
When DDoS Defenders Become Attackers: The Brazilian ISP Botnet Breach

Published 2026-05-09 12:04:35 · Cybersecurity

A Brazilian firm specializing in DDoS protection was allegedly used to launch massive attacks against other Brazilian ISPs for years. The company’s CEO claims a breach orchestrated by a competitor. Here are the key questions and answers about this incident.

1. What is the main story about?

For several years, a series of massive DDoS attacks targeted Brazilian internet service providers, with the source traced back to a Brazilian DDoS mitigation company called Huge Networks. The firm, founded in Miami but operating primarily in Brazil, was supposed to protect networks but instead had its infrastructure hijacked by a threat actor. An exposed archive containing malicious Python scripts and the CEO’s private SSH keys revealed that an attacker had root access to Huge Networks’ systems, turning them into a botnet used to flood other ISPs with traffic. The CEO suggested a competitor might have breached their systems to damage their reputation.

Image: When DDoS Defenders Become Attackers: The Brazilian ISP Botnet Breach (source: krebsonsecurity.com)

2. How was the botnet discovered?

A trusted source (who wished to remain anonymous) shared an archive that was accidentally left exposed in an open directory online. The archive contained several Portuguese-language malicious programs written in Python. More critically, it included the private SSH authentication keys belonging to Huge Networks’ CEO. This gave security researchers clear evidence that the infrastructure of a DDoS protection company had been compromised and was being used to orchestrate attacks. The archive also showed that the attacker routinely scanned the internet for insecure routers and poorly configured DNS servers to build a powerful botnet.

3. What role did Huge Networks play?

Huge Networks is a Brazilian ISP that started by protecting game servers from DDoS attacks and later evolved into a DDoS mitigation provider for other network operators. In keeping with this defensive role, the company had no public record of abuse complaints and was not linked to any DDoS-for-hire services. However, the exposed archive proved that the firm’s systems were used as a platform for attacks. The CEO stated that the malicious activity resulted from a security breach, likely perpetrated by a competitor aiming to tarnish Huge Networks’ image. The company itself was a victim, but its compromised infrastructure became the weapon.

4. How did attackers compromise the firm’s systems?

The attackers gained root access to Huge Networks’ infrastructure, likely through stolen SSH keys or other vulnerabilities. Once inside, they built a botnet by mass-scanning the internet for two types of devices: insecure internet routers and unmanaged DNS servers. Routers with default passwords or unpatched firmware were easy targets. DNS servers that answered queries from any source were enlisted as reflectors. The attackers then used these compromised devices to launch large-scale DDoS attacks. The CEO’s private SSH keys found in the archive suggest that the breach specifically targeted credentials, perhaps through phishing or an insider threat.
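The reflector side of this is a configuration problem on the resolver operator's end. As an added illustration (not code from the article, nor from Huge Networks), the Python script below checks a BIND `named.conf` options block for the settings that make a resolver answer recursive queries from anyone. The two configuration snippets are constructed for the example; the directive names (`recursion`, `allow-recursion`, `allow-query`, `rate-limit`) are real BIND options.

```python
"""Flag BIND 'options' blocks that would make a resolver an open reflector.

Added example for this article; not code from the page or from Huge Networks.
The configuration snippets are constructed for illustration.
"""
import re

# Constructed sample: recursion open to the whole internet (the open-resolver pattern).
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };   // answers recursive queries for anyone
};
"""

# Constructed sample: recursion limited to the operator's own prefixes, with RRL.
RESTRICTED_CONF = """
acl customers { 192.0.2.0/24; 198.51.100.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { customers; localhost; };
    rate-limit { responses-per-second 10; };
};
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[m.end():i - 1]


def directive(block, name):
    """Value of 'name value;' or 'name { ... };' inside block, or None if not set.

    The lookbehind keeps 'recursion' from matching inside 'allow-recursion'.
    """
    pat = r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]+?)\s*;"
    m = re.search(pat, block)
    return m.group(1).strip() if m else None


def acl_is_unrestricted(value):
    """True if an address-match list admits the whole internet."""
    if value is None:
        return False
    entries = [e.strip().strip('"') for e in value.strip("{}").split(";") if e.strip()]
    return any(e in ("any", "0.0.0.0/0", "::/0") for e in entries)


def check_open_resolver(conf):
    """Return a list of findings; an empty list means the options block looks closed."""
    block = options_block(_strip_comments(conf))
    if not block:
        return ["no options block found"]
    findings = []
    recursion = (directive(block, "recursion") or "yes").lower()  # BIND default is yes
    if recursion != "yes":
        return findings  # authoritative-only server: not a recursive reflector
    allow_rec = directive(block, "allow-recursion")
    if acl_is_unrestricted(allow_rec):
        findings.append("allow-recursion admits any source: open resolver")
    elif allow_rec is None and acl_is_unrestricted(directive(block, "allow-query")):
        findings.append("allow-recursion not set while allow-query is open; "
                        "set it explicitly rather than relying on the version default")
    if directive(block, "rate-limit") is None:
        findings.append("no rate-limit (RRL) block configured")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, check_open_resolver(conf) or "ok")
```

The check is deliberately conservative about defaults: when `allow-recursion` is absent, BIND derives it from other settings in a version-dependent way, so the linter asks for it to be set explicitly instead of guessing. Run it against a copy of the real file before deploying a resolver that faces the internet.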

5. What type of DDoS attacks were used?

The attackers primarily used DNS amplification and reflection attacks. In a DNS reflection attack, the perpetrator sends spoofed DNS queries that appear to come from the victim’s IP address to many open DNS servers. Those servers then respond to the victim, flooding them with traffic. The amplification factor is significant: a query of less than 100 bytes can trigger a response 60–70 times larger. By combining thousands of compromised routers with many poorly configured DNS servers, the botnet could generate massive traffic volumes. This technique allowed the attackers to overwhelm Brazilian ISPs for years without revealing their own location.


6. How do DNS amplification attacks work?

DNS amplification exploits the fact that some DNS servers answer queries from any internet address (open resolvers). Attackers send a small DNS request to these servers with the source IP spoofed to the victim’s address. The server’s response, which can be much larger (for example, a query of type ANY that returns many resource records), is sent to the victim. This amplifies traffic: requests under 100 bytes can generate responses over 4,000 bytes. Attackers often use many open resolvers simultaneously, driven by a botnet, to multiply the effect. In this campaign, the botnet used thousands of compromised routers to coordinate such attacks, making them highly destructive and difficult to mitigate without cleaning up the reflectors.
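The detection side of questions 5 and 6, as an added example that is not part of the original article: the Python routine below runs over constructed flow records (epoch seconds, source, source port, destination, destination port, protocol, bytes, the shape a NetFlow or IPFIX collector would produce) and flags a host that receives large UDP replies from port 53 from many distinct addresses while sending almost no DNS queries of its own. That asymmetry is the signature of reflection seen from the victim's edge. The addresses and byte counts are constructed; a second helper ranks the reflectors so their operators can be notified.

```python
"""Spot DNS reflection traffic in flow records at the victim's network edge.

Added example for this article; not code from the page. All flow records below
are constructed: 198.51.100.7 is the victim, 203.0.113.x are open resolvers
answering queries the victim never sent, 192.0.2.10 is a host doing normal lookups.
"""
from collections import defaultdict

FLOWS = [
    # normal client: one outbound query to its resolver and the answer
    (1000, "192.0.2.10", 40123, "192.0.2.53", 53, "udp", 70),
    (1000, "192.0.2.53", 53, "192.0.2.10", 40123, "udp", 210),
    # the victim's own legitimate lookup, to show what a baseline looks like
    (1001, "198.51.100.7", 51000, "198.51.100.53", 53, "udp", 64),
    (1001, "198.51.100.53", 53, "198.51.100.7", 51000, "udp", 180),
] + [
    # reflection: twenty resolvers each deliver a ~4 KB reply to the victim
    (1001 + i % 3, "203.0.113.%d" % i, 53, "198.51.100.7", 80, "udp", 4000 + i)
    for i in range(1, 21)
]


def dns_reflection_suspects(flows, window=60, min_reflectors=10, min_ratio=20.0):
    """Return {victim: summary} for hosts receiving amplified replies they did not ask for.

    Flows are bucketed into `window`-second slots per destination. A destination is
    flagged when, in one slot, UDP replies from source port 53 arrive from at least
    `min_reflectors` distinct addresses and the inbound reply bytes exceed the bytes of
    the host's own outbound queries (to port 53) by a factor of `min_ratio`.
    """
    inbound = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    outbound = defaultdict(int)  # query bytes the host itself sent to port 53
    for ts, src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        slot = ts // window
        if sport == 53:
            inbound[(slot, dst)]["bytes"] += nbytes
            inbound[(slot, dst)]["reflectors"].add(src)
        elif dport == 53:
            outbound[(slot, src)] += nbytes

    suspects = {}
    for (slot, dst), rec in inbound.items():
        sent = outbound.get((slot, dst), 0)
        ratio = rec["bytes"] / sent if sent else float("inf")
        if len(rec["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            suspects[dst] = {
                "window_start": slot * window,
                "reflectors": len(rec["reflectors"]),
                "reply_bytes": rec["bytes"],
                "query_bytes": sent,
                "observed_ratio": ratio,
            }
    return suspects


def top_reflectors(flows, victim, n=5):
    """Rank sources of port-53 replies to `victim` by bytes delivered.

    This is the list to hand to the upstream provider for filtering and to the
    resolver operators' abuse contacts, since the flood stops only when the
    reflectors are closed.
    """
    by_src = defaultdict(int)
    for _, src, sport, dst, _, proto, nbytes in flows:
        if proto == "udp" and sport == 53 and dst == victim:
            by_src[src] += nbytes
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for victim, summary in dns_reflection_suspects(FLOWS).items():
        print(victim, summary)
        print("top reflectors:", top_reflectors(FLOWS, victim, 3))
```

The ratio test is what separates a victim from a busy recursive resolver: a resolver also receives many port-53 replies from many addresses, but it sent a proportionate volume of queries first, so its ratio stays small. A host with no NAT or asymmetric routing in front of it should show a ratio near the per-query amplification factor the article describes; anything in the hundreds or above, from dozens of sources, is worth an alert.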

7. What was the CEO’s response?

The CEO of Huge Networks claimed that the malicious activity was the result of a security breach and blamed a competitor for trying to harm the company’s image. He asserted that the company had no intention of launching DDoS attacks. However, the exposed archive and years of attacks against Brazilian ISPs suggest that the breach was severe and long-lasting. The CEO did not provide details about how the breach occurred or steps taken to prevent future incidents. The incident underscores the risk that even DDoS protection firms can be turned into attackers if their own systems are not secured.

8. What does this reveal about the DDoS protection industry?

This case highlights the dual-use nature of DDoS mitigation companies. While they provide essential protection against attacks, their infrastructure can be weaponized if compromised. The fact that Huge Networks was not previously linked to abuse shows how stealthy such breaches can be. The incident also emphasizes the importance of securing internal systems with strong access controls, two-factor authentication, and regular audits. Additionally, the widespread availability of open DNS servers and insecure routers remains a key enabler for botnets. ISPs and device manufacturers must work together to reduce these vulnerabilities. Finally, the CEO’s claim of a competitor’s involvement suggests that the DDoS protection market may have internal rivalries that could lead to unethical tactics.