Routers with weak default security settings may not only cause connectivity problems for ADSL subscribers, but may have also been used to aid in DNS amplification attacks on certain websites.
To fix the problem, Telkom told users to change the default password of the “support” user account on the router because it is accessible from the Internet.
Users must then also change their DNS settings to “obtain DNS info from the WAN interface”.
This comes after both Telkom and D-Link were informed towards the end of May 2013 that it was trivially easy to get a list of D-Link 2750U routers that are accessible from the Internet.
What’s worse is how easy it is to log into these routers over the Internet, because the default passwords for certain user accounts are not changed during the initial configuration of the router.
Telkom said at the time that the routers it supplies may be dispatched with factory default settings and passwords, which it is the user’s responsibility to change.
Everything the user needs to make such changes is in the user guides of Telkom-supplied modems, a spokesperson for Telkom told MyBroadband.
“Security is a personal decision and, while modems have the functionality to provide a safe environment, it is reliant on the user to activate the built in security measures to limit the risk of intrusion,” the spokesperson said.
D-Link vs Telkom: conflicting information
When asked in May whether the remote management feature that lets you log into a router over the Internet is enabled by default, D-Link said it is disabled.
A spokesperson for the company went on to say that they always recommend changing the default “support” account’s password when enabling remote management.
This is at odds with Telkom’s statement that the “support” account is enabled for remote login by default.
When asked about this discrepancy, D-Link declined to comment further and said that it has a non-disclosure agreement in place with Telkom.
Interestingly, an update for the D-Link 2750U ADSL router is now available from D-Link South Africa’s FTP server.
Routers enlisted in denial-of-service attacks
Among the details that these “hackers” (if using ShodanHQ and default router passwords can be considered hacking) are able to get their hands on this way is your ADSL username and password.
However, what they seemed to be most interested in is changing the domain name system (DNS) servers you use.
In brief, DNS is what translates domain names such as “mybroadband.co.za” to the Internet Protocol addresses needed to connect to servers on the Internet.
Users with the ADSL slowdowns reported that their DNS settings were changed to point to the IP addresses 220.127.116.11 and 18.104.22.168.
Changing your DNS settings could be a way for hackers to execute a DNS cache poisoning attack against you, or as Cybersmart boss Laurie Fialkov told MyBroadband previously, to enlist you in a DNS Amplification attack.
As Fialkov explained it, DNS Amplification attacks are a particularly destructive type of distributed denial-of-service (DDoS) attack.
This is the type of attack that took Spamhaus off the web for some hours and “almost broke the Internet”.
According to Fialkov, there are essentially three forms of DNS Amplification attack:
- Modify the DNS packet and change the source address to the IP of the server you want to take down;
- Hack into routers and change a user’s DNS settings to point to corrupt DNS servers (which is what seems to be happening on the D-Link 2750U routers);
- Malware (the least common).
D-Link not the only problem-router
When the news emerged in May that Cybersmart saw an increase in DNS Amplification attack traffic in South Africa, chief technology officer at Neology, Roelf Diedericks, confirmed that they had seen a similar increase.
Diedericks said that attackers find a foothold largely due to open resolvers, poorly configured DSL modems, and buggy firmware.
However, it is not only D-Link DSL routers that can be exploited for DNS Amplification attacks.
“Any modem that can be remotely administered has this problem,” Fialkov said. “It is a difficult problem to solve, because most modems aren’t changed from the default logins.”
Detecting and stopping router DNS settings changes
Fialkov said that they took the decision to only allow their own DNS nameservers and a pre-approved list of nameservers to respond to their ADSL customers.
“When routers are compromised in this way the Internet will stop working as opposed to getting slow,” Fialkov said.
This makes it much easier for them to debug, Fialkov said, as slow Internet can be caused by a number of other external factors.
“Also, it stops the exploit dead in its tracks immediately,” Fialkov said.
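The allowlist policy Fialkov describes above can be illustrated with a small script. This is an added example and not code from the article, from Cybersmart or from Telkom; the approved resolver addresses (192.0.2.x, 198.51.100.x), the subscriber addresses (203.0.113.x) and the flow-record format are constructed placeholders, while the two rogue resolver IPs are the ones reported by affected users earlier in the article. It shows two defensive checks: comparing a router’s configured DNS servers against the approved list, and deciding at the provider edge which DNS replies toward subscribers should be dropped.

```python
"""
Added example: an allowlist check in the spirit of the policy described in
the article, which only lets a provider's own nameservers and a
pre-approved list answer DNS for ADSL customers.

1. router_dns_deviation(): report configured DNS servers that are not
   on the approved list (what a support tool would flag on a router).
2. filter_dns_replies(): walk constructed flow records of UDP/53 replies
   and separate those that may pass from those that are dropped.

Every address except the two rogue IPs quoted in the article is a
constructed placeholder from the RFC 5737 documentation ranges.
"""
import ipaddress

# Hypothetical provider resolvers plus one pre-approved third party.
APPROVED_RESOLVERS = {
    "192.0.2.53",      # provider resolver 1 (placeholder)
    "192.0.2.54",      # provider resolver 2 (placeholder)
    "198.51.100.10",   # pre-approved external resolver (placeholder)
}

# Rogue resolvers that affected users reported their routers pointing at.
REPORTED_ROGUE = {"220.127.116.11", "18.104.22.168"}


def router_dns_deviation(configured, approved=APPROVED_RESOLVERS):
    """Return the configured DNS servers that are not on the approved list.

    An empty list means the router still points at approved resolvers.
    Strings that are not valid IP addresses are reported as-is, since a
    garbled setting is also a deviation from the expected configuration.
    """
    deviations = []
    for entry in configured:
        try:
            addr = str(ipaddress.ip_address(entry.strip()))
        except ValueError:
            deviations.append(entry)
            continue
        if addr not in approved:
            deviations.append(addr)
    return deviations


def parse_flow(line):
    """Parse one constructed flow record of the form
    '<src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>'."""
    src, _arrow, dst, proto, size = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "proto": proto, "bytes": int(size),
    }


def filter_dns_replies(lines, approved=APPROVED_RESOLVERS):
    """Classify inbound DNS replies (UDP, source port 53) toward subscribers.

    Returns (allowed, dropped) lists of flow dicts. A reply whose source is
    not an approved resolver is dropped, which is what turns a hijacked
    router into a 'no Internet' symptom instead of a slow one.
    """
    allowed, dropped = [], []
    for line in lines:
        flow = parse_flow(line)
        if flow["proto"] != "UDP" or flow["src_port"] != 53:
            continue  # not a DNS reply; outside this policy
        if flow["src_ip"] in approved:
            allowed.append(flow)
        else:
            dropped.append(flow)
    return allowed, dropped


# Constructed sample input: two replies from approved resolvers, two from
# the rogue servers named in the article, and one unrelated HTTP flow.
SAMPLE_FLOWS = [
    "192.0.2.53:53 -> 203.0.113.7:51234 UDP 120",
    "220.127.116.11:53 -> 203.0.113.7:51235 UDP 3200",
    "18.104.22.168:53 -> 203.0.113.8:40001 UDP 3100",
    "198.51.100.10:53 -> 203.0.113.9:40002 UDP 98",
    "203.0.113.7:51236 -> 198.51.100.80:80 TCP 600",
]

if __name__ == "__main__":
    print("router deviations:",
          router_dns_deviation(["220.127.116.11", "18.104.22.168"]))
    ok, bad = filter_dns_replies(SAMPLE_FLOWS)
    print(f"allowed {len(ok)} DNS replies, dropped {len(bad)}")
    for flow in bad:
        print("  dropped reply from", flow["src_ip"])
```

Running the script reports both rogue addresses as deviations and drops the two replies sourced from them while passing the replies from approved resolvers. The design choice worth noting is the one Fialkov makes: blocking rather than rate-limiting the unapproved replies gives a hard failure that support staff can distinguish from ordinary slowness.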
Update: An earlier version of the article stated that it did not appear to be possible to get the ADSL password by logging in remotely, but this is incorrect for at least some routers. The article has been amended to reflect this.