This resulted in one of the largest distributed denial-of-service attacks known at the time.
The most troublesome problems have involved NTP server addresses hardcoded in the firmware of consumer networking devices.
The University of Wisconsin–Madison NTP server continues to receive high levels of traffic from NETGEAR routers, with occasional floods of up to 100,000 packets per second.
NETGEAR has donated 5,000 to the University of Wisconsin–Madison's Division of Information Technology for their help in identifying the flaw.
Subsequent investigation revealed that four models of NETGEAR routers were the source of the problem.
It was found that the SNTP (Simple NTP) client in the routers has two serious flaws.
A total of 707,147 products with the faulty client were produced.
NETGEAR has released firmware updates for the affected products (DG814, HR314, MR814 and RP614) which query NETGEAR's own servers, poll only once every ten minutes, and give up after five failures.
One particularly common software error is to generate query packets at short (less than five second) intervals until a response is received.
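The retry-until-answered error and the updated firmware's policy (one poll every ten minutes, give up after five failures) can be compared with a small simulation of what each client sends while the server is silent. This is an added example, not code from NETGEAR or from the original page; the 1-second retry interval, the ten-minute normal poll interval of the flawed client, the outage lengths and the client count are assumed values.

```python
from dataclasses import dataclass
from typing import Callable, Iterator, Optional


@dataclass(frozen=True)
class PollPolicy:
    normal_interval_s: int       # delay after an answered query
    retry_interval_s: int        # delay after an unanswered query
    max_failures: Optional[int]  # consecutive failures before giving up (None = never)


# Error pattern from the text: retry at a short interval until a reply arrives.
# Assumed values: 1 s retry (inside "less than five second"), 600 s normal poll.
RETRY_UNTIL_ANSWERED = PollPolicy(600, 1, None)
# Updated-firmware policy from the text: poll every ten minutes, stop after five failures.
FIXED_FIRMWARE = PollPolicy(600, 600, 5)


def query_times(policy: PollPolicy, server_up: Callable[[int], bool],
                horizon_s: int) -> Iterator[int]:
    """Yield each second at which the client transmits a query."""
    t, failures = 0, 0
    while t < horizon_s:
        yield t
        if server_up(t):
            failures = 0
            t += policy.normal_interval_s
            continue
        failures += 1
        if policy.max_failures is not None and failures >= policy.max_failures:
            return  # client gives up instead of retrying forever
        t += policy.retry_interval_s


def packets_sent(policy: PollPolicy, outage_s: int, horizon_s: int) -> int:
    """Queries sent in horizon_s when the server is silent for the first outage_s."""
    return sum(1 for _ in query_times(policy, lambda t: t >= outage_s, horizon_s))


def stuck_fleet_pps(policy: PollPolicy, clients: int) -> float:
    """Aggregate query rate from `clients` devices that are all in the retry state."""
    return clients / policy.retry_interval_s


if __name__ == "__main__":
    for name, p in (("retry-until-answered", RETRY_UNTIL_ANSWERED),
                    ("fixed firmware", FIXED_FIRMWARE)):
        # Constructed scenario: 1 h outage in a 2 h window, 10,000 stuck clients.
        print(name, packets_sent(p, 3600, 7200), round(stuck_fleet_pps(p, 10_000), 1))
```

During the outage the flawed client's load on the server is set only by its retry interval, so a server that stops answering receives more traffic, not less; the bounded policy caps each device at five packets per outage.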
The traffic was ultimately traced to misbehaving copies of a program called Tardis, with thousands of copies around the world contacting the web server and obtaining a timestamp via HTTP.
Ultimately, the solution was to modify the web server configuration so as to deliver a customized version of the home page (greatly reduced in size) and to return a bogus time value, which caused most of the clients to choose a different time server.
Some NTP servers would respond to a single "monlist" UDP request packet with packets describing up to 600 associations.
By using a request with a spoofed IP address, attackers could direct an amplified stream of packets at a network.