Team Cymru spots 300,000 compromised SOHO gateways

It's time to check the DNS settings on your broadband gateway, with security research group Team Cymru discovering an attack that could have redirected as many as 300,000 devices to a malicious resolver. Once a gateway is compromised, the devices behind it would be sent to the attacker's DNS, exposing them to drive-by attacks …


This topic is closed for new posts.
  1. adnim

    Remote access

    should be disabled by default.

    A SOHO router should not expose any ports to the Internet unless the user configures it to do so.

    It's so simple and obvious, I do not understand why this is not the default on all routers from all manufacturers.

    1. Anonymous Coward

      Re: Remote access

      Maybe you should take the time to read the Team Cymru report to understand how they believe the majority of the hacks took place. Then you'd understand that it is not thought to stem from any remote access.

      1. Anonymous Blowhard

        Re: Remote access

        Many of the (better) routers have internet and wireless access to the management interface disabled by default; but check to be sure.

        Also a good idea to change the IP address range of the LAN so it's not the obvious 192.168.1.x or 192.168.0.x but make sure it's still an RFC 1918 address:

        The JS attack can still get around this if the infected machine is on the wired LAN though; another good reason for using NoScript.

        1. Sir Runcible Spoon

          Re: Remote access

          "but make sure it's still an RFC 1918 address:"

          If you are being source NAT'd on the way it doesn't matter, unless you are trying to connect to an address that falls within the range you have used. Not best practice I know, but facts is facts.

      2. pacman7de

        Re: read the Team Cymru report ..

        @anon: "Maybe you should take the time to read the Team Cymru report to understand how they believe the majority of the hacks took place. Then you'd understand that it is not thought to stem from any remote access."

        "Malicious Javascript is loaded by a computer inside the local network and forces a local machine to automatically change the routers DNS settings" WhitePaper

        Would this 'computer' be running on Microsoft Windows?

        This DNS redirecting hack is at least a decade old ..

      3. adnim

        Re: Remote access

        You read the "how is it done bit" ?

        Compromise via local machine using Jscript is only part of it.

        Using a static IP and DNS for all LAN side machines seems good enough mitigation.

        I do this for all machines on my LAN; they each have a static IP and specified DNS servers.

        Of course most home and SOHO users just accept the defaults out of the box. And this is where potential problems arise. Ease of use over security is where the consumer and much of the professional hardware providers put all their eggs.

        All I am saying is it should be the other way around, Security first, convenience as a secondary consideration.

  2. pacman7de

    DNS settings on your gateway ..

    The Web interface isn't accessible from the Internet and I have manual DNS settings on the client desktop. Does this mitigate the risks of compromise?

  3. Gis Bun

    You can also hardcode DNS settings on your computers... Over-rides the DHCP settings on the router. As an added bonus use OpenDNS....

  4. Anonymous Coward


    I found I had this at home last night. DNS of the ADSL modem router set to those in the article. I found it because an internet device (not a computer or a mobile) had stopped working over the weekend.

    It's a D-Link router, not on the vulnerable list. No Windows PCs on the network, only Macs, an iPhone (not mine!) and a PS3. Router password was not the manufacturer's. Scary.

    So how did this happen? A malicious javascript? And what should I do now, besides resetting the router's DNS and changing passwords for everything useful which might have been accessed with the router on the bad settings, and the router itself? The Macs are set to use specified DNS servers, not the router.

    Most worrying, the web interface of the router, which is about 2 years old, does not allow altering Remote Management. Time to get a new router? Any recommendations for a SOHO ADSL modem router which comes with remote management turned off out of the box?

  5. Grease Monkey

    Here's a thought. If this is down to just two dodgy DNS servers, why are ISPs not simply blocking access to those addresses?

    Actually it would make sense if ISPs only allowed DNS requests from end users to go to their own DNS servers unless the user specifically requested it. It's hardly rocket surgery.
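
Several comments above suggest hardcoding DNS servers on the LAN machines. As an added example (not part of the thread or the Team Cymru report), this Python check reads resolv.conf-style text and reports which resolvers a client is actually configured with. The allowlist (the OpenDNS addresses), the sample file contents and all function names are assumptions.

```python
import ipaddress

# Assumption: resolvers chosen on purpose (OpenDNS, as one comment suggests).
EXPECTED = {"208.67.222.222", "208.67.220.220"}

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also covers
# documentation and other special ranges, which would hide a rogue resolver.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    found = []
    for line in resolv_conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            found.append(parts[1])
    return found

def classify(addr, expected=EXPECTED):
    """expected: on the allowlist; local: the gateway or a local stub answers,
    so the router's own DNS settings decide; unexpected: investigate."""
    try:
        ip = ipaddress.ip_address(addr.split("%")[0])   # drop IPv6 zone id
    except ValueError:
        return "invalid"
    if str(ip) in expected:
        return "expected"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "local"
    return "unexpected"

def audit(resolv_conf_text, expected=EXPECTED):
    return [(a, classify(a, expected)) for a in nameservers(resolv_conf_text)]

# Constructed sample; 203.0.113.53 is a documentation address standing in
# for a resolver nobody on the LAN chose.
SAMPLE = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 208.67.222.222
"""

if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE):
        print(f"{addr:16} {verdict}")
```

A "local" verdict means the client still defers to the gateway, so the DNS servers configured on the router itself need checking as well.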
