A Brazilian cybersecurity firm that provides DDoS protection services has been implicated in operating a botnet responsible for extensive distributed denial-of-service (DDoS) attacks against Brazilian internet service providers (ISPs), according to KrebsOnSecurity.

The firm, Huge Networks, denies involvement, stating that the malicious activity stemmed from a security breach and may have been orchestrated by a competitor seeking to tarnish its reputation.

Exposed Archive Reveals Botnet Operations

For years, security researchers observed a series of large-scale DDoS attacks originating from Brazil and targeting only Brazilian ISPs. The source of these attacks remained unclear until an anonymous tipster shared a file archive exposed in an open directory online.

The archive contained Portuguese-language malicious Python scripts and private SSH authentication keys belonging to the CEO of Huge Networks, a Miami-based ISP founded in 2014 with operations primarily in Brazil. Originally focused on protecting game servers from DDoS attacks, Huge Networks expanded into providing DDoS mitigation services to Brazilian network operators.

How the Botnet Was Built

The exposed files revealed that a Brazil-based threat actor gained root access to Huge Networks’ infrastructure and constructed a powerful DDoS botnet. The botnet was assembled by scanning the internet for insecure devices, including TP-Link Archer AX21 routers vulnerable to CVE-2023-1389.

Attackers exploited misconfigured DNS servers to amplify attack traffic. In DNS reflection attacks, threat actors send spoofed DNS queries to servers configured to accept requests from any source. These servers then respond to the targeted victim’s address, significantly increasing the attack’s volume. The amplification effect is further enhanced by the DNS protocol’s extension for large messages, allowing attackers to turn small queries (under 100 bytes) into responses 60-70 times larger.
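The reflection pattern described above leaves a recognisable signature on the victim side: many distinct resolvers (UDP source port 53) all sending large responses to a single destination that never sent queries of comparable size. The following Python detector is an added example, not code from KrebsOnSecurity's reporting or from Huge Networks, and runs over constructed flow records embedded inline. It assumes a simple flow-export line format (`src_ip,src_port,dst_ip,dst_port,proto,bytes,packets`) and, to estimate the amplification factor, a typical query size of 64 bytes; both are assumptions, and the sample addresses are documentation ranges, not real hosts. The large-message extension the article refers to is EDNS0, which is what lets a UDP response exceed the classic 512-byte limit.

```python
"""Flag DNS reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


@dataclass
class ReflectionAlert:
    victim: str
    reflectors: int            # distinct resolvers sending to the victim
    avg_response_bytes: float  # average UDP/53 payload per packet
    est_amplification: float   # avg response / assumed query size
    total_bytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse 'src_ip,src_port,dst_ip,dst_port,proto,bytes,packets' lines (assumed format)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src_ip, src_port, dst_ip, dst_port, proto, nbytes, packets = line.split(",")
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.lower(), int(nbytes), int(packets)))
    return flows


def amplification_factor(query_bytes: int, response_bytes: float) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def detect_dns_reflection(flows: List[Flow], min_reflectors: int = 10,
                          min_avg_response: int = 1000,
                          assumed_query_bytes: int = 64) -> List[ReflectionAlert]:
    """Group UDP source-port-53 traffic by destination and flag reflection victims.

    A host receiving large DNS answers from many distinct resolvers at once is the
    receiving end of a reflection attack; ordinary clients talk to one or two resolvers
    and get answers of a few hundred bytes.
    """
    per_victim: Dict[str, dict] = defaultdict(lambda: {"srcs": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != 53:   # only UDP answers reflect
            continue
        stats = per_victim[f.dst_ip]
        stats["srcs"].add(f.src_ip)
        stats["bytes"] += f.nbytes
        stats["packets"] += f.packets

    alerts = []
    for victim, stats in per_victim.items():
        avg = stats["bytes"] / stats["packets"]
        if len(stats["srcs"]) >= min_reflectors and avg >= min_avg_response:
            alerts.append(ReflectionAlert(
                victim, len(stats["srcs"]), avg,
                amplification_factor(assumed_query_bytes, avg), stats["bytes"]))
    return alerts


def build_sample() -> str:
    """Constructed flow records: one reflection victim plus benign DNS traffic."""
    lines = ["# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets"]
    # 30 distinct open resolvers (constructed 203.0.113.0/24 addresses), each sending
    # ten 3000-byte UDP answers to the constructed victim 198.51.100.5
    for i in range(30):
        lines.append(f"203.0.113.{i + 1},53,198.51.100.5,3074,udp,{3000 * 10},10")
    # Benign: a normal 120-byte answer from one client's own resolver
    lines.append("192.0.2.53,53,198.51.100.77,51234,udp,120,1")
    # TCP on port 53 (e.g. a zone transfer) carries no spoofed source and is ignored
    lines.append("192.0.2.53,53,198.51.100.77,51235,tcp,5000,4")
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    for alert in detect_dns_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert.victim}: {alert.reflectors} reflectors, "
              f"avg {alert.avg_response_bytes:.0f} B/pkt, "
              f"~{alert.est_amplification:.0f}x amplification, "
              f"{alert.total_bytes} bytes total")
```

On a real flow collector the thresholds would be tuned to the network's baseline, but the two signals used here, distinct-resolver count and average answer size, are the ones that separate reflected traffic from a client's ordinary lookups. The same aggregation, run on the resolver side, also shows an operator which of their own servers are answering for arbitrary sources and should have recursion restricted.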

By coordinating tens of thousands of compromised devices, the botnet could launch devastating attacks, overwhelming targeted ISPs with massive traffic volumes.

Huge Networks’ Response

Huge Networks’ CEO acknowledged the breach but attributed the botnet activity to a competitor’s attempt to frame the company. The firm stated that it does not appear in public abuse complaints and has no known ties to DDoS-for-hire services.

The incident highlights the risks of insider threats and the importance of securing network infrastructure against unauthorized access.