Lizard Squad, the group of hackers responsible for knocking Microsoft’s Xbox Live and Sony’s PlayStation Network offline during the holidays, began offering its DDoS attack as an on-demand service earlier this month to anyone willing to pay their nominal fees.

Dubbed LizardStresser, the service was made available via multiple package deals with varying amounts of downtime. How exactly the hacking collective managed to pull off its public attacks as well as those requested by paying individuals has remained a mystery until now.

According to KrebsOnSecurity, the attacks are mostly powered by thousands of hacked home Internet routers. Considering the fact that many home routers are protected by little more than factory-default usernames and passwords, it’s easy to see how the Lizard Squad could amass a sizable army of routers.

The malware being used to affect vulnerable routers appears to date back to early 2014, Krebs notes. Upon infection, it turns the host into an attack zombie that also scours the Internet in search of other devices it can infect.

Krebs adds that the best line of defense is to simply change the default credentials on your router. It’s also a good idea to pick a strong password and of course, be sure to enable encryption when setting everything up.

Those looking to take it a step further are also encouraged to change their router’s default DNS servers to those maintained by OpenDNS.