Brazilian DDoS Firm Behind Attacks on ISPs

A Brazilian anti-DDoS firm is implicated in massive attacks on local ISPs after exposed files revealed SSH keys and malicious tools. The CEO blames a competitor. Details from KrebsOnSecurity. April 30, 2026.

The exposed archive contained private SSH keys belonging to the CEO of Huge Networks and a suite of Portuguese-language Python scripts designed to scan, compromise, and weaponize internet-connected routers and DNS servers.

Key Takeaways

  • Huge Networks, a Miami-founded but Brazil-operated DDoS protection firm, is linked to years of large-scale DDoS attacks against Brazilian ISPs.
  • An open directory exposed the company’s CEO’s private SSH keys and malicious tools used to build a botnet from unsecured routers and DNS servers.
  • The attacks relied on DNS reflection and amplification, exploiting misconfigured servers to generate traffic up to 70x larger than the initial query.
  • The CEO claims the activity resulted from a security breach and suggests a competitor planted the tools to damage the company’s reputation.
  • No public abuse complaints have been filed against Huge Networks, and it is not tied to any known DDoS-for-hire services.

Huge Networks’ Shadow Campaign

Huge Networks built its name defending Brazilian network operators from DDoS attacks. Founded in Miami in 2014, the company started by protecting online game servers—common targets for traffic floods—before pivoting to offer DDoS mitigation services for ISPs. For years, its public profile remained clean: no abuse complaints, no association with attack-for-hire marketplaces. That image fractured earlier this month when a trusted source shared an exposed file archive from an open directory online.

Inside were the private SSH authentication keys of the company’s CEO and a collection of Python-based tools. These weren’t defensive scripts. They were offensive. Written in Portuguese, they enabled mass scanning of the internet for vulnerable routers and misconfigured DNS servers—devices that, once compromised, could be turned into a high-capacity botnet.

From at least 2023 onward, Brazilian ISPs faced a persistent wave of massive DDoS attacks. The scale was unusual. The focus was narrow: only Brazilian targets. Until now, attribution was murky. The exposed archive changed that. The tools match attack patterns observed over the past three years. The access points—routers, DNS resolvers—are consistent. And the infrastructure, according to KrebsOnSecurity’s analysis, traces back to systems under Huge Networks’ control.

DNS Reflection: The Weapon in Plain Sight

The botnet didn’t rely on brute force alone. It exploited a well-known but persistently misconfigured part of the internet’s plumbing: DNS servers. When properly configured, a recursive DNS server answers queries only from the networks it serves. But many remain open to the entire internet, a configuration that turns them into weapons when abused.

Here’s how it works: an attacker sends a small DNS query—less than 100 bytes—to an open resolver, but spoofs the source IP address to make it appear as if the request came from the intended victim. The resolver replies not to the attacker, but to the victim. And because of DNS protocol extensions like EDNS0, that reply can be enormous—up to 60–70 times the size of the original request.

When that technique is multiplied across tens of thousands of compromised routers and open DNS servers, the amplification effect is devastating. A modest botnet of a few thousand nodes can generate multi-gigabit floods. At peak, the attacks tied to this campaign have exceeded 300 Gbps, enough to overwhelm mid-sized ISPs, especially those with limited traffic scrubbing capacity.

Mass Scanning at Scale

The exposed tools didn’t just launch attacks. They built the army. One script continuously scanned IPv4 address space across Brazil, hunting for routers with default credentials or unpatched vulnerabilities. Another targeted DNS servers that responded to arbitrary queries from any IP. Once identified, these systems were enlisted into a command-and-control network.

The choice of targets wasn’t random. The routers were mostly consumer-grade devices—ones from brands like TP-Link, including models such as the Archer AX21—that ISPs often deploy at customer premises. These units are rarely updated and commonly left with factory settings. The DNS servers were typically run by smaller providers or universities, their operators unaware their infrastructure was being weaponized.

Each successful compromise expanded the botnet’s reach. And because the attacks were routed through third-party systems, the origin point was obscured. Until now.

  • DNS reflection attacks exploit protocol design, not software bugs.
  • Amplification ratios of 60x mean 5 Gbps of attacker traffic can generate 300 Gbps of victim impact.
  • Open DNS resolvers remain widespread: over 28 million were publicly accessible as of 2025, according to prior measurements.
  • Consumer routers are the weakest link—often unmonitored, unpatched, and exposed.
  • Attackers don’t need to own the infrastructure—just the ability to hijack it.

The CEO’s Defense: A Breach or a Cover-Up?

When contacted by KrebsOnSecurity, the CEO of Huge Networks denied any involvement in the attacks. He claimed the malicious activity stemmed from a security breach in mid-2025 and insisted that the tools and keys found in the open directory were planted by a competitor aiming to tarnish the company’s reputation.

“We were compromised,” he said. “Someone got in, used our infrastructure, and left behind evidence to make it look like we were responsible.”

That explanation raises more questions than it answers. How did the attackers gain root access? Why were the CEO’s private SSH keys present in the archive? And if the breach occurred in 2025, why did the attacks continue into 2026 without public disclosure?

More troubling: the tools in the archive weren’t hidden. They were stored in a directory that, while not meant to be public, was accessible without authentication. That suggests either poor operational security or a deliberate staging ground. And the attack logic—scanning for Brazilian routers, targeting Brazilian ISPs—points to intimate regional knowledge. This wasn’t a random hack. It was a sustained campaign.

There’s no public record of Huge Networks reporting the breach to Brazilian CERT or issuing customer advisories. Nor is there evidence of infrastructure hardening following the alleged compromise. If a competitor truly hijacked their systems, it’s odd that the fallout landed almost exclusively on other Brazilian network operators—the very clients Huge Networks claims to protect.

Irony with Teeth

Here’s the bitter irony: Huge Networks sells trust. It promises ISPs protection from the very tactics now tied to its infrastructure. DDoS mitigation is a business built on credibility. Clients outsource their network resilience because they lack the tools or expertise to fend off large-scale floods. They pay for peace of mind.

But peace of mind means nothing if the protector is the threat.

That doesn’t mean the CEO is lying. It’s possible—though unlikely—that a sophisticated adversary breached the company, deployed a custom botnet, and framed Huge Networks without leaving any forensic trace pointing elsewhere. But the absence of public breach reports, the continued use of the CEO’s private keys, and the sustained targeting pattern all tilt the scales away from victimhood and toward plausible deniability.

And let’s be clear: this isn’t about a misconfigured server or a forgotten log. This is about a company specializing in network defense that may have operated an offensive botnet for years—against its own peers. That’s not a lapse. That’s a betrayal of the entire ecosystem.

What This Means For You

If you’re building or managing network infrastructure, this story is a wake-up call. First, never assume that a service labeled “security” is inherently secure. Third-party vendors, especially in DDoS protection, operate with immense power. They sit close to your traffic, your routing, and your resilience. Vetting can’t stop at marketing claims or SLAs. Audit their infrastructure practices. Ask about breach history. Demand transparency.

Second, secure your DNS servers. Disable recursion for external queries. Implement Response Rate Limiting (RRL). Monitor for unusual query volumes. And if you’re running consumer routers in production—stop. Replace them with hardened, centrally managed devices that receive regular updates. A single exposed TP-Link box can become a weapon in a multi-gigabit attack. It’s not theoretical. It’s happening right now.

Finally, assume you’re a target. Not because you’re high-profile, but because the tools to attack are automated, cheap, and often invisible. The botnet behind these attacks didn’t need zero-days. It used defaults, misconfigurations, and neglect. That’s the real vulnerability: complacency.
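The reflection mechanism described under “DNS Reflection: The Weapon in Plain Sight” above, together with the monitoring and Response Rate Limiting advice in this section, as an added Python example. This is not code from the article, from KrebsOnSecurity or from Huge Networks. It parses a small set of constructed resolver log lines in a made-up format (epoch seconds, client IP, query name, query type, query bytes, response bytes), computes the per-flow amplification ratio to spot reflection abuse, and then runs the same lines through a per-second token-bucket limiter loosely modelled on BIND’s RRL. The log format, the thresholds (ratio 10, five queries, five responses per second, slip every second reply) and the addresses are all assumptions for illustration.

```python
# Spotting DNS reflection abuse in resolver logs and rate-limiting the replies.
# Added illustration: the log format, thresholds and addresses are constructed.
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic). One query per line:
#   <epoch_seconds> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
# 203.0.113.7 is the spoofed source address, i.e. the reflection victim;
# 198.51.100.23 is an ordinary client of the resolver.
SAMPLE_LOG = "\n".join(
    [f"{1000 + 0.05 * i:.2f} 203.0.113.7 example.org ANY 64 3925" for i in range(8)]
    + ["1000.55 198.51.100.23 www.example.com A 45 61",
       "1000.65 198.51.100.23 mail.example.com MX 48 120",
       "1001.00 203.0.113.7 example.org ANY 64 3925",
       "1001.10 203.0.113.7 example.org ANY 64 3925"])

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
TRUNCATED_RESPONSE_BYTES = 64  # assumed size of a TC=1 "slip" reply

def parse_log(text):
    """Parse the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype, qlen, rlen = m.groups()
        records.append({"ts": float(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "qlen": int(qlen), "rlen": int(rlen)})
    return records

def amplification_by_flow(records):
    """Aggregate bytes in/out per (client, qname, qtype) and compute the ratio."""
    flows = defaultdict(lambda: {"count": 0, "qbytes": 0, "rbytes": 0})
    for r in records:
        f = flows[(r["client"], r["qname"], r["qtype"])]
        f["count"] += 1
        f["qbytes"] += r["qlen"]
        f["rbytes"] += r["rlen"]
    for f in flows.values():
        f["ratio"] = f["rbytes"] / f["qbytes"]
    return dict(flows)

def flag_reflection(records, min_ratio=10.0, min_count=5):
    """Flag flows with many repeated queries whose replies dwarf the queries.
    The logged "client" is the spoofed source: the victim to notify, not an
    attacker to block."""
    flagged = []
    for (client, qname, qtype), f in amplification_by_flow(records).items():
        if f["ratio"] >= min_ratio and f["count"] >= min_count:
            flagged.append({"victim": client, "qname": qname, "qtype": qtype,
                            "count": f["count"], "ratio": round(f["ratio"], 1)})
    return flagged

class ResponseRateLimiter:
    """Per-second response limiter loosely modelled on BIND's RRL. Replies are
    accounted per (client /24, qname, qtype); once a second's budget is spent,
    every `slip`-th excess reply is a small TC=1 "slip" (a real client retries
    over TCP, which a spoofed source cannot) and the rest are dropped."""
    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self._window = {}                # key -> [second, replies sent]
        self._excess = defaultdict(int)  # key -> rate-limited replies so far

    def decide(self, ts, client, qname, qtype):
        """Return "send", "slip" or "drop" for one response."""
        net = ipaddress.ip_network(f"{client}/{self.prefix_len}", strict=False)
        key, second = (str(net), qname.lower(), qtype.upper()), int(ts)
        win = self._window.get(key)
        if win is None or win[0] != second:
            win = self._window[key] = [second, 0]  # new one-second window
        if win[1] < self.rps:
            win[1] += 1
            return "send"
        self._excess[key] += 1
        return "slip" if self.slip and self._excess[key] % self.slip == 0 else "drop"

def simulate_rrl(records, limiter=None):
    """Run the log through the limiter; return the decision counts and the
    reply bytes the resolver would emit without and with limiting."""
    limiter = limiter or ResponseRateLimiter()
    outcome = {"send": 0, "slip": 0, "drop": 0}
    unlimited = limited = 0
    for r in records:
        decision = limiter.decide(r["ts"], r["client"], r["qname"], r["qtype"])
        outcome[decision] += 1
        unlimited += r["rlen"]
        if decision == "send":
            limited += r["rlen"]
        elif decision == "slip":
            limited += TRUNCATED_RESPONSE_BYTES
    return outcome, unlimited, limited

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible reflection victims:", flag_reflection(recs))
    print("RRL outcome (decisions, bytes without, bytes with):", simulate_rrl(recs))
```

Two design points matter here. The address a resolver logs during a reflection attack is the spoofed victim, so an access-list block on it would only finish the attacker’s job; the detector therefore labels it `victim`, and the mitigation is rate limiting plus, as the article says, refusing recursion for networks you do not serve. Slipping a truncated reply rather than dropping everything keeps service for legitimate clients behind a shared /24, because a real client retries over TCP while a spoofed source never can.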

Who benefits when a DDoS protection firm becomes the attacker? The answer might not be a competitor. It might be the market itself—where fear sells subscriptions, and scale justifies pricing. The line between defense and offense has never been thinner.

Sources: Krebs on Security, original report
