functions beyond the key.
So I lean towards the Pi but if they're functionally equivalent I suppose it's
down to personal preference.

------
linsomniac
I ran a public NTP server for around a decade. I finally stopped, but these
sorts of vendor abuse weren't the reason why.

We started running them before the NTP pool (though we eventually did include
our servers in the pool). The worst it got was a largish regional ISP had put
our servers in their CPE, and one day they had an event where they rebooted
all of their CPE at once. That caused a noticeable spike in our network
traffic.

The real DDoS that caused us to stop offering public DNS service was:
misguided network admins. The week I had the second network admin calling me,
asking why my network was attacking their network, and then started yelling at
me over the phone and hung up in a huge huff. He had installed some sort of
IDS and it was triggering on NTP traffic, and rather than investigate it he
just called our emergency hotline and got me out of bed to deal with it.

"Those packets you are receiving are in response to packets you are sending
our NTP server asking for the time." was not the answer he was looking for I
guess. :-( Honestly, I was already mad from being woken up (the emergency
hotline says it is for service outages only), and that it was the second call
that week on it. So I take some blame in the call not going well. But this
dude never stopped yelling at me.

The problem with running a public service is: The administration doesn't scale
with the number of users.

~~~
Forbo
NTP uses UDP, so he was probably the victim of a spoofed NTP request
amplification attack. He probably didn't have clients that were actually
requesting the time, the requests were just spoofed to look like they came
from his IP.

~~~
linsomniac
My recollection was that the volume coming from this one site was tiny, not
like a DDoS. I don't recall if he said as much or if I was reading between the
lines, but it sounded like he had just set up some sort of IDS, and it
reported this traffic as an attack, and he just took that at face value.

We did have some UDP multiplication attacks at other times, mostly on our
authoritative DNS servers. I don't recall that we ever had any against our NTP
servers that I noticed. But we did block the broadcast address so the best
multiplication vector was via DNS requests, IIRC the NTP responses were fairly
short.

------
keypusher
Somewhat unrelated but if you are looking for a rock-solid router, check out
Mikrotik. I've been through half a dozen routers over the years, with and
without custom firmware, and having owned a Mikrotik Routerboard for the last
year, it's the first one that just works 100% and never drops connections.
Easy to set up if you know what you are doing and customizable if you want to
dig in.

~~~
garaetjjte
Yeah, Mikrotik have great devices for reasonable prices, but it is irritating
that you can't run your own applications on it, there is no publicly available
working kernel to run under MetaROUTER, and they want $45 for the GPLed sources.

[https://mikrotik.com/downloadterms.html](https://mikrotik.com/downloadterms.html)

------
NelsonMinar
This kind of stupidity happens to NTP frequently. The ironic thing is NTP is
so lightweight that sometimes it's better to just answer the query than try to
block the traffic. The DNS traffic is more expensive than the time query!

Note this was reported on the NTP Pool Discourse about 3 weeks ago:
[https://community.ntppool.org/t/software-and-devices-without-a-vendor-zone/28/26](https://community.ntppool.org/t/software-and-devices-without-a-vendor-zone/28/26)

------
kuon
I discovered PC engines APU boards and now I do all my routers/network thingie
with it and OpenBSD. I'm quite sure there are some nice GUI "ala pfSense" too,
but I like my configuration files better.

------
sschueller
I purchased cheap crap TP-Link access points and replaced the firmware on each
one with open-wrt[1] and they have all worked extremely well for many years now. The
stock firmware is total junk and crashes all the time.

[1] [https://openwrt.org/](https://openwrt.org/)

------
unwind
One silly thing that I hadn't thought of: the use of NTP for devices like this
should mean that the NTP operators can gather pretty accurate statistics about
each device's market share.

I guess the same folks who design software that spams things like this don't
bother working too much on making it hard to fingerprint their devices,
either. On the other hand, I haven't looked at the NTP protocol recently.
Perhaps this isn't even possible due to the protocol's simplicity?

~~~
gcb0
DNS is a better target for this. Google even had Rob Pike's team do this
sinkhole for them, which says it's an expensive and worthwhile goal and not some
afterthought.

