DDoS botnet hijcking thousands of home and office routers

The router security message really should have been driven home years ago, but it seems that a lack of basic security practices by ISPs, vendors and users has resulted in large numbers of hacker-controlled routers being used to launch DDoS attacks.

A new report from web security specialist Incapsula says it has uncovered a DDoS botnet comprising tens of thousands of hijacked routers. It's now sharing the attack details in an attempt to raise awareness about the dangers posed by under-secured, connected devices.

The DDoS campaign is a series of application layer HTTP flood attacks which Incapsula first encountered in late December. Attack traffic was recorded from 40,269 IPs belonging to 1,600 ISPs worldwide. The IP addresses were traced back to 60 command and control systems used by perpetrators to remotely direct malicious traffic.

The botnet from which attacks are being launched consists of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices. Security investigators initially assumed that the routers were compromised by a shared firmware vulnerability. However, further inspection showed that all the units were remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all were configured with vendor-provided default login credentials. This allowed the routers to be injected with variants of the Mr.Black malware the signature of which Incapsula identified during the attack.

More than 85 per cent of all the compromised routers are located in Thailand and Brazil, while the majority of the command and control servers are in the US (21 per cent) and China (73 per cent).

Prior to publishing the report, Incapsula contacted the router vendor and ISPs whose networks it found to be most open to abuse.

It urges router owners to disable all remote (WAN) access to their router management interfaces, change the default admin login and, if they believe their router is already compromised, upgrade to a newer version of the device's firmware.

The full report is available to download from the Incapsula website.

Image Credit: Piotr Adamowicz / Shutterstock