CSIRT.CZ Warns Against a High-Risk Configuration of RouterOS

June 29, 2012

In a recent incident in which we observed several DNS amplification attacks, we were informed that some of the DNS servers involved were running on Mikrotik devices. Mikrotik is a brand of routers popular primarily among advanced users because its products allow great flexibility in their configuration. This customisability, however, also carries some risks.

For this reason, we decided to investigate the latest stable version of the Mikrotik device software (RouterOS 5.18). It turned out that the DNS server on these devices is reachable on all of the device's ports, and access to it has to be restricted with the integrated firewall. This is a significant difference from the conventional routers intended for households and small businesses, where the DNS server is usually reachable only on the IP address of the internal network. With Mikrotik, this is not the case: if Allow Remote Requests is enabled in the IP/DNS section, name resolution is automatically allowed not only for your own network but for the entire Internet as well.

This allows attackers to use a Mikrotik device configured this way to launch a DNS amplification attack. In addition to slowing down your Internet connection, this may result in you being accused of participating in a DDoS attack: the victims of the attack will be receiving packets from your Mikrotik device without ever having initiated any communication with you.

If you do use the DNS server built into RouterOS, we recommend limiting access to port 53 to computers on the local network only. This removes the possibility of your connection being abused for such attacks.
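A RouterOS configuration of the kind recommended above, given here as an added example rather than as CSIRT.CZ's own text. The LAN subnet 192.168.88.0/24 is an assumption (the RouterOS default) and must be adjusted to your own network.

```routeros
# Added example, not part of the original advisory.
# Assumption: the local network is 192.168.88.0/24 (RouterOS default).

# If the router does not need to resolve names for LAN clients at all,
# the simplest fix is to disable the recursive resolver entirely:
/ip dns set allow-remote-requests=no

# Otherwise keep the resolver but answer only the local network.
# Input-chain rules are evaluated top to bottom, so the accept rules
# for the LAN must be placed before the drop rules. DNS uses both
# UDP and TCP on port 53, so both protocols are covered.
/ip firewall filter
add chain=input protocol=udp dst-port=53 src-address=192.168.88.0/24 \
    action=accept comment="DNS: allow queries from the LAN (UDP)"
add chain=input protocol=tcp dst-port=53 src-address=192.168.88.0/24 \
    action=accept comment="DNS: allow queries from the LAN (TCP)"
add chain=input protocol=udp dst-port=53 \
    action=drop comment="DNS: drop queries from everywhere else (UDP)"
add chain=input protocol=tcp dst-port=53 \
    action=drop comment="DNS: drop queries from everywhere else (TCP)"

# Check: the packet counters of the two drop rules will keep rising for
# as long as hosts on the Internet are still trying to use the router
# as an open resolver.
/ip firewall filter print stats where dst-port=53
```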