
Inside the Breach: How a Brazilian DDoS Mitigation Firm Unwittingly Powered Attacks on Local ISPs

Last updated: 2026-05-13 23:16:08 · Cybersecurity

Introduction

A Brazilian technology company specialising in distributed denial-of-service (DDoS) protection found itself at the centre of a cyber controversy when security researchers uncovered evidence that its own systems were used to orchestrate a prolonged assault on other network operators in the country. The firm’s chief executive officer attributed the incident to a security breach, suggesting a rival may have engineered the attack to damage the company’s reputation.

Inside the Breach: How a Brazilian DDoS Mitigation Firm Unwittingly Powered Attacks on Local ISPs
Source: krebsonsecurity.com

For several years, experts tracked a sustained wave of massive DDoS attacks originating from Brazil and targeting only Brazilian internet service providers (ISPs). The identity of the culprits remained unclear until a confidential source provided KrebsOnSecurity with a suspicious file archive discovered in an open directory online.

The Exposed Archive and Its Secrets

Within the archive were multiple malicious programs written in Python, all in Portuguese, alongside private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that markets DDoS mitigation services predominantly to other Brazilian network operators. Founded in 2014 and headquartered in Miami, Florida, Huge Networks originally focused on protecting gaming servers and later transitioned to providing DDoS protection for ISPs. Notably, the company had no public history of abuse complaints or known ties to DDoS-for-hire services.

SSH Keys and CEO Credentials

The exposed SSH keys granted root-level access to Huge Networks’ infrastructure. The threat actor behind the archive exploited this access to construct a formidable botnet by systematically scanning the internet for poorly secured routers and unmanaged domain name system (DNS) servers that could be co-opted for attacks.

The Botnet’s Building Blocks

The Python-based malware in the archive functioned as a command-and-control tool for the botnet. By compromising thousands of devices—including home routers and vulnerable DNS resolvers—the attacker could launch powerful DNS reflection and amplification attacks against Brazilian ISPs.


How DNS Amplification Works

DNS (Domain Name System) is the internet’s phonebook, translating human-friendly domain names into machine-readable IP addresses. A recursive DNS resolver should answer queries only from the clients on the network it serves. A misconfigured resolver that accepts queries from anywhere on the internet (an "open resolver") becomes a weapon when attackers send it requests whose source address is forged to look like the victim’s network; because DNS normally runs over UDP, which does not verify the sender’s address, the resolver delivers its large response to the spoofed address, and the victim receives traffic it never requested.

Attackers amplify this effect using the DNS protocol’s extension mechanism (EDNS0), which allows responses far larger than the classic 512-byte limit. A query of less than 100 bytes can trigger a reply 60 to 70 times larger. When thousands of compromised devices send such spoofed queries simultaneously to many open resolvers, the combined flood can overwhelm any target.
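The detection side of the pattern just described, as an added example that is not part of the KrebsOnSecurity report or Huge Networks’ own tooling: a small Python script that reads resolver log lines, identifies queries answered for clients outside the network the resolver is meant to serve (the open-resolver misconfiguration), and computes the response/request size ratio per client so that high-gain reflection traffic stands out. The log format, the trusted prefix 10.20.0.0/16, the sample lines and the 10x threshold are all constructed for the example; adapt the regular expression to whatever your resolver actually emits.

```python
"""Flag open-resolver use and DNS amplification in resolver logs (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article). Each line records the
# client that sent a query, the name and type queried, the EDNS buffer size the
# client advertised, and the request/response sizes in bytes.
SAMPLE_LOG = """\
2026-05-13T10:00:01Z client=10.20.0.5 qname=www.example.net qtype=A edns=1232 req=54 resp=70
2026-05-13T10:00:02Z client=203.0.113.9 qname=example.org qtype=ANY edns=4096 req=58 resp=3410
2026-05-13T10:00:02Z client=203.0.113.9 qname=example.org qtype=ANY edns=4096 req=58 resp=3410
2026-05-13T10:00:03Z client=198.51.100.77 qname=example.org qtype=TXT edns=4096 req=52 resp=2980
2026-05-13T10:00:04Z client=10.20.0.8 qname=mail.example.net qtype=MX edns=1232 req=56 resp=112
"""

# Assumption: the resolver is meant to serve only this prefix (hypothetical value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"edns=(?P<edns>\d+) req=(?P<req>\d+) resp=(?P<resp>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("edns", "req", "resp"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def amplification(rec):
    """Bytes sent back per byte received: the reflection gain of one query."""
    return rec["resp"] / rec["req"] if rec["req"] else 0.0


def is_trusted(client, trusted_nets=TRUSTED_NETS):
    """True if the client address falls inside a prefix the resolver should serve."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_reflection_abuse(records, trusted_nets=TRUSTED_NETS, min_ratio=10.0):
    """Summarise queries the resolver answered for clients outside the trusted prefix.

    Any such query shows the resolver is open to the internet. A client whose
    queries carry large EDNS buffers and return many times more bytes than they
    cost (ANY/TXT lookups here) fits the reflection pattern; since the source
    address is spoofed, that 'client' is really the victim receiving the replies.
    """
    stats = defaultdict(lambda: {"queries": 0, "bytes_out": 0, "max_ratio": 0.0,
                                 "qtypes": set(), "reflection": False})
    for rec in records:
        if is_trusted(rec["client"], trusted_nets):
            continue  # legitimate client of this resolver
        s = stats[rec["client"]]
        s["queries"] += 1
        s["bytes_out"] += rec["resp"]
        s["max_ratio"] = max(s["max_ratio"], amplification(rec))
        s["qtypes"].add(rec["qtype"])
        if s["max_ratio"] >= min_ratio:
            s["reflection"] = True
    return dict(stats)


if __name__ == "__main__":
    for client, s in find_reflection_abuse(parse_log(SAMPLE_LOG)).items():
        kind = "REFLECTION" if s["reflection"] else "open-resolver"
        print(f"{kind:14} {client:16} queries={s['queries']} bytes_out={s['bytes_out']} "
              f"max_ratio={s['max_ratio']:.1f} qtypes={sorted(s['qtypes'])}")
```

Two findings come out of the sample: both external addresses were answered at all (the resolver is open), and both received responses around 57 to 59 times the size of the request, the same order of magnitude the article cites. The fix is configuration rather than detection: restrict recursion to the trusted prefixes, rate-limit responses, and make sure the upstream network drops packets with spoofed source addresses.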

The Company’s Response and Implications

Huge Networks’ CEO claimed the malicious activity arose from a security breach orchestrated by a competitor seeking to tarnish the company’s image. While investigations continue, the incident underscores the paradox of a DDoS mitigation firm inadvertently becoming a source of attacks. The case shows that even companies whose business is defending others must secure their own internal infrastructure, and that a single set of compromised credentials can undermine the trust their customers place in them.