Unmasking the Botnet: How a Brazilian DDoS Protection Firm Became the Attacker

For years, Brazilian ISPs have been hit by relentless DDoS attacks originating from within the country. A recent investigation has revealed that the infrastructure of a Miami-based DDoS protection company, Huge Networks, was secretly used to fuel these attacks. The CEO claims a security breach caused by a rival. Below, we answer key questions about this shocking turn of events.

What exactly did the investigation uncover about the source of the DDoS attacks?

Security researchers had long observed massive DDoS attacks targeting Brazilian ISPs, but the origin remained unclear. Earlier this month, a trusted source shared an exposed archive found in an open online directory. That archive contained Portuguese-language malicious Python scripts and, critically, the private SSH authentication keys belonging to the CEO of Huge Networks. Further analysis showed that a threat actor had maintained root access to Huge Networks’ infrastructure for an extended period. Using this access, the attacker built a powerful botnet by scanning the internet for insecure routers and misconfigured DNS servers, then recruited them into the attack campaign.

Source: krebsonsecurity.com

Who is Huge Networks and why were they a target?

Huge Networks was founded in Miami in 2014, but its operations center on Brazil. Originally started to protect game servers from DDoS attacks, the company evolved into a dedicated DDoS mitigation provider for Brazilian ISPs. Before this incident, Huge Networks had no public abuse complaints and was not linked to any DDoS-for-hire services. Its clean reputation made the discovery especially alarming. The CEO suspects that a competitor orchestrated the breach specifically to tarnish the company’s public image and undermine its business. This would explain why the botnet was used to attack other ISPs while routing through Huge Networks’ own equipment.

How did the attacker gain root access to Huge Networks' systems?

The exposed archive provided clear evidence: the attacker obtained the CEO’s private SSH keys. How the keys were stolen remains under investigation, but once acquired, the attacker could log into Huge Networks’ servers with full administrative privileges. From there, they deployed Python-based malware that automated the scanning of vulnerable devices across the internet. The attacker specifically looked for unmanaged routers and open DNS resolvers – devices that are easily compromised due to default passwords, outdated firmware, or misconfiguration. By combining root access to a DDoS protection firm with a network of hijacked devices, the attacker created a botnet capable of launching devastating attacks.

What role did insecure routers and DNS servers play in the botnet?

The botnet relied on two key types of insecure devices. First, consumer and small-business routers with weak security – often using default admin credentials or unpatched vulnerabilities – were remotely compromised and turned into bots. Second, the attacker abused open DNS resolvers: servers configured to accept queries from any internet user. These are normally meant for internal networks, but when left open, they can be exploited for reflection attacks. The malware scanned for both types of devices, added them to the botnet, and used them as amplification nodes. As explained in the next question, this combination allowed the attacker to multiply attack traffic dramatically.


Can you explain how a DNS amplification attack works and why it’s so dangerous?

A DNS amplification attack is a type of reflection attack that exploits misconfigured DNS servers. The attacker sends a small query (e.g., 100 bytes) to an open resolver, spoofing the source IP address to make it appear as if the target network sent the request. The server then sends a much larger response (up to 70 times bigger) to the spoofed address. By using many compromised routers and servers simultaneously, an attacker can multiply the traffic volume enormously. In this campaign, the botmaster used thousands of such devices, generating floods that overwhelmed Brazilian ISPs. The amplification effect is especially powerful when combined with the DNS extension that allows responses up to 4KB – turning a tiny query into a massive weapon.
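The traffic pattern described above is visible from the resolver's side: a spoofed victim address appears again and again as the "client", sending small queries and receiving answers near the EDNS limit. The following added example (not from the original article or from Huge Networks) shows the kind of monitoring the lessons section calls for, run over a constructed resolver log whose field layout is an assumption; it aggregates bytes per client and flags addresses whose amplification ratio and query count look like reflected attack traffic.

```python
"""Flag DNS amplification abuse in a resolver query log (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log, one line per query:
#   time  client_ip  qtype  edns_bufsize  request_bytes  response_bytes
# In a reflection attack the "client" field holds the spoofed victim address,
# so one address repeats with ~100-byte queries and ~4 KB answers.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 ANY 4096 100 3900
10:00:01 203.0.113.5 ANY 4096 100 3900
10:00:02 203.0.113.5 ANY 4096 100 3900
10:00:02 203.0.113.5 ANY 4096 100 3900
10:00:03 203.0.113.5 ANY 4096 100 3900
10:00:03 192.0.2.10 A 1232 60 120
10:00:04 192.0.2.11 AAAA 1232 60 140
"""


@dataclass
class ClientStats:
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received; ~1-3 is normal, tens is reflection."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate request/response volume per client address."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, _bufsize, req, resp = line.split()
        s = stats[client]
        s.queries += 1
        s.req_bytes += int(req)
        s.resp_bytes += int(resp)
    return stats


def suspected_victims(stats: dict, min_queries: int = 5,
                      min_amplification: float = 10.0) -> list:
    """Clients receiving many heavily amplified answers: likely spoofed targets."""
    return sorted(c for c, s in stats.items()
                  if s.queries >= min_queries and s.amplification >= min_amplification)
```

Thresholds are assumptions to tune per resolver; a hit is a reason to rate-limit responses toward that address and to close the resolver to outside queries.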

What was the CEO’s response, and what does he believe happened?

In a statement, the CEO of Huge Networks acknowledged the breach and insisted that his company was a victim, not a perpetrator. He claimed that a competitor likely orchestrated the attack to ruin Huge Networks’ reputation. The CEO stated that the malicious activity stopped as soon as the company detected the unauthorized access, and that they have since implemented stronger security measures. However, critics note that the breach went undetected for years, raising questions about internal oversight. Regardless of intent, the incident demonstrates that even a DDoS protection firm can be turned into a source of attacks if its defenses are compromised.

What lessons should network operators take away from this case?

This case highlights several critical lessons. First, protecting privileged credentials is paramount – SSH keys and administrative passwords must be rotated regularly and stored securely. Second, organizations should assume they will be breached and implement monitoring to detect anomalies early. Third, the widespread existence of insecure routers and open DNS resolvers remains a major threat. ISPs and home users should change default passwords, apply firmware updates, and restrict DNS services to internal use. Finally, even trusted vendors can be compromised; the DDoS protection industry itself must hold its members to the highest security standards. The full investigation serves as a reminder that the line between defender and attacker can blur when security fundamentals are neglected.
