14,000 Routers Hit by Takedown-Resistant KadNap Botnet

The Kademlia Advantage

KadNap's Kademlia-based architecture eliminates this single point of failure. Instead of connecting to a central server, each infected router maintains a routing table of other infected devices. Commands propagate through the network in a distributed fashion, hopping from node to node using the Kademlia protocol's efficient routing algorithm. There is no central server to seize, no single IP address to block, and no obvious chokepoint where the network can be disrupted.

If some nodes are cleaned up or taken offline, the remaining nodes automatically reorganize their routing tables to maintain network connectivity. The Kademlia protocol was specifically designed to be resilient to node churn — devices joining and leaving the network — which makes it naturally resistant to partial takedowns. The botnet can lose a significant fraction of its nodes and continue operating with minimal disruption.

This design represents a meaningful evolution in botnet architecture. While peer-to-peer botnets have existed for years, KadNap's implementation of Kademlia is notably sophisticated, using cryptographic verification of routing table entries to prevent security researchers from injecting false nodes into the network as a disruption tactic.

The Asus Connection

The heavy concentration of Asus routers among KadNap's victims raises questions about the security posture of these widely used consumer devices. Asus consumer routers have been the subject of multiple security advisories in recent years, with vulnerabilities ranging from authentication bypasses to remote code execution flaws. While Asus regularly releases firmware updates to address these issues, the vast majority of consumer router owners never update their firmware.

Unlike smartphones and computers, which typically update automatically, most consumer routers require manual firmware updates that involve downloading files from the manufacturer's website and uploading them through the router's administration interface. Many users are unaware that their router even has firmware, let alone that it needs updating. This creates a permanent population of vulnerable devices that botnet operators can harvest at will.

Defending Against KadNap

For individual router owners, the most effective defense is straightforward: update your router's firmware. Asus provides firmware updates through its support website and has introduced an automatic update feature in newer models. Changing default administrator passwords and disabling remote management access from the internet are also essential steps that close the most commonly exploited attack vectors.

For the broader security community, KadNap highlights the need for new approaches to botnet takedowns. Traditional methods that rely on seizing command-and-control infrastructure are ineffective against peer-to-peer designs. Alternative strategies might include coordinated vulnerability disclosure and forced patching through ISP cooperation, automated detection of botnet traffic patterns at the network level, or legal frameworks that hold device manufacturers accountable for shipping products with known security deficiencies.

As consumer Internet of Things devices proliferate — routers, cameras, smart speakers, and appliances — the pool of poorly maintained, internet-connected devices available for botnet recruitment continues to grow. KadNap is a warning of what happens when that pool meets sophisticated malware engineering.

This article is based on reporting by Ars Technica. Read the original article.