Home / Blogs

Dynamic DNS Customers, Check Your Router Settings!

Chris Brenton

There have been quite a few news stories released over the last 24 hours regarding a wide-scale compromise of 300,00 Internet gateway devices. Here's the executive summary of what happened, how to check if you are vulnerable, and what you can do to fix it.

What's The Big Deal?

Security researchers Team Cymru have discovered a set of compromised servers which suggest at least 300,000 home routers, firewalls, and Internet connection devices have been compromised by attackers. Note that this problem could actually be much larger, as it appears this was only a single set of malicious actors. There could be other nefarious groups that are using the same techniques, but were not detected during Team Cymru's study.

What's Effected?

Team Cymru has identified hardware from the following vendors as being compromised:

  • D-Link
  • Micronet
  • Tenda
  • TP-Link
  • Other unnamed vendors

If you use any of these devices, you should check it to ensure your device has not been compromised.

How Did The Attackers Break In?

It appears the attackers have been using a combination of known exploits and configuration issues. This is helpful as it means that if you install all security patches and properly configure your device, you will most likely be safe from attack.

How Do I Check My Device?

Once a device is compromised, the attackers change the DNS settings on the device so that all requests for Internet hosts run through servers they control. This permits them to hijack sessions as their whim. So the key here is to identify if your DNS settings have been changed.

The best way is to log on to your device via the administrative interface and check the DNS settings. How to do this and where the settings are located will vary from device to device. The malicious actors in this attack were redirecting all DNS to the IP addresses and So if you see these addresses, you have a problem.

However, what you really want to verify is whether your DNS settings have been changed at all, because a different set of malicious actors may be using different IP addresses. Most people set this value to whatever their Internet Service Provider (ISP) tells them to use. If you are unsure what this should be, contact your ISP's support group.

But I Don't Know How To Log On To My Router!

The router is the best place to check these settings and if you have a problem, you will ultimately need to gain access. Try doing a Google search on your device's make and model with a keyword such as "administrative access" or similar. That should produce some useful information.

However, when the DNS on your router gets changed, it will usually change the DNS info on your local systems as well. So you may be able to check one or more of your local systems to see if they are properly configured. For example on a Windows system, run the command:

ipconfig /all | more

Look through the output for the "DNS Servers" setting. If you have Linux or Mac based systems, open a command prompt and run the command:

cat /etc/resolv.conf

Again, check to see if the value is set to the proper IP addresses.

By Chris Brenton, Director of Security at Dyn

Related topics: Cyberattack, Cybercrime, Cybersecurity, DNS


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


Sponsored by Verisign

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll