DDoS Protection Firm Accused of Fueling Attacks on Brazilian ISPs

From Touriddu, the free encyclopedia of technology

The Shocking Revelation Behind Brazilian ISP Attacks

For years, cybersecurity experts have been puzzled by a series of massive distributed denial-of-service (DDoS) attacks targeting Brazilian internet service providers (ISPs). The attacks, originating from within Brazil, seemed to be part of a coordinated campaign. Now, a startling discovery has shed light on the source: a Brazilian tech company that specializes in protecting networks from DDoS attacks may have been unknowingly powering the very botnet behind these assaults. The company’s CEO claims the malicious activity stemmed from a security breach, possibly orchestrated by a rival seeking to damage the firm’s reputation.

DDoS Protection Firm Accused of Fueling Attacks on Brazilian ISPs
Source: krebsonsecurity.com

The Discovery of the Malicious Archive

The breakthrough came earlier this month when a confidential source shared a curious file archive found exposed in an open directory online. This archive contained Portuguese-language Python scripts designed for malicious purposes, along with a cache of private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS protection to other network operators in the country.

Contents of the Exposed Archive

The archive revealed a sophisticated toolkit used by a Brazil-based threat actor. The Python malware was written specifically to exploit vulnerabilities and maintain persistent access. More critically, the SSH keys granted root-level access to Huge Networks’ infrastructure. This access was leveraged to build a powerful botnet by mass-scanning the internet for insecure routers and misconfigured domain name system (DNS) servers. These compromised devices were then used to launch amplified DDoS attacks against other Brazilian ISPs.

Huge Networks: A History of DDoS Protection

Founded in Miami, Florida in 2014, Huge Networks focuses its operations in Brazil. The company originally emerged from the gaming industry, protecting game servers from DDoS attacks, before evolving into an ISP-focused mitigation provider. Despite its involvement in the recent revelations, Huge Networks has no public record of abuse complaints and is not linked to any known DDoS-for-hire services. The CEO maintains that the company is a victim, not a perpetrator.

The Botnet's Modus Operandi

The threat actor behind the attacks built the botnet by exploiting two key weaknesses: insecure internet routers and unmanaged DNS servers. Routers with default credentials or unpatched vulnerabilities were easily compromised and enlisted into the botnet. DNS servers that were misconfigured to accept queries from any source became powerful weapons in what are known as DNS reflection attacks.


Understanding DNS Amplification

DNS reflection attacks take advantage of the protocol's design. When a DNS server is open to the world, an attacker can send a spoofed query that appears to come from the target’s IP address. The server then responds to that target, flooding it with traffic. By using the EDNS0 extension (which allows large DNS messages), attackers can amplify the response size dramatically. A query of less than 100 bytes can trigger a response 60 to 70 times larger. When tens of thousands of compromised devices send such queries simultaneously, the cumulative effect can overwhelm even large networks.
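The operator of an open resolver can spot this abuse from the server's own logs: one "client" address receiving many large EDNS0 ANY replies at a reply-to-query byte ratio in the range described above. The following is an added example, not code from the article or from Huge Networks; it assumes a constructed, simplified log format (not any real server's), and its thresholds are illustrative.

```python
"""Spot DNS-reflection abuse of a resolver in its query log (added example)."""
import re
from collections import defaultdict

# Constructed, simplified log format (not any real server's), one answered query per line:
#   client <ip>#<port> qname=<name> qtype=<type> edns=<0|1> qsize=<bytes> rsize=<bytes>
LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)"
    r" edns=(?P<edns>[01]) qsize=(?P<qsize>\d+) rsize=(?P<rsize>\d+)$"
)

# Constructed sample: 203.0.113.5 is the spoofed "client" receiving large ANY replies;
# 198.51.100.7 is ordinary lookup traffic.
SAMPLE_LOG = """\
client 203.0.113.5#53 qname=example.com qtype=ANY edns=1 qsize=60 rsize=3900
client 198.51.100.7#41022 qname=www.example.org qtype=A edns=1 qsize=58 rsize=94
client 203.0.113.5#53 qname=example.com qtype=ANY edns=1 qsize=60 rsize=3900
client 203.0.113.5#53 qname=example.com qtype=ANY edns=1 qsize=60 rsize=4000
client 198.51.100.7#41023 qname=mail.example.org qtype=MX edns=0 qsize=61 rsize=140
client 203.0.113.5#53 qname=example.com qtype=ANY edns=1 qsize=60 rsize=3900
"""

def parse_line(line):
    """Return the parsed fields as a dict, or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("port", "edns", "qsize", "rsize")})
    return rec

def per_client_stats(log_text):
    """Per client IP: query count, bytes received, bytes sent back, EDNS0 ANY count."""
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0, "any_edns": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["bytes_in"] += rec["qsize"]
        s["bytes_out"] += rec["rsize"]
        s["any_edns"] += int(rec["qtype"] == "ANY" and rec["edns"] == 1)
    return dict(stats)

def flag_reflection(log_text, min_queries=3, min_ratio=20.0):
    """Flag IPs whose reply/query byte ratio looks like amplification (thresholds are
    illustrative). The flagged IP is the probable victim: the real sender spoofed it."""
    flagged = []
    for ip, s in per_client_stats(log_text).items():
        ratio = s["bytes_out"] / s["bytes_in"]
        if s["queries"] >= min_queries and ratio >= min_ratio:
            flagged.append((ip, round(ratio, 1), s["queries"], s["any_edns"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)
```

On the constructed sample the spoofed address is flagged at roughly 65x amplification; the remedy is to stop answering recursive queries for arbitrary sources and to rate-limit responses, not to block the flagged address, which belongs to the victim.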

The CEO's Response and Lingering Questions

In response to the findings, Huge Networks' CEO stated that the malicious activity resulted from a security breach and suggested a competitor was likely behind the incident, aiming to tarnish the company's image. While the CEO’s explanation is plausible, it raises several questions. How did the attacker gain root access to the infrastructure? Why were the SSH keys exposed in an open directory? And why did the attacks persist for years without detection? The cybersecurity community remains divided, with some experts pointing to the possibility of insider involvement or negligence.

Conclusion

The case of Huge Networks serves as a stark reminder that even companies built to defend against cyber threats can be compromised. The incident highlights the need for rigorous security practices within the cybersecurity industry itself. As investigations continue, Brazilian ISPs and their customers must remain vigilant. The botnet, though disrupted for now, could resurface under new management. For more on the technical details of DNS amplification attacks, see the section on DNS amplification above.