Uncovering a Botnet Operated by a Brazilian DDoS Protection Firm

Last updated: 2026-04-30 20:00:21

In a surprising twist, a Brazilian company that specializes in defending against distributed denial-of-service (DDoS) attacks has been linked to a botnet that launched prolonged attacks on other internet service providers (ISPs) in Brazil. Security researchers discovered evidence that the firm's infrastructure was compromised and used to build a powerful botnet, raising questions about responsibility and competition in the cybersecurity space.

What led to the discovery of the botnet linked to Huge Networks?

The breakthrough came when a trusted anonymous source shared an exposed file archive found in an open directory online. This archive contained Portuguese-language malicious Python scripts and the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP and DDoS protection provider. The files revealed that a threat actor had maintained root access to Huge Networks' infrastructure for years, using it to scan the internet for vulnerable routers and misconfigured DNS servers to build a botnet. This botnet was then used in massive DDoS attacks targeting other Brazilian ISPs. Until this discovery, the source of these attacks was unclear, though security experts had tracked them for years.

How did the botnet leverage DNS amplification and reflection techniques?

DNS amplification and reflection attacks exploit misconfigured DNS servers that respond to queries from any source. Attackers send spoofed DNS queries that appear to come from the target's IP address, causing the servers to send large responses to the victim. By using an extension to the DNS protocol (EDNS0) that allows oversized messages, attackers can amplify the attack volume dramatically—a 100-byte query can yield a 6,000-byte response, a 60x amplification. The botnet used by Huge Networks' attacker combined thousands of compromised routers and insecure DNS servers to generate enormous traffic, overwhelming the targeted ISPs' networks. This technique is particularly effective because it hides the true source of the attack and maximizes bandwidth consumption.

What was the CEO's response to the allegation that his company was involved?

The CEO of Huge Networks, speaking on condition of anonymity due to security concerns, stated that the malicious activity was the result of a security breach. He claimed that a competitor likely orchestrated the intrusion to damage his company's reputation. He emphasized that Huge Networks itself was a victim, not a perpetrator, and that the firm had no knowledge of the botnet until it was brought to their attention. The CEO noted that the company had since implemented additional security measures to prevent future breaches. However, the exposed files included the CEO's own SSH keys, indicating that the breach was severe and had compromised his personal credentials, which raises questions about the company's internal security practices.

Why were Brazilian ISPs the primary targets of these attacks?

The botnet exclusively targeted Brazilian ISPs, suggesting a focused regional motive. Security experts speculate that the attacks may have been intended to discredit Huge Networks' competitors or to test the firm's own DDoS mitigation services. Since Huge Networks offers DDoS protection to other Brazilian network operators, the attacks could have been a way to demonstrate the need for their services, though this is speculative. Another theory is that the attacker had a personal grudge against specific ISPs. The consistent targeting of Brazilian ISPs over several years indicates a well-planned campaign, likely by someone with local knowledge and ties to the Brazilian internet infrastructure. The attacks caused significant disruption to internet services in the region.

What does the term 'DNS reflection' mean in the context of this botnet?

DNS reflection is a type of DDoS attack where an attacker sends a DNS query with a spoofed source IP address—the intended victim's address—to a vulnerable DNS server. The server, thinking the query is legitimate, sends its response to the victim. This technique 'reflects' traffic from the server to the target. To amplify the attack, the botnet uses queries that generate large responses, often through EDNS0. In the Huge Networks botnet, the attacker directed thousands of such queries from compromised devices to open DNS servers, flooding the target ISPs with traffic. This method is dangerous because it can overwhelm networks with relatively little effort from the attacker, as the DNS servers do the heavy lifting. The reflection aspect makes it hard to trace the origin because the traffic appears to come from the DNS servers, not the attacker's machines.
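The two DNS sections above describe the reflection signature: a victim receives large UDP/53 responses from many distinct servers although it never sent the matching queries (the spoofed queries left the attacker's devices, not the victim's network). The following is an added example, not code from the article or from any of the parties it describes. It parses constructed flow records (src,sport,dst,dport,bytes; the addresses are documentation ranges, not real hosts) and flags destinations that match that signature, and it computes the amplification factor from a query/response byte pair the way the text does for its 100-byte/6,000-byte case. The thresholds are assumptions a defender would tune to their own baseline.

```python
"""Flag DNS reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows, not captured traffic.
# Four "servers" send ~6 KB responses to 198.51.100.7:3911 which never queried them;
# 198.51.100.9 sends a normal 100-byte query and gets a 250-byte answer.
SAMPLE_FLOWS = """\
203.0.113.10,53,198.51.100.7,3911,6000
203.0.113.11,53,198.51.100.7,3911,5800
203.0.113.12,53,198.51.100.7,3911,6100
203.0.113.13,53,198.51.100.7,3911,5900
198.51.100.9,41000,203.0.113.10,53,100
203.0.113.10,53,198.51.100.9,41000,250
"""


def parse_flows(text):
    """Parse 'src,sport,dst,dport,bytes' lines; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def amplification_factor(query_bytes, response_bytes):
    """Response size divided by query size (the article's 100 -> 6000 case is 60x)."""
    return response_bytes / query_bytes


def find_reflection_victims(flows, min_reflectors=3, min_bytes_per_response=1000):
    """Return {victim: (distinct_reflectors, total_bytes)} for destinations that
    receive large UDP/53 responses from many servers without a matching query.
    Thresholds are assumed values; tune them to the observed baseline."""
    # Every (client, client_port, server) for which we saw an outbound query.
    queries_sent = {(f.src, f.sport, f.dst) for f in flows if f.dport == 53}
    by_victim = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.sport != 53 or f.nbytes < min_bytes_per_response:
            continue
        if (f.dst, f.dport, f.src) in queries_sent:
            continue  # solicited answer, not reflection
        by_victim[f.dst][0].add(f.src)
        by_victim[f.dst][1] += f.nbytes
    return {v: (len(r), b) for v, (r, b) in by_victim.items() if len(r) >= min_reflectors}


if __name__ == "__main__":
    print("amplification 100 -> 6000 bytes:", amplification_factor(100, 6000))
    for victim, (n, total) in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {n} reflectors, {total} bytes of unsolicited DNS responses")
```

The unsolicited-response test only works if the collector sees both directions of the victim's traffic; on a one-directional export (for example, sampled flows from an edge router) fall back to the reflector count and response-size distribution alone.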

How did the botnet maintain root access to Huge Networks' infrastructure?

The attacker gained root access using the SSH private keys belonging to the CEO of Huge Networks. Those keys, which turned up in the leaked archive, let the attacker authenticate as a trusted user and execute commands on the company's servers. Once inside, the attacker likely installed backdoors and maintained persistence through scheduled tasks or malicious scripts. The archive also contained tools for mass-scanning the internet, suggesting the attacker continuously looked for new vulnerable devices to add to the botnet. The CEO's keys were particularly damning because they provided unrestricted access to the core infrastructure. Huge Networks, despite being a security firm, failed to protect its own credentials, enabling the long-term compromise.

What lessons can other ISPs learn from this incident?

This incident underscores several critical lessons for ISPs and security companies. First, strict key management is essential; private SSH keys should never be exposed, and access should be regularly audited. Second, even firms specializing in security can become victims—no one is immune. Third, monitoring for unusual outbound scans or unexpected DNS traffic can help detect botnet activity early. ISPs should implement network segmentation, use access control lists, and regularly update firmware on routers. Additionally, collaboration with security researchers and sharing threat intelligence can help identify emerging threats. Finally, companies should have a breach response plan that includes immediate revocation of compromised credentials and forensic investigation. The Huge Networks case shows that attackers can turn a security company's own tools against it.
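The root-access section above and the first lesson here both come down to the same control: knowing exactly which SSH keys can log in to your servers and under what restrictions. The following is an added example, not code from the article or from Huge Networks. It parses OpenSSH `authorized_keys` entries (including the optional leading options field, honouring quoted values), computes each key's SHA256 fingerprint the way `ssh-keygen -lf` reports it, and reports keys absent from an allowlist or lacking a `from=` source restriction. The file contents, key blobs and allowlist are constructed placeholders, not real keys.

```python
"""Audit OpenSSH authorized_keys entries against an allowlist (added example)."""
import base64
import hashlib
from dataclasses import dataclass, field

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# Constructed sample file; the base64 blobs are placeholders, not real public keys.
SAMPLE_AUTHORIZED_KEYS = """\
# ops team
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001 alice@ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0002 ceo@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER003 backup
"""


@dataclass
class Entry:
    key_type: str
    blob: str
    comment: str
    options: list = field(default_factory=list)


def fingerprint(blob):
    """SHA256 fingerprint in the 'SHA256:<base64 without padding>' form ssh-keygen prints."""
    raw = base64.b64decode(blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


# Keys the inventory says belong here (constructed: alice's key and the backup key).
KNOWN_FINGERPRINTS = {
    fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001"),
    fingerprint("AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER003"),
}


def split_options(opts):
    """Split the comma-separated options field without breaking quoted values."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_entry(line):
    """Return an Entry, None for blank/comment lines, or raise ValueError."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not any(line.startswith(t + " ") for t in KEY_TYPES):
        # Options field ends at the first space outside double quotes.
        quoted, i = False, 0
        while i < len(line):
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == " " and not quoted:
                break
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"malformed entry: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return Entry(parts[0], parts[1], comment, split_options(options))


def audit(text, allowlist):
    """Return (line_no, finding, detail) tuples for keys that need attention."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            e = parse_entry(line)
        except ValueError as exc:
            findings.append((n, "malformed", str(exc)))
            continue
        if e is None:
            continue
        fp = fingerprint(e.blob)
        label = f"{e.key_type} {e.comment or '<no comment>'} {fp}"
        if fp not in allowlist:
            findings.append((n, "unknown-key", label))
        if not any(o.startswith("from=") for o in e.options):
            findings.append((n, "unrestricted-source", label))
    return findings


if __name__ == "__main__":
    for n, kind, detail in audit(SAMPLE_AUTHORIZED_KEYS, KNOWN_FINGERPRINTS):
        print(f"line {n}: {kind}: {detail}")
```

Run it over every `~/.ssh/authorized_keys` and `/root/.ssh/authorized_keys` you own, with the allowlist generated from your key inventory; a key whose fingerprint nobody can account for, or one that can authenticate from anywhere on the internet, is exactly the kind of credential this incident turned on.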