The Curious Case of a DDoS Protector Turned Attacker: Q&A on the Brazilian ISP Attacks

In a startling revelation, a Brazilian company that claims to protect networks from distributed denial-of-service (DDoS) attacks was itself used to launch devastating attacks against other internet service providers in Brazil. The firm, Huge Networks, had its infrastructure compromised, leading to a botnet that targeted Brazilian ISPs for years. Here we answer key questions about the incident, based on findings from security researchers and the company's own statements.

What is Huge Networks and what is its business?

Founded in Miami, Florida in 2014 but operating primarily in Brazil, Huge Networks started by protecting game servers from DDoS attacks before evolving into a DDoS mitigation provider for internet service providers (ISPs). The company maintains a clean record with no known abuse complaints or involvement in DDoS-for-hire schemes. Despite its legitimate focus, a recent security incident turned the tables, making it an unwitting tool for the very attacks it aims to prevent.

Source: krebsonsecurity.com

How did researchers uncover the botnet activity linked to Huge Networks?

For years, security experts tracked a series of massive DDoS attacks originating from Brazil and targeting only Brazilian ISPs, but the source remained mysterious. The breakthrough came when a confidential source shared a file archive that was accidentally left exposed in an open online directory. Within this archive, researchers found malicious Python scripts in Portuguese, as well as private SSH authentication keys belonging to the CEO of Huge Networks. This evidence pointed directly to the company's infrastructure being used as a launchpad for the attacks.

What did the exposed archive reveal about the attackers' methods?

The archive demonstrated that a threat actor based in Brazil had maintained root-level access to Huge Networks' systems for an extended period. Using this access, the attacker built a powerful botnet by routinely scanning the internet for poorly secured routers and misconfigured domain name system (DNS) servers. These compromised devices were then enlisted to participate in DDoS attacks. The archive included private keys and tools, showing a sophisticated and persistent operation aimed at maximizing damage.

What specific technique did the attackers use to amplify their DDoS attacks?

The attackers leveraged a method known as DNS reflection and amplification. Normally, DNS servers resolve domain names to IP addresses. However, if a DNS server is configured to accept queries from anywhere—a security flaw—attackers can send spoofed requests that appear to come from the target's IP. The server then responds to that spoofed address, flooding it with traffic. By using an extension to the DNS protocol that allows large responses, attackers can craft a small query of under 100 bytes and trigger a response 60 to 70 times larger. Combined with thousands of compromised devices, this creates devastatingly powerful attacks.
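To make the numbers above concrete from the defender's side, here is an added example (not code from the article or from any of the parties it describes). It encodes a minimal DNS query carrying an EDNS0 OPT record, the protocol extension that advertises a large UDP payload size, to show how small such a query is on the wire, and then runs two checks over a constructed resolver log: which clients outside the operator's own prefixes are being served recursion at all (the open-resolver misconfiguration), and which of those exchanges show an amplification factor in the range the article cites. The allowed prefixes, log fields and every address in the sample are assumptions chosen from documentation address space.

```python
import ipaddress
import struct

# Assumed: the prefixes this resolver is meant to serve. A resolver that
# answers recursive queries from anywhere else is an open resolver.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample of what a resolver's query log might contain (not real data).
# Sizes are whole DNS messages in bytes, before IP/UDP headers.
SAMPLE_LOG = [
    {"client_ip": "10.1.2.3",     "qname": "intranet.example.", "qtype": "A",   "query_bytes": 45, "response_bytes": 120},
    {"client_ip": "203.0.113.7",  "qname": "example.com.",      "qtype": "ANY", "query_bytes": 40, "response_bytes": 2600},
    {"client_ip": "198.51.100.9", "qname": "example.org.",      "qtype": "A",   "query_bytes": 45, "response_bytes": 90},
    {"client_ip": "203.0.113.7",  "qname": "example.com.",      "qtype": "ANY", "query_bytes": 40, "response_bytes": 2800},
]


def build_edns_query(qname, qtype=255, udp_payload=4096, txid=0x1234):
    """Encode a minimal DNS query with an EDNS0 OPT record (RFC 6891).

    qtype 255 is ANY; udp_payload is the size the client claims it can receive.
    The point is only to measure the message: nothing here sends a packet.
    """
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    # Question section: length-prefixed labels, root terminator, QTYPE, QCLASS=IN
    labels = qname.strip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: empty name, TYPE=41, CLASS field carries the UDP payload size,
    # TTL field carries extended RCODE/version/flags (all zero), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def amplification_factor(query_bytes, response_bytes):
    """Bytes a reflector emits per byte the spoofed query cost the sender."""
    return response_bytes / query_bytes


def is_allowed_client(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def open_resolver_clients(records):
    """Clients outside ALLOWED_CLIENTS that were answered at all: the root misconfiguration."""
    return {r["client_ip"] for r in records if not is_allowed_client(r["client_ip"])}


def find_reflection_abuse(records, min_factor=10.0):
    """Exchanges with an outside client AND a large response-to-query ratio.

    Returns (client_ip, qname, factor). In a reflection attack the client_ip
    is the spoofed victim, which is why the notification target is the victim's
    network, not the 'client'.
    """
    flagged = []
    for r in records:
        factor = amplification_factor(r["query_bytes"], r["response_bytes"])
        if not is_allowed_client(r["client_ip"]) and factor >= min_factor:
            flagged.append((r["client_ip"], r["qname"], round(factor, 1)))
    return flagged


if __name__ == "__main__":
    q = build_edns_query("example.com")
    print(f"ANY query with EDNS0 OPT: {len(q)} bytes")
    print("open-resolver clients:", sorted(open_resolver_clients(SAMPLE_LOG)))
    for hit in find_reflection_abuse(SAMPLE_LOG):
        print("amplified reflection:", hit)
```

The two checks are deliberately separate: the 198.51.100.9 entry never crosses the amplification threshold, yet it is still proof that recursion is open to the world, and closing that (restricting recursion to your own prefixes, and rate-limiting responses) is the fix; the amplification factor is only the measure of how much damage the misconfiguration lets someone do with a forty-byte spoofed query.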

What did the CEO of Huge Networks say about the incident?

The company's chief executive acknowledged the security breach, stating that the malicious activity was likely the work of a competitor trying to damage Huge Networks' reputation. He emphasized that the firm itself was a victim, not an aggressor. The CEO's claim is supported by the presence of his private SSH keys in the exposed archive, suggesting an intrusion rather than intentional wrongdoing. However, the incident raises questions about the security practices of DDoS mitigation firms.

Who is believed to be behind the attacks and why?

While a specific individual or group has not been publicly identified, the evidence points to a Brazil-based threat actor. The motive, according to the CEO, involves a competitor attempting to tarnish Huge Networks' public image. The fact that only Brazilian ISPs were targeted further suggests a local conflict. The attacker used Portuguese-language scripts and had deep knowledge of the local networking landscape, reinforcing the theory of a domestic rivalry in the competitive Brazilian ISP market.

What are the broader implications for internet security in Brazil?

This case highlights a dangerous paradox: a company designed to stop DDoS attacks can become an unwitting accomplice. It underscores the need for robust internal security at mitigation firms, as their infrastructure is a high-value target. For Brazilian ISPs, the attacks demonstrate that even with growing DDoS protection services, threats can come from unexpected sources. It also shows how vulnerable devices—like unsecured routers and DNS servers—are continuously exploited. The incident serves as a reminder that security is only as strong as the weakest link in the chain.
