MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification

Title: MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Ceron, J. M., Scholten, C., Pras, A., Santanna, J.
Conference Name: NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium
Date Published: April 2020
ISBN Number: 978-1-7281-4973-8
Keywords: automated attack classification, Computer crime, computer network security, core network infrastructure, core networks, core routers, DDoS Attacks, easy-to-deploy MikroTik honeypot, hacker attacks, Honey Pot, honey pots, honey-pot, Human Behavior, human factors, Internet, Internet exchanges, invasive software, low-cost routers, malware campaigns, memory size 4.0 TByte, MikroTik, MikroTik devices, MikroTik devices landscape, MikroTik routers, pubcrawl, realistic honeypots, resilience, Resiliency, RouterOS, Scalability, security, telecommunication network routing, time 45.0 d, vulnerabilities

In 2018, several malware campaigns targeted and succeeded in infecting millions of low-cost routers (e.g., VPNFilter, Navidade, and SonarDNS). These routers were then used for all sorts of cybercrime, from DDoS attacks to ransomware. MikroTik routers are a peculiar example of low-cost routers: they are used both to provide last-mile access to home users and in core network infrastructure. Half of the core routers used in one of the biggest Internet exchanges in the world are MikroTik devices. The problem is that the vulnerable firmware (RouterOS) used in home users' houses is also used in core networks. In this paper, we are the first to quantify the problem that infecting MikroTik devices would pose to the Internet. Based on more than 4 TB of data, we reveal more than 4 million MikroTik devices in the world. Then, we propose an easy-to-deploy MikroTik honeypot and collect more than 17 million packets, in 45 days, from sensors deployed in Australia, Brazil, China, India, the Netherlands, and the United States. Finally, we use the data collected from our honeypots to automatically classify and assess attacks tailored to MikroTik devices. All our source code and analysis are publicly available. We believe that our honeypots and our findings in this paper foster security improvements in MikroTik devices worldwide.

Citation Key: ceron_mikrotik_2020