MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification

Joao M. Ceron, Christian Scholten, Aiko Pras, Jair Santanna

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

Abstract

In 2018, several malware campaigns targeted and succeed to infect millions of low-cost routers (malwares e.g., VPN-Filter, Navidade, and SonarDNS). These routers were used, then, for all sort of cybercrimes: from DDoS attacks to ransomware. MikroTik routers are a peculiar example of low-cost routers. These routers are used to provide both last mile access to home users and are used in core network infrastructure. Half of the core routers used in one of the biggest Internet exchanges in the world are MikroTik devices. The problem is that vulnerable firmwares (RouterOS) used in homeusers houses are also used in core networks. In this paper, we are the first to quantify the problem that infecting MikroTik devices would pose to the Internet. Based on more than 4 TB of data, we reveal more than 4 million MikroTik devices in the world. Then, we propose an easy-to-deploy MikroTik honeypot and collect more than 17 millions packets, in 45 days, from sensors deployed in Australia, Brazil, China, India, Netherlands, and the United States. Finally, we use the collected data from our honeypots to automatically classify and assess attacks tailored to MikroTik devices. All our source-codes and analysis are publicly available. We believe that our honeypots and our findings in this paper foster security improvements in MikroTik devices worldwide.

Original languageEnglish
Title of host publicationProceedings of IEEE/IFIP Network Operations and Management Symposium 2020
Subtitle of host publicationManagement in the Age of Softwarization and Artificial Intelligence
Place of PublicationPiscataway, NJ
PublisherIEEE
ISBN (Electronic)978-1-7281-4973-8
ISBN (Print)978-1-7281-4974-5
DOIs
Publication statusPublished - Apr 2020
Event17th IEEE/IFIP Network Operations and Management Symposium, NOMS 2020: Management in the Age of Softwarization and Artificial Intelligence - Virtual conference, Budapest, Hungary
Duration: 20 Apr 202024 Apr 2020
Conference number: 17
https://noms2020.ieee-noms.org/ (Conference)

Publication series

Name2020 IEEE/IFIP Network Operations and Management Symposium (NOMS 2020)
PublisherIEEE
Volume2020
ISSN (Print)1542-1201
ISSN (Electronic)2374-9709

Conference

Conference17th IEEE/IFIP Network Operations and Management Symposium, NOMS 2020
Abbreviated titleNOMS
CountryHungary
CityBudapest
Period20/04/2024/04/20
Internet address

Keywords

  • Hacker attacks
  • Honey-pot
  • Low-cost routers
  • MikroTik
  • RouterOS
  • Security
  • Vulnerabilities

Fingerprint Dive into the research topics of 'MikroTik Devices Landscape, Realistic Honeypots, and Automated Attack Classification'. Together they form a unique fingerprint.

Cite this