Exclusive: Huge Networks CEO Blames Breach for Botnet That Hammered Brazilian ISPs
SAO PAULO — A Brazilian cybersecurity firm specializing in DDoS protection was itself the source of a massive botnet that has battered internet service providers across Brazil for years, KrebsOnSecurity has learned. The company's chief executive now says the malicious campaign stemmed from a security breach, likely orchestrated by a rival seeking to destroy its reputation.
Security researchers have tracked a series of record-breaking DDoS attacks targeting Brazilian ISPs since 2020, but the perpetrators remained unknown until this month. A confidential source shared an archive exposed in an open directory that contained Portuguese-language Python malware and the private SSH keys of the Huge Networks CEO.
“The attack infrastructure was compromised by an intruder who used it to build a botnet,” the Huge Networks CEO told KrebsOnSecurity in an exclusive interview. “We believe a competitor is behind this to damage our brand and steal clients.”
Background: A DDoS Shield Turned Weapon
Founded in Miami in 2014, Huge Networks shifted its focus to protecting Brazilian game servers and ISPs from DDoS attacks. The company had no prior public abuse complaints or known ties to DDoS-for-hire services.

Yet the exposed archive shows a threat actor maintained root access to Huge Networks infrastructure for an extended period. The actor routinely scanned the internet for insecure routers and misconfigured DNS servers to recruit into a powerful botnet.
How the DNS Reflection Attacks Worked
Attackers exploited open DNS resolvers to launch reflection attacks. By sending spoofed queries that appeared to come from the target, they tricked DNS servers into sending massive responses to the victim.
- An attacker crafts a 100-byte DNS query.
- The open resolver replies with a 6,000- to 7,000-byte response — a 60-70x amplification.
- With tens of thousands of compromised devices, the cumulative traffic can overwhelm even large ISPs.
The botnet combined compromised home routers and open DNS servers, making takedowns difficult. Security researchers have long noted the prevalence of such attacks in Brazil, where many smaller ISPs lack robust mitigation.
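From the defender's side, reflection traffic shows up as large UDP responses from port 53 that answer no query the receiving host ever sent. The following is an added example, not code from the article or the exposed archive: it flags likely reflection victims in flow records captured at a network edge, with the record layout, sample data and thresholds all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records as seen at one network's edge (not data from the article):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.10", 40000, "192.0.2.53", 53, "udp", 100),   # real query leaving
    ("192.0.2.53", 53, "198.51.100.10", 40000, "udp", 320),   # its answer
    ("203.0.113.1", 53, "198.51.100.77", 1234, "udp", 6500),  # unsolicited
    ("203.0.113.2", 53, "198.51.100.77", 1234, "udp", 7000),
    ("203.0.113.3", 53, "198.51.100.77", 1234, "udp", 6000),
    ("203.0.113.1", 53, "198.51.100.77", 1234, "udp", 6500),
    ("192.0.2.53", 53, "198.51.100.20", 41000, "udp", 6800),  # one stray large answer
]


def find_reflection_victims(flows, min_resolvers=3, min_bytes=15000):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS responses.

    Thresholds are hypothetical and would be tuned per network.
    """
    # Pass 1: remember which (client, resolver) pairs really sent a query.
    asked = {(src, dst) for src, _, dst, dport, proto, _ in flows
             if proto == "udp" and dport == 53}

    # Pass 2: tally UDP/53 responses that answer no observed query.
    stats = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _, proto, size in flows:
        if proto == "udp" and sport == 53 and (dst, src) not in asked:
            entry = stats[dst]
            entry["resolvers"].add(src)
            entry["bytes"] += size
            entry["packets"] += 1

    # Keep only hosts hit by several resolvers with a large byte total.
    return {
        ip: {"resolvers": len(s["resolvers"]), "bytes": s["bytes"],
             "avg_response": s["bytes"] // s["packets"]}
        for ip, s in stats.items()
        if len(s["resolvers"]) >= min_resolvers and s["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(ip, info)
```

Because the spoofed queries originate elsewhere, the victim's own edge never sees a matching outbound request, which is what separates this traffic from a legitimate burst of large answers.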

What This Means
The revelation that an anti-DDoS firm was hijacked to amplify attacks raises troubling questions about trust in the cybersecurity industry. If a company paid to protect networks can become a threat actor’s tool, every ISP must re-examine its supply chain.
“This is a wake-up call,” said Dr. Carla Mendes, a cybersecurity researcher at the University of São Paulo who reviewed the archive. “It shows that even DDoS mitigation providers are not immune to compromise, and that attackers are willing to co-opt their infrastructure for massive retaliation.”
Huge Networks says it has since rotated all SSH keys, closed the open directory, and is cooperating with Brazilian authorities. But the damage may already be done: the botnet’s source code remains in the wild, and the CEO fears copycat attacks.
ISPs that rely on third-party DDoS protection should demand proof of security audits and incident response plans, experts advise. The case also underscores the need for global action against the proliferation of openly recursive DNS servers that enable reflection attacks.