[KB8111] Detected network device sending malicious traffic

Issue

  • A device in your network (possibly a router) may be infected and is probably being used as a part of an Internet of Things (IoT) botnet
  •  If the device functions as a router, it might not be infected itself but could be configured to forward malicious traffic to your network from external sources. We recommended reviewing the router settings
  • The possibly infected device is sending (or forwarding) malicious traffic to other devices in your local network

Details


Click to expand

IoT devices such as home routers or DVRs that are not properly secured (for example, devices with outdated firmware or default usernames/passwords) are vulnerable to exploits. They can become a part of a botnet that can be further used to launch DDoS attacks or other remote attacks.


Solution

  1. Identify which device is infected
  2. Repair the infected device
  3. Prevent devices from becoming infected in the future

I. Identify which device is infected

  1. Open the Network protection log and write down the IP address of the device that is sending the malicious traffic.

  2. In the Network threat blocked notification window, click Continue blocking.

    Figure 1-1
  3. If you do not know which device the IP address is assigned to, check your router's DHCP table or the list of active clients. You can also check for the IP address using Connected Home Monitor in your ESET product, if available.


II. Repair the infected device

  1. Restart the device.

  2. Perform a factory reset (for example, in the case of a router).

  3. Install the latest firmware available for the device from the manufacturer.

  4. Change the default device password.

If you are unable to remedy your device, contact the device manufacturer.


III. Prevent devices from becoming infected in the future

  1. Do not make the administration interface of the device accessible from WAN.

  2. Ensure to keep the device firmware up to date, if provided by the device manufacturer.

  3. Use a strong password and two-factor authentication where possible.

  4.  Review the port-forwarding settings on your router from time to time, and remove unnecessary rules.