Quick Facts
- Category: Cybersecurity
- Published: 2026-05-19 20:50:50
A Brazilian DDoS mitigation firm, Huge Networks, has been implicated in a years-long campaign of massive DDoS attacks against Brazilian ISPs. Security researchers discovered an exposed online archive containing malicious Python scripts and private SSH keys belonging to the company's CEO. The archive revealed that a threat actor had root access to Huge Networks' infrastructure, using it to scan the internet for insecure routers and misconfigured DNS servers to build a powerful botnet. The CEO claims the activity resulted from a security breach and may be an attempt by a competitor to damage the company's reputation. Below are key questions and answers about the incident.
What is Huge Networks and what is its role in Brazil's ISP landscape?
Huge Networks, founded in Miami in 2014, is a DDoS protection provider that primarily serves Brazilian network operators. It started as a game-server protection service and evolved into an ISP-focused mitigation company. Despite being implicated in this case, Huge Networks has no public record of abuse complaints or ties to DDoS-for-hire services. The company's operations are centered in Brazil, where it provides critical security services to ISPs. However, the exposed archive indicates that its infrastructure was compromised and used to launch attacks against the very type of clients it claims to protect. The CEO emphasized that the company itself was a victim, not a perpetrator.

How did researchers discover the botnet and link it to Huge Networks?
A trusted source shared a file archive that was publicly accessible via an open directory online. The archive contained Portuguese-language malicious Python programs and the private SSH authentication keys of Huge Networks' CEO. This allowed researchers to trace the malicious activities directly to the company's infrastructure. The files included scripts for scanning the internet for vulnerable routers and DNS servers, as well as tools to conduct DNS reflection attacks. The discovery confirmed that a Brazil-based threat actor maintained root access to Huge Networks' systems and had been using them to coordinate attacks against Brazilian ISPs for several years.
What methods were used to build the botnet?
The botnet was built by mass-scanning the internet for insecure devices. Two main categories were targeted:
- Unattended routers: Many consumer and small-business routers lack proper security configurations or have default credentials. The threat actor exploited these to gain control and add them to the botnet.
- Open DNS servers: Also known as open resolvers, these servers respond to queries from any source. The attacker used them for amplification attacks.
By compromising tens of thousands of such devices, the botmaster could launch coordinated, high-volume DDoS attacks. The exposed archives contained scripts that automated the scanning and exploitation process, making it efficient and sustained.

How does a DNS reflection and amplification attack work?
DNS reflection attacks exploit misconfigured DNS servers that answer queries from anyone. The attacker sends a spoofed DNS request with the target's IP address as the source. The server's response goes to the target instead of the attacker. Amplification occurs when the request is crafted to produce a large response—for example, a 100-byte request can yield a response 60–70 times larger. By using many open DNS servers and thousands of compromised devices, the attacker can generate massive traffic. This technique was central to the attacks on Brazilian ISPs, allowing a relatively small botnet to deliver devastating bandwidth floods.
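As an added example (not code from the article or from any party it describes), the following Python script shows how an ISP could spot both behaviours described above in its own flow telemetry: one source sweeping many addresses on router and resolver ports, which is the mass-scanning used to build the botnet, and a DNS server sending far more bytes to a host than that host ever sent it, which is the signature of reflection and amplification seen from the victim's side, because the spoofed queries never pass the victim's network. The flow records, IP addresses, port list and thresholds are all constructed assumptions, and the record layout is a simplified NetFlow-like text format rather than any vendor's export.

```python
"""Flow-based detection of botnet scanning and DNS reflection (added example).

Record layout (constructed, simplified): src dst proto sport dport packets bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the simplified flow format, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, packets, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(sport), int(dport),
                          int(packets), int(nbytes)))
    return flows


# Ports a botnet builder sweeps when hunting CPE routers and resolvers
# (assumed list; 7547 is TR-069/CWMP, common on ISP-managed routers).
SCAN_PORTS = {22, 23, 53, 80, 443, 7547, 8080}


def detect_scanners(flows: List[Flow], min_targets: int = 50,
                    max_packets: int = 3) -> Dict[str, int]:
    """Flag sources that touch many distinct hosts on SCAN_PORTS with probe-sized flows."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in SCAN_PORTS and f.packets <= max_packets:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def detect_reflection(flows: List[Flow], min_ratio: float = 20.0,
                      min_bytes: int = 100_000) -> Dict[Tuple[str, str], float]:
    """Flag (resolver, host) pairs where UDP/53 bytes from the resolver dwarf
    what the host sent it. The article's 60-70x figure is per query; a spoofed
    attack looks even worse here because the victim asked for nothing at all."""
    to_resolver = defaultdict(int)    # (resolver, host) -> bytes host -> resolver
    from_resolver = defaultdict(int)  # (resolver, host) -> bytes resolver -> host
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:             # answer leaving a resolver
            from_resolver[(f.src, f.dst)] += f.nbytes
        elif f.dport == 53:           # query arriving at a resolver
            to_resolver[(f.dst, f.src)] += f.nbytes
    hits = {}
    for key, out_bytes in from_resolver.items():
        ratio = out_bytes / max(to_resolver.get(key, 0), 1)
        if out_bytes >= min_bytes and ratio >= min_ratio:
            hits[key] = round(ratio, 1)
    return hits


# Constructed sample telemetry (not real traffic).
SAMPLE_FLOWS = "\n".join(
    ["# src dst proto sport dport packets bytes"]
    # one source sweeping 60 CPE addresses on the TR-069 port, one packet each
    + [f"203.0.113.7 100.64.0.{i + 1} tcp {40000 + i} 7547 1 60" for i in range(60)]
    + [
        # a normal resolver client: 30 queries, answers about 3x larger
        "198.51.100.20 192.0.2.53 udp 4711 53 30 2000",
        "192.0.2.53 198.51.100.20 udp 53 4711 30 6000",
        # ordinary web traffic: many packets per flow, so not probe-like
        "198.51.100.20 192.0.2.80 tcp 50001 443 120 90000",
        # reflection: two open resolvers flood 198.51.100.10, which sent them little or nothing
        "192.0.2.53 198.51.100.10 udp 53 1024 900 2500000",
        "198.51.100.10 192.0.2.54 udp 5353 53 40 20000",
        "192.0.2.54 198.51.100.10 udp 53 5353 650 1800000",
    ]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", detect_scanners(flows))
    print("reflection:", detect_reflection(flows))
```

The thresholds are starting points, not tuned values: a large resolver that legitimately serves a host with big DNSSEC answers will show a ratio well above 1, which is why the detector also requires a minimum byte volume before it alerts. On real NetFlow or IPFIX exports the same two aggregations apply once the seven fields are mapped from the collector's schema.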
What explanation did Huge Networks' CEO give for the malicious activity?
The CEO stated that the malicious activity was not deliberate corporate policy but the result of a security breach in Huge Networks' infrastructure. He suspects a competitor was responsible for infiltrating the company's systems and using them to launch attacks, thereby tarnishing Huge Networks' reputation. The CEO emphasized that the company is a victim, not an attacker, and that they are cooperating with authorities. However, critics point out that the breach—if true—reveals severe security lapses in a company that sells protection against such threats.
What does this case reveal about the cybersecurity of DDoS mitigation firms?
This incident underscores that even companies specializing in DDoS defense can have vulnerable infrastructure. It highlights the risks of relying on third-party mitigation providers without rigorous security audits. The case also demonstrates how threat actors can weaponize open directories, exposed SSH keys, and poorly secured network devices. For ISPs and other clients, it reinforces the need to vet their DDoS protection partners and demand transparency about internal security practices. Furthermore, it shows that botnets can be built from a mix of compromised routers and misconfigured DNS servers, emphasizing the ongoing importance of securing internet-connected devices at all levels.