Brazilian DDoS Protection Firm Linked to Massive Botnet Attacks on Local ISPs

Introduction

A Brazilian cybersecurity company specializing in distributed denial-of-service (DDoS) mitigation has been implicated in a sustained campaign of large-scale DDoS attacks against other network operators in Brazil. Security researchers found evidence that the firm's own infrastructure was used to launch the attacks. The company's CEO maintains that the activity was unauthorized, the result of a security breach that he believes a competitor orchestrated to damage the firm's reputation.

Image source: krebsonsecurity.com

The Breach: Exposed Archive Reveals Malware and SSH Keys

For years, security researchers tracked a series of powerful DDoS attacks originating from Brazil and aimed at Brazilian internet service providers (ISPs). The source remained unclear until a confidential source shared a suspicious file archive that had been left exposed in an open directory online. The archive contained several Python-based malware programs with Portuguese-language code and strings, along with private SSH keys belonging to the CEO of Huge Networks, a Brazilian ISP whose main business is selling DDoS protection to other local network operators.

Huge Networks, founded in Miami in 2014 but operating mainly in Brazil, started as a protector of game servers against DDoS attacks before evolving into an ISP-focused mitigation provider. Prior to this incident, the company had no public abuse complaints and was not associated with any known DDoS-for-hire services. However, the exposed archive suggests that a Brazil-based threat actor maintained root access to Huge Networks' systems and built a powerful botnet.

The Botnet: How Insecure Devices Were Enlisted

The perpetrator built the botnet by continuously scanning the internet for two kinds of targets: vulnerable routers that could be compromised and commanded directly, and misconfigured DNS servers (open resolvers) that answer queries from anyone. The compromised routers generate attack traffic themselves; the open resolvers are used as reflectors that multiply the volume of traffic directed at a victim.

A DNS resolver should answer recursive queries only from the clients it serves. Some are configured to answer queries from any address on the internet, and these open resolvers make so-called "DNS reflection" possible. Because DNS queries travel over UDP, which has no handshake, an attacker can forge the source address of a query to be the victim's IP address; the resolver then sends its response to the victim rather than to the attacker. The EDNS0 extension, which lets a client advertise that it can receive UDP messages far larger than the classic 512-byte limit, turns reflection into amplification: a query of roughly 100 bytes that asks for a large record set can elicit a response 60 to 70 times larger. When thousands of compromised devices and open resolvers are used at once, the resulting flood can overwhelm even well-provisioned networks.


DNS Amplification: Technical Breakdown

Reflection and amplification are two separate properties that attackers combine. Reflection hides the true source: the attacker spoofs the victim's IP address, so the resolver's response goes to the victim and the victim sees only traffic from legitimate-looking DNS servers. Amplification multiplies volume: the attacker chooses queries (for example, for record types or names that return large answers) and advertises a large EDNS0 buffer size, so each small query costs the attacker a few dozen bytes but delivers kilobytes to the victim. The botnet described in the archive exploited both, using compromised routers, which can also generate attack traffic directly, alongside open DNS resolvers to bombard Brazilian ISPs.
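The mechanics described in the two DNS sections above, as an added example that is not code from the Krebs article or from Huge Networks: the block builds the query shape a reflection attack relies on (an ANY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer), reads that advertised size back out of the packet, computes the amplification factor from query and response sizes, and runs a simple reflection detector over flow records. The function names, the sample flow records and every IP address in them are constructed for the example; no packets are sent.

```python
# Added example: not from the Krebs article or Huge Networks. Builds the DNS
# query used in reflection/amplification attacks, measures amplification from
# packet sizes, and flags reflection victims in constructed flow records.
import struct

DNS_TYPE_ANY = 255   # QTYPE ANY: asks for every record at the name
DNS_TYPE_OPT = 41    # EDNS0 OPT pseudo-record (RFC 6891)


def build_amplification_query(name, edns_udp_size=4096, qtype=DNS_TYPE_ANY, txid=0x1234):
    """Wire-format DNS query: header, one question, one EDNS0 OPT record.

    In the OPT pseudo-record the CLASS field carries the UDP payload size the
    sender claims it can accept. With a spoofed source address, the spoofed
    victim, not the sender, receives a response up to that size.
    """
    # ID, flags (only RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # QCLASS IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def advertised_udp_size(packet):
    """Return the EDNS0 UDP payload size a query advertises; 512 if it has no OPT record.

    Handles uncompressed names only, which is what a query from a client contains.
    """
    qdcount, arcount = struct.unpack("!HH", packet[4:6] + packet[10:12])
    pos = 12
    for _ in range(qdcount):                 # skip each question: name, QTYPE, QCLASS
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4
    for _ in range(arcount):                 # walk the additional section looking for OPT
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            return rclass
    return 512


def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_len / query_len


def find_reflection_victims(flows, min_ratio=10.0):
    """Flag hosts that receive far more DNS-response bytes than they sent in queries.

    flows: iterable of dicts with keys src, sport, dst, dport, bytes (UDP flows).
    Seen from the victim's network edge, a reflection flood is a stream of
    responses from port 53 on many resolvers answering queries the host never sent.
    """
    sent = {}      # host -> bytes of queries it sent to port 53
    recv = {}      # host -> bytes of responses it received from port 53
    for f in flows:
        if f["dport"] == 53:
            sent[f["src"]] = sent.get(f["src"], 0) + f["bytes"]
        elif f["sport"] == 53:
            recv[f["dst"]] = recv.get(f["dst"], 0) + f["bytes"]
    victims = {}
    for host, rbytes in recv.items():
        sbytes = sent.get(host, 0)
        ratio = rbytes / sbytes if sbytes else float("inf")   # responses with no queries at all
        if ratio >= min_ratio:
            victims[host] = ratio
    return victims


# Constructed flow records (not real traffic): one normal client doing a lookup,
# and one host being flooded by twenty open resolvers it never queried.
SAMPLE_FLOWS = [
    {"src": "198.51.100.5", "sport": 51000, "dst": "192.0.2.53", "dport": 53, "bytes": 60},
    {"src": "192.0.2.53", "sport": 53, "dst": "198.51.100.5", "dport": 51000, "bytes": 200},
] + [
    {"src": f"192.0.2.{i}", "sport": 53, "dst": "203.0.113.10", "dport": 80, "bytes": 4000}
    for i in range(100, 120)
]

if __name__ == "__main__":
    q = build_amplification_query("example.com")
    print(len(q), "byte query advertising a", advertised_udp_size(q), "byte response buffer")
    print("amplification if the resolver fills that buffer:", amplification_factor(len(q), 4096))
    print("reflection victims:", find_reflection_victims(SAMPLE_FLOWS))
```

The 40-byte query above advertises a 4096-byte buffer, so a resolver that fills it hands the victim over a hundred bytes for every byte the attacker sent; the 60-to-70x figure in the text corresponds to a somewhat larger query and a response that does not quite reach the advertised size. On the defensive side, the ratio check is crude but captures the defining signature of reflection from the victim's vantage point: DNS responses that correspond to no outgoing queries. In production the same logic would run over NetFlow or IPFIX exports rather than an inline list.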

Huge Networks' Response and Ongoing Investigation

Shortly after the discovery, Huge Networks' CEO stated that the malicious activity was not authorized and was the result of a security breach. He suggested a competitor might have orchestrated the attack to harm his company's public image. Security researchers continue to analyze the exposed archive and to monitor the botnet's activity. The incident shows that DDoS protection firms can themselves become targets, and that securing internal infrastructure matters most for companies with privileged reach into customer networks. The presence of the CEO's private SSH keys in the archive is the practical lesson: private keys that grant root access to production systems should be protected by a passphrase or hardware token, scoped to the hosts that need them, and rotated as soon as exposure is suspected.

