Distributed denial of service (DDoS) attacks come in several flavors. Some are big and noisy—240,000 internet-connected devices working as one in a botnet. Others are noisy and sneaky: they start with a high-volume attack and follow it with an assault on network applications. Yet others take the side door into a network—the internet-connected devices themselves.
Lately, there’s been a flood of denial of service attacks through routers. That’s right, the boxes that blink harmlessly in your home or office, day and night. Sophisticated hacking groups are using routers to enter networks and monitor data that enters and leaves your network.
Here’s why router-based attacks might become the next big trend in cybersecurity:
Mirai attacks on routers. Many cyber criminals are using source code of Mirai botnet malware to attack routers and other IoT devices.
Foreign cyber espionage. Clever and persistent assaults on home routers, business firewalls, and ISP operations have enabled Russian hackers to spy on networks and steal data.
Chinese botnet Mafia? A Netlab 360 report out of China describes at least five botnet “families” that compete for territory and turn their captured devices against one another. All of the botnets (Muhstik, Hajime, Mirai, Mettle, and Satori) have developed tactics to target fiber optic routers.
Why DDoS router attacks are a big deal
Other than providing a big dose of scary IT security news, why is router attack awareness important? These attacks enable hackers to do more damage to more targets than ever before. The problem is that users install routers with a set-it-and-forget-it attitude. Often, users forget about their routers after the initial setup until their internet connectivity fails. When this happens, there’s plenty of damage to go around to users, their businesses, suppliers, and partners, often without anyone knowing what happened.
The root causes include never-changed default passwords and other types of poor security, which enable attackers to get into internet-connected devices.
Why it’s smart to worry about router attacks
The problem is a big one, but what does it mean to businesses and individuals running a home office? There are several important reasons to worry about router attacks:
Routers are everywhere, and so are the threats. No one is immune from attack. Anyone, individual or business, large or small, can get hit.
If attackers get your router, they get everything on your network, as well as all the data that enters and leaves it.
Recent attacks have made router-related security risks very clear.
Unsecured routers are just one of a growing list of DDoS attack points. Printers, IP web cameras, cable boxes, and DVRs are just a few types of devices that hackers can hijack and involve in cyber attacks.
Attack method 1: DDoS attack via router
In April 2018, it was reported that 1.06 million vulnerable fiber routers appeared on Shodan, a search engine listing unprotected databases and devices. An authentication bypass flaw made it easy for hackers to get into a network by adding “?images/” to the browser’s URL address.
Security specialists linked DDoS attacks to a group of Russian hackers who attack routers and other internet-connected devices. In May 2018, high-level U.S. and U.K. security officials jointly issued an extraordinary warning about Russian state-sponsored hacking activity. The hackers were adept at exploiting routers, firewalls, switches, and intrusion detection systems. Targets included government agencies, businesses, essential infrastructure providers, and small home offices.
These exploits, named VPNFilter, use more than 500,000 routers and storage devices in locations worldwide. Evidently, as soon as VPNFilter overcomes a router, criminals can:
Map the details of a network.
Harvest passwords and usernames.
Change code of firmware and operating systems.
Spy on network traffic and reroute it to Russian-controlled machines.
To these menacing capabilities, add cryptojacking, a new type of theft of IT services.
Attack method 2: cryptojacking
At any moment, hundreds of thousands of IoT devices mine for cryptocurrency by stealing CPU resources from unknowing victims. In July 2018, security researchers noticed activity typical of a huge cryptojacking campaign. This time, the attack was enabled by 415,000 MikroTik routers in Brazil. Coinhive, a browser-based mining service, used to provide scripts for legitimate Monero cryptomining. However, rampant abuse of the script led many cybersecurity companies to ban its use on their sites.
The massive resources that hackers can gather to commit crimes are impressive, some might say even scary. But that doesn’t mean that users are totally defenseless. There are ways to reduce the security risk of router-based DDoS attacks.
What users can do
There is no magic wand that will make risks of router-based attacks go away. Instead, it’s a familiar list of security hygiene tasks, which include:
Checking for router firmware updates at least once every three months.
Changing default passwords—and creating an original one that’s strong—as soon as you take the device out of its packaging.
Turning off your network’s remote administration capabilities.
Turning off legacy internet protocols such as TFTP, Telnet, SNMP, and SMI.
Turning on and using your network’s guest network capabilities. This step puts visitors on a different network than your main one. This approach also shields your devices from IoT attacks.
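The checklist above can be turned into a repeatable audit. The following Python script is an added example, not part of the article: it reads a constructed, made-up key=value export of a router's settings and flags each item from the list that fails (default password, stale firmware check, remote administration, legacy services, guest network). The config format, field names and default-password list are assumptions; real routers expose these settings through their own web UI or CLI.

```python
# Added example (not from the article): audit router settings against the
# hygiene checklist. The key=value format and field names are assumptions.
from datetime import date

# Constructed sample export of a router's settings (not a real device).
SAMPLE_CONFIG = """\
admin_password=admin
last_firmware_check=2018-03-01
remote_admin=on
services=http,telnet,tftp,snmp,ssh
guest_network=off
"""

DEFAULT_PASSWORDS = {"admin", "password", "1234", "root", ""}  # assumed list
LEGACY_SERVICES = {"telnet", "tftp", "snmp", "smi"}           # from the checklist
MAX_DAYS_SINCE_FIRMWARE_CHECK = 90  # "at least once every three months"


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_router(text, today_iso):
    """Return one finding string per checklist item that fails."""
    cfg = parse_config(text)
    today = date.fromisoformat(today_iso)
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("default or empty admin password")
    last = date.fromisoformat(cfg.get("last_firmware_check", "1970-01-01"))
    if (today - last).days > MAX_DAYS_SINCE_FIRMWARE_CHECK:
        findings.append("firmware not checked in over 90 days")
    if cfg.get("remote_admin", "off").lower() == "on":
        findings.append("remote administration enabled")
    enabled = {s.strip().lower() for s in cfg.get("services", "").split(",")}
    exposed = sorted(LEGACY_SERVICES & enabled)
    if exposed:
        findings.append("legacy services enabled: " + ", ".join(exposed))
    if cfg.get("guest_network", "off").lower() != "on":
        findings.append("guest network disabled; IoT devices share the main LAN")
    return findings


if __name__ == "__main__":
    for finding in audit_router(SAMPLE_CONFIG, "2018-08-01"):
        print("FAIL:", finding)
```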
Most importantly, though, paying ongoing attention to IoT device security is the key to keeping your home or office system safe. Cybercrooks will always be ready to use vulnerabilities in our IT infrastructure. IoT device makers are moving slowly toward improving software patches and away from default passwords. Now it’s time for users to do their part.