
Brazilian DDoS Firm Complicit in Attacks on Local ISPs

Published: 2026-05-02 07:25:30 | Category: Cybersecurity

A Brazilian cybersecurity company that offers distributed denial-of-service (DDoS) protection has been linked to a sustained campaign of massive DDoS attacks targeting other network operators within the country. According to a report by KrebsOnSecurity, the firm’s CEO claims the malicious activity stemmed from a security breach, possibly orchestrated by a rival seeking to damage the company’s reputation.

Discovery of the Exposed Archive

For years, security researchers observed powerful DDoS attacks originating from Brazil, aimed exclusively at Brazilian internet service providers (ISPs). The source of these digital assaults remained unclear until an anonymous source shared a file archive found in an open directory online. The archive contained Portuguese-language Python scripts—malicious tools for launching DDoS attacks—as well as the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that specializes in DDoS mitigation.

Source: krebsonsecurity.com

Huge Networks: From Game Server Protection to ISP Defense

Founded in Miami, Florida in 2014, Huge Networks operates primarily out of Brazil. The company started by protecting online game servers from DDoS attacks and later evolved into a provider of mitigation services for ISPs. Notably, it had no public history of abuse complaints or ties to known DDoS-for-hire services.

How the Botnet Was Built

Analysis of the exposed archive revealed that a threat actor based in Brazil had obtained root access to Huge Networks’ infrastructure. The attacker systematically scanned the internet for insecure routers and unmanaged Domain Name System (DNS) servers that could be used as amplifiers in attacks. By compromising these devices, the threat actor assembled a powerful botnet capable of launching large-scale DDoS campaigns.

The Mechanics of DNS Reflection Attacks

DNS translates human-readable domain names into IP addresses. In a properly configured environment, DNS servers should only respond to queries from within their trusted domain. However, so-called DNS reflection attacks exploit misconfigured servers that accept queries from anywhere. Attackers send spoofed requests that appear to come from the target’s network. When the DNS servers reply, they send responses to the spoofed address—overwhelming the victim with traffic.


Amplification Through DNS Protocol Extension

By leveraging an extension to the DNS protocol that allows for larger message sizes, attackers can dramatically increase the impact of reflection attacks. For instance, a small query of less than 100 bytes can trigger a response up to 60–70 times larger. This amplification effect is compounded when the botnet mobilizes tens of thousands of compromised devices to simultaneously query multiple DNS servers with spoofed requests.
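The reflection and amplification behaviour described in the two sections above can be checked from the resolver operator's side; the following is an added example, not code from the article or from the exposed archive. It audits a resolver query log for clients outside the networks the server is meant to serve and reports the response-to-query byte ratio for each. The log format, the trusted prefix, the thresholds and every address are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the prefixes this resolver is supposed to serve (documentation range).
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: client_ip qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
192.0.2.10 www.example.com A 44 60
192.0.2.11 mail.example.com MX 45 92
203.0.113.7 example.org TXT 64 4012
203.0.113.7 example.org TXT 64 4012
203.0.113.7 example.org TXT 64 4012
198.51.100.9 www.example.net A 44 60
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def audit(log_text, min_ratio=10.0, min_queries=3):
    """Return {client_ip: stats} for untrusted clients with a high byte ratio.

    In a reflection attack the logged client IP is spoofed, so a flagged
    address is the likely victim, not the sender of the queries.
    """
    stats = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not (fields[3].isdigit() and fields[4].isdigit()):
            continue  # skip malformed lines
        ip, q_bytes, r_bytes = fields[0], int(fields[3]), int(fields[4])
        if is_trusted(ip):
            continue  # answering trusted clients is the intended behaviour
        s = stats[ip]
        s["queries"] += 1
        s["q_bytes"] += q_bytes
        s["r_bytes"] += r_bytes
    flagged = {}
    for ip, s in stats.items():
        ratio = s["r_bytes"] / s["q_bytes"] if s["q_bytes"] else 0.0
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged[ip] = {**s, "ratio": round(ratio, 1)}
    return flagged

if __name__ == "__main__":
    for ip, s in audit(SAMPLE_LOG).items():
        print(f"{ip}: {s['queries']} queries, amplification x{s['ratio']}")
```

Any untrusted client appearing in the log at all means the server answers queries from outside its intended networks; the ratio threshold only ranks which of those answers carry the amplification the article describes.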

Implications and Ongoing Investigation

The revelation that a DDoS protection firm’s own systems were compromised and used to attack other ISPs raises serious questions about the security of mitigation providers. Huge Networks’ CEO has blamed the incident on a security breach, but the investigation continues. This case underscores the risk of third-party infrastructure being weaponized against the very community it was meant to protect.

Image: An Archer AX21 router from TP-Link, which represents the type of consumer device often abused in DDoS attacks.