Draytek [Security Advisory: CSRF & DNS/DHCP/Web Attacks](https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks)
For what it's worth, the rogue DNS server appears to be buried in China Telecom somewhere - the last hop with a name I see is:
chinatelecom-ic-312676-las-b3.c.telia.net 100.017 ms
188.8.131.52 100.643 ms
This is in a business environment.
2 of our Draytek routers have had their DNS settings changed, but the syslog shows that no one signed on.
Well that's just no fucking good at all.
Did your routers have their management interface exposed to the internet?
Thank you for sharing!
Draytek has provided a vulnerability bulletin and software update:
In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.
I recommend patching as soon as possible.
We are just going through this at the moment, if you have a Draytek I suggest you check it asap.
Thanks, so that's why this happened not too long ago. That'll be a nice round of updates.
Anyone know of a good centralized management suite for these things?
Draytek ACS allows for their routers and APs to be managed centrally. This is how we're upgrading all of our routers' firmware. After testing, of course.
We found one of these Draytek pieces of crap in one of our customers, insisted they replace it. No clue who is buying this garbage, or why they would buy this over an edgerouter or a pfsense solution.
An exploited vulnerability does not mean that DrayTek routers are "garbage"...
Backdoors (...) have been found in Cisco products multiple times. MikroTik recently released (twice in a month) patches for RouterOS because critical and exploited vulnerabilities were discovered. Does that make Cisco or MT garbage?
Vulnerabilities (and severe ones) have been found in both Ubiquiti products and pfSense. That doesn't of course make any of them garbage.
The hacks about Vigor routers were found yesterday and today a new firmware along with steps for security checks were released by DrayTek. Imo the way and most importantly speed they treated this flaw is great.
No I thought they were garbage long before the exploit.
Haha. Yeah, Draytek are terrible. In the UK, it seems all 2-bit IT support companies force them upon their customers as the best thing since sliced bread. They're just poo. To even try and compare them to Cisco or Mikrotik is a little bit daft.
Mikrotik had the same issue last month?!
What makes them poo?
They're at least better than the ones ISPs generally issue, and a bit more budget friendly than the bigger names.
Do fixes like this migrate to new products?
I have today seen a Linux server with the default nameserver changed to the rogue IP in /etc/resolv.conf. Interesting point: the internet gateway is an attacked Vigor 2920 with changed DNS settings for the DHCP server, but the DHCP server was disabled. I'm still trying to figure out how the Linux box got those entries with DHCP not enabled (it is itself a DHCP server).
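A small audit script for the situation this commenter describes, added here as an example and not code from the thread or from DrayTek: it parses a resolv.conf body and an ISC dhcpd configuration for nameserver addresses and reports any that are not on an allowlist of the nameservers the site actually runs. The allowlist, the sample file contents and the "unexpected" address are all constructed placeholders from documentation ranges, not the rogue IP from the thread.

```python
import re

# Constructed allowlist: the resolvers this site is supposed to hand out.
# Replace with your own; these are documentation-range placeholders.
EXPECTED_NAMESERVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample /etc/resolv.conf body (not from the thread).
# 203.0.113.7 stands in for an unexpected resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.7
"""

# Constructed sample ISC dhcpd.conf fragment for the on-box DHCP server.
SAMPLE_DHCPD_CONF = """\
subnet 192.0.2.0 netmask 255.255.255.0 {
  range 192.0.2.100 192.0.2.200;
  option domain-name-servers 203.0.113.7, 192.0.2.53;
  option routers 192.0.2.1;
}
"""


def resolv_conf_nameservers(text):
    """Return the nameserver addresses listed in a resolv.conf body, in file order."""
    servers = []
    for line in text.splitlines():
        # resolv.conf comments start with '#' or ';'
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dhcpd_nameservers(text):
    """Return addresses from every 'option domain-name-servers' line in a dhcpd config."""
    servers = []
    for match in re.finditer(r"option\s+domain-name-servers\s+([^;]+);", text):
        servers.extend(s.strip() for s in match.group(1).split(","))
    return servers


def unexpected(servers, allowlist=EXPECTED_NAMESERVERS):
    """Addresses not in the allowlist, in first-seen order, without duplicates."""
    flagged = []
    for server in servers:
        if server not in allowlist and server not in flagged:
            flagged.append(server)
    return flagged


def audit(resolv_text, dhcpd_text, allowlist=EXPECTED_NAMESERVERS):
    """Map each configuration source to the nameservers it lists outside the allowlist."""
    return {
        "resolv.conf": unexpected(resolv_conf_nameservers(resolv_text), allowlist),
        "dhcpd.conf": unexpected(dhcpd_nameservers(dhcpd_text), allowlist),
    }


if __name__ == "__main__":
    # On a real host, read the files instead of the constructed samples:
    # open("/etc/resolv.conf").read() and open("/etc/dhcp/dhcpd.conf").read()
    for source, flagged in audit(SAMPLE_RESOLV_CONF, SAMPLE_DHCPD_CONF).items():
        status = "OK" if not flagged else "UNEXPECTED " + ", ".join(flagged)
        print(f"{source}: {status}")
```

Checking both the host resolver file and the DHCP server's handed-out option against the same allowlist is the point: a server that is itself a DHCP server can pass a changed resolver on to every client it serves, so both places need the comparison, not only the file the client happens to read.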
OP linked to Draytek's own support/security advisory page... They are the vendor...
Yes they are fully aware.