------
Jaruzel
Slightly tangential, but I've recently been writing a command line tool to
talk to some TP-Link Smart Plugs, and discovered that they regularly talk to
'devs.tplinkcloud.com' even if you don't enable a TP-link Cloud account.

More details here (not my site): [https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/](https://www.softscheck.com/en/reverse-engineering-tp-link-hs110/)

~~~
Faaak
I changed the server url on mine to "localhost". I control the plugs via a
script in a docker container (they pilot water pumps). It works well that way.

------
Taniwha
oh, f--k, every TP-link box on the planet is hitting nz.pool.ntp.org every 5
minutes? you guys know we only have a couple of cables connecting us to the
rest of the world right?

Please don't buy TP-link, you're DoSing an entire country

~~~
chli
5 times a second !

~~~
PhasmaFelis
Once every 5 seconds.

------
0x0
Reminds me about the D-Link vs phk NTP drama years ago
[https://slashdot.org/story/06/04/07/130209/d-link-firmware-abuses-open-ntp-servers](https://slashdot.org/story/06/04/07/130209/d-link-firmware-abuses-open-ntp-servers)

------
edent
Wow! 11 years ago D-Link were the ones abusing NTP
[https://m.slashdot.org/story/67096](https://m.slashdot.org/story/67096)

Strange how these "mistakes" keep cropping up. Is it laziness, malice, or just
ignorance?

~~~
yeukhon
Laziness and ignorance (probably not even knowing what they were doing other
than just using these ntp servers) at the beginning. I bet someone just
“copied and pasted”.

------
mikerg87
Honest question. How would you begin discovering this kind of leakage? Do you
need some sort of tap that records protocols and MAC addresses? Do these
firmware emplacements have this as a built-in feature? With so many IoT
devices being plugged in, it seems like this would be handy.

~~~
pixl97
Lots of enterprise equipment has features where you can mirror traffic off an
ethernet port and monitor it, but it is cheap and easy to do if you are poor
too. Dig up a 100MB hub, not a switch, and then with another computer plugged
into that hub run a program like Wireshark or tcpdump.

This is one reason why I don't run all-in-one router/wireless combos. Most
integrated (especially provided by ISP units) devices have no way to tell you
what is being sent over the air and then to your ISP.

------
hammock
@dang why did you change the title to this (from the article's title)?

------
AgentME
Didn't TP-Link backdoor one of their routers, additionally in a
remotely-exploitable insecure way that they never patched?[0] Am I alone in that
putting a company on my eternal shit-list? Looks like a good choice in
retrospect if they're still coming up with things like this.

[0] [https://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers](https://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers)

------
easytiger
> To put this number in context: an always-on Windows device will use around
> 1,6 KB per month.

Windows doesn't do time sync properly so that's hardly a relevant comparison

------
xamlhacker
Well I run a TP-link repeater and now I'm thinking of getting something better.
Does anyone know any routers or repeaters with a reputation for good firmware?

~~~
Thlom
The Ubiquiti UniFi stuff looks good and not very expensive.

~~~
gh02t
Speaking from experience, it _is_ good. Takes a bit of networking know-how to
set it up though, and you still need a router. Their consumer oriented stuff
like the AmpliFi is quite excellent too and a bit friendlier.

I use an Edgerouter Lite, a Mikrotik switch and UniFi APs for myself and was
so pleased I bought the AmpliFi mesh for my parents.

~~~
jagermo
I have a similar setup, without the switch and the Unifi APs are just
excellent. Smooth setup, great range.

So, if you can run a cable, I second Unifi.

OP, if you cannot run a cable, maybe look into a mesh network. Repeaters
"lose" about half of the bandwidth anyway, so a mesh might be a good alternative.

If you want to set up an open source environment, there is libremesh
([http://libremesh.org](http://libremesh.org)).

