# Compromised Brazilian Anti-DDoS Firm Used as Launch Point for Massive ISP Attacks


A Brazilian DDoS mitigation provider has been compromised by a sophisticated threat actor who exploited the company's infrastructure to orchestrate an extended campaign of devastating attacks against other Brazilian ISPs. The discovery, first reported by KrebsOnSecurity, raises critical questions about the security of firms entrusted with defending the internet from cyberattacks and reveals how a breached security provider can become a weapon against an entire regional internet ecosystem.


## The Incident


Huge Networks, a Miami-founded company that evolved into a specialized DDoS protection provider for Brazilian ISPs, fell victim to a sophisticated intrusion that went undetected for several years. The compromise was discovered when a trusted security researcher located an exposed file archive in an open directory containing Portuguese-language malicious programs, the private SSH authentication keys of Huge Networks' CEO, and detailed evidence of botnet construction and command infrastructure.


The exposed materials revealed that an unknown threat actor had established persistent root-level access to Huge Networks' infrastructure—the very systems designed to protect other Brazilian network operators from the attacks this same intruder was conducting. This represents a particularly troubling breach of trust: while Huge Networks' customers relied on the company to defend them, the company itself was weaponized against them.


"This appears to be a security breach," Huge Networks' CEO stated in response to the findings, suggesting that a competitor may have orchestrated the intrusion to damage the company's reputation. However, the technical evidence contradicts any suggestion of brief or opportunistic access—the exposed artifacts demonstrate systematic, long-term infrastructure exploitation.


## Technical Details: Building a Botnet from Vulnerable IoT Devices


The exposed archive's command-line history provides a technical roadmap of how the attacker built and maintained a powerful botnet by systematically scanning the internet for insecure network devices. The primary targets were TP-Link Archer AX21 routers vulnerable to CVE-2023-1389, an unauthenticated command injection vulnerability that TP-Link patched in April 2023.


### DNS Amplification and Reflection Attacks


The botnet weaponized a well-understood but devastatingly effective attack technique: DNS amplification and reflection. This attack leverages misconfigured DNS servers—those that accept queries from anywhere on the internet rather than restricting responses to trusted sources.


Here's how the attack works:


| Step | Description |
|------|-------------|
| 1. Query spoofing | The attacker sends DNS queries whose source IP address is forged to be the target's address |
| 2. Amplification | DNS servers answer those queries, and the responses are much larger than the requests (60-70x amplification) |
| 3. Flood | With tens of thousands of compromised devices sending spoofed queries simultaneously, the target receives an overwhelming volume of traffic |


For example, an attacker could craft a DNS request of less than 100 bytes that triggers a response of 6,000-7,000 bytes. Multiplied across thousands of compromised routers, this creates a devastating denial-of-service effect.
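The matching logic an ISP can run over its own flow records to spot reflected DNS traffic aimed at a customer, as an added example that is not part of the original article; the flow records, addresses and thresholds are constructed, and the block assumes no DNS server of the operator's own sits behind the monitored edge.

```python
"""Detect inbound DNS reflection traffic in UDP flow records.

Added example for this article, not code from Huge Networks or KrebsOnSecurity.
Assumes flow records of the form (timestamp, src_ip, src_port, dst_ip, dst_port,
bytes), as a router or flow collector exports them for traffic crossing the
network edge, with no DNS server of our own behind that edge; the records below
are constructed. A legitimate DNS response matches an earlier outbound query
from the same client host and port; large UDP/53 responses that no query
explains are reflected traffic aimed at that host.
"""
from collections import defaultdict

MATCH_WINDOW = 5.0        # seconds a query stays pending before it is aged out
REFLECTOR_THRESHOLD = 3   # distinct resolvers sending unmatched responses -> alert


def find_reflection_victims(flows, window=MATCH_WINDOW, threshold=REFLECTOR_THRESHOLD):
    """Return {victim_ip: (unmatched_bytes, distinct_reflectors)} for hosts that
    receive UDP/53 responses no local query explains from >= threshold resolvers."""
    pending = {}                      # (client, client_port, resolver) -> query time
    unmatched_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for ts, src, sport, dst, dport, nbytes in sorted(flows):
        if dport == 53:               # outbound query: client -> resolver
            pending[(src, sport, dst)] = ts
        elif sport == 53:             # inbound response: resolver -> client
            q_ts = pending.pop((dst, dport, src), None)
            if q_ts is None or ts - q_ts > window:
                unmatched_bytes[dst] += nbytes
                reflectors[dst].add(src)
    return {ip: (unmatched_bytes[ip], len(reflectors[ip]))
            for ip in unmatched_bytes if len(reflectors[ip]) >= threshold}


# Constructed sample: 203.0.113.10 performs one normal lookup, while 203.0.113.50
# (a game server on UDP/3074) is hit by large answers from five open resolvers.
SAMPLE_FLOWS = [
    (100.0, "203.0.113.10", 40001, "198.51.100.1", 53, 64),
    (100.1, "198.51.100.1", 53, "203.0.113.10", 40001, 180),
] + [
    (100.2 + i * 0.01, f"198.51.100.{20 + i}", 53, "203.0.113.50", 3074, 6500)
    for i in range(5)
]

if __name__ == "__main__":
    for victim, (nbytes, n_src) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {nbytes} unmatched bytes from {n_src} reflectors")
```

In production the same logic runs over a sliding window of exported flows; the threshold keeps a single stray late response from raising an alert.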


### Command and Control Infrastructure


The malicious Python scripts in the exposed archive reference several known command-and-control (C2) domains:


  • hikylover[.]st
  • c.loyaltyservices[.]lol

Both domains had been previously flagged by security researchers as control servers for an IoT botnet powered by a Mirai malware variant. Mirai, which emerged in 2016, remains one of the most persistent and destructive botnet families, primarily spreading through vulnerable IoT devices with default or weak credentials.


The attacker coordinated the scanning and attack operations from a Digital Ocean server that had been flagged for abuse hundreds of times over the preceding year—a stark reminder that even major hosting providers struggle to prevent compromised infrastructure from persisting on their networks.


## Background and Context


Huge Networks has an unconventional history in the DDoS mitigation space. Founded in Miami in 2014, the company initially focused on protecting game servers against DDoS attacks—a niche market where such attacks have been endemic for over a decade. The company gradually evolved into a specialized ISP-focused DDoS mitigation provider serving Brazilian network operators.


Unlike disreputable DDoS-for-hire services or firms associated with cybercriminal activity, Huge Networks maintained a relatively clean public reputation. It did not appear in abuse complaint databases and showed no known connections to illicit DDoS services. This reputation made the breach particularly damaging: it destroyed the trust relationship with clients who had contracted specifically to defend themselves against the very attacks the company's compromised infrastructure was now launching.


The discovery of this campaign answers a lingering question in the Brazilian cybersecurity community. For several years, security experts had tracked a series of massive DDoS attacks originating exclusively from Brazil and targeting exclusively Brazilian ISPs, but the origin and motivation remained unclear. Now it appears that attackers with persistent access to a major DDoS mitigation provider had been leveraging that access to launch coordinated campaigns against the provider's customer base—or against competitors.


## Implications for the Cybersecurity Industry


This incident illustrates several critical vulnerabilities in the security infrastructure business:


Supply Chain Compromise: When security firms themselves become attack platforms, the impact cascades across their entire customer base. Every client of Huge Networks faced the possibility that their defender had been weaponized against them.


Trust Erosion: Organizations struggling to choose DDoS mitigation providers now face heightened skepticism. If a firm dedicated to DDoS defense can be comprehensively compromised, what guarantees exist elsewhere in the industry?


Long-Term Persistence: The technical evidence suggests the attacker maintained access for years without detection. This is consistent with advanced persistent threat (APT) tradecraft: the goal was not immediate disruption but sustained infrastructure leverage.


IoT Vulnerability: The attack's reliance on unpatched TP-Link routers (CVE-2023-1389 was patched nearly a year before the attacks) underscores that critical vulnerabilities in consumer-grade networking equipment remain widespread, despite vendor patches.


## Recommendations and Mitigation


For ISPs and Network Operators:

  • Audit your DDoS mitigation provider's security practices and demand proof of incident response capabilities
  • Implement DNS rate limiting and response validation to mitigate DNS amplification attacks
  • Monitor for unexpected traffic patterns originating from your mitigation provider's infrastructure
  • Segment your network to limit the blast radius of compromised third-party connections

For Device Manufacturers and Network Administrators:

  • Prioritize patch deployment for critical vulnerabilities in network equipment, especially routers and DNS servers
  • Disable DNS recursion on public-facing DNS servers
  • Implement egress filtering to prevent spoofed DNS queries from leaving your network
  • Deploy rate limiting on DNS services

For Cloud Providers:

  • Improve detection and shutdown of compromised servers used for botnet coordination
  • Implement stricter vetting of server usage patterns, particularly scanning behavior

For Organizations Generally:

  • Assume that security vendors can themselves become compromised—implement independent threat monitoring
  • Use multiple DDoS mitigation providers rather than relying on a single source
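The DNS rate limiting recommended above, written out as the decision logic of a response rate limiter; this is an added example for this article, not code from any DNS server or from Huge Networks, and the /24 grouping, the limits and the sample queries are assumptions chosen for illustration.

```python
"""DNS Response Rate Limiting (RRL) decision logic for an authoritative server.

Added example for this article, not code from any DNS server or from Huge
Networks. Clients are grouped by IPv4 /24 (an assumption) and identical answers
to one group are limited per second; above the limit every `slip`-th answer is
sent truncated (TC=1) so a genuine client retries over TCP, the rest dropped.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.limit = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.sent = defaultdict(int)      # bucket -> answers sent this second
        self.excess = defaultdict(int)    # bucket -> answers over the limit

    def _bucket(self, client_ip, qname, qtype, now):
        # One bucket per (second, client netblock, response identity).
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (int(now), str(net), qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, now):
        """Return 'respond', 'truncate' or 'drop' for one answer."""
        key = self._bucket(client_ip, qname, qtype, now)
        self.sent[key] += 1
        if self.sent[key] <= self.limit:
            return "respond"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(limiter, queries):
    """Tally the limiter's decisions over (client_ip, qname, qtype, time) tuples."""
    tally = defaultdict(int)
    for ip, qname, qtype, t in queries:
        tally[limiter.decide(ip, qname, qtype, t)] += 1
    return dict(tally)


# Constructed sample: twelve identical ANY queries in one second from one /24
# (the burst a resolver sees while a spoofed victim is being hit), plus one
# query from an unrelated network that must still be answered normally.
SAMPLE_QUERIES = [("203.0.113.7", "example.com", "ANY", 10.0 + i * 0.05)
                  for i in range(12)] + [("198.51.100.9", "example.com", "ANY", 10.3)]
```

Running `simulate(ResponseRateLimiter(), SAMPLE_QUERIES)` shows the burst being cut to the limit while the unrelated client is answered; a dropped or truncated reply carries almost nothing back toward a spoofed victim.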

## Conclusion


The Huge Networks breach represents a worst-case scenario for the DDoS mitigation industry: a defender compromised and weaponized against its own clients. The incident demonstrates that no organization, regardless of its security focus, is immune to sophisticated intrusion. As organizations increasingly rely on specialized security firms to defend their infrastructure, the security of those firms themselves becomes a critical component of internet resilience. The exposure of the CEO's SSH keys and the years-long undetected presence of the attacker suggest that even paranoia about security may be insufficient—continuous monitoring, aggressive patching, and regular security audits are essential safeguards.