How a Brazilian DDoS Protection Company Became the Source of the Attacks It Was Meant to Stop

Last updated: 2026-05-01 04:40:24

In a shocking twist, a Brazilian firm specializing in protecting networks from distributed denial-of-service (DDoS) attacks was found to be a key enabler of a massive botnet that launched prolonged attacks against other Brazilian ISPs. Security researchers uncovered evidence that threat actors had breached the company's infrastructure, using it to build a powerful botnet from poorly secured routers and DNS servers. The company's CEO claims the activity stemmed from a security breach, possibly orchestrated by a competitor seeking to damage his firm's reputation. Below, we answer key questions about this incident.

What Exactly Happened at the Brazilian DDoS Protection Firm?

For years, Brazilian ISPs faced relentless DDoS attacks, but the source remained a mystery. That changed when a confidential source shared a file archive exposed online. The archive contained Portuguese-language malicious Python scripts and private SSH authentication keys belonging to the CEO of Huge Networks, a Miami-founded company operating in Brazil that provides DDoS mitigation services. Analysis revealed that an attacker had maintained root access to Huge Networks' infrastructure, exploiting it to mass-scan the internet for vulnerable routers and misconfigured DNS servers. These devices were then enlisted into a botnet capable of launching devastating amplification attacks aimed at other Brazilian network operators.

Source: krebsonsecurity.com

What Is a DNS Amplification Attack, and How Did It Make the Botnet So Powerful?

A DNS amplification attack is a type of reflection attack that abuses open DNS servers. A recursive resolver should answer queries only from its own clients, but many are misconfigured as open resolvers that accept queries from anywhere. Attackers send DNS requests with a spoofed source address that appears to be the target's IP address, so the server sends its response to the victim. By using the EDNS0 extension, which allows UDP responses larger than the traditional 512-byte limit, attackers can craft queries that yield responses 60 to 70 times larger than the request: for instance, a 100-byte query can trigger a 7,000-byte response. Multiplied across thousands of compromised devices and open DNS servers, this creates a massive flood of traffic that easily overwhelms the target's network.
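The amplification arithmetic above is easiest to see in a resolver's own query log. The following is an added example, not code from the article or from Huge Networks: it parses a constructed, simplified query log and flags addresses outside the operator's own networks that the resolver is amplifying traffic toward. The log format, the threshold and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed, simplified resolver log (not real traffic or BIND's exact format):
# "<ts> client <ip>#<port>: query: <name> IN <type> <flags> (<req_bytes>/<resp_bytes>)".
# In a reflection attack the "client" address of the ANY queries is the spoofed victim.
SAMPLE_LOG = """\
2026-05-01T04:40:01 client 10.0.0.12#53211: query: www.example.com IN A +E(4096) (52/108)
2026-05-01T04:40:02 client 10.0.0.15#40011: query: mail.example.com IN MX +E(4096) (55/160)
2026-05-01T04:40:02 client 203.0.113.9#53: query: isc.org IN ANY +E(4096) (64/3850)
2026-05-01T04:40:02 client 203.0.113.9#53: query: isc.org IN ANY +E(4096) (64/3850)
2026-05-01T04:40:03 client 203.0.113.9#53: query: ripe.net IN ANY +E(4096) (66/3990)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<req>\d+)/(?P<resp>\d+)\)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req"], rec["resp"] = int(rec["req"]), int(rec["resp"])
    rec["edns0"] = rec["flags"].startswith("+E")  # EDNS0 allows responses over 512 bytes
    return rec

def find_reflection_abuse(log_text, allowed_nets, min_factor=10.0):
    """Flag addresses outside allowed_nets whose response/request byte ratio reaches min_factor."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["req"] += rec["req"]
        s["resp"] += rec["resp"]
        s["any"] += rec["qtype"] == "ANY"
    findings = []
    for ip, s in stats.items():
        internal = any(ipaddress.ip_address(ip) in n for n in nets)
        factor = s["resp"] / max(s["req"], 1)  # aggregate amplification toward this address
        if not internal and factor >= min_factor:
            findings.append({"client": ip, "queries": s["queries"],
                             "any_queries": s["any"], "factor": round(factor, 1)})
    return findings
```

On the sample data the external address shows an aggregate factor of about 60, matching the range the text describes, while the internal clients stay near 2 and are ignored.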

How Did the Botnet Builder Compromise Huge Networks' Infrastructure?

The exposed archive revealed that the botnet operator had gained root access to Huge Networks' systems. The exact method of compromise is not detailed in public reports, but the presence of the CEO's private SSH keys in the archive suggests the threat actor either stole these credentials or exploited a vulnerability to obtain them. Once inside, the attacker used the company's resources to conduct large-scale internet scans, identifying insecure routers and unmanaged DNS servers. These devices were then added to the botnet. Interestingly, Huge Networks itself had no history of abuse complaints or involvement in DDoS-for-hire services, making the breach particularly disturbing for the firm's reputation.

Why Were Brazilian ISPs the Primary Targets?

The campaign specifically targeted Brazilian ISPs, and the attacks originated from within Brazil as well. While the exact motive remains unclear, several theories exist. The botnet builder might have been a disgruntled competitor seeking to disrupt rival network operators. Alternatively, the attacks could be part of a regional cyber turf war. The CEO of Huge Networks suggested that a competitor may have breached his company to tarnish its image, as Huge Networks offers DDoS protection to many of those same ISPs. This would explain why the botnet was built using Huge Networks' infrastructure—to implicate the firm and erode trust in its services.

How Did Security Researchers Uncover the Truth?

Security researchers had tracked the DDoS attacks for years without identifying the source. The breakthrough came when a trusted source provided a file archive that was inadvertently left exposed in an open directory online. The archive contained Python scripts that were clearly malicious and written in Portuguese. Crucially, it also included the private SSH keys of Huge Networks' CEO, directly linking the company to the botnet. This evidence allowed researchers to piece together the chain of events: the breach, the scanning, and the use of compromised devices to amplify attacks. The discovery was reported to KrebsOnSecurity, which then published the findings.

What Was the CEO's Response to the Allegations?

The CEO of Huge Networks acknowledged the security breach but denied any intentional wrongdoing by his company. He claimed that the malicious activity was the work of a competitor trying to damage his firm's public image. According to the CEO, the attacker gained unauthorized access to Huge Networks' systems and used them without the company's knowledge. He maintained that Huge Networks itself was not behind the attacks and emphasized that the company had no history of supporting DDoS-for-hire services. However, the discovery of the CEO's SSH keys in the archive raised questions about the company's security practices and whether the breach could have been prevented.

What Lessons Can Other DDoS Protection Firms Learn From This Incident?

This case highlights the importance of robust security measures for companies specializing in cybersecurity. DDoS protection firms themselves can become targets if their infrastructure is not properly hardened. Key lessons include: regularly auditing SSH key management and access controls; segmenting internal networks to limit lateral movement; conducting frequent vulnerability scans; and monitoring for unusual outbound scanning activity. Additionally, firms should have an incident response plan that includes transparency with customers when a breach occurs. The incident also underscores the evolving threat landscape, where attackers use a company's own resources against its clients, making trust a fragile asset.
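One of those lessons, monitoring for unusual outbound scanning, can be reduced to a fan-out check on flow records. This added example (not the article's or the company's code) counts distinct destinations per source, protocol and port in one-minute windows over constructed flow data; the flow format, the threshold and the allow-list of known scanners are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real data): "<epoch_seconds> <src> <dst> <proto> <dport>".
# 10.1.1.5 stands in for a compromised mitigation node probing UDP/53 on 40 hosts in
# one minute; 10.1.1.7 and 10.1.1.8 show ordinary resolver and web traffic.
SAMPLE_FLOWS = "\n".join(
    [f"{1777610400 + i} 10.1.1.5 198.51.100.{i + 1} udp 53" for i in range(40)]
    + [f"{1777610400 + i} 10.1.1.7 10.0.0.{53 + i % 2} udp 53" for i in range(30)]
    + [f"{1777610400 + i} 10.1.1.8 192.0.2.{10 + i % 3} tcp 443" for i in range(12)]
)

def parse_flow(line):
    """Parse one constructed flow line, or return None on malformed input."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
        return None
    ts, src, dst, proto, dport = parts
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}

def detect_outbound_scans(flow_text, window=60, min_targets=25, known_scanners=()):
    """Count distinct destinations per (src, proto, dport) in fixed time windows and
    report fan-out at or above min_targets. Hosts in known_scanners (e.g. the firm's
    own vulnerability scanner) are skipped so routine audits do not raise alerts."""
    buckets = defaultdict(set)
    for line in flow_text.splitlines():
        f = parse_flow(line)
        if f is None or f["src"] in known_scanners:
            continue
        start = f["ts"] - f["ts"] % window
        buckets[(f["src"], f["proto"], f["dport"], start)].add(f["dst"])
    findings = []
    for (src, proto, dport, start), dsts in sorted(buckets.items()):
        if len(dsts) >= min_targets:
            findings.append({"src": src, "proto": proto, "dport": dport,
                             "window_start": start, "targets": len(dsts)})
    return findings

if __name__ == "__main__":
    for hit in detect_outbound_scans(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['targets']} hosts on {hit['proto']}/{hit['dport']} "
              f"within 60s starting {hit['window_start']}")
```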