
How a Brazilian DDoS Protection Firm Was Used to Launch Attacks on Its Own Customers

Last updated: 2026-05-12 03:52:07 · Cybersecurity

A Startling Discovery

A Brazilian company specializing in distributed denial-of-service (DDoS) protection has been unwittingly powering a botnet that waged a prolonged campaign of massive DDoS attacks against other network operators in Brazil. This revelation came from KrebsOnSecurity, which learned that the firm’s CEO blames a security breach and suspects a competitor is trying to damage his company’s reputation.

Source: krebsonsecurity.com

The Long-Running Mystery

For years, security researchers observed a series of powerful DDoS attacks originating from Brazil and targeting only Brazilian Internet service providers (ISPs). The identity of the perpetrators remained elusive until recently, when an anonymous source shared a curious file archive discovered in an open directory online.

What the Archive Revealed

The exposed archive contained multiple malicious programs written in Python, all in Portuguese. More alarmingly, it included the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS mitigation services to other Brazilian networks.

Profile of Huge Networks

Founded in Miami, Florida in 2014, Huge Networks operates mainly from Brazil. It began by protecting game servers from DDoS attacks and later evolved into an ISP-focused DDoS mitigation provider. Interestingly, the company has no public abuse complaints and is not linked to any known DDoS-for-hire services.

How the Botnet Was Built

The archive demonstrated that a Brazil-based attacker maintained root access to Huge Networks’ infrastructure. The threat actor built a powerful botnet by routinely scanning the Internet for insecure routers and misconfigured DNS servers that could be enlisted in attacks.

DNS Reflection Amplification

DNS (Domain Name System) translates human-friendly domain names into IP addresses. Ideally, DNS servers respond only to queries from their own network. However, DNS reflection attacks exploit servers configured to accept queries from anywhere. Attackers send spoofed queries that appear to come from the target, so the server’s response floods the target’s network.


Amplifying the Attack

By using a DNS extension that allows large messages, attackers can greatly magnify the attack volume. For instance, a 100-byte query can trigger a response 60–70 times larger. When combined with thousands of compromised devices querying many open DNS servers simultaneously, the amplification becomes devastating.
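To see where that multiplier comes from on the wire, the following added example (not code from the article or from the archive it describes) parses a DNS query, reads the buffer size advertised in its EDNS0 OPT record (RFC 6891, assumed here to be the extension the article refers to), and computes the ceiling on response bytes per query byte. The function names, the constructed sample packet, the 4096-byte server default and the 1232-byte clamp are assumptions chosen for illustration.

```python
import struct

def parse_query(pkt: bytes) -> dict:
    """Parse one DNS query: the question plus any EDNS0 OPT record (RFC 6891)."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
        if qd != 1 or an or ns:
            raise ValueError("expected a plain query with exactly one question")
        labels, off = [], 12
        while pkt[off]:                       # length-prefixed labels; 0 ends the name
            n = pkt[off]
            if n > 63:
                raise ValueError("compressed or invalid label in question")
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        qtype, _qclass = struct.unpack("!2H", pkt[off + 1:off + 5])
        off += 5
        udp_size = 512                        # classic UDP limit when no OPT is present
        for _ in range(ar):                   # additional section: find OPT (type 41)
            if pkt[off] != 0:
                raise ValueError("additional record with a non-root owner name")
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off + 1:off + 11])
            if rtype == 41:
                udp_size = max(rclass, 512)   # OPT reuses CLASS as the advertised size
            off += 11 + rdlen
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated DNS message") from exc
    return {"qname": ".".join(labels), "qtype": qtype,
            "query_len": len(pkt), "udp_size": udp_size}

def max_amplification(pkt: bytes, server_max_udp: int = 4096) -> float:
    """Ceiling on UDP response bytes per query byte (DNS payload only).

    server_max_udp is the largest UDP answer the server will send (assumed value).
    """
    q = parse_query(pkt)
    return min(q["udp_size"], server_max_udp) / q["query_len"]

# Constructed sample: A query for example.com advertising a 4096-byte buffer.
SAMPLE = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
          + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
          + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))

if __name__ == "__main__":
    print(parse_query(SAMPLE))
    print("server allows 4096:", max_amplification(SAMPLE))        # 102.4
    print("server clamps 1232:", max_amplification(SAMPLE, 1232))  # 30.8
```

The figure is an upper bound: the real response size depends on the records returned, but capping the server's maximum UDP response size lowers the ceiling for every query it answers.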

In summary, the operation involved:

  • Mass scanning for vulnerable routers and DNS servers
  • Maintaining persistent root access to Huge Networks
  • Using Portuguese-language Python malware
  • Launching attacks solely against Brazilian ISPs

Fallout and Blame

Huge Networks’ CEO asserts that the malicious activity stemmed from a security breach, likely orchestrated by a competitor seeking to tarnish the company’s public image. Regardless of the motive, the incident exposes the risk even specialized security firms face and underscores the need for vigilant defenses.

Lessons Learned

This case highlights several critical points:

  1. No organization is immune to advanced persistent threats.
  2. Private keys and credentials must be carefully managed.
  3. The same infrastructure meant to protect can be turned into a weapon.
  4. Cooperation between ISPs and security researchers is essential to dismantle such botnets.

As the investigation continues, the Brazilian cybersecurity community is working to mitigate the ongoing threat and prevent future hijackings of DDoS mitigation services.