Buconos

DDoS Protection Firm's Own Network Weaponized in Attacks on Brazilian ISPs

Published: 2026-05-05 16:28:59 | Category: Cybersecurity

In a stunning turn of events, a Brazilian company that offers distributed denial-of-service (DDoS) protection has itself been the source of a prolonged assault on other Brazilian network operators. KrebsOnSecurity has learned that a security breach at Huge Networks allowed a threat actor to build a powerful botnet using the firm's own resources and attack rival ISPs.

“This was a malicious act by a competitor trying to damage our reputation,” the CEO of Huge Networks stated. The executive blamed a rival company for the intrusion, though no evidence has been publicly released to support that claim.

Security researchers have tracked a series of devastating DDoS attacks originating from Brazil, targeting only Brazilian ISPs, for several years. The mystery behind those attacks was solved earlier this month when a confidential source provided a file archive left exposed in an open directory online. The archive contained malicious Python scripts in Portuguese and the private SSH authentication keys of Huge Networks' CEO.

For more context, see the Background section.

Background

Huge Networks, founded in Miami in 2014 but with operations centered in Brazil, began by protecting game servers from DDoS attacks and later evolved into a dedicated DDoS mitigation provider for ISPs. Despite its role as a protector, the company had no prior history of abuse complaints or ties to DDoS-for-hire services.

[Image. Source: krebsonsecurity.com]

The exposed archive revealed that a Brazil-based attacker maintained root access to Huge Networks' infrastructure. Using that access, the threat actor mass-scanned the internet for vulnerable routers and unmanaged DNS servers that could be coerced into amplifying attacks. This technique, known as DNS reflection and amplification, allows attackers to scale small queries into massive responses—up to 70 times the original size—by exploiting misconfigured DNS servers.


“The attacker leveraged thousands of open DNS resolvers and insecure home routers to multiply the power of their botnet,” explained a security researcher who spoke on condition of anonymity. “This is a classic amplification attack, but the scale and duration are extraordinary.”
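From the resolver operator's side, the amplification described above shows up as a small stream of queries from one address answered with far larger responses. The following is an added example, not code from the article or the exposed archive: it flags that pattern in flow records, and the record format, sample data, function names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: UDP/53 flow records as seen at a recursive resolver.
# (client_ip, direction, payload_bytes); "q" = query received, "r" = response sent.
# Addresses are from documentation ranges; sizes are illustrative.
SAMPLE_FLOWS = (
    [("198.51.100.7", "q", 64)] * 200 + [("198.51.100.7", "r", 4000)] * 200
    + [("192.0.2.10", "q", 60)] * 50 + [("192.0.2.10", "r", 120)] * 50
    + [("203.0.113.5", "q", 70)] * 2 + [("203.0.113.5", "r", 3500)] * 2
)

def amplification_by_client(flows):
    """Return {client_ip: (response/query byte ratio, response bytes sent)}."""
    totals = defaultdict(lambda: {"q": 0, "r": 0})
    for client, direction, size in flows:
        totals[client][direction] += size
    return {
        client: (t["r"] / t["q"] if t["q"] else float("inf"), t["r"])
        for client, t in totals.items()
    }

def suspected_reflection_targets(flows, min_ratio=10.0, min_response_bytes=100_000):
    """Clients whose traffic looks like reflection: high ratio and high volume.

    With spoofed queries the "client" address is the victim, so these are the
    addresses this resolver is being used to flood. Thresholds are assumptions.
    """
    stats = amplification_by_client(flows)
    return sorted(
        client for client, (ratio, sent) in stats.items()
        if ratio >= min_ratio and sent >= min_response_bytes
    )

if __name__ == "__main__":
    for client, (ratio, sent) in sorted(amplification_by_client(SAMPLE_FLOWS).items()):
        print(f"{client}: {ratio:.1f}x, {sent} response bytes")
    print("suspected reflection targets:", suspected_reflection_targets(SAMPLE_FLOWS))
```

A resolver that shows this pattern for addresses outside its own customer ranges is answering recursion for the whole internet; restricting recursion to known clients removes it from the pool of usable reflectors.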

What This Means

The breach underscores a critical vulnerability in the cybersecurity industry: even companies entrusted with defending against attacks can be turned into weapons. “If a DDoS mitigation provider can have its infrastructure hijacked, no one is safe,” said Dr. Ana Santos, a network security expert at the University of São Paulo. “This highlights the urgent need for continuous security audits and isolation of critical systems.”

The attack also exposes the fragility of the internet's DNS ecosystem. Thousands of open DNS resolvers remain exploitable, and the botnet built by the Huge Networks attacker likely persists. Brazilian ISPs must now reassess their trust in third-party defenders and invest in proactive threat intelligence.

Huge Networks has since taken steps to revoke compromised keys and patch the breach, but the full extent of the damage is still being investigated. The company has not disclosed whether law enforcement has been notified. For implications, read What This Means.