Finding botnets with a MikroTik RouterOS honeypot
MikroTik RouterOS is a powerful feature packed software router that is pretty widely used across the world. I have been meaning to setup a honeypot and there has been a large number of high volume DDoS attacks involving compromised RouterOS routers so this seems like a good candidate for a first honeypot. In order to setup the honeypot I span up 2 cloud instances one for RouterOS and the other to capture logging. To setup the logging machine I span up a Debian machine and then started on deploying RouterOS. I couldn't find any information on how the routers were being compromised but there was rumours of a vulnerability that was being exploited so I decided to use a slightly older RouterOS version at the time, RouterOS v6.42rc52. RouterOS Setup To install RouterOS on the GCP you can navigate to the software\downloads page on the MikroTik website and from there expand the "Cloud Hosted Router" tab where you find VHDX images available for download. Once downloaded the im