As a head-on solution, flash OpenWRT clients so that the problem does not reoccur.
Well, put a few “problem” routers in your place, connect via UART and write logs.

I will logically assume: if we are talking about any hole that is common in certain firmware of a certain model of routers, then an attacker, gaining access to the router, is forced to cover this hole one way or another after himself so that the rest of the coolhackers do not go his way and deprive him of a heap dedikov.
Here, in order to identify what has changed, you can look at the same nmap picture: which ports open to the outside have disappeared on the router, the state before and after the capture (if, of course, we are talking about it). What is the answer for various services (although it is unlikely that anyone will edit the bag service in the firmware of the router, right?). In this way, you can indirectly calculate the security service and, if it is not critical, recommend that customers turn it off on certain models.
You can also try to dump the firmware and see what has changed there.
You can google for coolhacker boards.
In general, it is strange that an attacker so clearly provoked a reset - by disabling dhcp? Maybe it's really about the hardware / software problem of specific pieces of iron?

as a start, you can hang out the pieces of iron in the client network and look in the console what is happening there.
a firmware dump will do little, except for a general confirmation of the changes, tk. and the kernel and rootfs parts are compressed in flash.

The mass nature of the problem does not indicate a specific hacker (it’s unlikely that the 80th port, and even the router is open by default to the outside, besides, there are few providers that give access to the 80th client ports from the outside). This is either a problem with the router itself (corrupting the settings) because it is hacked with an engineering password from inside the provider's network - namely, from client equipment with some kind of trojan, for example. In principle, it is possible to detect a hacker inside the provider's network, but if other providers are also affected - most likely it is some kind of malware that takes advantage of router vulnerabilities and apparently does it wrong - changes some settings impudently overwriting important ones (for some other router model calculated) hence the unmasking.

I don't think there is enough information.
Is there access to the routers from outside? If so, then:
1. you can change the remote control port, at least.
2. you can specify "Remote Management IP Address"
3. On the TL-WR741N (and we're kind of talking about it), there is an "Auto Mail Feature" in the system log section
Well, that's enough for a start. Or have I misunderstood something?
PS And then, if you are a provider, maybe it was worth taking pieces of iron with tr-069 support?

It really didn’t work for me, but maybe your firmware is older and it will work
weblance.com.ua/blog/160-kriticheskaya-uyazvimost-v-routerah-i-tochkah-dostupa-tp-link.html
I was surprised by the moment:

To exploit the vulnerability, it is enough for an attacker to: generate an HTTP request to
/userRpmNatDebugRpm26525557/linux_cmdline.html
use the osteam login account, the password is 5up, then you can execute arbitrary code with root rights
Source: weblance.com.ua/blog/160-kriticheskaya-uyazvimost- v-routerah-i-tochkah-dostupa-tp-link.html

At 741 ND, by default, port 80 for access from the WAN is closed and opens with handles to a specific IP (in my opinion, not even a range). There is another option, leave the standard password and WPS enabled which can break .