Brazilian DDoS Mitigator's Breached Systems Fueled Attacks on Competing ISPs

Background: A Security Firm Turned Attack Vector

In a surprising twist, a Brazilian technology company that specializes in shielding networks from distributed denial-of-service (DDoS) attacks has inadvertently become a source of such assaults. KrebsOnSecurity has uncovered evidence that a botnet, responsible for a prolonged campaign of massive DDoS attacks against other network operators in Brazil, was operating from the infrastructure of Huge Networks. This firm, founded in Miami in 2014 but with operations centered in Brazil, began by protecting game servers and later evolved into an ISP-focused DDoS mitigation provider. Despite its legitimate business, the company's CEO now claims that the malicious activity resulted from a security breach, possibly orchestrated by a competitor aiming to damage their reputation.

Brazilian DDoS Mitigator's Breached Systems Fueled Attacks on Competing ISPs
Source: krebsonsecurity.com

Discovery of the Exposed Archive

For years, security experts tracked a series of devastating DDoS attacks originating from Brazil, solely targeting Brazilian ISPs. The source remained obscure until a trusted, anonymous source shared a curious file archive exposed in an open directory online. This archive contained several Portuguese-language malicious programs written in Python, along with the private SSH authentication keys of Huge Networks' CEO. The evidence showed that a Brazil-based threat actor had maintained root access to Huge Networks' infrastructure, building a powerful DDoS botnet by routinely scanning the internet for vulnerable routers and improperly configured DNS servers.

The DNS Amplification Technique

The botnet leveraged a classic but devastating method: DNS reflection and amplification. DNS (Domain Name System) normally translates domain names into IP addresses. However, many DNS servers are misconfigured as open resolvers, answering queries from any source on the internet. Attackers send spoofed queries that appear to come from the target's IP address, causing these servers to flood the target with responses. By using the DNS extension EDNS0, which allows large messages, the amplification effect intensifies: a small query of under 100 bytes can trigger a response 60 to 70 times larger. When combined with thousands of compromised devices querying hundreds of open DNS servers simultaneously, the traffic can overwhelm even robust networks.
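From an operator's side, the two signatures of the technique described above are an internal resolver answering external addresses with replies many times larger than the queries (an open resolver being abused) and an internal host receiving large UDP/53 replies from many resolvers it never queried (a reflection target). The following detector over NetFlow-style records is an added example, not code from the article or from Huge Networks; the flow records, the `10.0.0.0/8` internal range and the 20x factor threshold are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (NetFlow-style 5-tuples), not real traffic.
# Fields: src_ip, src_port, dst_ip, dst_port, bytes
FLOWS = [
    # Normal recursion: internal client asks the internal resolver, small reply.
    ("10.0.0.5", 51000, "10.0.0.53", 53, 62),
    ("10.0.0.53", 53, "10.0.0.5", 51000, 178),
    # Spoofed queries "from" 203.0.113.9 hit our open resolver; EDNS0-sized replies go to the victim.
    ("203.0.113.9", 4444, "10.0.0.53", 53, 70),
    ("10.0.0.53", 53, "203.0.113.9", 4444, 4600),
    ("203.0.113.9", 4444, "10.0.0.53", 53, 70),
    ("10.0.0.53", 53, "203.0.113.9", 4444, 4610),
    # Our host 10.0.0.77 receives large replies from external resolvers it never queried.
    ("198.51.100.1", 53, "10.0.0.77", 80, 3900),
    ("198.51.100.2", 53, "10.0.0.77", 80, 4100),
    ("198.51.100.3", 53, "10.0.0.77", 80, 4000),
]

def amplification_by_pair(flows):
    """Return {(resolver, client): (query_bytes, response_bytes)} for UDP/53 traffic."""
    queries = defaultdict(int)
    responses = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport == 53:           # query: client -> resolver
            queries[(dst, src)] += nbytes
        if sport == 53:           # response: resolver -> client
            responses[(src, dst)] += nbytes
    return {k: (queries.get(k, 0), responses.get(k, 0)) for k in set(queries) | set(responses)}

def open_resolver_abuse(flows, internal_net, min_factor=20):
    """Internal resolvers sending amplified replies to external clients: (resolver, client, factor)."""
    net = ip_network(internal_net)
    hits = []
    for (resolver, client), (qb, rb) in amplification_by_pair(flows).items():
        if ip_address(resolver) in net and ip_address(client) not in net and qb > 0:
            factor = rb / qb
            if factor >= min_factor:
                hits.append((resolver, client, round(factor, 1)))
    return sorted(hits)

def reflection_targets(flows, internal_net, min_resolvers=3):
    """Internal hosts getting UDP/53 replies from >= min_resolvers external resolvers they never queried."""
    net = ip_network(internal_net)
    sources = defaultdict(set)
    for (resolver, client), (qb, rb) in amplification_by_pair(flows).items():
        if ip_address(client) in net and ip_address(resolver) not in net and qb == 0 and rb > 0:
            sources[client].add(resolver)
    return {c: sorted(s) for c, s in sources.items() if len(s) >= min_resolvers}
```

On the constructed records the resolver check reports a 65.8x factor toward 203.0.113.9, in the range the article quotes, while the second check names 10.0.0.77 as a reflection target; rate limiting on the resolver and BCP 38 egress filtering address the two findings respectively.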

Implications and Response

The revelation raises serious questions about trust within the cybersecurity industry. Huge Networks, which had no prior abuse complaints or ties to DDoS-for-hire services, now faces scrutiny over its security practices. The CEO insists the malicious activity stemmed from a breach and suspects a competitor is trying to tarnish the company's image. Moving forward, network operators must remain vigilant: securing DNS servers, patching router vulnerabilities, and monitoring for unauthorized access are critical. The incident underscores that even companies built to defend against DDoS attacks can become unwitting participants in them if their own infrastructure is compromised.
