
Botnet Abusing Compromised Anti-DDoS Firm Targets Brazilian ISPs

Posted by u/Fonarow · 2026-05-21 10:02:42

A recent security incident has revealed that an anti-DDoS company in Brazil was unknowingly leveraged by attackers to launch sustained, massive DDoS attacks against other internet service providers (ISPs) in the country. The firm's CEO claims the malicious activities stem from a security breach, possibly orchestrated by a competitor aiming to damage his company's reputation. Here are the key questions and answers about this complex cyberattack campaign.

1. What did a security breach reveal about a Brazilian anti-DDoS firm?

A trusted source discovered an exposed online directory containing Portuguese-language malicious Python scripts and the private SSH authentication keys of the CEO of Huge Networks, a Brazilian ISP that specializes in DDoS protection. The archive showed that a Brazil-based threat actor had maintained root access to Huge Networks' infrastructure for an extended period. Using this compromised infrastructure, the attacker built a powerful botnet by scanning the internet for insecure routers and misconfigured DNS servers. The CEO asserts that the breach was likely a deliberate attack by a rival company seeking to tarnish Huge Networks' image, though no concrete evidence has been presented to support this claim.

Botnet Abusing Compromised Anti-DDoS Firm Targets Brazilian ISPs
Source: krebsonsecurity.com

2. How did the attackers build such a powerful botnet?

The threat actor routinely mass-scanned the internet for two types of vulnerable devices: insecure routers (like the TP-Link Archer AX21) and unmanaged Domain Name System (DNS) servers that accept queries from anywhere. By compromising thousands of these devices, they created a distributed network of bots. The botnet then used these devices to send spoofed queries to open DNS resolvers, making the requests appear to come from the target ISP. This approach allowed the attackers to amplify the attack traffic significantly, as each query could generate a response many times larger than the request itself.

3. What role did DNS reflection and amplification play?

DNS reflection attacks rely on DNS servers configured to respond to queries from any source. Attackers can spoof the IP address of the victim, so the DNS server sends its response to the target instead of the attacker. By using an extension to the DNS protocol that allows large messages, the attacker can craft a tiny query (under 100 bytes) that triggers a response 60–70 times larger. When tens of thousands of compromised devices simultaneously send such spoofed queries to many open DNS resolvers, the combined traffic can overwhelm even robust network infrastructure. This amplification effect was central to the campaign's effectiveness, enabling the botnet to generate massive DDoS floods.
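The reflection pattern described in questions 2 and 3 is visible from the resolver's side: a flood of tiny queries that all appear to come from one address (the spoofed victim) and that each draw a response tens of times larger. The following is an added example, not code from the post or from Huge Networks, that flags that pattern in per-query records of a recursive resolver; the record layout, field names and thresholds are assumptions, and the sample data is constructed.

```python
# Added example: flag DNS reflection/amplification abuse from a resolver's own
# per-query records. Field names (client, qname, qtype, edns, qbytes, rbytes)
# are an assumed layout, not a real log format; all values are constructed.
from collections import defaultdict

# Constructed sample: one spoofed "client" (the real victim) sending 40 small
# EDNS queries whose answers are ~60x larger, plus two ordinary lookups.
SAMPLE_RECORDS = [
    {"client": "203.0.113.10", "qname": "example.com", "qtype": "ANY",
     "edns": 4096, "qbytes": 64, "rbytes": 3900}
    for _ in range(40)
] + [
    {"client": "198.51.100.7", "qname": "www.example.org", "qtype": "A",
     "edns": 1232, "qbytes": 58, "rbytes": 74},
    {"client": "198.51.100.8", "qname": "mail.example.net", "qtype": "MX",
     "edns": 1232, "qbytes": 61, "rbytes": 120},
]


def summarize(records):
    """Aggregate per client: query count, bytes in/out, amplification ratio."""
    agg = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "big_edns": 0})
    for r in records:
        a = agg[r["client"]]
        a["queries"] += 1
        a["qbytes"] += r["qbytes"]
        a["rbytes"] += r["rbytes"]
        if r["edns"] >= 4096:          # large advertised EDNS buffer
            a["big_edns"] += 1
    for a in agg.values():
        a["amp"] = a["rbytes"] / max(a["qbytes"], 1)  # guard against zero
    return agg


def suspected_reflection(records, min_queries=20, min_amp=20.0):
    """Clients whose traffic looks like a reflection flood: many queries and a
    response/query byte ratio far above normal. On an open resolver the
    'client' is usually the spoofed victim, so the remedy is to restrict
    recursion and rate-limit responses, not to block that address."""
    return sorted(c for c, a in summarize(records).items()
                  if a["queries"] >= min_queries and a["amp"] >= min_amp)


if __name__ == "__main__":
    for client, a in summarize(SAMPLE_RECORDS).items():
        print(f"{client}: {a['queries']} queries, amp x{a['amp']:.1f}, "
              f"edns>=4096: {a['big_edns']}")
    print("suspected reflection targets:", suspected_reflection(SAMPLE_RECORDS))
```

The constructed flood reaches an amplification of about 61x, in the 60 to 70x range the post describes, while the ordinary lookups stay below 2x.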

4. Why did the CEO blame a competitor?

The CEO of Huge Networks contended that the breach was the work of a rival company trying to besmirch his firm's public reputation. He argued that the malicious archive was deliberately leaked to cast suspicion on Huge Networks, which otherwise had no history of abuse complaints or involvement in DDoS-for-hire services. However, cybersecurity experts note that the exposed SSH keys and Python scripts point to an actual intrusion, not a staged event. The competitor theory remains unsubstantiated, and investigators are still analyzing the origin of the breach. The incident underscores how even security-focused companies can become unwitting tools in cyberattacks.


5. What makes Huge Networks' involvement surprising?

Founded in Miami in 2014 but operating primarily in Brazil, Huge Networks started by protecting game servers from DDoS attacks before evolving into an ISP-focused mitigation provider. The company had a clean record—no public abuse complaints and no ties to known booter services. Therefore, the discovery that its CEO's SSH credentials were used to build a botnet that attacked other Brazilian ISPs was highly unexpected. The firm's core business is preventing exactly the type of attack it was allegedly facilitating. This irony, combined with the stealth of the intrusion, made the case particularly striking for the security community.

6. How did the exposed archive help investigators?

An anonymous source shared a file archive that had been left in an open directory online. Inside, researchers found Portuguese-language malicious Python scripts along with the private SSH keys. These keys provided root-level access to Huge Networks' infrastructure, which the attacker used to manage the botnet. The archive also contained configuration files and logs that revealed the scale of the scanning and attack operations. By analyzing this data, security analysts could trace the botnet's infrastructure back to the compromised Huge Networks systems. The exposure was a crucial break in understanding who was behind the years-long DDoS campaign targeting Brazilian ISPs.

7. What is the broader impact on Brazilian ISPs?

For several years, Brazilian internet service providers suffered repeated massive DDoS attacks that disrupted service for thousands of customers. The attacks were uniquely targeted at Brazilian networks and appeared to originate from within the country. This incident finally shed light on the source: a botnet built from compromised routers and DNS servers, orchestrated via Huge Networks' breached infrastructure. While the attacks have likely subsided after the exposure, the event highlights the vulnerability of even anti-DDoS companies to cyber intrusions. It also underscores the need for ISPs to harden edge devices and for DNS operators to properly configure resolvers to prevent abuse.