In May 2018 DrayTek became aware of CSRF (Cross-Site Request Forgery) attacks against web-enabled devices, including DrayTek routers.
In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on the router. Initial reports show that in some cases DNS settings are altered.
To check if your router has been compromised, look at the DNS and DHCP settings on your router. If you have a router supporting multiple LAN subnets, check the settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP, or DNS server addresses of a server which you have set (e.g. Google 184.108.40.206).
If you see a rogue DNS server setting of 220.127.116.11, or changed DHCP settings, it means that your router settings have been changed. In this case you can correct the changes or restore the router configuration from the last known good backup configuration.
Note that the IP address 18.104.22.168 may not be the only rogue address and so, if you find any DNS IP that is different to your own setting, you should either upgrade the firmware or adjust security settings as described below.
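The check described above can be scripted once the DNS values for each LAN subnet have been copied out of the router's web interface. The following Python is an added example, not DrayTek code; the subnet names, field names and all addresses (taken from documentation ranges) are constructed placeholders, to be replaced with your own values.

```python
import ipaddress

def audit_dns(subnets, approved, known_rogue=()):
    """Compare per-subnet DNS settings against the servers you expect.

    subnets:     {subnet_name: {field_name: value}} as read from the router.
    approved:    DNS servers from your ISP or ones you set yourself.
    known_rogue: addresses already reported as malicious.
    Returns a sorted list of (subnet, field, value, verdict) findings.
    """
    ok = {ipaddress.ip_address(a) for a in approved}
    bad = {ipaddress.ip_address(a) for a in known_rogue}
    findings = []
    for name, fields in sorted(subnets.items()):
        for field, raw in sorted(fields.items()):
            value = (raw or "").strip()
            if not value:
                continue  # a blank DNS setting is acceptable
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append((name, field, value, "unparseable"))
                continue
            if addr in bad:
                findings.append((name, field, value, "known-rogue"))
            elif addr not in ok:
                # Any address you did not set yourself counts as a change.
                findings.append((name, field, value, "unexpected"))
    return findings

# Constructed sample data (documentation address ranges, not real servers).
APPROVED = ["192.0.2.53", "192.0.2.54"]
ROGUE = ["203.0.113.66"]  # placeholder for an address named in an advisory
SAMPLE = {
    "LAN1": {"primary": "192.0.2.53", "secondary": ""},
    "LAN2": {"primary": "203.0.113.66", "secondary": "198.51.100.9"},
    "LAN3": {"primary": "192.0.2.300", "secondary": None},
}

if __name__ == "__main__":
    for subnet, field, value, verdict in audit_dns(SAMPLE, APPROVED, ROGUE):
        print(f"{subnet} {field} DNS {value}: {verdict}")
```

Any finding, including "unexpected", should be treated as a changed setting, since the rogue address may vary.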
DrayTek has now released new firmware that addresses this security vulnerability.
The firmware can be downloaded from:
If you are unable to, or opt not to, update the firmware, it is recommended that you check and adjust the security settings as shown below to prevent a possible attack.
1. Upgrade to the latest firmware
2. Enable Auto Logout
3. Disable SSL VPN service if it is not used.
4. Disable “Allow Management from the Internet” if it is not required.
5. If remote management from the Internet is required, enable the following settings:
   - IP Access List
   - Do not use default port
   - Enable Brute Force Protection