Exclusive: Brazilian DDoS Mitigation Firm’s Systems Used to Power Attacks on Rival ISPs – CEO Blames Breach


URGENT — A Brazilian company specializing in distributed denial-of-service (DDoS) protection has been secretly weaponized to launch a sustained wave of massive cyberattacks against other internet service providers (ISPs) across Brazil, according to documents obtained by KrebsOnSecurity. The firm's CEO acknowledged the incident, attributing it to a security breach and suggesting a competitor orchestrated the campaign to damage the company's reputation.

Massive Attacks Traced to Compromised Infrastructure

For years, security researchers have observed a series of unusually powerful DDoS attacks originating from Brazil, exclusively targeting local ISPs. The source of these digital sieges remained a mystery until a trusted source, who asked to remain anonymous, provided KrebsOnSecurity with a file archive exposed in an open directory online.

Source: krebsonsecurity.com

The archive contained several Portuguese-language malicious scripts written in Python, along with the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS mitigation services to other network operators. “This was not an inside job; our systems were breached,” the CEO stated in an exclusive interview. “A competitor is trying to tarnish our image.”

Botnet Built on Insecure Devices

Evidence shows that the threat actor maintained root access to Huge Networks’ infrastructure for an extended period. Using that access, the attacker mass-scanned the internet for vulnerable routers and unmanaged DNS servers, building a powerful botnet capable of launching amplified reflection attacks.

DNS reflection attacks work by sending queries with a spoofed source address (the target's) to misconfigured DNS servers that accept requests from anywhere. When those servers respond, the data is sent to the target, not the attacker. By combining reflection with DNS amplification, where a small query triggers a large response, attackers can multiply their bandwidth many times over.

Example of DNS Amplification

A single query of less than 100 bytes can generate a response 60 to 70 times larger. When thousands of compromised devices and open DNS servers are used simultaneously, the resulting attack can overwhelm any unprepared network.
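For operators who want to know whether their own resolver is being used as a reflector, the size ratio described above is something that can be measured. The following is an added example, not code from the article or from the exposed archive. The log format, the sample records and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records (not data from the article). Hypothetical format,
# one answered query per line: <source IP> <qtype> <query bytes> <response bytes>
SAMPLE_LOG = """\
192.0.2.10 A 60 120
192.0.2.10 AAAA 60 150
192.0.2.10 MX 62 180
198.51.100.7 ANY 64 4200
198.51.100.7 ANY 64 4160
198.51.100.7 TXT 64 4096
198.51.100.7 ANY 64 4224
203.0.113.5 ANY 64 4100
corrupted line
"""

def amplification_by_source(log_text):
    """Return {source: (query count, bytes out / bytes in)} per claimed source."""
    totals = defaultdict(lambda: [0, 0, 0])  # queries, query bytes, response bytes
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # skip malformed records instead of aborting the run
        src, q_bytes, r_bytes = parts[0], int(parts[2]), int(parts[3])
        if q_bytes == 0:
            continue  # a zero-length query cannot yield a meaningful ratio
        entry = totals[src]
        entry[0] += 1
        entry[1] += q_bytes
        entry[2] += r_bytes
    return {src: (n, out / inn) for src, (n, inn, out) in totals.items()}

def likely_reflection_targets(log_text, min_queries=3, min_factor=20.0):
    """Sources that repeatedly draw responses far larger than their queries.

    With spoofed traffic the "source" is the victim, so a flagged address is a
    candidate for rate limiting on the resolver, not evidence of who attacked.
    The default thresholds are assumptions; tune them against normal traffic.
    """
    stats = amplification_by_source(log_text)
    return {src: round(factor, 1) for src, (n, factor) in stats.items()
            if n >= min_queries and factor >= min_factor}

if __name__ == "__main__":
    for src, factor in likely_reflection_targets(SAMPLE_LOG).items():
        print(f"{src}: responses are {factor}x the size of the queries")
```

The single high-ratio record from 203.0.113.5 is deliberately not flagged: one large answer is normal, a sustained pattern toward one address is the signal.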

Background: Huge Networks’ Rise and Fall

Founded in Miami in 2014, Huge Networks is primarily operated from Brazil. The company started by protecting game servers from DDoS attacks and later evolved into an ISP-focused mitigation provider. Until this incident, it had no public abuse complaints or known connections to DDoS-for-hire services.


The exposed archive, however, indicates that a Brazilian threat actor retained root privileges on Huge Networks’ equipment. Security experts say the attacker likely used the firm’s own scanning tools to locate and enlist insecure devices, turning the mitigation company into an attack launchpad.

What This Means

This incident undermines trust in companies that claim to defend against DDoS attacks. If a security firm itself can be compromised and used to attack others, customers must demand greater transparency and stronger internal safeguards.

For Brazilian ISPs, the news confirms that the recent wave of attacks was not random but orchestrated through a compromised defense provider. The breach also highlights the persistent danger of misconfigured DNS servers and unsecured routers, which remain easy targets for botnet builders.

The CEO has stated that Huge Networks is cooperating with law enforcement and has patched the vulnerabilities that allowed the breach. However, the full damage — both to the company’s reputation and the targeted networks — is yet to be assessed.

Key Takeaways

  • A DDoS mitigation firm’s infrastructure was used to launch attacks on other ISPs
  • Private SSH keys of the CEO were found in an exposed archive
  • The botnet exploited insecure routers and open DNS servers via amplification techniques
  • CEO claims a security breach and competitor sabotage

This story is developing. Check back for updates.
