MikroTik routers are forwarding owners’ traffic to unknown attackers

261 points | DyslexicAtheist | 7 years ago | blog.netlab.360.com

145 comments

[+] r1ch|7 years ago|reply
It's worth pointing out that the default configuration of almost every Mikrotik router these days comes with a firewall that blocks inbound access to all ports. Admins have to go out of their way to expose winbox to the internet (as many did - including myself - under the belief the protocol was somewhat secure running over TLS).

Unfortunately NIH syndrome runs at an all time high at Mikrotik. Even the RouterOS webserver and SMB implementations were custom written, and both were later found to contain remotely exploitable bugs. I'm sure there are other holes lurking in their implementations of ipsec, openvpn, etc, so I no longer open up anything and rely on port forwarding to more secure and battle-tested services like OpenSSH / Wireguard for remote management.

[+] eps|7 years ago|reply
This explains a lot.

Mikrotik boxes are really quirky. They basically have user-facing bugs, symptoms of which can have no explanation except for them fronting some massive clusterfuck on the inside. They used to do bizarre things with timestamps of freshly copied files, when the modified time would oscillate around some convergence point. Some weird directory names (like .popup ?) were reserved for no apparent reason and an attempt to create them failed with "file not found". That sort of thing. And we didn't even own any of their devices, we were just in a splatter zone from our clients constantly walking into Mikrotik issues. It was a few years ago though, so perhaps things have improved since then.

[+] philamonster|7 years ago|reply
> ...so I no longer open up anything and rely on port forwarding to more secure and battle-tested services like OpenSSH / Wireguard for remote management.

Absolutely. I purchased an rb2011uiasrm when I got gig fiber at home. I enjoyed hardening the router and ran IPsec VPN for a bit but prefer using another box w/OpenVPN and HMAC auth. I just don't see, no matter the promise of security, a good reason for explicitly allowing remote access from the internet to a core device, MikroTik or otherwise.

[+] kibwen|7 years ago|reply
Can anyone suggest a wireless router that someone can buy today that either ships with or can be flashed with OSS firmware? I've been trying to shop around for one compatible with DD-WRT or OpenWRT and been rather disheartened so far; every promising model I've found either requires you to play roulette with the specific hardware version of the router that you receive (which is never advertised on product pages), or is out of stock entirely, or costs upwards of $250 (which is tough to sell to my friends, when their ISP charges $10/mo to rent a router with much less hassle).
[+] arminiusreturns|7 years ago|reply
Ubiquiti EdgeOS based edgerouters are what I prefer as a greybeard sysadmin type who has dealt with everything under the sun. It's VyOS (Vyatta) based, they are now complying with gpl afaik, and their hardware is really good for the price/performance ratio. The edgerouter-x or lite can be found for ~$99 and is a great piece of gear.

Another option would be your own hardware with pfsense (bsd) or ipfire (linux).

Even further would be your own hardware with linux and write your own nftables or bpf.

[+] alias_neo|7 years ago|reply
For something with hardware offload, get a Ubiquiti EdgeRouter. I run one at home, it's debian based, I have lots of tools I've written in Go compiled and running on it for various purposes and you can install debian packages for things you need.

The other option I've heard good things about are the PCEngines devices. They don't, as far as I'm aware, have hardware offload, so make sure their performance suits, but they use OSS U-Boot and you install the OS of your choice. It's one of the most open devices in a router form factor I've come across.

Depending on the number of ports you need, you could also use one of the Jetway devices. They make them with varying numbers of ports as SBCs in a case and you add RAM/M.2 SSD. I got a Celeron one with 2 ports and run it as a Suricata IPS. It performed just fine with my 100M pipe.

[+] yjftsjthsd-h|7 years ago|reply
I know this doesn't help friends and non-technical folks, but I finally gave up and bought an APU[0], installed Debian, and configured dnsmasq+hostapd+iptables. With unattended updates, it was the most secure thing I could think of. Well, I suppose using openbsd would have been potentially more secure, but there were driver issues with the wireless card that I wanted.

[0] https://pcengines.ch/apu2.htm

[+] doctorpangloss|7 years ago|reply
The Netgear Nighthawk series is almost always available on Amazon and is generally well supported by dd-wrt.

Specifically, the best deals can be had on the oldest model, the R6700v3, from an Amazon warehouse deal for $70. This is what I use, and it works without issue with dd-wrt. You'll need to flash it 3 times.

The best device is probably the R7800 model. It uses a very fast, non-Broadcom (OpenWRT-supported), modern chip. The only way this matters in practice is if (1) you have a gigabit Internet connection and (2) if you need QoS turned on for scoring an A+ in "bufferbloat" on speedtest.net--i.e., you play games.

If you don't use QoS, you will be able to serve 1 gigabit with dd-wrt's "Shortcut Forwarding Engine," which is an accelerated "in-Linux-kernel IP packet forwarding engine." If you don't have a gigabit connection, the typical Linux routing stuff that dd-wrt uses is fine.

With regards to model roulette, you can always buy the specific model off eBay. These routers are so common I see listings for them on Craigslist in the Bay Area right now.

I would argue the two main reasons to do this are for improved security/stability and QoS. If you're not interested in these features, buy something that Wirecutter recommends in your price range. But compared to $70, I believe a truly decent router can be had for $50 (the Archer series others have mentioned) that is also truly ancient.

The Apple Airport devices run ARM NetBSD and you can SSH into them. The last generation ran NetBSD 7 and executed binaries from NetBSD userspace when compiled statically.

OpenWRT does not ship closed-source Broadcom drivers, so it tends to have worse support across the board. I don't think their OSS-related reasons for doing so are material to you.

[+] sokoloff|7 years ago|reply
I just last weekend retired a pair of Asus RT-AC66U routers/access points. They ran stable for years on Tomato (version tomato-RT-AC66U_AT-RT-AC6x-3.4-140-AIO-64K.trx) and I think all the hardware revisions work, but confirm that yourself.

I retired them mostly because the Ubiquiti management is much easier and that hardware also affordable (though the software is not open, so not a fit for your use case).

[+] pbasista|7 years ago|reply
There are a lot of them, but depending on which features you need and where you live, it might be difficult to get one.

Take a look e.g. at OpenWrt's list of devices "Ideal for OpenWrt": https://openwrt.org/toh/views/toh_available_864

Consider TP-Link Archer C7, for instance. It is an older one, but has reasonably fast hardware, supports IEEE 802.11ac and is available on Amazon. New costs ~75 USD, a "certified refurbished" version costs ~50 USD.

[+] technofiend|7 years ago|reply
Until very recently I would just go to Microcenter and purchase a cheap refurbished small form factor PC plus two Intel NICs and run OpenBSD. For less than $200 you have a fully functional router albeit at a higher power cost than a true appliance.

If you really need a small / low power usage appliance then some Ubiquiti devices run OpenBSD as I mentioned in another reply below.

Anecdotally OpenBSD also supports wireguard if that's a concern.

https://www.openbsd.org/octeon.html

https://marc.info/?l=openbsd-ports&m=152712417729497&w=2

[+] isatty2|7 years ago|reply
You can build your own router with inexpensive hardware and run pfsense on it. You can find many guides for that online.

Otherwise, get an edgerouter.

[+] linuxlizard|7 years ago|reply
So far, I've had very good luck with the ASUS AC1300 (asus_rt-ac58u) and OpenWRT. I still need to add to the openwrt wiki but it was pretty easy. (Luck == I've bought two so far, plan to buy more)
[+] rando444|7 years ago|reply
(1) Ask the manufacturer

(2) If you get the wrong router, just return it and get another.

(3) Buy a router at a brick and mortar store so you know what you're getting.

[+] tomatocracy|7 years ago|reply
I have one of the Linksys WRT-AC series (WRT-1900ACS but they are all pretty similar I think) - they're very well supported by OpenWRT (stock firmware is a derivative of OpenWRT in fact at least on some of them). Hardware specs are good, including reasonably fast CPUs (good enough to saturate a VPN at 100Mbit at least which is the uplink I have here). The open source wireless chipset support is towards the better end too - not perfect but a lot better than some others.

If you're flashing your own images of OpenWRT, there are a few conveniences which are a bit more uncommon in the hardware which are useful if you ever need to debrick - eg easily openable case, UART header comes pre-installed (you don't need to solder your own), etc.

[+] bipson|7 years ago|reply
Interestingly enough, MikroTik routers are mostly well supported by OpenWrt it seems. At least that's what my search for something that is beefier than regular OTS Routers has yielded. Flashing OpenWrt is a little cumbersome though.

TP-Link, the former manufacturer of my choice, unfortunately has become a version roulette it seems.

If power consumption does not bother you, maybe banana pi? Or something atom based?

[+] Ahl4Gom6|7 years ago|reply
I'm running openwrt on an R7800 and so far had no issues. But that's just the router, you'll still need a modem.
[+] jsjohnst|7 years ago|reply
I personally love pfSense and there’s tons of hardware for $100-250 that supports it.
[+] pjmlp|7 years ago|reply
Here in Germany there is the Fritz brand.

If I am not mistaken FRITZ!OS is a Linux distribution.

[+] CallMeZach|7 years ago|reply
I like Mikrotik hap ac(at work) or hap ac lite (at home). they simply work. always.
[+] paulcole|7 years ago|reply
I just pay the $10/month. The complete lack of hassle makes it worth it to me. Of all the things in the world I want to do, futzing with some OSS firmware is pretty close to the bottom of the list.

What’s your reason for suggesting friends buy a modem/router beyond the cost?

[+] hrudham|7 years ago|reply
My MikroTik started going nuts late last week; it managed to upload ~90Gb worth of data in 3 days (downloads weren't nearly as bad). Considering I only have a 300Gb cap, that hurt. I subsequently re-flashed it, and secured it properly this time, which solved the issue.

Using the hardware reset button doesn't fix things, so heads up for others in that situation. Use MikroTik's NetInstall to re-install RouterOS instead.

[+] paul7986|7 years ago|reply
Curious is this the VPNFilter malware or some new router virus?

Lately I’ve been having IP & Internet issues like....

- match suddenly banned me as a subscriber to okcupid and match. They won’t tell me why either & I've been a subscriber on/off for years. Never or ever would I do anything inappropriate though my match.com account I feel was hacked. Yet they don’t want to listen :-(

- my 6 month old roku device suddenly would no longer find my router.

- yesterday just bought a new Roku & was unable to activate it after many attempts.

Anyone else having weird Internet/IP device issues too?

[+] baybal2|7 years ago|reply
> MikroTik is a Lithuanian company founded in 1996 to develop routers and wireless ISP systems.

Mikrotik is Latvian, not Lithuanian.

[+] isostatic|7 years ago|reply
My home router has the following

  /ip firewall filter
  add action=accept chain=input connection-state=established
  add action=accept chain=input connection-state=related
  add action=accept chain=input dst-port=5000 protocol=udp
  add action=accept chain=input dst-port=6000 protocol=udp
  add action=accept chain=input dst-port=6001 protocol=udp
  add action=accept chain=input protocol=icmp
  add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
  add action=accept chain=input dst-port=179 in-interface-list=LAN protocol=tcp
  add action=drop chain=input in-interface=btopenreach
  add action=drop chain=input

Clearly it's possible that an attacker could come in from the back door (desktop, XSS etc), I could lock down the BGP more, and tighten up Mgmt beyond its current fairly wide subnets (a /16 owned by work and my wired range), but it becomes a hassle, which leads to more disabling of the "action=drop" while debugging. My backup script emails me when the configuration changes.

To check if your proxy is enabled (probably shouldn't be)

  /ip proxy print 
  enabled: no
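As an added example (not from the thread, and not MikroTik's own tooling), a small Python audit that reads a `/ip firewall filter` export in the rule shape posted above and reports RouterOS management ports (the winbox, ssh, www and api defaults) accepted from any source, or a missing unconditional drop at the end of the input chain, plus the `/ip proxy print` check. The sample export and proxy output are constructed.

```python
import re
import shlex

# Default ports of RouterOS management services (winbox and ssh are the ones the thread discusses).
MGMT_PORTS = {22: "ssh", 80: "www", 443: "www-ssl", 8291: "winbox", 8728: "api", 8729: "api-ssl"}

# Constructed sample export in the poster's rule shape, plus one rule that exposes winbox to everyone.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=Mgmt
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=179 in-interface-list=LAN protocol=tcp
add action=drop chain=input
"""

def parse_rules(export):
    """Turn each `add key=value ...` line into a dict; other lines are skipped."""
    rules = []
    for line in export.splitlines():
        if line.strip().startswith("add "):
            pairs = (tok.partition("=") for tok in shlex.split(line.strip())[1:])
            rules.append({k: v for k, _, v in pairs})
    return rules

def ports_of(rule):
    """Expand dst-port ('22', '80,443', '8728-8729') into a set of ints."""
    ports = set()
    for part in filter(None, rule.get("dst-port", "").split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_input_chain(export):
    """Return findings: management ports accepted from any source, and a missing final drop."""
    findings = []
    rules = [r for r in parse_rules(export) if r.get("chain") == "input"]
    for r in rules:
        restricted = any(k in r for k in ("src-address", "src-address-list", "in-interface", "in-interface-list"))
        if r.get("action") == "accept" and not restricted:
            for p in sorted(ports_of(r) & set(MGMT_PORTS)):
                findings.append(f"{MGMT_PORTS[p]} ({p}/{r.get('protocol', 'any')}) accepted from any source")
    # The last input rule should drop everything else and carry no extra matchers.
    extra = set(rules[-1]) - {"action", "chain", "comment", "log", "log-prefix"} if rules else set()
    if not rules or rules[-1].get("action") != "drop" or extra:
        findings.append("input chain has no final unconditional drop")
    return findings

def proxy_enabled(print_output):
    """True when `/ip proxy print` output reports `enabled: yes` (the poster's check)."""
    m = re.search(r"^\s*enabled:\s*(yes|no)\b", print_output, re.M)
    return bool(m and m.group(1) == "yes")

if __name__ == "__main__":
    for f in audit_input_chain(SAMPLE_EXPORT):
        print("FINDING:", f)
    print("proxy enabled:", proxy_enabled("  enabled: no\n"))
```

Feed it the output of `/ip firewall filter export` and `/ip proxy print` from a real device; a rule restricted by `src-address-list` or `in-interface-list`, like the ssh and BGP rules above, is not flagged.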
[+] 24gttghh|7 years ago|reply
You could limit only certain ICMP types as well, and change your SSH port. And you can ask yourself: Do I really need access to my firewall from work?
[+] lucb1e|7 years ago|reply
What OS or software is that? Is that a Mikrotik router with default firmware that accepts such rules as you posted?
[+] dboreham|7 years ago|reply
Also change the winbox port if you need it to be enabled.
[+] TeMPOraL|7 years ago|reply
> After enabling the Mikrotik RouterOS HTTP proxy, the attacker uses a trick in the configuration by redirecting all the HTTP proxy requests to a local HTTP 403 error page, and in this error page a link for web mining code from coinhive.com is inserted. By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices

> What is disappointing for the attacker though, the mining code does not work in this way, because all the external web resources, including those from coinhive.com necessary for web mining, are blocked by the proxy ACLs set by attackers themselves.

Smart enough to breach Mikrotik routers. Dumb enough to fuck up linking in coinhive JS. That screams "script kiddie buying delivery method on an open market".

Also, how is coinhive still a thing?

[+] ballenf|7 years ago|reply
> Also, how is coinhive still a thing?

It's too bad coinhive is so easy to abuse. I'd much rather live in a world where websites are financed with my electric bill rather than my data.

[+] justinclift|7 years ago|reply
> Attackers mainly interested in port 20, 21, 25, 110, and 143, corresponding to FTP-data, FTP, SMTP, POP3, and IMAP traffic.

That strongly suggests password harvesting. Those ports/protocols often (not always) are used for unencrypted user/pass combinations. :(

[+] jessaustin|7 years ago|reply
I always disable winbox on installation.

  /ip service disable winbox

Why would anyone want to use that? My theory is that it has something to do with how in many cases the MT sshd has to be told to figure out the terminal:

  $ ssh [email protected]
...and this information is really hard to find. If the terminal settings aren't right and you can't fix them, ssh is unusable and you're stuck with either winbox or webfig. Fortunately, if the ssh session is wrapped in a mosh session then mosh will handle MT's terminal settings.
[+] 4ad|7 years ago|reply
Afaik winbox is the only way to reconfigure the device in case of serious IP misconfiguration, or if layer 3 networking does not work for some reason (I just had to debug a switching loop...), as winbox can connect by MAC, rather than IP.
[+] JohnnyWesh|7 years ago|reply
Just yesterday updated my Mikrotik to latest current. And now read that news. Great!
[+] teilo|7 years ago|reply
Then you're just fine. The vulnerabilities were patched months ago.
[+] burkesquires|7 years ago|reply
Do NOT visit...trojan at URL!
[+] JohnnyWesh|7 years ago|reply
I think u use Mikrotik without an update! =D
[+] burkesquires|7 years ago|reply
That stinks. I tried to help the community by providing a warning and I get downvoted. What is the motivation to help? From now on I will not issue any warnings.
[+] isostatic|7 years ago|reply
Really? In what way?