
Inside the Botnet Behind the Massive Brazilian ISP DDoS Attacks

DECRYPTED BY: Nova Stirling | TIMESTAMP: 2026-05-12 T 20:40:38 Z | [ 2 MIN READ ]

Brazilian ISP DDoS attacks expose a rogue anti‑DDoS firm

Security researchers have traced a wave of high‑volume denial‑of‑service assaults that swept across Brazil’s regional internet providers to a Miami‑born mitigation company, Huge Networks. The firm, which markets itself as a shield against DDoS, was found to be the unwitting host of a botnet that weaponised thousands of vulnerable TP‑Link Archer AX21 routers.

The leaked archive, obtained from an open‑directory dump, contained Python scripts, private SSH keys belonging to CEO Erick Nascimento, and references to domains previously linked to Mirai‑derived IoT botnets. Analysis shows the code systematically scanned the global address space for devices vulnerable to CVE‑2023‑1389, then launched DNS‑reflection bursts that amplified traffic to 1.2 Tbps for brief 10‑60 second windows.

How the amplification chain worked

Attackers sent spoofed DNS queries to misconfigured resolvers, exploiting the EDNS(0) extension to inflate responses up to 70‑fold. By chaining tens of thousands of compromised routers, the botnet flooded target prefixes within Brazil’s 200.0.0.0/8 range, overwhelming small ISPs that lack Tier‑1 upstream capacity.
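
Seen from a targeted ISP, the reflection traffic described above arrives as large UDP responses from port 53 that no local host asked for. The following added example (not code from the leaked archive or the original reporting) flags such bursts in flow records; the record layout, thresholds, and documentation-range addresses are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")  # assumed customer prefix (documentation range)
WINDOW_S = 10        # shortest burst length the article mentions
MIN_BYTES = 20_000   # assumed per-window alert threshold
MIN_RESOLVERS = 3    # assumed: reflection arrives from many resolvers at once

def find_reflection_bursts(flows):
    """Return {(victim_ip, window_start): (bytes, resolver_count)} for flagged windows.

    flows: UDP records (ts, src_ip, src_port, dst_ip, dst_port, nbytes), sorted by ts.
    """
    asked = set()                 # (local_ip, resolver_ip) pairs with a real query
    volume = defaultdict(int)
    resolvers = defaultdict(set)
    for ts, src, sport, dst, dport, nbytes in flows:
        if dport == 53 and ip_address(src) in LOCAL_NET:
            asked.add((src, dst))             # legitimate outbound query
        elif (sport == 53 and ip_address(dst) in LOCAL_NET
              and (dst, src) not in asked):
            key = (dst, int(ts) // WINDOW_S * WINDOW_S)
            volume[key] += nbytes             # response nobody here requested
            resolvers[key].add(src)
    return {k: (v, len(resolvers[k])) for k, v in volume.items()
            if v >= MIN_BYTES and len(resolvers[k]) >= MIN_RESOLVERS}

# Constructed sample: one normal lookup, then 12 unsolicited large answers
# from 8 different resolvers aimed at a single customer address.
SAMPLE = [
    (100, "192.0.2.10", 40000, "198.51.100.1", 53, 70),
    (100, "198.51.100.1", 53, "192.0.2.10", 40000, 300),
] + [
    (112 + i % 5, f"203.0.113.{i % 8 + 1}", 53, "192.0.2.77", 1024 + i, 4000)
    for i in range(12)
]

if __name__ == "__main__":
    for (victim, start), (nbytes, count) in find_reflection_bursts(SAMPLE).items():
        print(f"{victim} window={start}s unsolicited={nbytes}B resolvers={count}")
```

Matching responses to earlier queries keeps ordinary customer lookups out of the alert, and the distinct-resolver count separates reflection from a single noisy server.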

“We were alerted by Tier‑1 carriers about unprecedented traffic spikes,” Nascimento told KrebsOnSecurity, adding that the breach was first detected in January 2026.

Huge Networks claims the incident stemmed from a single compromised “jump server” on DigitalOcean, which the provider flagged for abusive activity hundreds of times. The company says it wiped the droplet, rotated all keys, and hired an external forensics team.

Independent experts note that the same Mirai variant resurfaced in a Reuters report on a global DDoS surge earlier this year, suggesting a broader ecosystem of opportunistic actors. There is no evidence that Huge Networks orchestrated the attacks for profit.


Words by Nova Stirling (Aerospace & Space Tech Correspondent).
