
How a DDoS Protection Provider Was Weaponized Against Its Own Clients

2026-05-02 02:20:05

Introduction

In a shocking turn of events, a Brazilian technology firm that specializes in defending networks from distributed denial-of-service (DDoS) attacks was itself turned into a DDoS weapon. According to security research, the company—Huge Networks—had its infrastructure compromised, and attackers used it to launch a sustained campaign of massive DDoS attacks against Brazilian internet service providers (ISPs). This step-by-step guide explains how the attackers executed their plan, from initial access to the final assault, based on the findings reported by KrebsOnSecurity. While this guide is for educational purposes only, it highlights critical security lessons for any organization.

Image: How a DDoS Protection Provider Was Weaponized Against Its Own Clients (Source: krebsonsecurity.com)

What You Need

To understand how this attack unfolded, it helps to know the key components the attackers used:

  1. The private SSH keys of Huge Networks' CEO, found inside a malicious archive exposed in an open directory online.
  2. Portuguese-language Python scripts from the same archive, which automated the scanning and control stages.
  3. Consumer routers with insecure configurations, which could be commandeered to emit DNS queries with a forged source address.
  4. Open DNS resolvers, which answer queries from any source and so act as reflectors and amplifiers.

Step-by-Step Breakdown

Step 1: Obtain CEO's SSH Keys

The attackers gained entry by accessing the private SSH keys of Huge Networks' CEO. A malicious archive containing Portuguese-language Python scripts was discovered in an open directory online. This archive also included the CEO's SSH authentication keys for the company's infrastructure. With these keys, the threat actor effectively had root access to Huge Networks' systems. The CEO later claimed the breach was part of a deliberate attack by a competitor aiming to tarnish the firm's public image.

Step 2: Deploy Malicious Scripts

Once inside the network, the attacker uploaded and executed the Python scripts from the archive. These scripts were crafted to automate the next stages of the operation—scanning the internet for vulnerable devices and controlling them. The scripts also likely established persistence, ensuring continued access even if the SSH keys were revoked.

Step 3: Scan for Insecure Routers and DNS Servers

The attacker used the compromised infrastructure to mass-scan the internet for two types of vulnerable resources:

  1. Routers with insecure configurations that could be taken over and instructed to send DNS queries with a forged source address.
  2. Open DNS resolvers that answer queries from any source and therefore send their responses wherever the forged source address points.

Huge Networks' own bandwidth and processing power likely made these scans faster and harder to trace. The scans targeted Brazilian IP ranges to build a localized botnet.

Step 4: Build the Botnet

Using the discovered routers, the attacker created a botnet of tens of thousands of compromised devices. Each router could be instructed to send spoofed DNS queries. Simultaneously, the attacker compiled a list of open DNS servers that would respond to these queries—acting as amplifiers. By combining many low-powered routers with many open resolvers, the attacker multiplied the potential attack volume significantly.


Step 5: Launch DNS Reflection and Amplification Attacks

With the botnet ready, the attacker launched DDoS attacks exclusively against Brazilian ISPs. The attack method used DNS reflection and amplification:

  1. The botnet sent DNS queries to the open resolvers with the source IP address forged to be the victim's, so the resolvers never saw the true origin of the traffic.
  2. The resolvers addressed their responses to the forged source, flooding the victim's network with traffic that appeared to come from thousands of legitimate DNS servers.
  3. Using the EDNS0 extension, the queries advertised a large UDP payload size, so the resolvers returned full-size responses over UDP instead of truncating them at the classic 512-byte limit. The responses were 60 to 70 times larger than the requests, a classic amplification technique.

For example, a 100-byte request could trigger a 6,000- to 7,000-byte response. When thousands of compromised routers each sent such requests to many resolvers, the combined traffic overwhelmed the Brazilian ISPs' infrastructure and caused widespread service disruption. Because the packets that reached the victims came from the resolvers rather than from the routers, the true source of the attack was hidden from the targets.
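To make the EDNS0 point concrete, the following is an added example (not code from the article, and not the attackers' scripts). It builds a DNS query with and without an EDNS0 OPT record, parses the advertised UDP payload size back out of the packet, and computes the amplification ceiling a reflector could deliver for a given answer size. The domain name, transaction ID, buffer size and the 2,800-byte answer are constructed for illustration; they do not reproduce the article's measured 60 to 70 times figure.

```python
"""DNS query construction with and without EDNS0, and the amplification ceiling.

Added example; names, sizes and the transaction ID are constructed, not measured.
"""
import struct
from typing import Optional

DNS_TYPE_ANY = 255
DNS_TYPE_OPT = 41
CLASSIC_UDP_LIMIT = 512   # RFC 1035: without EDNS0 a UDP reply above 512 bytes is truncated


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = DNS_TYPE_ANY,
                edns_bufsize: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Build a UDP DNS query. When edns_bufsize is given, an OPT pseudo-RR is
    appended to the additional section; its CLASS field carries the UDP payload
    size the sender claims it can receive. That field is the EDNS0 signal that
    lets a resolver send a multi-kilobyte answer over UDP."""
    arcount = 1 if edns_bufsize is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # 0x0100 = RD bit
    question = encode_name(name) + struct.pack("!HH", qtype, 1)       # QCLASS 1 = IN
    pkt = header + question
    if edns_bufsize is not None:
        # OPT RR: root name (one zero byte), TYPE 41, CLASS = payload size,
        # TTL = extended RCODE/version/flags (all zero), RDLENGTH 0.
        pkt += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_bufsize, 0, 0)
    return pkt


def _skip_name(pkt: bytes, pos: int) -> int:
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = pkt[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def advertised_bufsize(pkt: bytes) -> Optional[int]:
    """Parse a query and return the EDNS0 UDP payload size, or None if there is no OPT RR."""
    _, _, qdcount, _, _, arcount = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(pkt, pos) + 4           # skip QTYPE + QCLASS
    for _ in range(arcount):
        pos = _skip_name(pkt, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        pos += 10 + rdlen
    return None


def udp_response_ceiling(query: bytes) -> int:
    """Largest reply a compliant resolver will send over UDP for this query."""
    size = advertised_bufsize(query)
    return CLASSIC_UDP_LIMIT if size is None else size


def amplification(query: bytes, full_answer_len: int) -> float:
    """Bytes the reflector sends toward the spoofed victim per byte the attacker sends.
    full_answer_len is the size of the complete answer (constructed here); anything
    above the ceiling is truncated rather than sent over UDP, so the ceiling caps it."""
    sent = min(full_answer_len, udp_response_ceiling(query))
    return sent / len(query)


if __name__ == "__main__":
    plain = build_query("example.com")                    # 29 bytes on the wire
    edns = build_query("example.com", edns_bufsize=4096)  # 40 bytes: the OPT RR adds 11
    answer = 2800   # constructed: a large ANY answer with many records and DNSSEC data
    print(f"no EDNS0:   {len(plain)}B sent, ceiling {udp_response_ceiling(plain)}B, "
          f"x{amplification(plain, answer):.1f}")
    print(f"EDNS0 4096: {len(edns)}B sent, ceiling {udp_response_ceiling(edns)}B, "
          f"x{amplification(edns, answer):.1f}")
```

The 11 extra bytes of the OPT record are what turn a reply capped at 512 bytes into one capped at the advertised size, which is why amplification jumps from roughly 18x to 70x for the same constructed answer. The same parser can be pointed at captured queries on a resolver to see what buffer sizes clients are advertising.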

Tips for Prevention

This case offers several important lessons for organizations, especially those in the security industry:

  1. Treat private SSH keys as root credentials. Keep them passphrase-protected and in an agent or hardware-backed store rather than in loose files that can be packed into an archive, and never leave such archives in web-accessible directories.
  2. After a key compromise, rotate the keys and rebuild the affected hosts. The scripts are described as likely establishing persistence, so revoking the keys alone does not evict the intruder.
  3. Monitor outbound traffic from your own infrastructure for mass scanning and unusual DNS query volume. A mitigation provider's bandwidth makes it an attractive platform for exactly this kind of abuse.
  4. Reflection depends on two things the attacker does not own: open resolvers and the ability to forge source addresses. Resolver operators should restrict recursion to their own clients, and networks should drop packets with spoofed source addresses at their edge.

Understanding how attackers turned a DDoS mitigation provider into a weapon is crucial for defending against similar threats. Every later stage of this attack followed from the single exposed credential in Step 1, which is where the defensive effort should begin.
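The monitoring point above is easier to act on with concrete logic. The following is an added example, not code from the article or from any ISP's tooling: it reads constructed flow records (timestamp, source, source port, destination, destination port, bytes) and flags hosts showing the three marks of a reflection flood, namely DNS responses arriving from many distinct resolvers, a large volume of them, and almost no outbound DNS queries to account for them. The addresses, sizes and thresholds are assumptions for illustration.

```python
"""Flag likely DNS reflection victims from flow records.

Added example on constructed data; the addresses, byte counts and thresholds
are assumptions, not telemetry from the incident.
"""
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# Constructed records: 203.0.113.10 is the flooded host (responses from three
# resolvers, no queries of its own); 203.0.113.20 is a normal client that asks
# one resolver two questions and receives two ordinary-sized answers.
FLOW_LOG = """\
# ts          src            sport  dst            dport  bytes
1714600001    198.51.100.7   53     203.0.113.10   41234  3950
1714600001    198.51.100.8   53     203.0.113.10   41234  4012
1714600001    198.51.100.9   53     203.0.113.10   41234  3988
1714600002    198.51.100.7   53     203.0.113.10   41234  3950
1714600002    203.0.113.20   51011  198.51.100.7   53     45
1714600002    198.51.100.7   53     203.0.113.20   51011  120
1714600003    203.0.113.20   51012  198.51.100.7   53     45
1714600003    198.51.100.7   53     203.0.113.20   51012  200
"""


def parse_flows(text: str) -> Iterator[Tuple[str, int, str, int, int]]:
    """Yield (src, sport, dst, dport, nbytes) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, sport, dst, dport, nbytes = line.split()
        yield src, int(sport), dst, int(dport), int(nbytes)


def detect_reflection_victims(text: str, min_resolvers: int = 3,
                              min_bytes: int = 2000,
                              min_ratio: float = 10.0) -> Dict[str, dict]:
    """Return {victim_ip: stats} for hosts whose inbound DNS-response bytes come
    from at least min_resolvers distinct sources, total at least min_bytes, and
    exceed the host's own outbound query bytes by a factor of min_ratio or more.
    A heavy but legitimate recursive client fails the ratio test because it sent
    the queries; a single busy resolver fails the distinct-source test."""
    inbound = defaultdict(int)       # dst -> bytes of DNS responses received
    resolvers = defaultdict(set)     # dst -> resolvers those responses came from
    outbound = defaultdict(int)      # src -> bytes of DNS queries it sent
    for src, sport, dst, dport, nbytes in parse_flows(text):
        if sport == 53 and dport != 53:       # a DNS response landing on dst
            inbound[dst] += nbytes
            resolvers[dst].add(src)
        elif dport == 53:                     # a DNS query leaving src
            outbound[src] += nbytes
    alerts: Dict[str, dict] = {}
    for host, nbytes in inbound.items():
        ratio = nbytes / max(outbound[host], 1)
        if (len(resolvers[host]) >= min_resolvers
                and nbytes >= min_bytes and ratio >= min_ratio):
            alerts[host] = {
                "inbound_bytes": nbytes,
                "resolvers": len(resolvers[host]),
                "outbound_bytes": outbound[host],
                "ratio": round(ratio, 1),
            }
    return alerts


if __name__ == "__main__":
    for victim, stats in detect_reflection_victims(FLOW_LOG).items():
        print(f"possible DNS reflection flood toward {victim}: {stats}")
```

The ratio test is what keeps a host that legitimately receives large DNSSEC or ANY answers out of the alert list, since such a host also sent the queries; the distinct-resolver count is what separates reflection from a single misbehaving server. On real NetFlow or sFlow exports, sampled byte counts should be scaled by the sampling rate before the thresholds are applied.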
