Lizard Squad's DDoS attack service mostly powered by thousands of hacked home routers

By Shawn Knight · 25 replies
Jan 9, 2015
  1. Lizard Squad, the group of hackers responsible for knocking Microsoft's Xbox Live and Sony's PlayStation Network offline during the holidays, began offering its DDoS attack as an on-demand service earlier this month to anyone willing to pay their nominal fees.

  2. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    I thought by default the admin page was not externally accessible?
  3. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,730   +3,703

    ^^ yeah you would think that would be the case. So much for having firewalls, if they don't work for you by default.
  4. Axle Greese

    Axle Greese TS Enthusiast Posts: 31

    How does a person know if his router's been hacked?
  5. Nima304

    Nima304 TS Guru Posts: 365   +81

    Remote administration is disabled on every single router I've ever seen (eight years of system administration work now) by default. Doesn't hurt to make sure, though; I always do.
  6. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,730   +3,703

    For the record, how exactly does one do that?
  7. How does setting DNS settings to Open DNS help?
  8. Nima304

    Nima304 TS Guru Posts: 365   +81

    I'm not going to assume any technical knowledge, so here's a full tutorial. First, you're going to need to find your router's IP address. Directions sorted by operating system (I'm assuming you're using Windows):

    On Windows Vista/7:

    1. Click on the Start Menu.
    2. Type "cmd" into the search box, then hit Enter.
    3. Type "ipconfig" into the box that pops up. This will output a bunch of information.
    4. If you're on Wifi, look for something like "Wireless LAN adapter Wireless Network Connection." If on Ethernet, look for "Ethernet adapter Local Area Connection."
    5. Under that connection, you should see "Default Gateway," followed by some numbers that probably look like or Put that into the address bar on your computer.
    On Windows 8 (copied from Microsoft's website):
    1. Swipe in from the right edge of the screen, and then tap Search.
      (If you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search.)
    2. Enter cmd in the search box, and then tap or click Command Prompt.
    3. Complete steps 3-5 from the Windows Vista/7 instructions.
    Once you have that IP address pasted in your web browser, go to the address. It's going to want a username and password. Now, I'm not sure what router you're using, but either the username and password is on the physical device (which will be a box given to you by whomever provides your Internet access), or it's going to be a combination like admin/admin, or admin/1234, or something like that. Look up your router's model number and search for the default username and password on the Internet, and see what you get.

    Once you get onto your router, you're going to need to look for advanced settings of some kind. As stated before, I'm not sure what kind of router you have, and different routers have different interfaces. Once you find advanced settings, look for something along the lines of "Remote Administration."

    In Remote Administration, make sure everything is disabled. There might be an option to allow/disallow ICMP requests (or it might say ping). You can disable this if you'd like, but it honestly has next to zero security benefit. If you want peace of mind, just disable everything. Honestly, remote administration is one of the worst ideas I've ever seen used in this kind of technology.

    Let me know if you have any questions or difficulties following these instructions.
    risc32 and cliffordcooley like this.
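A way to script the first step of the walkthrough above (finding the router's LAN address from `ipconfig` output), as an added example that is not part of the thread or anyone's post in it. The `ipconfig` text and the addresses in it are constructed sample values; on a Windows machine the script reads the real `ipconfig` output instead and falls back to the sample elsewhere.

```python
# Added example (not from the thread): find the router's LAN address from
# `ipconfig` output, the first step in the walkthrough above. The ipconfig text
# below is constructed for illustration, not captured from a real machine; the
# addresses in it are sample values.
import ipaddress
import re
import subprocess

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Link-local IPv6 Address . . . . . : fe80::1c2a:3b4c:5d6e:7f80%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.37
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*?):\s*$")                 # unindented "... adapter ...:" header
GATEWAY_RE = re.compile(r"^\s+Default Gateway[ .]*:\s*(\S*)\s*$")
CONT_RE = re.compile(r"^\s+(\S+)\s*$")                     # continuation line holding one address


def parse_gateways(text):
    """Return {adapter name: IPv4 default gateway} for every adapter that has one.

    ipconfig may print an IPv6 gateway first and the IPv4 one on an unlabelled
    continuation line, so the lines after the label are scanned as well.
    """
    gateways = {}
    adapter = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        header = ADAPTER_RE.match(lines[i])
        if header:
            adapter = header.group(1)
        gw = GATEWAY_RE.match(lines[i])
        if gw and adapter is not None:
            candidates = [gw.group(1)] if gw.group(1) else []
            while i + 1 < len(lines) and CONT_RE.match(lines[i + 1]):
                i += 1
                candidates.append(CONT_RE.match(lines[i]).group(1))
            for cand in candidates:
                try:
                    addr = ipaddress.ip_address(cand.split("%", 1)[0])  # drop IPv6 zone id
                except ValueError:
                    continue
                if addr.version == 4:
                    gateways[adapter] = str(addr)
                    break
        i += 1
    return gateways


def is_home_router(gateway):
    """True when the gateway sits in a private address range, which is what a
    router you administer yourself normally uses."""
    return ipaddress.ip_address(gateway).is_private


def admin_url(gateway):
    """The address to paste into the browser, as the walkthrough describes."""
    return f"http://{gateway}/"


def router_report(text):
    """Summarise each adapter's gateway and whether it looks like a home router."""
    report = []
    for adapter, gateway in parse_gateways(text).items():
        if is_home_router(gateway):
            note = "open %s and look for the remote administration / WAN access setting" % admin_url(gateway)
        else:
            note = "public address; this may be ISP equipment rather than your own router"
        report.append((adapter, gateway, note))
    return report


if __name__ == "__main__":
    # On Windows, read the real ipconfig output; elsewhere fall back to the sample.
    try:
        live = subprocess.run(["ipconfig"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_IPCONFIG
    for adapter, gateway, note in router_report(live):
        print(f"{adapter}: gateway {gateway} -> {note}")
```

The parser keys on the unindented adapter headers and the "Default Gateway" label exactly as `ipconfig` prints them, and it skips disconnected adapters (no gateway line) and IPv6 gateways, so what is left is the address the walkthrough tells you to type into the browser.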
  9. Nima304

    Nima304 TS Guru Posts: 365   +81

    DNS servers that belong to ISPs generally suck, but the point being made here is that OpenDNS will blacklist domains that are known to host malware. By switching to their DNS servers, you're adding an extra layer of defense because your computer won't be able to go to websites that are blacklisted by OpenDNS. This was all in the article linked from KrebsOnSecurity.

    Personally, I don't really see a need. However, Verizon and Comcast (major ISPs in my area) generally have shitty DNS servers with shitty response times and shitty uptime, so I always change my DNS servers to Google's ( and Never had any problem with them, although I'll change if we see some information about Google doing DNS poisoning attacks from its servers.
  10. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 9,730   +3,703

    Your instructions are fine, though I don't see anything listed as "Remote Administration".

    There is a setting listed as "Enable Web Access from WAN?" which is set to "No". The description is "This feature allows you to config RT-N10 from the Internet.". I'm not sure if this is the setting you are referring to.
    Darth Shiv likes this.
  11. Nima304

    Nima304 TS Guru Posts: 365   +81

    That's exactly it. The theory behind that feature is that you can change router settings while outside the network (so, for example, tech support for a company wouldn't have to drive down to a location if they could change things remotely), which makes sense until you realize that it's much safer and much more secure to set up remote access to a computer inside the network, then access the router from that computer, instead of exposing your router's login page to the Internet.
    Darth Shiv and cliffordcooley like this.
  12. I'm pretty sure BT (the UK's leading ISP) has been busily updating its supplied home routers. They (FBI?) should just follow the money; that normally nets the bad guy.
  13. I wonder if the North Korean internet shutdown was carried out by Lizard Squad.. :D
  14. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    Yeah same. Wonder what routers are being targeted and how?
  15. risc32

    risc32 TS Addict Posts: 209   +96

    Thanks for that write-up, Nima304! I've been using Windows PCs and a few Macs since the mid-to-late '90s and know more than the average bear about computers, but I have to confess, I know little about routers. Thanks.
  16. treetops

    treetops TS Evangelist Posts: 2,073   +219

    Couldn't someone drive around with a laptop programmed to try to log into the firmware of every network it encountered with known default admin PW/UN? Then subsequently infect any router that allowed access?

    Could malware also be broadcasted out in the same manner from infected routers?
    Last edited: Jan 11, 2015
  17. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +903

    As long as they have bridge tech, yes, it could be feasible.
  18. Hi,

    You don't need access to the router from the Internet to hack it. How many people do you know who received an email and just clicked on the attachment? So yes, most routers have remote administration disabled, but if you don't change the default password it's easy to send an email and run a little script to log in to your router and change the settings.
    jobeard likes this.
  19. DontAskTwice

    DontAskTwice TS Rookie

    Yes, remote administration is disabled, but that doesn't stop the attack being that it generates from within. Most routers come with a default password to the network on the side of the box. Whether that method is used from war driving or a rootkit style attack on a system, it allows you on the network. From there, it's simple. EVERYBODY's router ships with the SAME default information. Username is usually admin, password is usually blank or "password." That's the information that needs to be changed.
  20. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    There are quite a few caveats there now.

    1) Attacker must be physically close to the target.

    2) Wifi network must have default or weak password (to get to the admin page, you need to be on the Wifi). A WEP network is trivially crackable (within seconds on a modern laptop or smartphone) so all WEP networks are effectively unencrypted.

    3) Admin must have default password.

    How are they getting thousands of these exploitable routers if it requires 1)? Is there a master list of compromised routers that wardrivers are adding to?
    cliffordcooley likes this.
  21. DontAskTwice

    DontAskTwice TS Rookie

    All I'll say is this: I do security assessments and I'd estimate that 70% of consumer routers such as Netgear, Linksys, Belkin, and ISP gateways are left with default passwords on the management console and to the access, period. Comcast sets up routers with the wireless password as the user's phone number. Some people don't like the hassle of setting it up, so they simply leave it open altogether. Walk around your neighborhood sometime; you'd be amazed. To get to "thousands" it doesn't take much when you're talking millions of devices. As far as there being a list, I'm certain.
  22. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,286   +903

    Also, ISPs' modem/routers are usually remotely managed, with one weak password for all of them, in a ton of countries.
  23. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,811   +472

    Another case of convenience over best practices. It's the absolute most critical part of a home internet connection (the router's security), yet ISPs want to be able to offer services to non-IT-savvy people and do so with absolutely horrible security practices.

    If they want to do that, they need to also block that port from internet access (and maybe allow access on request if default passwords etc. are changed).
    cliffordcooley likes this.
  24. nndar

    nndar TS Rookie

    I can't log onto PlayStation Network with my PC or PS3. How can I fix that?
  25. nndar

    nndar TS Rookie

    And my remote management is off.
