Corero

The Anatomy of a Mikrotik RouterOS-Based Botnet Attack

Authors: Teressa Carlin and Huy Nguyen

In 2002, Mikrotik, a Latvian company known for its networking equipment and software, developed and launched RouterOS, an operating system used for routing, firewalling, bandwidth management, wireless access points and VPN servers, among other things. The system was designed to be easily deployable on a variety of platforms, including x86 and ARM-based devices as well as Mikrotik’s own RouterBOARD hardware, and is used by network administrators at ISPs and enterprises to manage and secure their networks.

Unfortunately, according to Shodan, many of the RouterOS systems in use today are running outdated software, a fact attackers are leveraging to compromise those devices and conscript them into botnets used in DDoS attacks. Below, our threat researchers lay out the anatomy of a RouterOS-based botnet attack they observed and offer ways to mitigate it.

What’s a RouterOS-based botnet?

Traditional DDoS botnets are typically created when malicious actors deploy scripts or binaries onto compromised devices and use them to launch attacks. RouterOS-based botnets differ: the devices running RouterOS are compromised and then simply reconfigured, with no new software installed, so that the tools already embedded in RouterOS conduct the DDoS attack. Whether an attacker can compromise a given device depends partly on which RouterOS version it runs, and in some cases multiple exploits can be used against a single version.

In our example, Corero researchers observed that once the attackers compromised a device, they created a user named “system” with full privileges. That account was then used over the RouterOS application programming interface (API) to configure Traffic Generator, a tool introduced in RouterOS v6 that lets users generate traffic for purposes such as testing bandwidth, monitoring, or simulating network load.

Figure 1: System user used by attacker via API

Traffic Generator can be used to stress-test networks, analyze performance, or simulate different types of traffic. Some common parameters include:

  • Packet-size: Specifies the size of the packets to generate
  • Rate: Packets-per-second (PPS) or megabits per second (Mbps)
  • Duration: How long to run the test

It also allows the user to define a packet structure, using a packet-template based on a variety of parameters such as:

  • ip-dst: List of destination IPs/subnet
  • ip-src: List of source IPs/subnet
  • ip-protocol: Specifies IP protocol for the packet
  • ip-ttl: Specifies TTL values
  • Data: Specifies the packet payload:
    • Uninitialized: Data after header is uninitialized, but not zero (fastest)
    • Specific-byte: Specific setting of data-byte
    • Incrementing: Filled with “00 01 02 03” etc.
    • Random: Filled with random bytes (slowest)

Our researchers watched as the attacker then added their own packet templates. Each template dictates the characteristics of the traffic it produces, and a separate command starts the generator with a duration, a packet size, and one or more templates. The tool also lets users set any field in the TCP/IP headers.

Figure 2: List of packet-templates added by the attacker

Using these packet templates, malicious actors can attack whole subnets, spoof source IP addresses, randomize source and destination ports, and manipulate payloads. This flexibility makes mitigation particularly challenging in large-scale attacks, where legitimate and malicious traffic must be told apart quickly.

Figure 3: A packet-template for UDP flood that an attacker added to a device

In our case study, the attacker built UDP packets aimed at destination port 30120 on a victim IP, with random source ports ranging from 40000 to 60000 and spoofed source IP addresses. The TTL for these packets started at 181, a non-default starting value that is often used to get past certain network defenses. The attacker also fully leveraged Traffic Generator by including “raw” in the header stack to construct packets carrying the payload “67 65 74 69 6e 66 6f 20 78 79 7a”, which decodes from hexadecimal to the ASCII string “getinfo xyz”. Interestingly, this exact payload is used legitimately by a gaming protocol, so each individual flood packet resembles a genuine query.
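The following is an added example (not Corero's code or research output) showing how the template described above turns into detection logic. Because every flood packet is individually indistinguishable from a legitimate “getinfo xyz” query and the sources are spoofed, the verdict cannot come from one packet or from a per-source rate; it has to come from volume and source diversity toward one destination. The packet records are constructed inline to resemble what a capture at the victim would show; the thresholds and the hop allowance on the TTL are assumptions, not values from the post.

```python
"""Flag the Traffic Generator UDP flood described in the case study.

Added example, not Corero's code. The packet records are constructed below
to resemble what a capture at the victim would show; the thresholds and the
hop allowance are assumptions, not values from the post.
"""
import ipaddress
import random
from collections import defaultdict
from dataclasses import dataclass

# Attributes taken from the case study: UDP to port 30120, random source ports
# in 40000-60000, spoofed sources, starting TTL 181, payload "getinfo xyz".
TARGET_PORT = 30120
SPORT_LOW, SPORT_HIGH = 40000, 60000
TTL_ORIGIN = 181
MAX_HOPS = 32            # assumption: the flood traverses at most 32 routers
PAYLOAD = bytes.fromhex("67 65 74 69 6e 66 6f 20 78 79 7a")   # b"getinfo xyz"


@dataclass(frozen=True)
class Pkt:
    ts: float        # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int         # TTL as seen at the victim, i.e. 181 minus hops traversed
    payload: bytes


def matches_template(p: Pkt) -> bool:
    """True if one packet looks like output of the attacker's packet template.
    A single match is not malicious: "getinfo xyz" is a legitimate query, so
    the verdict comes from volume and source diversity, not from this test."""
    return (p.dport == TARGET_PORT
            and SPORT_LOW <= p.sport <= SPORT_HIGH
            and TTL_ORIGIN - MAX_HOPS <= p.ttl <= TTL_ORIGIN
            and p.payload == PAYLOAD)


def find_floods(packets, window=1.0, min_pps=100, min_sources=50):
    """Bucket template matches per destination and time window. A bucket is a
    flood when it carries many packets from many distinct sources: spoofed
    sources make any per-source rate useless, so count sources instead."""
    buckets = defaultdict(list)
    for p in packets:
        if matches_template(p):
            buckets[(p.dst, int(p.ts // window))].append(p)
    floods = []
    for (dst, win), pkts in sorted(buckets.items()):
        sources = {p.src for p in pkts}
        if len(pkts) / window >= min_pps and len(sources) >= min_sources:
            floods.append({"dst": dst, "window": win, "packets": len(pkts),
                           "sources": len(sources),
                           "source_ports": len({p.sport for p in pkts})})
    return floods


def constructed_capture(seed=1):
    """Constructed sample: 300 flood packets within one second from random
    spoofed sources, plus three genuine queries (same payload, few packets,
    one real source) to a different server that must not be flagged."""
    rng = random.Random(seed)
    pkts = []
    for i in range(300):
        pkts.append(Pkt(ts=10.0 + i / 300,
                        src=str(ipaddress.IPv4Address(rng.getrandbits(32))),
                        sport=rng.randint(SPORT_LOW, SPORT_HIGH),
                        dst="203.0.113.10", dport=TARGET_PORT,
                        ttl=TTL_ORIGIN - rng.randint(8, 20),
                        payload=PAYLOAD))
    for i in range(3):
        pkts.append(Pkt(ts=10.2 + i / 10, src="192.0.2.7", sport=52000 + i,
                        dst="203.0.113.20", dport=TARGET_PORT, ttl=170,
                        payload=PAYLOAD))
    return pkts


if __name__ == "__main__":
    for flood in find_floods(constructed_capture()):
        print(flood)
```

The `source_ports` count in each finding is the tell that the template randomized ports rather than a real client retrying; on a production sensor the same bucketing would run over NetFlow or a packet tap, with `min_pps` raised to whatever the link normally carries to that port.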

While the feature-rich Traffic Generator is great for stress-testing, it becomes a double-edged sword once attackers take control of it and turn it to DDoS. Its capabilities, combined with the sheer number of exposed devices available as bots, mean attackers can saturate links with hundreds of Gbps of DDoS traffic.

Mitigating these attacks is therefore challenging and requires a comprehensive approach: a combination of tools and mechanisms that block attack traffic without impacting legitimate traffic, so that the business keeps running uninterrupted. If you haven’t already:

  1. Immediately upgrade your RouterOS version to the current release.
  2. Change your username and password, preferably using a password generator tool, and review the user list for accounts you did not create (the attackers in this case added a full-privilege user named “system”).
  3. Proactively monitor your network for anomalous behavior, including unexpected Traffic Generator packet templates and API logins.
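As an added example (not Corero's code or MikroTik's tooling) tying the packet-template fields listed earlier to the checks above: a Python audit that reads a RouterOS “/export” listing and flags an unexpected full-privilege user, an API service open to any source address, and any Traffic Generator packet template left on the device. The export text is a constructed sample written in “/export” syntax rather than output from a real router, the allow-list of full-privilege users is an assumption, and “raw-header” is the packet-template field name as I recall it from the RouterOS documentation; verify both against your own device.

```python
"""Audit a RouterOS '/export' listing for what the post describes: an
unexpected full-privilege user, an API service reachable from anywhere and
leftover Traffic Generator packet templates.

Added example, not Corero's code. SAMPLE_EXPORT is constructed and only
modelled on /export syntax; run audit() on a real '/export' instead.
"""
import shlex
from collections import defaultdict

SAMPLE_EXPORT = """\
# constructed sample in /export style, not taken from a real device
/ip service
set api address=0.0.0.0/0 disabled=no
set api-ssl disabled=yes
set www disabled=yes
/tool traffic-generator packet-template
add header-stack=mac,ip,udp,raw ip-dst=203.0.113.10 ip-src=0.0.0.0/0 \\
    ip-ttl=181 name=t1 raw-header=676574696e666f2078797a \\
    udp-dst-port=30120 udp-src-port=40000-60000
/user
add group=full name=admin
add group=full name=system
add group=read name=monitor
"""


def parse_export(text):
    """Return {section: [(verb, {key: value, "_args": [...]})]} from an
    export-style listing. Section lines start with '/', a trailing backslash
    continues a command on the next line, and '#' lines are comments."""
    entries = defaultdict(list)
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        verb, kv = tokens[0], {"_args": []}
        for tok in tokens[1:]:
            key, eq, val = tok.partition("=")
            if eq:
                kv[key] = val
            else:
                kv["_args"].append(tok)   # e.g. the service name in 'set api ...'
        entries[section].append((verb, kv))
    return entries


def decode_raw_header(hexstr):
    """Render a template's raw-header hex as text, non-printable bytes as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(hexstr))


def audit(text, expected_full_users=("admin",)):
    """Return a list of findings an operator should act on (allow-list assumed)."""
    cfg = parse_export(text)
    findings = []
    for _, kv in cfg.get("/user", []):
        if kv.get("group") == "full" and kv.get("name") not in expected_full_users:
            findings.append(f"unexpected full-privilege user: {kv['name']}")
    services = {kv["_args"][0]: kv for _, kv in cfg.get("/ip service", []) if kv["_args"]}
    for name in ("api", "api-ssl"):
        kv = services.get(name)
        if kv is None:
            # An export only lists changed settings; no line means defaults,
            # and the api service is enabled by default, so check on the box.
            findings.append(f"{name}: not in export, at defaults; verify with /ip service print")
        elif kv.get("disabled", "no") != "yes" and kv.get("address", "") in ("", "0.0.0.0/0"):
            findings.append(f"{name} service enabled without a source-address restriction")
    for _, kv in cfg.get("/tool traffic-generator packet-template", []):
        payload = decode_raw_header(kv["raw-header"]) if "raw-header" in kv else ""
        findings.append("traffic-generator packet template present: "
                        f"{kv.get('name', '?')} -> {kv.get('ip-dst', '?')}:"
                        f"{kv.get('udp-dst-port', '?')} ttl={kv.get('ip-ttl', '?')} "
                        f"payload={payload!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against the text of “/export” copied from the device; any packet template it reports should be treated as attacker configuration unless you put it there, and an API service with no address restriction is what let the “system” account do its work remotely in the case above.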

Taking these basic steps to secure your router, in coordination with a strong hybrid anti-DDoS solution, will go a long way toward defending against other risks and future attacks.