If you just want to buy something, there are products from Netgear (orbi),
Linksys (Velo) or Ubiquiti (Amplifi). If you have a Fritz!Box-setup from AVM,
you might be able to use their mesh features (site in German, because if you
have a FritzBox, you probably speak German ;)
[https://avm.de/mesh/](https://avm.de/mesh/))

~~~
danesparza
Ubiquiti also has a line of UniFi mesh gear: [https://unifi-mesh.ubnt.com/](https://unifi-mesh.ubnt.com/)

------
d2wa
This issue has been fixed by a new firmware release from TP-Link. The updated
firmware changes the behavior to use ICMP pings on the local network rather
than NTP+DNS requests out on the public internet.
[https://www.ctrl.blog/entry/ntplink-fixed](https://www.ctrl.blog/entry/ntplink-fixed)

------
ausjke
Just replace its firmware and load the router with LEDE/openwrt instead.

LEDE is an Openwrt fork, and it might merge back to Openwrt sometime.

LEDE is under active development and its newest release is 17.01.4
[https://downloads.lede-project.org/releases/](https://downloads.lede-project.org/releases/)

------
tom_usher
I've been seeing an unusual number of NTP requests in my PiHole logs but never
got round to figuring out the cause - nice to have an explanation.

Hope this is fixed in a firmware update, my repeater is quite a nice device
otherwise.

------
devy
TP-Link is a major networking equipment manufacturer globally and one of the
largest in China, just behind Huawei. They are one of the few who design
equipment firmware/software and hardware in-house[1] and certainly have the
resources (manpower and money) to get the network protocol implementation right
(sometimes they don't) for their products, and I wonder if the author has
proactively reached out to them so that they can fix it for all (rather than
public shaming and/or a product ban)?

[1]: [https://en.wikipedia.org/wiki/TP-Link](https://en.wikipedia.org/wiki/TP-Link)

------
void-star
Strongly suspect this device doesn't have an RTC...

------
Sami_Lehtinen
About every 5 seconds Ubuntu is making a DNS lookup for daisy.ubuntu.com.

------
wnevets
slightly off topic, can anyone recommend a good router for home use? It seems
like every major brand router is just awful.

~~~
frankzinger
As others have said, check out Mikrotik.

I recently bought [https://mikrotik.com/product/RB952Ui-5ac2nD-TC](https://mikrotik.com/product/RB952Ui-5ac2nD-TC).
It was much cheaper than my previous stock Netgear router but it's orders of magnitude better.

This live demo of their web UI at [http://demo.mt.lv/](http://demo.mt.lv/) and
[http://demo2.mt.lv/](http://demo2.mt.lv/) should give you a good idea of what
you get.

------
LordKano
I know there's a joke to be made here.

"TP" link firmware is peeing in the pool of ntp servers...

I think I need more coffee first.

------
colanderman
> an always-on Windows device will use around 1,6 KB per month

How is this possible? Is the author ignoring Windows Update?

~~~
djaychela
I'm thinking he's just referring to the traffic relevant to the TP-Link
firmware - otherwise there's no way to make any relevant comparison.

------
cthalupa
I use a TP-Link travel router while on the road to get access for all of my
devices in hotels that have device caps, and for my Android TV devices which
don't gracefully handle hotel login prompts.

I have to say that the convenience, ease of use, and reliability of the
product far outweighs any concerns I have over ~715MB over the course of a
month. It boots quickly once plugged in, it reliably handles 4-5 devices
utilizing it as a bridge for the hotel wifi, and I have never had it crash,
give me any sort of wonky behavior, or anything of that nature.

~~~
0x0
Don't forget that those 715 MB you take have to be delivered by someone running
those servers at the other end, multiplied by the number of devices. Don't be
a vandal on the internet. Don't be the reason why we can't have nice
things like community NTP pools.

~~~
cthalupa
If the NTP pool has an issue with what TP-Link is doing, they should talk to
TP-Link. If TP-Link is unresponsive to their concerns, then they should be
public about it. It is not the responsibility of random consumers to know
about how two other parties interact with each other.

This appears to be entirely a supposition that the NTP pool cares that TP-Link
is doing this, without any evidence that the actual people in charge of it are
concerned. As best I can tell, this blog is not run by Ask Bjørn Hansen and
neither he nor the ISC have voiced any concerns here.

~~~
JdeBP
Ask Bjørn Hansen encouraged TP-Link to comply with the vendor zone system and get
its own hostname, back in January 2017.

* [https://community.ntppool.org/t/software-and-devices-without...](https://community.ntppool.org/t/software-and-devices-without-a-vendor-zone/28/26)

