top of page

MikroTik under attack, DDoS and Internet Service Providers: What is the relationship?

MikroTik under attack
MikroTik under attack

A new wave of searches for MikroTik devices exposed on the Internet began two weeks ago, more precisely on April 16, and was detected by NetSensor's Threat Intelligence network, HackNet.

The campaign is looking for MikroTik equipment that is exposing its API on the standard port 8728/TCP.

After enriching and analyzing the data collected by HackNet, a lot of valuable and revealing information about this activity was identified.

Unusual origins

In the current scenario, the largest sources of malicious traffic are generally concentrated in the United States, China, United Kingdom, South Korea, India and Russia, as can be seen in the graph below:

However, when analyzing the origins involved in the search for MikroTik equipment, the scenario found is different, completely different, with practically all activity concentrated in France, Switzerland, Bulgaria and Lithuania.

When we take this information to a heat map, we see the change in the global malicious traffic scenario below:

For this completely different scenario, which shows the global search for the MikroTik equipment API:

Global search

The search was identified in a linear manner in all 22 HackNet points of presence in the world, characterizing a global search for MikroTik equipment on the Internet, without showing any type of preference by country or region.


One of the main reasons for this interest is to be able to take control of devices and recruit them to form a large network (botnet) with high offensive capacity to carry out large-scale denial of service (DDoS) attacks.

DDoS attacks: The origin of the problem

DDoS attacks of frightening proportions have been seen against Internet service providers (ISP), causing problems with the continuity of services and directly harming thousands of these providers' customers.

Investments have been made in technology, people and processes to overcome the problem when an attack is underway, but these are often "rudimentary" workaround measures to alleviate the problem at that moment.

Just like in the real world, focusing on trying to shield yourself from the enemy's firepower is like fighting crime just by campaigning to seize firearms. Much more is needed than that, otherwise the weapons will simply be replaced by others and the cycle will repeat itself, in a futile attempt to protect itself from a firepower that is renewed and grows more and more.

It is necessary to look at the origin of this "firepower" and work to prevent new weapons from being acquired by criminals.

Victims of their own neglect

Ironically, internet providers, which are one of the biggest victims of DDoS attacks, are also one of the main responsible for all this firepower in the hands of criminals.

In Brazil alone we have more than 10,000 ISPs, with the vast majority being small companies, fighting for business survival, with major restrictions on budget, technology and people trained in cybersecurity issues.

The result of this is poorly configured equipment, exposed on the Internet in an unnecessary way, with known access credentials, without receiving updates and running software versions with several known vulnerabilities. The consequence is hackers from all over the world looking for this equipment to transform it into new weapons in their powerful arsenal.

Blocking current origins

The actors identified in this new campaign are using structures with addresses located in France, Switzerland, Bulgaria and Lithuania as a base.

Anyone who does not need to communicate with these locations can choose to block these countries by geolocation.

To help mitigate this threat for those without geolocation blocking, security analysts can prevent more than 90% of identified sources by blocking the following IP address blocks:









NetSensor Customers

NetSensor customers using HackNet's artificial neural network protection are automatically protected from all identified sources on the global network, without the need for any human action.

Companies that use the HackAlert service are automatically notified if HackNet observes suspicious traffic coming from their internet addresses, with detailed information about the observed traffic.

NetSensor technologies can protect against this and many other threats against vulnerabilities across the entire structure, including protection for firewalls and internet routers.

Final considerations

We are living in a new war, the Digital War, which every day has proven to be more dangerous, with kidnapping and theft of information, unauthorized access and control of other people's environments, which can generate major problems for public and private companies, governments and even , compromising the entire functioning of large urban centers.

With the advanced resources and techniques used by criminals, it is essential to adopt security strategies that rely on intelligent technologies based on Artificial Intelligence (AI) and Threat Intelligence (Threat Intel) to quickly identify and neutralize new threats that arise. emerge in this constantly and rapidly changing scenario.

Read too:


Post: Blog2_Post
bottom of page