TP-Link firmware sends six DNS requests and one NTP query every 5 seconds (ctrl.blog)
485 points by phikai on Dec 13, 2017 | 237 comments



  firmware sends six DNS requests and
  one NTP query every 5 seconds
  (...snip...)
  TP-Link has hardcoded the following non-configurable
  NTP servers and server pools in their firmware:
  (...snip...)
  au.pool.ntp.org, nz.pool.ntp.org
Wait... so TP-Link is effectively DDoSing NTP pool?

Also, as pointed out in another thread here, a vendor using a country prefix instead of applying for their own prefix is a violation of:

http://www.pool.ntp.org/en/vendors.html

..which was put in place as a reaction to incidents just like this one:

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse#No...


An NTP request every couple of seconds is similarly in violation of the vendor guidelines; once every 10 minutes or less often is what is stated.


Would it be possible for the NTP server to detect what type of device/OS is sending the request and block it (ie: could au/nz.pool.ntp.org servers block all TP-Link requests to teach them a lesson)?

If they can't do that, maybe they can just detect IPs that are making requests every 5 seconds as the TP-Link products are doing and block those, since they're in violation of the once-every-10-minutes-maximum rule for the NTP servers?


I'm a bit rusty, but I believe the way NTP works (at least the reference version which is commonly used) is that if a client sends too many requests in a short time, they are ignored except to reply with a "back off packet" which is called the KoD (Kiss of death) in NTP terms.

Security audits have found some issues with abusing the KoD so I'm not sure if it still works like that or if it tends to be disabled. (I was on one of the teams doing the audit, I found the "Skeleton Key" defect)

https://www.eecis.udel.edu/~mills/ntp/html/rate.html#kiss

If you wanted to help the server deal with DoS even better, I would guess the best solution is to put a rate limiting firewall in front of it.
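
Added example for the mechanism described in this comment (it is not ntpd's code, and not part of the thread): a Python model of a per-source rate check that answers over-frequent clients with an RFC 5905 kiss-o'-death packet (reference ID "RATE") and stops answering them after repeated violations. The 10-minute spacing follows the pool's vendor guideline quoted above; the three-strike cutoff, the 192.0.2.x addresses and the traffic pattern are constructed assumptions.

```python
"""Per-source NTP rate guard with RFC 5905 kiss-o'-death (KoD) replies.

Added illustration for this thread; it is not ntpd's code (ntpd does this itself when a
restrict line carries `limited kod`). The 10-minute spacing follows the pool's vendor
guideline quoted above; the strike limit, addresses and traffic are constructed assumptions.
"""
import struct
from collections import defaultdict

NTP_LEN = 48
MODE_CLIENT, MODE_SERVER = 3, 4
MIN_INTERVAL = 600.0        # seconds; assumption: enforce "once every 10 minutes or less often"
STRIKES_BEFORE_BLOCK = 3    # assumption: KoDs a client may ignore before it is dropped silently


def client_request(xmt_seconds, version=4):
    """Constructed 48-byte client packet: LI=0, VN=version, mode 3, only the transmit timestamp set."""
    first = (version << 3) | MODE_CLIENT
    head = struct.pack("!BBbbII", first, 0, 0, 0, 0, 0) + bytes(4)   # stratum, poll, precision, root delay/disp, refid
    return head + bytes(24) + struct.pack("!II", xmt_seconds, 0)     # ref/orig/recv zero, xmt = (sec, frac)


def mode_of(pkt):
    return pkt[0] & 0x07


def build_kod(request, kiss_code=b"RATE"):
    """KoD per RFC 5905 section 7.4: LI=3, same version, mode 4, stratum 0, reference ID = kiss code.
    The client's transmit timestamp is echoed as originate timestamp so the client matches the reply."""
    version = (request[0] >> 3) & 0x07
    first = (3 << 6) | (version << 3) | MODE_SERVER
    head = struct.pack("!BBbbII", first, 0, 0, 0, 0, 0) + kiss_code
    return head + bytes(8) + request[40:48] + bytes(16)              # ref ts, orig ts, recv ts, xmt ts


class RateGuard:
    """Track spacing of queries per source; KoD the abusers, then stop answering them."""

    def __init__(self, min_interval=MIN_INTERVAL, strike_limit=STRIKES_BEFORE_BLOCK):
        self.min_interval = min_interval
        self.strike_limit = strike_limit
        self.last_seen = {}
        self.strikes = defaultdict(int)
        self.blocked = set()

    def handle(self, src, pkt, now):
        """Return (decision, reply) for one inbound datagram; reply is bytes only for a KoD."""
        if len(pkt) != NTP_LEN or mode_of(pkt) != MODE_CLIENT:
            return "drop", None                      # malformed or not a client query
        if src in self.blocked:
            return "drop", None                      # blocklisted: no reply at all, costs us nothing
        prev = self.last_seen.get(src)
        self.last_seen[src] = now
        if prev is not None and now - prev < self.min_interval:
            self.strikes[src] += 1
            if self.strikes[src] >= self.strike_limit:
                self.blocked.add(src)
                return "block", None
            return "kod", build_kod(pkt)             # tell a well-behaved client to back off
        return "serve", None                         # hand off to the real time service


def simulate():
    """Constructed traffic: one client polling every 1024 s, one device querying every 5 s."""
    guard = RateGuard()
    decisions = {"sane": [], "every5s": []}
    for i in range(3):
        t = 1024.0 * i
        decisions["sane"].append(guard.handle("192.0.2.10", client_request(int(t)), t)[0])
    for i in range(6):
        t = 3000.0 + 5.0 * i
        decisions["every5s"].append(guard.handle("192.0.2.20", client_request(int(t)), t)[0])
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The caveat in the comment above still applies: a KoD only helps against a client that honours it, which is why the guard stops replying entirely after a few strikes (a reply to every 5-second query would cost the server as much as serving time would). A packet filter in front of the server can do the same dropping before the NTP process ever sees the datagram.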


Out-of-the-loop: what products are using TP-Link?

Aside: maybe there should be a governing body for comm protocol behavior? (Semi sarcastic)


TP-Link is a manufacturer of multiple devices and an OEM for others. I would imagine, if consistent across firmwares, there are a lot of requests being made. https://en.wikipedia.org/wiki/TP-Link


PSA

Anyone with commodity routers, repeaters, etc. please check out LEDE project https://lede-project.org. Check if your device has support here - https://lede-project.org/toh/start

LEDE firmware is amazing. You will be able to do a lot more with your router, and they have quick security fixes. The recent KRACK vulnerability was fixed within 2 days after the announcement.


Anyone care to explain the pro/cons of DD-WRT vs Tomato vs OpenWRT vs LEDE vs etc?


LEDE is basically an OpenWRT fork which is being actively developed. The biggest draw is that it's actively developed, and managed in a Linux-style package manager setup, rather than monolithic baked firmwares that you have to flash wholesale. Patching against things like KRACK was as simple as just invoking the package manager.

DD-WRT and Tomato are both old tried-and-true alternatives to vendor firmwares, and they require less tinkering to get into the state that you want, but they both tend to have weird crufty edge cases that never get properly fixed and don't seem to have any clear direction or leadership - they are both a hodgepodge of forks that you have to spend time digging through hundred-page forum threads to find information about. Development schedules are sporadic, and you often end up with dozens of potential builds in varying states of beta and testing which fix this or that but break this or that other thing. When they work, they're great, but my experience with LEDE has been consistently superior to my experience with DD-WRT or Tomato.


Just to be clear, OpenWRT isn't 100% abandoned, but it's basically just a handful of sporadic package version bumps and backported bug fixes, which might not ever make it into an official numbered release. If the counts on GitHub are accurate/comparable, LEDE has almost 2000 more commits than OpenWRT. The OpenWRT website also seems to be semi-abandoned (the front page has had a spam post on it for over a month; it looks like it was moved there accidentally by a moderator intending to move it to a "trash" subforum).


I naively bought the Linksys WRT 1900AC about when it released because it claimed dd-wrt support at release.

Then the dd-wrt folks mentioned that Linksys never actually gave them hardware ... and if I recall, hadn't really been included in the plans to support it at all.

So then I waited and found whenever I looked for the dd-wrt firmware, it always had lots of caveats and known issues.

I gave up. Shelved it and bought a pfSense box for the internet and use a Ubiquiti wifi AP.


I ran OpenWrt and then LEDE on a WRT1900AC v2 for about 1.5 years until last week. Initially, stability was spotty, but the latest LEDE images worked generally well. However, while VLANs with LEDE worked perfectly with my two TP-Link WDR3600s, LEDE ultimately had issues with it. I tried one last thing, probably bricked it, and that was the last straw... ordered three UniFi APs and couldn't be happier.

OpenWRT/LEDE is great assuming your device is well-supported and well-tested. Unfortunately, the wrt1900ac line was never as open as Linksys claimed it was, the LEDE devs didn't get the support they needed from Linksys when they needed it, and so certain things still don't seem to work.


I use DD-WRT on my WRT1900AC. It's quite fine, but I may try LEDE anyway.



LEDE has very active anti-bufferbloat research people working with it.

LEDE has, in general, active, managed, and unified development. You'd have to hunt down a specific Tomato/DD version that works for you. Sometimes the latest version of DD/Tomato works, sometimes it doesn't. LEDE? Just download the latest stable release, done.


The big one for me is that LEDE uses a recent kernel. DD-WRT and Tomato use the kernel that was provided by the hardware vendor. They have an easier job to get things running because most hardware vendors have some crazy (perhaps binary only) kernel modules.

When buying hardware, look at the LEDE hardware support list. Recently I have bought a TL-WDR4300 (get the right version) and a Buffalo AirStation N600 router. LEDE runs well on these and the router has enough flash and RAM. Running hardware vendor firmware is not good, IMHO.


I love my Tomato router, I'm on my second in about 7 years. Asus N66u I think. The first I bought and configured myself, which was a tiny bit of pain finding the right binary, etc. The router I'm using now I bought from FlashRouters.com at a fairly high margin above what I could buy the router alone, but they're fast and I trust them. I just recently bought a backup router from them too, and preconfigured it for minimal downtime should the current one break.


FWIW, it can be worth checking beyond whether or not your device is _supported_. I had DD-WRT running on an ASUS RT-AC68U for a while, and ended up switching back to a fork of the official firmware (Asuswrt-Merlin) for better performance once I upgraded to a >100Mbps WAN connection (IIRC it was something to do with hardware-accelerated NAT).


There's a patch to enable Qualcomm FastPath in LEDE; this offloads simpler TCP and UDP traffic from the kernel stack and gets me 960Mbps LAN to WAN on a Netgear R7800.


Why isn't the patch upstreamed?


Because stuff is only upstreamed when it's totally stable and known to work on a wide range of devices, it's still a tad experimental (albeit many people are using it successfully)

You can get dissent1's pull request here: https://github.com/lede-project/source/pull/1269


Thanks for the tip; I'll have to check this out! My router's OpenWRT wiki page has had an ominous warning about reduced NAT throughput for some time. Turns out that my router should be supported (Atheros AR9344 MIPS 74Kc based).


Here's the pull request, I think you'll have more luck with this than gwlim's builds: https://github.com/lede-project/source/pull/1269


Where can I find this patch? I'm on one of the ASUS routers but want to try out LEDE, but don't want reduced throughput.



GWLim's patch is the fastpath patch and a whole lot of micro-optimizations, so unless you're on a MIPS arch it's going to be hell to get working.

The cleaner patch, taken from QSDK upstream is here: https://github.com/lede-project/source/pull/1269


I like it when you talk dirty like that...


>You will be able to do a lot more with your router and they have quick security fixes

Just a counterpoint to this. LEDE on its own doesn't have a very smooth in-place upgrade system. If you are in the loop, sure you can do upgrades, but most people would never log in to their routers after setting them up. I think something like Google Wifi is not a bad solution either, with the obvious privacy tradeoff. It runs Chromium OS and will update reliably on its own.


I realize people's opinions differ on this, but having Google's wifi router is one of the most privacy compromising things one can do.

Security wise, sure, great idea. But there's so much data to collect at the router level. From wireless MAC addresses (which it already does), and to every single IP address visited by every device in the household.

I might sound paranoid, but with continuous news of Google's privacy intrusive choices on Android, iOS etc. I will not trust them with that data, ever.


This is one of those things where the language is being deliberately twisted. "Secure" means "only people you authorise can see the data", but now it's assumed that you authorise Google (or other provider) implicitly.


Apple AirPort is probably the best router I have ever owned. Not the fastest, but extremely stable, based on NetBSD and from a company that makes money on my hardware rather than my data.

I really hope they will have an 802.11ax version once they iron out all the crap that is going on in there.


My biggest issue with Apple routers is that you _need_ an Apple device to do anything with them.

I have an AirPort Extreme, and while I'm not opposed to having Apple devices, I also don't exclusively buy from them, but rather what I deem to be the best product for my purposes at the time of purchase. That currently means an iPhone, an iPad, and a Dell laptop running Linux, but has in the past included both Apple laptops and Android phones and tablets. Because of my choice of router, I need to make sure that I always have at least one Apple device, preferably as a main device for convenience (because running a server means I need to mess with ports now and then).

A simple web interface would've solved this. They could still have their own app to make it just as user friendly for people who don't have an Apple device immediately at hand.

I will likely never buy a Mac again because I absolutely need Linux, and they're making their Macs worse and worse for Linux. I plan to eventually replace my need for a tablet with one of those Dell XPS convertible machines with a touch screen. That means there will come a time when I need to choose between letting the router be a factor in what phone I buy, or getting a new, non-Apple router, and that kinda sucks.


I can’t attest to how well it works, but the Airport Utility is available on Windows. This obviously doesn’t help you if you are looking to manage using an Android or Chrome device.


I have used that a tiny bit in the past (many years ago), and while not great, it works. However, it's abandoned, with the most recent version being released in 2012, and only officially supports Windows 7.

Besides, the only system I have with Windows is my gaming desktop, and that's only running Windows because there's a couple of games I play which don't support Linux. My laptop runs Linux, and while it's not running Overwatch, my gaming desktop is running Linux.

I think a more likely solution is to just keep an iOS device around while the router is in use.


I've had good luck running the windows airport utility in wine if that's all that's holding you back.


We've used Apple Airport access points at a previous company, and while they work great, they are a pain to configure: you have to either interrupt a Mac-using coworker and use his machine, or try the more limited Windows version of the software on Wine and hope it works.



1. Mark Gurman: ever since he started working at Bloomberg, his sources or material have been either late or inaccurate.

2. The correct report was Router team folded into Apple TV team. Sounds like Apple TV adding router function to me.

3. Apple is still selling AirPort, and stock levels are still very healthy, i.e. no signs of discontinuation.


Apple Airports are also not compatible with all network configurations - it would not work with my fiber connection due to the MTU, and I had to buy a router from another brand.


good old apple: it just works, for very light and simple amounts of work.


Chromium updates require a reboot to take effect, right? How does Google WiFi reliably update without service interruptions?


Kernel updates do need a reboot. That's true for any Linux-based device. There are some improvements in kernel live patching. Not saying that Google Wifi, or any router, uses them.


I don't use the device so this is purely speculation, though I would assume they'd have configurable setting to push/apply updates at off-peak / night times?


Also, I maintain a page[0] that lists the top routers with support for OpenWrt and DD-WRT.

http://rooftopbazaar.com/routerfirmware/


Nice referral links on your page. I see from your comment history that you've spammed HN with it several times in the past as well.

---

Edit: To be clear, there's nothing inherently wrong with affiliate links. To me, though, it's the same as someone here mentioning their product or service in a comment without disclosing their affiliation.

It's one thing to tell another person "The FooBar 9000 is a good router.". It's quite another to say, "The FooBar 9000 is the BEST router on the market. Oh, look, here's Joe. He sells those and you can buy one from him right now.", without mentioning you have previously worked out a deal with Joe.

It's not the affiliation that's the issue. It's the lack of transparency about the affiliation. (And, in this case, for me personally, it's that the OP apparently tries to work in a link to his page anywhere he can in HN conversations.)


I fail to see the problem with affiliate links in that context. The site openly disclosed that they use affiliate links to amazon. The site provides a value, a ranked list of compatible devices. I might actually use it if I were shopping around for a device. Building and maintaining it probably takes some effort. It deserves to get paid. If you think that all for-profit pages should be banned from mention then this here would be a barren place, devoid of links to useful services.

added after the parent modified his post:

Even after you changed your comment, I fail to see a problem. The poster explicitly says "I maintain", openly disclosing his affiliation with the site. The site does not recommend a specific device as "the best"; it provides a list, ranked by a disclosed set of criteria from which you can pick. You can actually change the filters and the sort order - cheapest, graded by performance, ... We can agree or disagree on the specific sort criteria picked or the completeness of the list, but the grandparent actually does sometimes engage in discussions about this, soliciting feedback (and I presume implementing it). It adds value over the device lists that LEDE and OpenWRT provide.

The grandparent does mention the page every time the context makes sense, but alas, when else would he mention it? Would you prefer if the grandparent just posts the link as a reply to each and every post? He built something that adds value, so why not mention it? It's not like it's the only thing the GP ever posts. Seems more like a lurker from the comment history, but come on, the last mention was 141 days ago, it's not like it's spammy.

All in all your comment comes off as being jealous someone built something that provides a little income.


> The site openly disclosed that they use affiliate links to amazon.

Did it? I was on an iPad and only realized they were affiliate links after I clicked on one and it took me to Amazon. Immediately, I looked at the URL to see if there was a referral tag in there. I then went back and noticed "DISCLOSURE" at the very bottom, in the footer, but I don't recall seeing any mention of it before that.

> If you think that all for-profit pages should be banned from mention then this here would be a barren place, devoid of links to useful services.

Did I say anything even remotely close to that?


I wanted to ignore this since I don't enjoy subjective arguments, but since you seem to be virtue signalling about disclosures, I'd like to point out that your own page with Amazon affiliate links [http://evilrouters.net/bookshelf/] does not disclose your affiliation to Amazon (which is itself a violation of section 5 of the Amazon affiliate program agreement), nor does your DISCLOSURE page (whose link is also at the very bottom right of your page). The other commentator's disclosure page (http://rooftopbazaar.com/disclosure/) comes across as a proper honest disclosure to me. Sorry, your comments seem like hypocrisy to me.


Thanks for pointing that out. With the exception of a couple spontaneous, hastily written blog posts, that blog has been pretty neglected for about the last ~5 years. I've been meaning to remove the Adsense ads and add HTTPS for a long while too, but I haven't got around to doing either. Before just now, it's probably been several months since I even looked at that site.

Anyways, the "disclosures" page has no references to Amazon because I removed them several years ago when I quit being a part of the Amazon Affiliate program. I thought I had removed the affiliate tags as well but apparently not. They were still there but they haven't been valid for at least three or four years now (and, thus, not generating any commissions).

Here's a screenshot showing that the account was closed: https://imgur.com/c3rmZ5F

Regardless, I have removed them from the page. The page is cached and I don't remember the magic incantation to force varnish to purge the cached version but rest assured it'll get refreshed in the near future.

I'm sorry you had to spend your time searching through my web sites to try to find something that made me look hypocritical. Also, I'll point out that I don't go around posting links to that "bookshelf" page on HN comments. That is what would have made my statements hypocritical, not the fact that I had affiliate links on some random web page somewhere.


> Did it?

It says first thing on the top that links go to amazon. There's a link at the bottom to the full discussion. What's the issue if the links to amazon are affiliate links? It's not like they're forcing you to buy or that the value you get from the site is reduced by that. They don't hype a specific device either.

> Did I say anything even remotely close to that?

I very much understood your complaint about "spammy, since he links to a page that he's affiliated with" to go in the direction that nobody should link to a monetized service he's somehow affiliated with, yes.


I'm of the opinion that all links to Amazon, for example, should be affiliate links. Somebody should be getting that cut.


Ideally I think it would be https://smile.amazon.com/ but I know it's never that simple..


This is a great comment. It disrupts the whole argument and turns it on its head.


It talks a lot about Amazon, but there's no mention of using affiliate links.

The issue is that there's a conflict of interest when a page that gives you advice on what to buy uses affiliate links. If they get a cut of my purchase, then they're incentivized to get me to buy the most expensive alternative rather than the best one, and to buy something rather than stick with what I have if what I have is adequate.

This is not an insurmountable problem, but disclosure is important so I know what's going on.


> All in all your comment comes off as being jealous someone built something that provides a little income.

I don’t consider the comment as a display of jealousy. It appears (to me) that it originates from a dislike of self-promotion.

Note: I am not taking a position on the matter of self-promotion, but on the conclusion of jealousy.


I count single-digit mentions in the 1669 days that proctor has been registered on HN. That would be lousy self-promotion. I believe that proctor genuinely believes he built something useful and wants to share it. The snark in jlgaddis' post rubs me the wrong way.


> That would be lousy self promotion.

But still self-promotion if people want to be dogmatic about it. Some people, and some discussion forums, have an absolutely zero tolerance attitude to self-promotion.

I have no issue with it if:

* It isn't almost all that the account is for (caveat: personally I don't care enough in this case to have checked the account's comment history), i.e. the person contributes usefully to discussions noticeably beyond what is needed for the self-promotion.

* The posts are at least relevant to the discussion at hand (which it appears to be here)

* The page/post/other is sufficiently honest about the affiliate links, because otherwise they could represent a conflict of interests (recommending what makes most out of affiliate relations rather than what is actually best by a good objective measure). This last part can be quite subjective, and again I've not looked at this particular case myself yet.


> But still self-promotion if people want to be dogmatic about it.

If you want to be dogmatic about it, then no links to your bio, no mention of the good work you do, no link to a company that employs or employed you, no link to your blog, ...


Make sure you use a different username, and keep yourself anonymous!


I shared a link to my blog the other day, we had a discussion on p2p internet and I recalled Opera Unite and linked a page I wrote about it some time ago.

That page has affiliate links, IIRC, which you probably block with ublock/adaware, should I not have shared it?


If it was relevant to the discussion, and you actually included some of the content in the discussion (i.e. quoted the relevant parts with a link to the fuller article for people who want to check greater detail, rather than just a link) so people didn't have to jump off-site to read your contribution, then I don't see a problem with that.


It was more a mention, then a link to a page I knew had more info for the curious ... seems silly, to me, to try and find some other page with that info just in case someone sees an affiliate link.

In part the page is about my reaction, which is inter alia what was pertinent, that info definitely isn't elsewhere.


> I count single digit mentions in 1669 days that procotor is registered on HN. That would be lousy self promotion.

Lousy or not, it's still self-promotion. This is true whether it occurs once or many times.

> I believe that proctor genuinely believes he built something useful and wants to share it.

I agree.

> The snark in jlgaddis post rubs me the wrong way.

Clearly. However, you aren’t defending your accusation of jealousy. Jealousy was the key word that I was addressing.


> Lousy or not, it's still self-promotion. This is true whether it occurs once or many times.

If a few mentions of something you built counts as self promotion, then even the description and the link to the blog that jlgaddis has on his profile page is self-promotion. It promotes a blog that he writes, possibly to further his professional career.

> Clearly. However, you aren’t defending your accusation of jealousy. Jealousy was the key word that I was addressing.

Ok, let me rephrase that to be more clear: It rubs me in a way that makes me personally believe that something more than "I don't like self promotion" is at play. And I believe that it's jealousy. You obviously don't, but that's personal perception I guess.


It's really not "jealousy" but you're free to believe that if you'd like.

Would you feel better if I removed the info in my HN profile?

Note also that blog has been mostly neglected for the last ~5 years.


I don't mind the info in your profile nor the affiliate links on your blog. Quite to the contrary, keep them, keep adding content that's useful for others. Promote it, make money off it - everyone wins in that case. Useful content for me, money for you, I'm absolutely in favor of that. All I'd expect in that case is to be a little liberal when others do.


I agree that the use of affiliate links isn't a huge issue, but I'm not sure I'd agree that the site _openly_ discloses the use of Amazon affiliate links. To learn that information, you have to notice "Disclosure" in the footer (which doesn't indicate what sort of disclosure it is), and even then the resultant page doesn't have a straight-forward statement along the lines of "This site makes use of Amazon affiliate links".

I also feel like the following is possibly _slightly_ misleading, or at least intended to induce the use of the provided links:

> By using any link on this site – affiliate or not – you will get a better deal by purchasing a corresponding product through that link than you would by going directly through the linked company’s site


The previous comment mentioning the site is 141 days old, and the one before that 451 days. A bit much to call that spamming.


What’s wrong with monetizing your stuff if you provide value? (Haven’t checked out the linked page, this is more like a generic question)


Nothing wrong with monetization, it's how you do it that's important.


I put OpenWrt on my $20 TP-Link router that couldn't even handle a single torrent and now it functions like a beast. Installation was so easy. I just downloaded the OpenWrt firmware file and uploaded it using the TP-Link web UI like an official update.

Software!


I'm interested in installing a different firmware on my home router, but there are many offerings. Is there any reason you recommend LEDE over the others? (e.g. Tomato)


Maybe the name LEDE is not familiar to you, but LEDE is an OpenWrt fork, which is essentially going to get named OpenWrt again through a merge, since that's where most of the OpenWrt work is happening. Of the various open or semi-open firmwares, LEDE is the most active and open, I think. Various other firmwares will still be quite tied to vendor binary drivers.


Tomato, DD-WRT, etc. try to be extremely user friendly. Not that LEDE doesn't, but people who have some technical expertise tend to benefit a lot more from LEDE with all their packages. Especially if you can compile an image yourself (it is pretty easy on linux), then you can have all the features tailored to your preference.


OpenWRT/LEDE firmware is nice. I think I first used it with the (original) WRT54G.

The future of the project is uncertain, however. They may or may not be around much longer.


>The future of the project is uncertain, however. They may or may not be around much longer.

Can you elaborate on this?


In a nutshell: OpenWRT existed. They kinda sorta pretty much stopped doing anything. LEDE sprang up as a fork, with several of the OpenWRT folks. Then they all decided to work together and joined back up. Now it's anybody's guess what will happen next, if anything, as nothing has really happened since.


That is not true in my experience, the LEDE site is quite active, spewing out builds very frequently, even fixing KRACK almost immediately. Don't know what you consider as "nothing has really happened"


OpenWRT is dying, but LEDE is alive and kicking hard.


The mailing lists mention LEDE will merge back to the OpenWRT branding, but that was months ago, and the OpenWRT site is funky.


On LEDE, it seems that there is always a hardcoded DNS fallback to 8.8.8.8. I see it in my logs, even if none of my configuration files mentions it.


Wow, that's unfortunate. Are you sure no clients on your network are configured to use Google DNS servers?


Yes. The message is in the system logs of the router.


Thanks! I have been running DD-WRT for a while and was displeased that their updates were unofficial builds served over HTTP, ugh. LEDE looked right up my alley and this evening I went ahead and installed it from the SSH window of my DD-WRT install. After a few hours I had the OpenVPN server in "road-warrior" mode with all firewall rules functioning and now I just finished up getting my USB drive mounted on it. It's really slick, thanks a ton for the suggestion!!


This. I've got a TP-Link repeater (RE450) and a Netgear R7800 router; both are running LEDE and have given me a slew of great features out of the box, and many more that can be installed after the fact using the packaging system.

There's also a third router, an old TP-Link 1043ND running as a wireless bridge to connect devices in my AV setup, once again running LEDE.


FWIW this only affects repeaters, not routers.


And repeaters are also supported by LEDE, the TP-Link RE450 being one such (I should know, I run a totally LEDE stack at home, and have an RE450 to get the signal better upstairs).


It seems like they support every model but exactly mine. I'm running TP-LINK TL-WR845N


Is there any reason to switch from OpenWrt yet?


OpenWrt was basically dead after devs switched to LEDE.

But they are remerging again, it just takes some time, so use LEDE if you install something now.


Security patches. OpenWRT hasn't had any in the past year.


Why LEDE over Merlin for ASUS?


My most recent frustration with TP-LINK was that they DO NOT provide their firmware updates over HTTPS. They do not provide checksums for their firmware files either. (When I asked for these things, their support weren't helpful on Twitter.)

So you're expected to download some unsigned binary over an untrusted connection and trust that with all your traffic.

Definitely not buying TP-LINK next time. Good to know there's a bandwidth problem like this!


TP-Link does a pretty good job on basic Layer 3 Lite switches and desktop wireless cards, but the junky software on their routers and repeaters is enough to make me not use them. Unfortunately they do the same thing with firmware upgrades for their switches as well: no signatures, no hashes, no TLS.


Good to know. While I've liked their dumb switches, if they can't be bothered to secure their firmware downloads, there's no way I'm buying one of their "smart" products.


I consider that a feature ;)

TP-Link plastic routers have nice cheap hardware and they make it really easy for you to flash it with LEDE/OpenWRT.


Well, it's not a feature. You can both provide official firmware over HTTPS (or provide checksums for them, or both), and let people flash custom firmware, at the same time.


You are right, of course.

Maybe what I wanted to express was more like this: TP-Link has a sloppy attitude towards the security of their stock firmware. It might work, but it is full of security holes. HTTPS and checksums/signatures wouldn't change that.

Maybe they could do everything right with their firmware and provide top notch security and updates. But then their firmware would be a factor for market differentiation and at that point they would be incentivized to put effective code signing schemes in place. Other market players do that. Look at AVM Fritz Box products - nice hardware, security updates for many years and the result is: they are known GPL offenders and have strong code signing in place.

Instead TP-Link delivers you crap firmware on nice and cheap hardware and they don't care what you run on it.


Just install https://lede-project.org firmware, the successor of OpenWRT.


It's not so clear cut. You need to benchmark before and after.

Often acceleration modules on Broadcom, Qualcomm, Mediatek etc are proprietary and without acceleration in OpenWrt/Lede the router is going to be dog slow.

The wifi modules are also proprietary and need to be well supported by Openwrt/Lede or you will see throughput drops.

Of late it's just best to use what's in the router and not bother. And as we move to faster connections on consumer routers with slow main SOCs, the proprietary accelerators will become even more important.


You're right. I always consult LEDE's supported hardware wiki first before making a purchase decision. It's not user friendly at all and since EU's Radio Equipment Directive [1], things haven't become easier.

[1]: http://www.etsi.org/technologies-clusters/technologies/regul...


> Of late it's just best to use what's in the router and not bother.

Depends on what your priorities are - high performance or high security.



Yikes. I've generally had good experiences with TP-LINK, so this is a bummer. But as others have noted, open source firmwares are available, so there's an upside.


What makes you think they're unsigned? Surely there's at least some basic checksumming if not cryptographic signatures inside of that blob? There's no reason to even bother with delivering it over https if you put a good signature on the blob itself.


I would assume it does not do those things, or else creating/flashing custom firmware like DD-WRT would presumably be impossible. They could be doing some verification in the firmware itself, but obviously that only saves you from bad downloads - anybody serving you up a malicious firmware can easily just serve one up without the verification checks inside.


This is not the case anymore.

https://github.com/xdarklight/mktplinkfw3/blob/master/README...

Their firmwares for newer devices do indeed include signature support. A malicious firmware on their server will fail the signature check and not be flashed. Signature checks occur only in the flasher, not in the bootloader, but that would require physical access to the device, at which point all bets are off anyways.


Given most of your traffic goes via HTTPS pipes, that's over-reacting a little, no?


No. The point is, you could be downloading a corrupted copy of the firmware with exploits, for example. If your firmware has such exploits, what good is the fact that most of your traffic goes over https?


Not to side with him, but I think what GP was trying to say is that an exploit on router firmware doesn't necessarily mean that your computer will get owned too - which is true. However, owning a router makes further attacks much easier. Also, owning a router is advantageous for an attacker in itself.


Update: According to ktta (https://news.ycombinator.com/item?id=15912467), there is a mistake in my calculation too.

"138KB * 24 * 3600 / 5" should be 2.3287GB per day. And it's 2.3287GB * 30 per month.

Update 2: "For comparison, a 5-minute check would be considered a pretty aggressive checking interval, and would only consume 1,37 MB per month. Instead, TP-Link goes through the same amount of data in just 82 minutes."

This assertion from the article has multiple errors too.

-----------------------------------------------------

The whole argument of the author is built on a flawed calculation by the author and the author exaggerated the number by a factor of 10.

715MB/month in the title and the article should be 71.5MB/month according to other information provided by the author.

According to the author, "TP-Link product is using about 138 KB every 5 seconds — or 23,85 MBs per day — on timekeeping."

23,85 MBs per day is not right, because 138KB * 24*3600/5 is about 2.328 MBs not 23,85 MBs.


Also I think it is 138 B, not kilobytes since that would be 2.3GB/day.

Whoops. Made it to the front page of HN with so many mistakes.

EDIT:

Since there seems to be interest in this let's do the test:

5 DNS requests + 1 NTP update according to the article (seems weird that it would resolve all the NTP servers, but let's roll with it)

DNS: dig <domain> (mean for request is 43.8 B and reply is 84.6 B)

NTP: busybox_NTPD -n -q -p time.nist.gov

---------------------

Egress:

Single DNS request : 20 (IP) + 8 (UDP) + 44 (DNS) = 72 B

NTP request (2 packets): 20 (IP) + 8 (UDP) + 48 (NTP client) = 76 B

Total egress: 72x6 + 76x2 = 584 B

----------------------

Ingress:

Single DNS reply: 20 (IP) + 8 (UDP) + 85 (DNS) = 113 B

NTP reply (2 packets): 20 (IP) + 8 (UDP) + 48 (NTP server) = 76 B

Total Ingress: 113x6 + 76x2 = 830 B

----------------------

The total bandwidth used according to my calc is 1414 B. So their number of 138 KB is actually 1.38 KB (which is 1380 B, and that's closer to my number. I rounded up if you look at my numbers)

So their number of 715 MB is actually right. Just an error with 138 KB -> 1.38 KB


Basically, every 5 seconds:

  (6 * (75 + 125)) + (90 + 90) == 1380
There's 86,400 seconds/day and an average of 276 bytes/second (1380/5), so per day this is:

  276 * 86400 == 23,846,400  -or-  1380 * (86400/5) == 23,846,400
Monthly:

  23,846,400 * 30 == 715,392,000
Or, "a total of 715,4 MB per month", as the article states.
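The two comments above (ktta's per-packet breakdown and the 1380-bytes-per-round totals) do the arithmetic by hand. The following is an added example, not code from the article or from anyone in this thread: it puts the same packet model (IPv4 header + UDP header + payload, one query and one reply per lookup, a fixed 48-byte NTP packet in each direction) into a small function so any combination of lookup count, payload size and poll interval can be compared. The 10-minute interval it compares against is the pool.ntp.org vendor guideline cited earlier in the thread; the 30-day month matches the article's "per month" figure.

```python
"""Packet-level bandwidth model for a periodic DNS + NTP beacon.

Added example, not from the article or the thread. It generalises the
hand-computed sums above (IP + UDP header + payload, per direction) so
the 5-second schedule can be compared with slower poll intervals.
"""

IPV4_HEADER = 20   # bytes, IPv4 header without options
UDP_HEADER = 8     # bytes
NTP_PAYLOAD = 48   # bytes, NTPv4 packet without extension fields
SECONDS_PER_DAY = 86_400
NTP_POOL_VENDOR_MIN_INTERVAL_S = 600  # pool.ntp.org vendor guidance: >= 10 min


def udp_datagram(payload_len: int) -> int:
    """Wire size of one IPv4/UDP datagram carrying payload_len bytes (no L2 framing)."""
    return IPV4_HEADER + UDP_HEADER + payload_len


def beacon_bytes(dns_lookups: int, dns_query_len: int, dns_reply_len: int,
                 ntp_exchanges: int) -> dict:
    """Bytes on the wire for one round: N DNS lookups plus M NTP exchanges.

    Each DNS lookup is one query out and one reply in; each NTP exchange
    is one client packet out and one server packet in, both 48 bytes.
    """
    ntp_pkt = udp_datagram(NTP_PAYLOAD)
    egress = dns_lookups * udp_datagram(dns_query_len) + ntp_exchanges * ntp_pkt
    ingress = dns_lookups * udp_datagram(dns_reply_len) + ntp_exchanges * ntp_pkt
    return {"egress": egress, "ingress": ingress, "total": egress + ingress}


def monthly_bytes(bytes_per_round: int, interval_s: float, days: int = 30) -> int:
    """Total bytes over `days` days when one round happens every interval_s seconds."""
    rounds = SECONDS_PER_DAY * days / interval_s
    return round(bytes_per_round * rounds)


def compare_intervals(bytes_per_round: int, intervals_s=(5, 60, 600)) -> dict:
    """Monthly volume in MB (10^6 bytes) for each poll interval."""
    return {i: monthly_bytes(bytes_per_round, i) / 1_000_000 for i in intervals_s}


if __name__ == "__main__":
    # ktta's measured payloads: dig query 44 B, reply 85 B, 6 lookups, 2 NTP packets each way
    per_round = beacon_bytes(dns_lookups=6, dns_query_len=44, dns_reply_len=85, ntp_exchanges=2)
    print("per round:", per_round)
    for interval, megabytes in compare_intervals(per_round["total"]).items():
        flag = "" if interval >= NTP_POOL_VENDOR_MIN_INTERVAL_S else "  <- faster than pool vendor guidance"
        print(f"every {interval:>4} s: {megabytes:8.2f} MB / 30 days{flag}")
```

Run as-is it reproduces ktta's 584 B out, 830 B in, 1414 B per round, and shows that the same beacon at the 10-minute interval the pool asks vendors to respect would be roughly 6 MB a month instead of over 700 MB.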


There are 86,400 seconds in a day. 138KB x 86400/5 = 238640KB /day = ~2328 MB/day = 69,840 MB/month = 67 GB/month.

I'm going to go on a limb and say his 138KB is more like 1.38KB which would bring us closer to his 0.71 GB/month


Yet I don't think the author has a real takeaway: It's not 138KB.

Looking at DNS requests to those domains, I'm averaging about 30 bytes for the request and 70 bytes for the response.

Significantly larger and more complicated DNS requests returning a ton of DNSSEC records are coming around 4KB with eight separate UDP packets required for the response.

There is no way that 6 DNS queries for simple records and 1 NTP query comes in at 138 KB.

Edit: A dig on the 6 domains listed + a NTP query to one of them, for me, is sitting at less than 1KB total. Where are these numbers coming from?

Take a look at the response sizes in this CloudFlare post - https://blog.cloudflare.com/a-deep-dive-into-dns-packet-size... - they are talking about how they get DNSSEC responses under the 512 byte limit. The "unoptimized" ones are 4KB in response size. Even assuming that these domains turned on an unoptimized DNSSEC setup, that's still 24KB for those and less than 1KB for the NTP portion. The 138KB seems to be completely fabricated.

Edit2: Assuming the author meant 138 bytes as ktta pointed out, 86,400/5 = 17,280 sets of requests per day. That's 2,384,640 bytes, or ~2.3 megabytes a day. On a 31 day month, we're at ~71 megabytes. 1/10th of the amount the author is claiming.

Edit3: Though, 138 bytes seems low to me for 6 DNS queries and 1 NTP. Going by the numbers I get from a dig to the addresses it's closer to 600 bytes, which puts it at around ~309 megabytes per month. Without seeing what types of queries the repeaters are making it's hard for me to have any idea what the real numbers are, but it doesn't seem like the article's numbers add up regardless.


Seems to me like 715 MB is about right, at least it's not off by a factor of 10.

There's no way you could fit six DNS queries and a couple of NTP queries into 138 bytes.

As pointed out by jlgaddis, based on the numbers in the article given for the size of DNS & NTP requests and responses, seems like the author meant 1380 bytes.

That gets you about 715 MB (or about 682 MiB).


My third edit included a bit more on this - I'm closer to 600 bytes total than 1380. A few of them are sitting at closer to 80 bytes for a request+response for DNS, etc. With a quick while loop and tcpdump, I'm seeing the number as being off by about 2x from my testing.

My DNS numbers are all basically half his - all of my requests are sub 40 bytes, responses are all sub 80, some are sub 60. My NTP query and response packets are pretty close, though - sitting around 80 bytes for request and response.


Your DNS numbers are off because you aren't counting IP and UDP headers

See my edit - https://news.ycombinator.com/item?id=15912467


Even using -e and looking at length I'm still significantly under 1380 bytes.

dig/ntpq on osx.


Can you take a look at the edit and comment on where your numbers differ exactly? I tried to be as accurate as possible. I used the busybox_NTPD from https://busybox.net/downloads/binaries/


Don't bother with repeaters. Get normal access points, and install several of them if you need to disperse the range around a large area/building/complex. If the SSID and security passphrases match, clients will roam seamlessly between the different APs. I suspect the reason people buy repeaters is that they don't realise that this is possible, or they don't want additional cabling.

Repeaters add latency and I can't imagine any network engineer would ever recommend one.


> I suspect [...] they don't want additional cabling.

You probably suspect correctly. Not having additional cabling is a pretty big selling point of wireless technology.


Especially as the majority of homes date back more than 25 years, and retrofitted cabling is very expensive.

And if you rent rather than own, you likely can’t add cabling at all under the terms of your lease.


>And if you rent rather than own, you likely can’t add cabling at all under the terms of your lease.

A POTS phonejack can use pair(s) in CAT 5 (or 5e, 6), and newish buildings often already run it to the wall jacks rather than CAT 3. Depending on access to the other end of the lines, and appetite for DIY upgrading a landlord's building, it's quite possible to temporarily swap the RJ11 hardware for some RJ45 and have a wired LAN ;)


No building or home 25 years old has even Cat-3 in the walls. It’s all “uncategorized” cheap ass aluminum or maybe copper unshielded twisted pair.


>> Don't bother with repeaters. Get normal access points, and install several of them if you need to disperse the range around a large area/building/complex.

Or better yet, buy a bunch of Ubiquiti UniFi's, which were specifically made for this purpose and should provide the most seamless and efficient way to blanket your house in Wifi (provided you already have cabling to the access points). They are not cheap, but also not extremely expensive compared to a decent router either.


>Or better yet, buy a bunch of Ubiquiti UniFi's

Warning: do not follow this advice; Ubiquiti products are like potato chips in that you can never eat just one.

Oh, I'll get the AC PRO access point, you think. Five minutes later you've set it up via a quick QR code scan and the UniFi app. That was painless! No wonder people recommend these things.

Oh wait I need to make some more device tweaks but UniFi won't do it.. better get the cloud key thingy that manages the device. I'll have one of those.

A couple of months go by and you discover your Google Home device or NEST doesn't work with beam steering. Wait, you can manage the advanced AC PRO settings using their own software? Fine, I'll build a small PC to run that, since if you're going to do it you may as well see the stats all the time.

Hmm... KRACK/sploit-du-jour is out, maybe I'll just get a new Edgerouter since it's already fixed there. Oh wait, there's a fringy area in my house I'll bet another AC PRO or maybe an AirMax repeater would be just the thing.

Oh dear, I seem to be running out of ports, better go ahead and get a nice POE switch since that'll declutter things a bit. Etc.


So true. Started with a couple AC AP PRO (incredible by the way). Ended up with an edgerouter poe and a poe unifi switch. I'm running the control on a vm on qemu/kvm and the seamless integration is wonderful. Once I plugged in the switch it popped up in the devices section and I could perform a one-click software upgrade, just like the WAP.

I will say that the features in the controller software rival serious commercial offerings that I've used (Cisco, Meraki, Aerohive).


I agree. I purchased some Ubiquiti gear a few months back after a condo purchase, and ran into a few problems:

- UniFi brand works well for setup, but the cloud controller is necessary for command/control management outside of iOS/Android app.

- EdgeRouter is not a UniFi product and does not act as a cloud controller.

- EdgeRouter X does not deliver 48V PoE; upgrade was needed to power the AC-PRO.

- EdgeRouter UI is horrid and it’s much easier to manage over SSH.

- Cloud Controller is easy to setup, but doesn’t work with all product lines.

tl;dr The hardware is really good, but software is lacking, especially because not all hardware is UniFi compatible.


My response was tongue in cheek but seriously I recommend budgeting a VM or Raspberry PI to run their controller software which offers the most configuration options.

https://www.ubnt.com/download/unifi/


The Unifi cloud stick isn't that much more expensive than a PI, and is probably the least amount of work to set up a dedicated controller.

I use an Atom based PC stick that I had lying around to run the controller (on Windows) and it works great.


I mistakenly thought the cloud key ran a lesser version of unifi than the distribution found on their website, however googling around implies it's the same version. So I suppose budget for a cloud key or a pi. A raspberry Pi 3 is 64 bit, runs Fedora natively and can serve up other functions beyond the key. So I lean towards the Pi but if they're functionally equivalent I suppose it's down to personal preference.


I tried putting it into a docker container, but in the end didn't want to deal with the complexity -- bought a key. Does the VM/Raspberry PI get you anything the key doesn't?


A Raspberry Pi probably won't do. The controller requires MongoDB, which itself no longer supports the 32-bit architecture that most RPis are running on.


Pi 3 is 64 bit and natively supported in Fedora.

https://fedoraproject.org/wiki/Architectures/ARM/Raspberry_P...


You mean these UniFi APs don't run a built-in web server to allow configuring them?


Basically all your objections boil down to the fact that the UniFi's are not very easy to manage.

I'd say none of this matters if you just want to have a few access points around the house for a WiFi network that currently runs on a single standalone router. Nobody said configuring the UniFi's is easy or convenient, but the premise is that you only do it once, using whatever computer you have that you can install the cloud controller on. You don't absolutely need to buy anything besides the AP's, it's only for convenience if your network changes a lot.


UniFi devices are a bit unusual as wireless APs: not only do they not act as a DHCP server, they require you to have one somewhere else on the network. Generally your uplink router will do this, but it surprised me when I wanted to use one as a standalone AP.


In my opinion that is correct behavior. An AP shouldn't have dhcp, it should provide access to a network.

Disclaimer: I have a unifi and edge router and it's a great combo


A wireless access point is a completely transparent bridge between wired and wireless networks.

If you want a DHCP server in your Wi-Fi "box", you likely want it to do NAT and DNS as well, and that is a "wireless router".


That's because you're comparing consumer grade all-in-one routers to a more Enterprise worthy AP.

Consumer grade gear is made to be easy and "just work".


Or better yet, get the AmpliFi’s instead of the UniFi’s :)


Some OSs (I'm looking at you Windows) can get 'sticky' and refuse to fail over to the stronger AP even if it does have the same SSID and passphrase. The only solution is to force disconnect and reconnect the wifi on your device, and even then it doesn't fix it all the time.

I've found the most 'reliable' arrangement is to not only have the same SSID and passphrase, but to have them all on the same frequency and if you can, make them all from the same vendor.

Also, if you are going to re-purpose an old router as an access point, make sure you turn everything off on it except the access point service. It mustn't hand out IP addresses or offer any DNS resolution. You want your devices' IPs to be provided by the main router regardless of which AP you connect to. It sounds obvious, but this is the main stumbling block people encounter when trying to do this.


Some Windows wifi drivers offer an option for roaming aggressiveness. I think I've seen this with some Intel cards.


Powerline Ethernet might be a solution for the cable problem. I'm thinking of connecting the extra AP(s) through Powerline Ethernet to the router if there is no copper Ethernet available.


This might be the wrong thread to recommend it, but I've had good luck with TP-Link's Powerline Ethernet adapters. I switched to them from WiFi for my living room TV/Gaming/Streaming setup. I'm in a high interference wireless environment due to neighbor density (even in 5 GHz) and the TP-Link devices reliably push over 500 Mbps.

A downside of powerline ethernet devices is they use your house wiring as a hub-style network. While I think some support a form of MIMO, the more devices you have the worse performance will be. The TP-Links I have sport QoS, but I've not messed with it.


That's exactly what I did and it's worked out great. I'm getting upwards of 300Mb/s using powerline adapters. They were netgear brand, I apologize I don't remember the model, but I think it had "1200" in it. A lot will depend on what else you have on the breaker, from what I understand. But for my purposes the performance was more than adequate.


Powerline Ethernet is not really a good solution either. If you don't use your phone jacks, take the cover off one and check if it's actually using Cat5 or greater. You can then use those for network if you replace the connectors.


You really shouldn't make blanket statements like that. While I'd definitely recommend using existing category 5 wiring if it's available, I'm getting close to 300Mb/s via powerline adapters, so it really comes down to your individual situation. For me it's been more than adequate.


> Powerline Ethernet is not really a good solution either.

Why is that?


It's very finicky about line quality, it likes to be on the same circuit (doesn't cross breakers), and it doesn't live up to the claimed speeds.


As a no longer suffering user of X10 now enjoying ZWave, the issue is usually crossing the out of phase 110 legs (every other full size breaker in the panel is on a different leg).

To cross the phases, the signal has to go to the power pole where the phases originate. X10 has a repeater you can install and sometimes people just install a passive one (a capacitor if I recall.)

In a smaller house, signalling to the panel and back out to circuits on the same leg is more likely to work than crossing the phases.


Thank you for the clarification.


>> Repeaters add latency and I can't imagine any network engineer would ever recommend one.

Keep in mind that these TP-Links are consumer grade hardware, and that they make sense for some use cases. Not every consumer can or wants to run wire for another AP, regardless of what a network expert would say.

I use an RE450 at my dad's house (which happens to be next to mine) so when I'm there I can access the Internet. My parents don't have any computers, smartphones or tablets and don't use the Internet. The RE450 does the job -- very well I might add -- and was cheaper and easier than drilling holes in masonry to run a network wire between the houses.

The NTP and DNS requests are concerning, but they don't materially impact my bandwidth cap on the plan I'm on.


> Don't bother with repeaters.

The restaurant I was 'stealing' wifi from (not to mention my landlord) probably would've had a problem with me running a hundred meters or so of ethernet cable, so a $60 repeater + aluminium can parabolic dish and Bob's your uncle. Worked for around two years until the interference from my neighbors' wifi made the signal too dodgy and (I think) they got wise and changed the password.


In this specific case, the RE650 is sold as a repeater - but it also has an access point mode. If it wasn't for TP-Link's approach to software, it would be a nice enough AP: I get good speeds and coverage out of mine, and it's small enough that you can just plug it into a wall socket somewhere you can run a network cable to.

Oh well, I'll probably have to get a Ubiquiti or something.


Sometimes their simplicity wins out. I have a TP-Link repeater that just plugs into a wall socket and that's it, very quick setup. I just want it for a specific room that doesn't get wifi coverage; this was cheap and convenient, I'm happy with it.

I knew I could do it the proper way, but there would have been a lot of work involved, with very little payoff.


Well, your normal WAP needs to be connected to the network itself somehow. A repeater does it wirelessly, while a normal WAP may not even have that option.


Most TP-Link repeaters can act in Access Point mode. It uses the same firmware and has the same bugs no matter what mode it’s set to use.


Most normal access points I've used won't work as wifi repeaters because they can't be in master and managed mode at the same time.


Does a router need two radios to support this dual mode? Or a single radio that supports transceiving? Or a single radio and two antennas? Or is a modified hostapd sufficient?

Basically, is it a hardware or software problem?


I ran a public NTP server for around a decade. I finally stopped, but these sorts of vendor abuse weren't the reason why.

We started running them before the NTP pool (though we eventually did include our servers in the pool). The worst it got was a largish regional ISP had put our servers in their CPE, and one day they had an event where they rebooted all of their CPE at once. That caused a noticeable spike in our network traffic.

The real DDoS that caused us to stop offering public DNS service was: misguided network admins. The week I had the second network admin calling me, asking why my network was attacking their network, and then started yelling at me over the phone and hung up in a huge huff. He had installed some sort of IDS and it was triggering on NTP traffic, and rather than investigate it he just called our emergency hotline and got me out of bed to deal with it.

"Those packets you are receiving are in response to packets you are sending our NTP server asking for the time." was not the answer he was looking for I guess. :-( Honestly, I was already mad from being woken up (the emergency hotline says it is for service outages only), and that it was the second call that week on it. So I take some blame in the call not going well. But this dude never stopped yelling at me.

The problem with running a public service is: The administration doesn't scale with the number of users.


NTP uses UDP, so he was probably the victim of a spoofed NTP request amplification attack. He probably didn't have clients that were actually requesting the time; the requests were just spoofed to look like they came from his IP.


My recollection was that the volume coming from this one site was tiny, not like a DDoS. I don't recall if he said as much or if I was reading between the lines, but it sounded like he had just set up some sort of IDS, and it reported this traffic as an attack, and he just took that at face value.

We did have some UDP multiplication attacks at other times, mostly on our authoritative DNS servers. I don't recall that we ever had any against our NTP servers that I noticed. But we did block the broadcast address so the best multiplication vector was via DNS requests, IIRC the NTP responses were fairly short.


I'm leaning towards incompetence - Hanlon's razor and all that.


Somewhat unrelated, but if you are looking for a rock-solid router, check out Mikrotik. I've been through half a dozen routers over the years, with and without custom firmware, and having owned a Mikrotik Routerboard for the last year, it's the first one that just works 100% and never drops connections. Easy to set up if you know what you are doing and customizable if you want to dig in.


Yeah, Mikrotik have great devices for reasonable prices, but it is irritating that you can't run your own applications on it, there is no publicly available working kernel to run under MetaROUTER, and they want $45 for GPLed sources.

https://mikrotik.com/downloadterms.html


Check out http://demo.mt.lv/ and http://demo2.mt.lv/ for a live demo of the OS (RouterOS) that comes with Mikrotik products.


If you can't get a Mikrotik, then a Draytek is normally a good bet also.


This kind of stupidity happens to NTP frequently. The ironic thing is NTP is so lightweight that sometimes it's better to just answer the query than try to block the traffic. The DNS traffic is more expensive than the time query!

Note this was reported on the NTP Pool Discourse about 3 weeks ago: https://community.ntppool.org/t/software-and-devices-without...


I discovered PC engines APU boards and now I do all my routers/network thingie with it and OpenBSD. I'm quite sure there are some nice GUI "ala pfSense" too, but I like my configuration files better.


I purchased cheap crap TP-Link access points and replaced the firmware on each one with open-wrt[1] and they all have worked extremely well for many years now. The stock firmware is total junk and crashes all the time.

[1] https://openwrt.org/


One silly thing that I hadn't thought of: the use of NTP for devices like this should mean that the NTP operators can gather pretty accurate statistics about each device's market share.

I guess the same folks who design software that spams things like this don't bother working too much on making it hard to fingerprint their devices, either. On the other hand, I haven't looked at the NTP protocol recently. Perhaps this isn't even possible due to the protocol's simplicity?


DNS is a better target for this. Google even had Rob Pike's team do this sinkhole for them, which says it's an expensive and worthwhile goal and not some afterthought.


Slightly tangential, but I've recently been writing a command line tool to talk to some TP-Link Smart Plugs, and discovered that they regularly talk to 'devs.tplinkcloud.com' even if you don't enable a TP-link Cloud account.

More details here (not my site): https://www.softscheck.com/en/reverse-engineering-tp-link-hs...


I changed the server url on mine to "localhost". I control the plugs via a script in a docker container (they pilot water pumps). It works well that way.


oh, f--k, every TP-link box on the planet is hitting nz.pool.ntp.org every 5 minutes? you guys know we only have a couple of cables connecting us to the rest of the world right?

Please don't buy TP-link, you're DoSing an entire country


5 times a second !


Once every 5 seconds.


Reminds me about the D-Link vs phk NTP drama years ago https://slashdot.org/story/06/04/07/130209/d-link-firmware-a...


Wow! 11 years ago D-Link were the ones abusing NTP https://m.slashdot.org/story/67096

Strange how these "mistakes" keep cropping up. Is it laziness, malice, or just ignorance?


Laziness and ignorance (probably not even knowing what they were doing other than just using these ntp servers) at the beginning. I bet someone just “copied and pasted”.


Perhaps it's the same developers making the same stupid mistakes.


Honest question. How would you begin discovering this kind of leakage? Do you need some sort of tap that records protocols and MAC addresses? Do these firmware emplacements have this as a built-in feature? With so many IoT devices being plugged in, it seems like this would be handy.


Lots of enterprise equipment has features where you can mirror traffic off an ethernet port and monitor it, but it is cheap and easy to do if you are poor too. Dig up a 100MB hub, not a switch, and then with another computer plugged into that hub run a program like Wireshark or tcpdump.

This is one reason why I don't run all-in-one router/wireless combos. Most integrated (especially provided by ISP units) devices have no way to tell you what is being sent over the air and then to your ISP.
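Once the traffic is on a hub or mirror port, the next step is to read what tcpdump prints. This added example (not code from the thread, from TP-Link or from the article) parses tcpdump-style lines and answers two questions raised in this thread: how often each local host actually polls NTP (the chatty-repeater question in this subthread) and whether an inbound NTP "reply" corresponds to a request we sent, which is the distinction the NTP server operator above was trying to explain to the admin whose IDS flagged replies to his own queries. The capture lines are constructed for the example, using RFC 5737 documentation addresses for the remote servers; the 10-minute threshold is the pool.ntp.org vendor guideline cited earlier in the thread.

```python
"""Spot chatty or unsolicited NTP traffic in tcpdump-style output.

Added example, not code from the thread or from TP-Link. Parses lines in
tcpdump's default text format, measures NTP poll spacing per local host,
and separates NTP server packets that answer one of our own requests from
packets nobody on this network asked for.
"""
import re
from collections import Counter, defaultdict

# Constructed sample capture: 192.168.1.50 beacons NTP every 5 s (after a DNS
# lookup), 192.168.1.20 polls every 15 min, and one NTP "reply" arrives from a
# server (198.51.100.7) that no local host ever queried.
SAMPLE_CAPTURE = """\
12:00:00.000100 IP 192.168.1.50.51001 > 192.168.1.1.53: 4123+ A? nz.pool.ntp.org. (33)
12:00:00.001200 IP 192.168.1.1.53 > 192.168.1.50.51001: 4123 1/0/0 A 203.0.113.10 (49)
12:00:00.002000 IP 192.168.1.50.42613 > 203.0.113.10.123: NTPv4, Client, length 48
12:00:00.030000 IP 203.0.113.10.123 > 192.168.1.50.42613: NTPv4, Server, length 48
12:00:05.002000 IP 192.168.1.50.42614 > 203.0.113.10.123: NTPv4, Client, length 48
12:00:05.031000 IP 203.0.113.10.123 > 192.168.1.50.42614: NTPv4, Server, length 48
12:00:07.500000 IP 198.51.100.7.123 > 192.168.1.50.50000: NTPv4, Server, length 48
12:00:10.002000 IP 192.168.1.50.42615 > 203.0.113.10.123: NTPv4, Client, length 48
12:00:10.029000 IP 203.0.113.10.123 > 192.168.1.50.42615: NTPv4, Server, length 48
12:10:00.000000 IP 192.168.1.20.40000 > 203.0.113.10.123: NTPv4, Client, length 48
12:10:00.028000 IP 203.0.113.10.123 > 192.168.1.20.40000: NTPv4, Server, length 48
12:25:00.000000 IP 192.168.1.20.40001 > 203.0.113.10.123: NTPv4, Client, length 48
12:25:00.027000 IP 203.0.113.10.123 > 192.168.1.20.40001: NTPv4, Server, length 48
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)
DNS_QUERY_RE = re.compile(r"\s[A-Z]+\? (\S+)")  # e.g. " A? nz.pool.ntp.org."
MAX_NTP_RATE_S = 600  # pool.ntp.org vendor guidance: at most one query per 10 minutes


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> list:
    """Turn tcpdump lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["t"] = _seconds(rec["ts"])
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def ntp_poll_report(records, local_prefix: str = "192.168.") -> dict:
    """Per local host: number of NTP client packets and the shortest gap between them."""
    times = defaultdict(list)
    for r in records:
        if r["src"].startswith(local_prefix) and r["dport"] == 123 and "Client" in r["info"]:
            times[r["src"]].append(r["t"])
    report = {}
    for host, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        shortest = min(gaps) if gaps else None
        report[host] = {"polls": len(ts), "min_gap_s": shortest,
                        "too_fast": shortest is not None and shortest < MAX_NTP_RATE_S}
    return report


def unsolicited_ntp_replies(records) -> list:
    """NTP server packets whose 4-tuple does not mirror an earlier client packet."""
    asked, stray = set(), []
    for r in records:
        if r["dport"] == 123 and "Client" in r["info"]:
            asked.add((r["src"], r["sport"], r["dst"], r["dport"]))
        elif r["sport"] == 123 and "Server" in r["info"]:
            if (r["dst"], r["dport"], r["src"], r["sport"]) not in asked:
                stray.append(r)
    return stray


def dns_queries(records) -> Counter:
    """Count DNS queries by (client host, queried name), the Pi-hole style view."""
    counts = Counter()
    for r in records:
        m = DNS_QUERY_RE.search(r["info"]) if r["dport"] == 53 else None
        if m:
            counts[(r["src"], m.group(1))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for host, info in ntp_poll_report(recs).items():
        print(host, info)
    for r in unsolicited_ntp_replies(recs):
        print("unsolicited NTP reply from", r["src"], "at", r["ts"])
    print(dns_queries(recs))
```

On a real network feed it `tcpdump -n -tt -l port 123 or port 53` output (the `-n` matters: the parser expects numeric addresses). A host flagged `too_fast` is polling more often than the pool's vendor guidance allows; an unsolicited reply is either a reflection attempt aimed at that host or simply a reply to a request the capture started after, so check the capture window before drawing conclusions.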


I noticed it based on Pi-Hole [0] and seeing the excessive DNS Requests to those URLs... started googling and found this post which I thought summed it all up nicely. Looking at the author's post, it also appears they noticed it due to Pi-Hole as well.

EDIT: It was a different post that someone had seen this via Pi-Hole. Not sure how the original author discovered it.

[0] https://pi-hole.net/


Use a decent router that allows packet sniffing. There are various low cost options. I use Mikrotik for example.


Easiest way is to plug the router into an upstream router that you control and sniff the traffic there.


You get a good non-consumer grade router with network sniffing, per-device bandwidth and connection history, and other nice features like that.


@dang why did you change the title to this (from the article's title)?


Didn't TP-Link backdoor one of their routers, additionally in a remotely-exploitable insecure way that they never patched?[0] Am I alone in that putting a company on my eternal shit-list? Looks like a good choice in retrospect if they're still coming up with things like this.

[0] https://tech.slashdot.org/story/13/03/15/1234217/backdoor-fo...


> To put this number in context: an always-on Windows device will use around 1,6 KB per month.

Windows doesn't do time sync properly so that's hardly a relevant comparison


Well, I run a TP-link repeater and am now thinking of getting something better. Does anyone know any routers or repeaters with a reputation for good firmware?


The Ubiquiti UniFi stuff looks good and not very expensive.


Speaking from experience, it is good. Takes a bit of networking know-how to set it up though, and you still need a router. Their consumer oriented stuff like the AmpliFi is quite excellent too and a bit friendlier.

I use an Edgerouter Lite, a Mikrotik switch and UniFi APs for myself and was so pleased I bought the AmpliFi mesh for my parents.


I have a similar setup, without the switch and the Unifi APs are just excellent. Smooth setup, great range.

So, if you can run a cable, I second Unifi.

Op, if you can not run a cable, maybe look into a mesh network. Repeaters "lose" about half of the bandwidth anyway, a mesh might be a good alternative.

If you want to set up an open source environment, there is libremesh (http://libremesh.org).

If you just want to buy something, there are products from Netgear (Orbi), Linksys (Velop) or Ubiquiti (AmpliFi). If you have a Fritz!Box setup from AVM, you might be able to use their mesh features (site in German, because if you have a FritzBox, you probably speak German ;) https://avm.de/mesh/)


Ubiquiti also has a line of Unifi mesh gear: https://unifi-mesh.ubnt.com/


> Op, if you can not run a cable, maybe look into a mesh network. Repeaters "lose" about half of the bandwidth anyway, a mesh might be a good alternative.

A mesh network simplifies setting up many repeaters, but it "loses" bandwidth the same way (unless you connect it via cable/another frequency band) as repeaters.


My entire house uses them exclusively and they’re rock solid (as long as you have latest firmware, adopting old stock can be .... interesting).

Also no need for the cloud controller as you can run it inside a Docker container and have a fully self-hosted solution.


If you don't want to pay $80 for the cloud key and don't want to run the controller on one of your machines, the unifi service can also be set up on a raspberry pi pretty easily.


Is the performance ok? I'd imagine it would be slow as heck


The Unifi controller is a configuration front end for Unifi devices -- data on the network shouldn't be going through it. It might be a little slower to use, though I've never compared it with the cloud key, but for a home setup, that won't matter too much.


Speaking from experience, Unifi is rock solid. I've got 2 Unifi access points and a gigabit PoE switch in my house.

Troy Hunt also had a great article detailing his work with Unifi gear as well: https://www.troyhunt.com/ubiquiti-all-the-things-how-i-final...


Just priced a home network setup. Came to £600


Turris Omnia is a nice router with auto update and a strong focus on security. https://omnia.turris.cz/en/


Why not use LEDE firmware? It beats most consumer routers' firmware by a long shot. Search your router's model here - https://lede-project.org/toh/start


If you trust Google, consider buying into Google Wifi mesh routers.

If not, consider eero.


Amplifi HD seems better in terms of range and signal strength.


I've been very satisfied with my MikroTik router.


This issue has been fixed by a new firmware release from TP-Link. The updated firmware changes the behavior to use ICMP pings on the local network rather than NTP+DNS requests out on the public internet. https://www.ctrl.blog/entry/ntplink-fixed


Just replace its firmware and load the router with LEDE/openwrt instead.

LEDE is an Openwrt fork, and it might merge back to Openwrt sometime.

LEDE is under active development and its newest release is 17.01.4 https://downloads.lede-project.org/releases/


I've been seeing an unusual amount of NTP requests in my PiHole logs but never got round to figuring out the cause - nice to have an explanation.

Hope this is fixed in a firmware update, my repeater is quite a nice device otherwise.
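Spotting this kind of device from your own resolver logs is straightforward: group pool.ntp.org lookups per client and compare the shortest gap against the vendor guideline of one query per 10 minutes. This is an added example, not code from the thread or from Pi-hole; the log lines are constructed in an assumed dnsmasq-style format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed dnsmasq/Pi-hole style (not real log data).
SAMPLE_LOG = """\
Dec 13 10:00:00 dnsmasq[1234]: query[A] au.pool.ntp.org from 192.168.1.50
Dec 13 10:00:05 dnsmasq[1234]: query[A] nz.pool.ntp.org from 192.168.1.50
Dec 13 10:00:10 dnsmasq[1234]: query[A] au.pool.ntp.org from 192.168.1.50
Dec 13 10:00:15 dnsmasq[1234]: query[A] nz.pool.ntp.org from 192.168.1.50
Dec 13 10:00:03 dnsmasq[1234]: query[A] news.ycombinator.com from 192.168.1.20
Dec 13 10:07:00 dnsmasq[1234]: query[A] 0.ubuntu.pool.ntp.org from 192.168.1.20
Dec 13 10:25:00 dnsmasq[1234]: query[A] 0.ubuntu.pool.ntp.org from 192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Guideline quoted in the thread: one NTP query per 10 minutes or less often.
MIN_INTERVAL_S = 600


def parse(log, year=2017):
    """Return (client, timestamp) pairs for every pool.ntp.org lookup in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["name"].endswith("pool.ntp.org"):
            continue
        stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
        events.append((m["client"], datetime.strptime(stamp, "%Y %b %d %H:%M:%S")))
    return events


def noisy_ntp_clients(log, min_interval_s=MIN_INTERVAL_S):
    """Map each client that resolves pool names faster than allowed to its shortest gap."""
    per_client = defaultdict(list)
    for client, ts in parse(log):
        per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < min_interval_s:
            flagged[client] = min(gaps)
    return flagged
```

Here 192.168.1.50 shows the five-second pattern the article describes, while 192.168.1.20 polls well within the guideline and is not flagged.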


TP-Link is a major networking equipment manufacturer globally and one of the largest in China, just behind Huawei. They are one of the few who design equipment firmware/software and hardware in-house[1] and certainly have the resources (manpower and money) to get the network protocol implementation right (sometimes they don't) for their products, and I wonder if the author has proactively reached out to them so that they can fix it for all (rather than public shaming and/or product ban)?

[1]: https://en.wikipedia.org/wiki/TP-Link


Strongly suspect this device doesn't have an RTC...


About every 5 seconds Ubuntu is making a DNS lookup for: daisy.ubuntu.com.


Slightly off topic, can anyone recommend a good router for home use? It seems like every major brand router is just awful.


As others have said, check out Mikrotik.

I recently bought https://mikrotik.com/product/RB952Ui-5ac2nD-TC. It was much cheaper than my previous stock Netgear router but it's orders of magnitude better.

This live demo of their web UI at http://demo.mt.lv/ and http://demo2.mt.lv/ should give you a good idea of what you get.


I find that my Synology router has been rock-solid and extremely performant. I have the RT2600ac and have been quite happy with it, and it has a nice web interface that you can configure automatic updates on, so it can even be distributed to people who aren't quite as network savvy.


I know there's a joke to be made here.

"TP" link firmware is peeing in the pool of ntp servers...

I think I need more coffee first.


> an always-on Windows device will use around 1,6 KB per month

How is this possible? Is the author ignoring Windows Update?


I'm thinking he's just referring to the traffic relevant to the TP-Link firmware - otherwise there's no way to make any relevant comparison.


In equivalent NTP traffic.


Why all the downvotes? Sorry I asked a clarifying question, geez.


I use a TP-Link travel router while on the road to get access for all of my devices in hotels that have device caps, and for my Android TV devices which don't gracefully handle hotel login prompts.

I have to say that the convenience, ease of use, and reliability of the product far outweighs any concerns I have over ~715MB over the course of a month. It boots quickly once plugged in, it reliably handles 4-5 devices utilizing it as a bridge for the hotel wifi, and I have never had it crash, give me any sort of wonky behavior, or anything of that nature.


Don't forget that those 715 MB you take have to be delivered by someone running those servers at the other end, multiplied by the number of devices. Don't be a vandal on the internet. Don't be the reason why we can't have nice things like community NTP pools.


If the NTP pool has an issue with what TP-Link is doing, they should talk to TP-Link. If TP-Link is unresponsive to their concerns, then they should be public about it. It is not the responsibility of random consumers to know about how two other parties interact with each other.

This appears to be entirely a supposition that the NTP pool cares that TP-Link is doing this, without any evidence that the actual people in charge of it are concerned. As best I can tell, this blog is not run by Ask Bjørn Hansen and neither he nor the ISC have voiced any concerns here.


Ask Bjørn Hansen encouraged TP-Link to comply with the vendors system and get its own hostname, back in January 2017.

* https://community.ntppool.org/t/software-and-devices-without...


> Don't be the reason ...

He's not the reason.

As TFA points out, it's TP-Link repeaters and explicitly "not routers" that are affected.


> I have to say that the convenience, ease of use, and reliability of the product far outweighs any concerns I have over ~715MB over the course of a month.

So your convenience trumps the impact you’re causing to global infrastructure? Yes, you’re just one among millions, but still a slippery slope.


>So your convenience trumps the impact you’re causing to global infrastructure

Honestly? Yes.

Should I want TP-Link to fix it? Maybe. Should pressure be put on TP-Link to fix it? Yes.

But not by consumers. It isn't the responsibility of a random consumer that has no idea what an NTP server even is to understand whether or not the TP-Link router is doing the "right thing" for all sorts of use cases they've never even heard of.

From a consumer perspective, does TP-Link build a good product? Yes. And that's all consumers care about.

The pragmatic reality of the situation is if this is an issue, the public service providers need to do something about it.

You cannot expect consumers to worry about or even know about this sort of thing. They don't care. They'll never care. This blog post won't make these random consumers that see it as a highly rated product on e-commerce websites care. TP-Link won't care when the niche population of people that care about this don't buy their product because we're not the market.

If the NTP pool cares about what TP-Link is doing, they should reach out to TP-Link about it, and if there's no co-operation, be public about it.

Pissing into the wind on a random 3rd party blog about how consumers should switch because of something 99.9% of consumers don't care about isn't going to accomplish anything, whether we as conscientious net citizens should care or not.


What's the point of the NTP pool providers making their concerns public when consumers like you, who apparently are aware of the issue and what it means, don't care because TP-Link makes a "good product"?

Your attitude kind of reminds me of the people that toss their cigarettes out their car window. When confronted they'll say something like "But my car doesn't have an ashtray, this is easier" or "But I don't want used cigarette butts in my car" or "What am I hurting? It's only one cigarette, and there are volunteers that clean up my cigarette butts from the roadside" or "If it was really a problem, they'd enforce it better, I've never been given a ticket for it".


Because I'll be more concerned if the NTP pool providers say "This is detrimental to our services" than if a random 3rd party blog (that has apparently not even checked their math) says I should worry about it.


TP-link is clearly ignoring many of the instructions from NTP: http://www.pool.ntp.org/vendors.html

Notably, they are ignoring the ones that make it possible for NTP to be aware of the problem in the first place. Right now, TP-link's traffic probably just looks like millions of unrelated devices misconfigured. NTP wants vendors like this to make requests to a particular subdomain so they can identify problematic vendors in the first place.


He's actually not causing any "impact" at all.

> The firmware of some TP-Link repeaters — but not routers — including all 2017 models ... --TFA


I didn’t want to assume what he had or didn’t have in hardware, I was more concerned by the attitude displayed and then later repeated.


I've got a couple of MR-3020 "travel routers" myself, though I run OpenWRT on 'em. They're pretty decent little boxes and well worth the $15 or so that I paid for 'em.


I've got the successor, the TL-WR902AC

Looks like LEDE might support them, though when I purchased it, it did not. I might check that out.
