Is Your Router Part of a Botnet?

Checking a computer for malware is comparatively easy. There are many antivirus tools built to protect laptops and desktops, and a security suite that is kept up to date stops most malicious code from taking over the machine.

Routers and other Internet of Things (IoT) devices enjoy no such protection: they rarely run any antivirus software and often go years without a firmware update. Recent cyberattacks have targeted routers and IoT devices specifically, and security researchers keep observing compromised internet-connected devices being herded into botnets that launch distributed denial-of-service (DDoS) attacks.

A botnet is a network of compromised devices (bots) under an attacker's control, and smart-home gear now makes up a large share of them. Once infected, your router or accessories can be used to launch attacks at any time, usually with no visible change in how they work for you. So, is your router part of a botnet?

Understanding the Attacks

Several kinds of cyberattack target routers. The most common is DNS hijacking: the attacker changes the DNS server addresses the router uses (or hands out to your devices) so that a server under their control answers every name lookup from your network. A malicious DNS server handling all of your lookups is hazardous. When you type in the address of your bank, for instance, it can return the address of a phishing site that mimics the bank and captures your login credentials.

Traffic redirection and interception build on the same foothold. Instead of luring you to a phishing site one link at a time, a script planted on the router lets the attacker redirect traffic from every connected device at once. Some attackers go further and sniff packets as they pass through the router on the way to their intended servers, which exposes anything that is not protected by TLS.

Injection of malicious content is another common form of attack. Banner ads that earn revenue for the attacker are inserted into the pages you open, and popups and interstitial ads appear more often than usual; the inserted ads are frequently adult content. Because the router sits in the path of all unencrypted (HTTP) traffic, the injection happens no matter which device or browser you use.

More advanced attacks enrol the device in the attacker's botnet. The router can then be ordered to send a large volume of traffic to another server as part of a DDoS attack on that target. Unless you notice the outbound traffic, the first sign may be that your public IP address has been placed on blocklists without your knowledge.

Every attack coming from your router starts with the attacker getting onto it. The most common route is through your own browser: a web page carrying malicious JavaScript makes requests to the router's LAN-side administration interface (cross-site request forgery). If the router accepts those requests because you happen to be logged in, or because it still uses default credentials the script can supply, it is reconfigured without you noticing.

The other main route is direct access to the router's remote administration functions from the internet. Services such as UPnP, Telnet and web administration on the WAN interface need to be disabled, or properly secured if you genuinely need them, so that the device is not exposed. Limiting these services reduces your network's attack surface by a substantial margin.
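To make the cross-site request forgery route concrete, here is an added example (not code from any router vendor) of a hypothetical firmware handler that changes the router's DNS servers. The vulnerable version trusts any request that carries the admin session cookie, which the browser attaches even to a form submitted by a malicious page; the hardened version also demands a per-session CSRF token and checks the Origin header. The LAN address, endpoint path and request shapes are assumptions made for the illustration.

```python
"""Why a malicious web page can reconfigure a router from inside the LAN:
a hypothetical firmware handler that trusts any request carrying the admin
session cookie (vulnerable) next to one that also demands a per-session
CSRF token and checks the Origin header (hardened). Added example; not any
vendor's code. The LAN address and endpoint name are assumptions."""
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the router


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Router:
    dns_servers: list = field(default_factory=lambda: ["192.168.1.1"])
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token

    def login(self):
        """Owner logs in to the admin page; returns (session id, CSRF token)."""
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def _authenticated(self, req):
        return req.cookies.get("session") in self.sessions

    def set_dns_vulnerable(self, req):
        # Only the cookie is checked. The browser attaches that cookie to any
        # request aimed at 192.168.1.1, including one a malicious page submits.
        if req.method != "POST" or not self._authenticated(req):
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200

    def set_dns_hardened(self, req):
        if req.method != "POST" or not self._authenticated(req):
            return 403
        expected = self.sessions[req.cookies["session"]]
        # 1. Per-session anti-CSRF token: a cross-site page cannot read it.
        if not secrets.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        # 2. Browsers add Origin to cross-site POSTs; it must be the router.
        if req.headers.get("Origin", ROUTER_ORIGIN) != ROUTER_ORIGIN:
            return 403
        self.dns_servers = req.form["dns"].split(",")
        return 200


def cross_site_post(sid, dns):
    """Request produced by a hidden auto-submitting form on evil.example.
    The browser adds the router's session cookie; the attacker's page cannot
    read the CSRF token because of the same-origin policy, so none is sent."""
    return Request("POST", "/apply_dns", {"session": sid},
                   {"Origin": "http://evil.example"}, {"dns": dns})


def legitimate_post(sid, token, dns):
    return Request("POST", "/apply_dns", {"session": sid},
                   {"Origin": ROUTER_ORIGIN}, {"dns": dns, "csrf": token})


def demo():
    """Run the attack against both handlers; returns what happened to each."""
    outcome = {}
    for name in ("set_dns_vulnerable", "set_dns_hardened"):
        router = Router()
        sid, token = router.login()          # owner is logged in to the admin page
        handler = getattr(router, name)
        attack_status = handler(cross_site_post(sid, "203.0.113.53"))
        dns_after_attack = list(router.dns_servers)
        legit_status = handler(legitimate_post(sid, token, "9.9.9.9"))
        outcome[name] = {"attack_status": attack_status,
                         "dns_after_attack": dns_after_attack,
                         "legit_status": legit_status}
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two caveats a practitioner will want: modern browsers' SameSite=Lax cookie default blunts the cross-site POST variant, but firmware that accepts configuration changes over GET stays exposed, because the cookie is still sent on a plain navigation; and if the router still has default credentials, the malicious script does not need your session at all, since it can log in itself first.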

Identifying an Infection

The big question remains: is your device part of a botnet? That is a tough question to answer. Depending on the device in question and the topology of your network, you may not realize that your router is sending malicious traffic until it is too late.

Still, there are a few vital signs you can check for. Start by testing whether your router is reachable from the internet: from a device outside your network (a phone on mobile data, for example), enter your public IP address in a browser. If the router's login page appears, remote administration is exposed and you know you have a vulnerable network. Testing from inside your own LAN proves little, because routers handle "hairpin" connections to their own public address differently from a genuinely external client.

Next, check whether the admin credentials have been changed. If you can no longer log in with your usual admin credentials, treat the router as compromised. Resetting it and reconfiguring the network, as described below, is the best course of action at this point.

You can also check the router's DNS configuration. The servers it uses, and those it hands out to your devices, should be ones you recognise: your ISP's resolvers or a public resolver you chose yourself. Be suspicious of any address you did not set, and especially of a local IP address other than the router's own, which would mean some other device on your LAN is answering your lookups.

Last but not least, review the services running on the router and the ports it leaves open. Keep only the services you actually need, and make sure the ones that stay open are secured. UPnP, mentioned earlier, is particularly vulnerable in many devices because it lets any device on the LAN open ports on the router without authentication.
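The checks in this section can be turned into a small offline audit. The following is an added example (not from the original article or any vendor tool) that takes a snapshot of what you gathered by hand, namely the DNS servers from the admin page, the ports a scan from outside your network found open, and the answers for a few names resolved via the router versus a trusted resolver, and reports the findings. The snapshot data is constructed, the trusted-resolver allowlist is an assumption you should extend with your ISP's resolvers, and the same script serves to re-verify the router after the hardening steps in the next section.

```python
"""Offline audit of a router "snapshot" for the signs listed above: hijacked
DNS settings, remote administration and UPnP/Telnet reachable from the WAN
side, and DNS answers that differ from a trusted resolver. Added example with
a constructed snapshot; the trusted-resolver allowlist is an assumption."""
import ipaddress
from collections import Counter

# Assumed allowlist. Add your ISP's resolvers if you use them.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                     "9.9.9.9", "149.112.112.112"}

# Services that should not answer on the public address of a home router.
RISKY_TCP = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http admin",
             443: "https admin", 8080: "alt http admin",
             8443: "alt https admin", 7547: "TR-069 CWMP"}
RISKY_UDP = {53: "open DNS resolver", 1900: "UPnP SSDP"}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    # Deliberately not ipaddress.is_private: that also covers documentation
    # ranges such as 198.51.100.0/24, which the sample data below uses.
    return any(ip in n for n in RFC1918)


def classify_dns_server(server, lan_cidr, router_ip, trusted=TRUSTED_RESOLVERS):
    """Classify one DNS server address found in the router's settings."""
    ip = ipaddress.ip_address(server)
    if ip == ipaddress.ip_address(router_ip):
        return "router"          # router forwards upstream; audit the upstream too
    if str(ip) in trusted:
        return "trusted"
    if ip in ipaddress.ip_network(lan_cidr):
        return "rogue-lan-host"  # some LAN device is acting as the resolver
    if is_rfc1918(ip):
        return "private-outside-lan"
    return "unknown-public"      # an attacker's resolver, or an unlisted ISP one


def exposed_services(open_tcp, open_udp):
    """Ports found open by a scan run from OUTSIDE the network."""
    hits = [f"tcp/{p} ({RISKY_TCP[p]}) reachable from the internet"
            for p in sorted(open_tcp) if p in RISKY_TCP]
    hits += [f"udp/{p} ({RISKY_UDP[p]}) reachable from the internet"
             for p in sorted(open_udp) if p in RISKY_UDP]
    return hits


def suspicious_lookups(lookups):
    """lookups: name -> (answers via the router, answers via a trusted resolver)."""
    hits, seen = [], Counter()
    for name, (via_router, via_trusted) in lookups.items():
        for a in via_router:
            seen[a] += 1
            if is_rfc1918(ipaddress.ip_address(a)):
                hits.append(f"{name}: router resolves to private address {a}")
        if set(via_router) != set(via_trusted):
            hits.append(f"{name}: router answer {sorted(via_router)} differs "
                        f"from trusted {sorted(via_trusted)} (verify; CDNs also vary)")
    # One address answering for several unrelated names is a mass redirect.
    for a, n in seen.items():
        if n > 1:
            hits.append(f"{a} returned for {n} unrelated names via the router (mass redirect)")
    return hits


def audit(snapshot):
    findings = []
    for s in snapshot["dns_servers"]:
        verdict = classify_dns_server(s, snapshot["lan_cidr"], snapshot["router_ip"])
        if verdict not in ("router", "trusted"):
            findings.append(f"dns server {s}: {verdict}")
    findings += exposed_services(snapshot["wan_open_tcp"], snapshot["wan_open_udp"])
    findings += suspicious_lookups(snapshot["lookups"])
    return findings


# Constructed snapshot of a compromised router. Gather real values from the
# admin page, from `dig @<resolver> <name> +short`, and from a port scan run
# outside your network (for example over mobile data).
SAMPLE = {
    "lan_cidr": "192.168.1.0/24",
    "router_ip": "192.168.1.1",
    "dns_servers": ["192.168.1.1", "198.51.100.10"],   # second one not set by the owner
    "wan_open_tcp": [23, 80],
    "wan_open_udp": [1900],
    "lookups": {   # name -> (answers via router, answers via 9.9.9.9)
        "bank.example": (["198.51.100.77"], ["203.0.113.20"]),
        "mail.example": (["198.51.100.77"], ["203.0.113.30"]),
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("!", finding)
```

A differing answer on its own is weak evidence, since content delivery networks legitimately return different addresses to different resolvers; the stronger signals are an answer inside a private range and the same address coming back for unrelated names, which is what a redirect to a single phishing or ad-injection host looks like.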

Hardening Security

If your device is infected, a factory reset is the first step. It returns the router to its original configuration, wiping the attacker's DNS and admin changes along with everything else. You will have to configure the network from scratch, but that is the price of a known-good starting point, and it limits the risk of exposing more of your systems.

Once the reset is completed, there are several more things to do, starting with changing the default admin username and password to something substantial: a long, unique password that is not shared with any other account. As a bonus, disable remote administration entirely if you do not plan to use the feature.

Keep the router up to date. Security holes get plugged in firmware updates, and the better OEMs keep releasing new firmware for their devices for years; if yours has stopped, consider replacing it. While you are at it, keep the devices connected to the router up to date as well.

You can go the extra mile and enable DNSSEC validation. It does not stop your requests from reaching a malicious DNS server; what it does is let a validating resolver detect forged answers for domains whose owners have signed them, so a hijacked resolver cannot silently substitute its own address for your bank's if the bank's zone is signed. Not all routers support validation, but you can still get that extra layer of protection by enabling it on the client devices themselves.

Last but certainly not least, check botnet status sites to make sure your public IP address is not listed. Services such as Simda Botnet IP Scanner or Sonicwall Botnet IP Lookup keep lists of addresses observed taking part in botnet activity; a hit means something behind your address has already been caught misbehaving.

A forward proxy is sometimes recommended as an additional layer. It acts as middleware between your devices and the rest of the internet, so the devices never talk to remote servers directly. That reduces their exposure, but it does not make a router or IoT device immune to attack, and it does nothing against an attacker who already controls the router itself.

With the checks covered in this article, you have a realistic way to tell whether your router is part of a botnet, and the hardening steps make your router and IoT devices a much less attractive target for the next attack.