
When a DDoS Protector Became the Attacker: The Huge Networks Breach

Last updated: 2026-05-17 12:28:41

In a shocking twist, a Brazilian company specializing in DDoS protection was found to be the source of massive attacks against other Brazilian ISPs. Security researchers discovered evidence that a botnet was built using compromised infrastructure from Huge Networks, a firm that markets itself as a guardian against such threats. The CEO claims a security breach and competitor sabotage, but the incident raises serious questions about trust in the cybersecurity industry. Below, we explore the key findings and implications.

What did the investigation reveal about Huge Networks?

An anonymous source shared an exposed archive containing malicious Python scripts in Portuguese, along with the private SSH authentication keys belonging to the CEO of Huge Networks. This archive was found in an open directory online. The scripts indicated that a threat actor had maintained root access to Huge Networks' infrastructure, using it to build a powerful DDoS botnet. The botnet routinely scanned the internet for insecure routers and misconfigured DNS servers, which were then enlisted in attacks targeting Brazilian ISPs. The revelation contradicts Huge Networks' reputation as a DDoS mitigation provider.

Source: krebsonsecurity.com

How did the botnet operate and what methods were used?

The botnet employed a two-pronged approach. First, it mass-scanned the internet for insecure routers and unmanaged DNS servers. Once compromised, these devices were used in DNS reflection and amplification attacks. In a DNS reflection attack, the attacker spoofs a target's IP address in queries sent to open DNS servers. These servers then send responses to the target, overwhelming it with traffic. Amplification occurs when a small query (e.g., 100 bytes) prompts a large response (e.g., 60-70 times larger), especially by leveraging DNS protocol extensions. By coordinating thousands of compromised devices, the botnet could generate massive DDoS floods.

Why were Brazilian ISPs specifically targeted?

The attacks exclusively targeted Brazilian network operators for several years. While the motive is not fully confirmed, the botnet's infrastructure was Brazil-based, and the malicious scripts were written in Portuguese. This suggests a domestic threat actor with knowledge of the local ISP landscape. The CEO of Huge Networks speculated that a competitor might have orchestrated the breach to tarnish the company's image, implying a possible rivalry within Brazil's cybersecurity market. However, the exact reasons for targeting only Brazilian ISPs remain under investigation.

What was the CEO's response to the allegations?

The CEO of Huge Networks stated that the malicious activity resulted from a security breach and was likely the work of a competitor trying to damage his company's public image. He emphasized that Huge Networks itself was a victim of the breach. The company, which originated from protecting game servers and later focused on ISP DDoS mitigation, had no history of abuse complaints or association with DDoS-for-hire services. However, the presence of the CEO's private SSH keys in the exposed archive raises questions about internal security practices and the plausibility of the breach scenario.


What is the background of Huge Networks?

Founded in Miami, Florida in 2014, Huge Networks operates primarily in Brazil. The company started by protecting game servers from DDoS attacks and later pivoted to providing DDoS mitigation services for ISPs. Despite its specialized role, it had not appeared in any public abuse complaints or been linked to known DDoS-for-hire services before this incident. Its infrastructure was apparently well-regarded until the discovery of the exposed archive. The company's CEO expressed shock at the findings, reiterating that Huge Networks' mission is to defend networks, not attack them.

What lessons can be learned from this incident?

This case highlights the critical importance of securing internal infrastructure, especially for companies that market security services. The exposure of the CEO's private SSH keys in an open directory underscores the risk of credential mismanagement. It also shows how even defenders can become unwitting sources of attacks if their systems are compromised. For the broader cybersecurity community, it reinforces the need for continuous monitoring and the principle of least privilege. The incident is also a reminder that DDoS protection firms must be held to the highest security standards to maintain trust.

What are the technical implications of DNS amplification attacks?

DNS amplification attacks are a powerful DDoS technique because they exploit the inherent asymmetry between DNS queries and responses. Attackers send queries spoofed with the target's IP address to open DNS servers that return large responses. For example, a 60-byte query can trigger a 4,000-byte response, an amplification factor of over 60x. Multiplied across thousands of requests from a botnet, this quickly saturates the target's bandwidth. The attack requires little sophistication, only access to unmanaged DNS servers or compromised devices. Mitigation requires proper DNS server configuration (e.g., not offering recursion to arbitrary clients) and network filtering.
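The reflection and amplification pattern described in the two DNS sections above leaves a recognizable trace in flow data: a host receives large UDP/53 responses from many resolvers it never queried, and the response bytes dwarf the query bytes it sent. The following detector is an added example (not code from the article or from Huge Networks) that runs that check over constructed flow records; the IP addresses, byte counts and thresholds are sample values.

```python
from collections import defaultdict

# Constructed UDP flow records (sample data, not from the article):
# (src_ip, dst_ip, src_port, dst_port, bytes). Queries go to dport 53,
# responses come from sport 53.
FLOWS = [
    # Ordinary lookup: a client asks the local resolver, gets a small answer
    ("10.0.0.5", "10.0.0.53", 40123, 53, 62),
    ("10.0.0.53", "10.0.0.5", 53, 40123, 180),
    # Victim 203.0.113.9 makes one real query ...
    ("203.0.113.9", "10.0.0.53", 51000, 53, 60),
    ("10.0.0.53", "203.0.113.9", 53, 51000, 200),
    # ... but also receives large answers from open resolvers it never
    # queried: someone spoofed 203.0.113.9 as the source of those queries
    ("198.51.100.10", "203.0.113.9", 53, 4444, 3900),
    ("198.51.100.11", "203.0.113.9", 53, 4444, 4100),
    ("198.51.100.12", "203.0.113.9", 53, 4444, 3800),
]


def find_reflection_victims(flows, min_ratio=10.0, min_unsolicited=2):
    """Return hosts that receive far more DNS response bytes than they send
    in queries, from resolvers they never queried (a reflection signature)."""
    queried = defaultdict(set)        # host -> resolvers it actually queried
    query_bytes = defaultdict(int)    # host -> bytes sent in queries
    resp_bytes = defaultdict(int)     # host -> bytes received in responses
    responders = defaultdict(set)     # host -> resolvers that answered it
    for src, dst, sport, dport, nbytes in flows:
        if dport == 53:
            queried[src].add(dst)
            query_bytes[src] += nbytes
        elif sport == 53:
            resp_bytes[dst] += nbytes
            responders[dst].add(src)

    victims = {}
    for host, received in resp_bytes.items():
        unsolicited = sorted(responders[host] - queried[host])
        sent = query_bytes[host]
        # Amplification ratio seen by this host; infinite if it sent nothing
        ratio = received / sent if sent else float("inf")
        if ratio >= min_ratio and len(unsolicited) >= min_unsolicited:
            victims[host] = {"ratio": round(ratio, 1),
                             "unsolicited_resolvers": unsolicited}
    return victims


if __name__ == "__main__":
    for host, info in find_reflection_victims(FLOWS).items():
        print(host, info)
```

The ordinary client (ratio below 3, no unsolicited responders) is not reported, while 203.0.113.9 is flagged with a 200x ratio and three resolvers it never contacted; the same logic applies to real NetFlow/IPFIX exports once the tuple fields are mapped.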