
Hackers hijacked DNS traffic on D-Link routers for three months

A hacker group has been breaking into home routers over the past three months, especially D-Link models, to change their DNS server settings, hijack traffic intended for legitimate sites, and redirect it to rogue clones.

The attackers use known exploits in router firmware to hack into vulnerable devices and silently change the DNS configuration. Most users will not notice these changes, writes ZDNet. The following models appear to be targeted by the group:

  • D-Link DSL-2640B
  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-526B
  • ARG-W4 ADSL routers
  • DSLink 260E routers
  • Secutech routers
  • TOTOLINK routers

Troy Mursch, security researcher and founder of Bad Packets, says he has observed three separate waves in which hackers launched attacks to poison the DNS settings of routers. These waves took place at the end of December 2018, the beginning of February and the end of March. Moreover, the attacks are still continuing.

How the attacks work

The purpose of the campaign is to inject the IP addresses of rogue DNS servers into other people's routers. According to Mursch, the hackers have so far used four IP addresses. On those four rogue DNS servers, the IP addresses of legitimate websites have been replaced by the IP addresses of clones run by the hackers.

On such a rogue clone, a user may be asked to log in and share his password with the attackers. It is not known which legitimate sites the hackers targeted during the three campaigns. However, it is clear where the traffic was diverted to.

“The vast majority of DNS requests were diverted to two IPs on a crime-friendly hosting provider (AS206349), and another one goes to a service that makes money from parked domain names (AS395082).”

Owners of the aforementioned devices are advised to check the DNS settings of their router and to compare DNS IP addresses with those provided by their Internet Service Provider. If one of the following IP addresses is detected, the router’s DNS settings have already been adjusted by the hackers, and the firmware must be updated as soon as possible:
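
The comparison against ISP-provided resolvers advised above can be scripted from a client on the network. This is an added example, not code from the article or from Bad Packets; the `ISP_RESOLVERS` ranges, the sample text and the choice of resolv.conf-style input are assumptions, and every address in it is constructed.

```python
import ipaddress

# Assumption: resolver ranges published by your ISP (constructed values here).
ISP_RESOLVERS = ["203.0.113.0/28", "2001:db8:53::/64"]

# LAN-side ranges: a resolver here is usually the router acting as a forwarder.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample of what a client might receive from the router via DHCP.
SAMPLE = """\
nameserver 203.0.113.5
nameserver 198.51.100.77   # not in the ISP's list
nameserver 192.168.1.1
nameserver fe80::1%eth0
"""

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1].split("%", 1)[0])  # drop IPv6 zone id
    return servers

def classify(server, allowed_nets):
    """Label one resolver: expected, local-forwarder, unexpected or invalid."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if any(ip.version == n.version and ip in n for n in allowed_nets):
        return "expected"
    # The client only sees the router here; the router's own upstream DNS
    # setting still has to be read from its admin interface.
    if any(ip.version == n.version and ip in n for n in LAN_NETS):
        return "local-forwarder"
    return "unexpected"

def audit(text, allowed=ISP_RESOLVERS):
    nets = [ipaddress.ip_network(n) for n in allowed]
    return {s: classify(s, nets) for s in parse_nameservers(text)}

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:20} {verdict}")
```

A `local-forwarder` result is inconclusive rather than clean: the DNS servers configured on the router itself are what must match the ISP's values.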

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.