Why the NSA Wants You to Reboot Your Router Every Week

The National Security Agency has been telling Americans to do something simple to fight back against router malware. Just reboot your router. The advice sounds too basic to matter. It's based on how modern botnet attacks actually work, and a weekly power cycle disrupts most infections before they cause real damage.

This guidance lines up with warnings from the FBI and CISA about state-sponsored attackers targeting home and small office routers. Criminal groups and foreign intelligence services have been compromising consumer routers from Asus, TP-Link, D-Link, and Netgear. They turn those routers into proxies, surveillance points, or jumping-off spots for bigger attacks. Most of these infections live in your router's memory, which is exactly what a reboot wipes.

Why a Simple Restart Actually Works

Most router malware in 2026 is designed to live in RAM rather than write itself to permanent flash storage. The reason is technical, but the result is convenient. Attackers want their code to disappear if the device gets analyzed, so they load malicious processes into volatile memory.

When you unplug your router, that volatile memory gets cleared. The infected process is gone. The router boots up clean from its firmware. The attacker can come back the same way they got in the first time. Each reboot still resets the clock and breaks ongoing operations like proxy traffic routing or credential harvesting.

This won't help against firmware-level attacks that flash themselves into the device. Those are rare, partly because they're harder to write and partly because they get found faster. The common stuff that turns your router into a botnet node usually doesn't survive a power cycle.

How Often Should You Reboot

The NSA's specific recommendation is once a week. Some security firms suggest every few days for high-risk users. For most households, weekly is fine. Pick a low-traffic time like Sunday morning or late at night. The reboot will knock everything offline for two or three minutes.

You can schedule reboots automatically on most modern routers. On a Netgear router, log in at the 192.168.1.1 login page, then go to Advanced > Administration > Set Password > Schedule Reboot. Asus routers have a similar option under Administration > System > Scheduled Reboot. TP-Link Archer models bury it under System Tools > Reboot Schedule.

If your router doesn't support scheduled reboots, plug it into a smart plug like a Kasa or TP-Link Tapo. Set a daily or weekly off-on cycle in the app. The end result is the same.

What a Reboot Won't Fix

Rebooting is good hygiene, but it's not a complete defense. Several types of attacks survive a power cycle and need other steps to fix.

Default passwords are the biggest gap. If your router still uses the credentials it shipped with, attackers don't need malware. They just log in. Check our default router password list if you've forgotten what came stock with your model. Then change it to something long and unique.

Old firmware is the next problem. CVEs get published for popular routers every month, and patches usually follow within weeks. If you haven't updated your firmware in a year, you're probably running known-vulnerable code. Asus, Netgear, and TP-Link all push firmware through their apps now, but a lot of users never open the app after setup.

DNS changes also survive reboots. If an attacker rewrote your router's DNS settings to point at malicious servers, those settings sit in flash storage. They come back when the device boots. Check your DNS settings in the admin panel and reset them to something trusted like 1.1.1.1, 8.8.8.8, or your ISP's defaults.

Which Brands Have Been Targeted Most

Some routers show up over and over in botnet reports. Older TP-Link Archer models from the AC1750 era have been heavily exploited. Linksys business routers that home users sometimes pick up have been targets. Asus routers with the AiCloud feature exposed to the internet have been hit. MikroTik routers configured by ISPs in Latin America and Southeast Asia have appeared in massive proxy networks.

The common pattern is age. Routers older than five years probably aren't getting security updates anymore. If your ISP gave you the router and hasn't updated it, you might be running firmware from 2019. That's a long time to go without patches in router years.

How to Tell If Your Router Has Been Compromised

Most botnet infections are designed to be invisible. The attacker doesn't want you to notice anything. They don't slow your internet or change your settings in obvious ways. Some signs do leak through.

Your internet feels sluggish even when nobody at home is using it. The router runs hot when it shouldn't. DNS lookups send you to odd-looking sites. Login pages reject old passwords you know are right. New devices show up in the connected client list that you don't recognize.

If any of that sounds familiar, do a factory reset rather than just a reboot. Hold the reset button for 30 seconds. Set the router back up with a strong password and current firmware. Then verify clean public IP behavior afterward using our check your IP address page.

The Bigger Picture for Home Networks

The NSA's reboot advice fits into a wider shift in how security agencies think about consumer routers. For years, home networks were treated as nobody's problem. ISPs handed out cheap gateways, users plugged them in, and nobody thought about it again. That worked when home networks weren't valuable targets.

That's changed. Remote work means home routers carry traffic that used to live inside corporate networks. Smart home devices have made every house a small data center. State actors have noticed, and so have criminals. The NSA, FBI, and CISA all now publish guidance aimed directly at home users, which would have been strange a decade ago.

A weekly reboot won't make your network bulletproof. It will make it less useful to the people trying to attach themselves to it. Combine the reboot with a strong admin password, firmware updates, and a check of your DNS settings. You've then handled the main attack surface most people leave open.

If you're not sure what your router can do, your 192.168.0.1 admin page is the place to start. The reboot schedule, firmware update, and password change are usually within a few clicks of each other in the admin panel.