If you woke up one morning to find your car had been stolen, that would be bad. If you found out your stolen car had been used to drive through the front windows of three businesses, that would be worse. And if it just so happened that you never bothered to lock your car doors, that would be worst of all. Bad enough that you should probably not tell anyone ever.
But that wouldn’t happen to your car. That’s what you’re probably thinking. Your car would never be used to cause damage to businesses because, of course, you keep your car doors locked.
That’s all fine and good. But how’s your router security? Keep reading to find out how small office and home office (SOHO) routers are being used in DDoS attacks to inflict damage to websites and businesses, and what you need to do to prevent your own router from joining a botnet army.
Botnet basics
In order to understand how the routers of innocent people are being used to target websites, you first need to know what a botnet is: a collection of computers or other internet-connected devices that have been infected by malware. As a result, these devices are under the control of a botnet owner or owners who can issue commands to them to perform malicious tasks, such as participating in DDoS attacks or sending spam. These compromised devices are often referred to as zombies.
Computers and other devices can become infected with malware through actions as simple as unknowingly visiting a harmful website or accidentally downloading a malicious email attachment.
Zombie invasion
The routers-turned-DDoS-attack-weapons were first noticed by internet security firm Incapsula in December 2014, when it encountered application-layer HTTP flood attacks against dozens of client websites. In April 2015 these attacks ballooned, with double the original number of attacking IPs and additional attack vectors.
When Incapsula investigated, they uncovered a much bigger barrage of DDoS attacks that were targeting hundreds of domains in addition to their own clients. The DDoS campaign was found to be coming from a botnet consisting of a massive number of SOHO routers.
Source: Incapsula
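The HTTP floods Incapsula saw are application-layer requests that each look legitimate on their own; what gives a source away is its request rate. The following is an added example, not Incapsula's tooling and not code from this article: a small detector that parses combined-format web access logs (the sample lines are constructed and use documentation IP ranges) and flags any source that exceeds a request threshold inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict with ip, ts (datetime), req, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def flood_sources(lines, window_s=10, threshold=20):
    """Flag source IPs whose request count inside any sliding window of
    window_s seconds exceeds threshold. Returns {ip: peak_count}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most window_s
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed sample (documentation IPs): 203.0.113.7 sends 30 GET /
    requests in five seconds, 198.51.100.3 makes five requests over a minute."""
    base = '{ip} - - [01/Apr/2015:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [base.format(ip="203.0.113.7", sec=i // 6, path="/") for i in range(30)]
    lines += [base.format(ip="198.51.100.3", sec=i * 12, path=f"/p{i}") for i in range(5)]
    return lines
```

A botnet of tens of thousands of routers can stay under a per-source threshold by spreading its requests thinly, so this is a first-pass signal to be combined with aggregate request-rate monitoring, not a complete defence.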
The finer details
In all, from December 2014 to April 2015, attack traffic was recorded from over 40,000 IPs belonging to 1,600 ISPs. The affected routers were largely found to be ARM-based Ubiquiti routers, distributed to customers by ISPs all over the world. Not only were all affected routers remotely accessible through HTTP and SSH on their default ports, but most of the units still had the vendor-provided default login credentials: neither the username nor the password had been changed.
Furthermore, all affected routers had been infected with variants of the malware known as MrBlack (also detected as Trojan.Linux.Spike.A), with four variants on average infecting each unit. In most cases, this was not the only malware present.
The attack traffic came from a total of 109 countries, with Brazil and Thailand home to 85% of the affected routers. The command and control (C&C) servers, used by the attackers to direct malicious traffic, were largely located in China, the United States, and Hong Kong.
While there are similarities between this botnet and one used in the past by the hacker group Lizard Squad for its DDoS-for-hire business, it's not possible to definitively identify them as the attackers. In fact, judging by attack patterns and attack targets, these compromised routers were being used by a number of groups and individuals.
Source: Incapsula
What you need to do to protect your router
The vast majority of people don’t want their routers being partially responsible for DDoS attacks. After all, DDoS attacks can cost organizations upwards of $40,000 per hour and cause lasting damage to both hardware and software as well as consumer trust. DDoS attacks can also result in the theft of intellectual property, financial information, and personal information. They’re awful news all around.
On the off chance that someone doesn't care that their router is being used to inflict that kind of damage, it's also worth knowing that such an easily compromised router can let attackers spy on your communications, hijack your cookies and get into local network devices, including CCTV cameras.
According to this article, there are a number of steps all router owners can take to secure their routers. First, if your router is a Ubiquiti model and you believe it may have been affected, update its firmware to the latest version. Incapsula recommends this resource to help you with that process.
Regardless of what kind of router you own, you really should change the login credentials from the vendor-supplied defaults. Ubiquiti router owners can consult these guides for information on how to do that; for other types of routers, look up the user guide or contact the vendor.
Also regardless of what kind of router you own, disabling remote WAN access is greatly beneficial. You will most likely do this through your router's admin page, in the access management tab or section: allow only LAN (local area network) access and disable remote WAN (wide area network) access. Your router's user guide will walk you through this process as well.
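Once remote WAN access is disabled, it is worth confirming that the router really has stopped answering from the internet. This is an added example, not code from the article or from any router vendor: a Python check that probes a host for the management ports the text mentions (the exact port list is an assumption) and, so it can be exercised offline, stands up a local listening socket in place of an exposed router.

```python
import socket

# Ports on which SOHO routers commonly expose management (assumed list):
# SSH, Telnet, HTTP, HTTPS and the alternate HTTP port.
MANAGEMENT_PORTS = (22, 23, 80, 443, 8080)

def port_is_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_wan_exposure(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return the sorted list of ports that answer from this vantage point.
    Run it from OUTSIDE your LAN (a phone on mobile data, say) against your
    public IP: any port listed means remote management is still reachable."""
    return sorted(p for p in ports if port_is_reachable(host, p, timeout))

def _local_listener():
    """Throwaway listening socket on 127.0.0.1 standing in for an exposed
    management port. The kernel completes the TCP handshake for a listening
    socket, so no accept loop is needed. Returns (port, close_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close

def demo():
    """Offline check: one constructed 'exposed' port and one port nothing
    listens on. Returns (exposed_port, closed_port, ports_found_open)."""
    exposed, close_listener = _local_listener()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]
    probe.close()  # port is free again, so connecting to it is refused
    try:
        found = audit_wan_exposure("127.0.0.1", (exposed, closed), timeout=1.0)
    finally:
        close_listener()
    return exposed, closed, found

if __name__ == "__main__":
    print(demo())
```

Probing from inside your own LAN proves nothing, because LAN access to the admin page is supposed to keep working; the test has to come from the WAN side.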
A slightly inconvenient necessity
No one is pointing the finger of blame here. There are hundreds of thousands, if not millions, of routers under the control of hackers right this minute. No one has time to do that much pointing. If you set up your router according to instructions, left the default credentials in place, and haven’t thought about it since, there’s no reason to feel chagrined. You’re a part of a very big club.
Routers aren’t the easiest devices to deal with since they run in the background of our digital lives. However, going through the recommended steps to secure your device will ensure a safer internet experience for you and your family as well as, potentially, innumerable websites. If you wouldn’t leave your car doors unlocked, don’t leave your router door wide open either.
Image Credit: Flickr/Sean MacEntee