Hacking the router: characterizing attacks targeting low-cost routers using a honeypot router

In this paper hacker attacks against low-cost routers have been investigated with the goal to get a better understanding of the intents of hackers and to find ways to improve defense mechanisms for these devices. This has been achieved by characterizing and analyzing real hacker attacks performed against a honeypot router device in a cloud environment. RouterOS from MikroTik has been run in a cloud environment as a honeypot to capture hacker attacks. Using this environment, multiple attacks have been discovered, including traffic related to CVE-2018- 14847, which contributed 71.1% of all traffic on MikroTik specific port 8291. Some successful DNS redirection at- tempts were discovered and attacks were received that managed to reboot the honeypot router by sending one or multiple RST packets.