DDoS Attacks on Home Routers: The Weapon you Didn’t Know You Had in Your House

security_broadband_isp_routers

It’s always kind of nice to think we might be more important or more useful than we actually are. Stop us if we’re getting into embarrassing confession territory here, but we don’t think we’re the only ones who have occasionally fantasized that we might somehow hold the key to some important mission, that something we possess could be used for a much greater purpose than we’d ever imagined.

Well, a DDoS trend where home routers are not only targeted for attack, but are actually used to carry out larger attacks on companies like ISPs is sort of like that, only terrible. You see, you could be holding the key to something big – but in this case its best you didn’t.

Here’s what you need to know to keep your home router from being targeted with a DDoS attack, and to keep it from being a part of some hacker’s large-scale attack.

The vulnerabilities of your home router

router-vulnerabilities-DNS-hijacking

Recently we’ve been seeing DDoS attacks on home routers coming through vulnerabilities in two main protocols: SNMP, or Simple Network Management Protocol, and NTP, Network Time Protocol.

With the SNMP DDoS attacks, what hackers are able to do is take over routers that have left default passwords in place. If successful, the attack sets the router’s default TTL (time to live mechanism) to 1, which means the network won’t have enough time to connect to other systems that aren’t on the same link-layer network. This attack also turns off IP forwarding. Not only does a DDoS attack on your SNMP do exactly what it says it will, deny you service, but it also allows your router to be hijacked and used as a bot to attack a third-party.

NTP DDoS attacks are widely known as NTP amplification, because these attacks can get big, and get big fast. In an NTP DDoS attack, the attacker spoofs the IP address of the victim server, and sends repeated traffic count requests to an NTP server. The NTP server sees these requests as legitimate, and sends a list of 600 hosts to the spoofed IP address. Over and over and over, with the response from the NTP server being much larger than the request, hence the term amplification. This high-volume attack absolutely binge eats bandwidth and other resources, and when things like botnets get involved, you could be looking at a major DDoS situation across an entire ISP. This is something that’s become more and more of an issue – Incapsula has been noticing an increase in NTP amplification since February of 2014.

Recent router attacks

Just a few weeks ago we saw a big SNMP DDoS attack that spoofed traffic from Google’s public recursive DNS server, targeting default passwords. This is particularly worrisome because obviously a router is going to accept traffic from what it thinks is Google’s DNS server, and if those default passwords are still in place, you’re looking at a router that’s ready to be hijacked and turned into a bot.

Internet security researchers were quick to point out that this attack seemed to consist of sequential scans, indicating that the attackers are doing an internet-wide search for vulnerable routers. At this point, we can only speculate about why someone would do that, but we can say with confidence that the outcome won’t be good.

The reason hackers love SNMP and NTP DDoS attacks is because with relatively low expertise, relatively little effort and relatively few resources, major destruction can be caused. In fact, back in February, the largest (at the time) DDoS attack on record was reported. The attack reached 400+ gbps at its peak and involved 4592 NTP servers on 1298 networks. Almost unbelievably, the attack seemed to have originated from a single server running on a network.

It’s tempting to think of the hackers behind these attacks as criminal masterminds gathered together in some lair in a foreign country, but the truth is, bored teenagers are very often the ones behind them. Today, even kids and non-professional hackers can execute small to medium-sized DDoS attacks.

What you need to do to secure your router

We’d like to be able to tell you that home routers are vulnerable to DDoS attacks because of things like errors in the code, or in the security policy. You know, things that aren’t the user’s fault. While it is theoretically possible that errors in coding or security policy could be exploited in a DDoS attack, it is far more likely that hackers will target – and successfully exploit – errors a user has made during configuration.

If you’re ready to get safe, here are the six rules you need to follow in order to ensure your router is as secure as you can make it.

  • Block inbound traffic where the source address comes from your internal network.
  • Block outbound traffic where the source address doesn’t come from your internal network.
  • Block both inbound and outbound traffic where source or destination addresses come from the ranges of private addresses. These ranges are 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.0.0/16.
  • Block all source-routed traffic.
  • Block broadcast packets. This includes directed broadcasts.
  • Block packet fragments.

Hey, configuring a router is tricky stuff. The first think you absolutely want to do is make sure you don’t leave any of the default passwords. If you are only going to follow one piece of router security advice, make it that one.

Leave a Reply

Your email address will not be published. Required fields are marked *