Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 16:00:38
Introduction
In a disturbing twist of digital warfare, a Brazilian cybersecurity firm that specialized in protecting networks from distributed denial-of-service (DDoS) attacks was itself hijacked to launch massive DDoS campaigns against Brazilian ISPs. Investigators found that the attackers had obtained the CEO's private SSH keys and, from inside the firm's own infrastructure, built a botnet of insecure routers and compiled a list of open DNS resolvers to reflect and amplify the assaults. This guide breaks down the steps the threat actors followed, showing how a single security lapse can turn a defender into an unwitting weapon. Whether you are a network administrator or a cybersecurity enthusiast, understanding this playbook is critical for prevention.

What You Need
To recreate (or defend against) this attack chain, you would need the following components. Note: This is presented for educational and defensive purposes only.
- Compromised SSH keys – Specifically the private keys of a high-ranking employee (e.g., CEO) that grant root access to critical infrastructure.
- Internet scanning tools – Such as Zmap or Masscan to quickly identify vulnerable devices across wide IP ranges.
- Exploitable devices – Open recursive DNS resolvers, i.e. servers misconfigured to answer recursive queries from any source, plus insecure home/office routers (such as the TP‑Link Archer AX21) with default credentials or unpatched vulnerabilities.
- Python scripting environment – The attackers used Portuguese-language Python scripts to automate scanning, exploitation, and botnet control.
- A command‑and‑control (C&C) infrastructure – To coordinate the botnet and issue attack commands.
- Network bandwidth – Substantial upstream capacity to launch high‑volume reflection attacks.
Step‑by‑Step Attack Breakdown
Step 1: Acquire Compromised Credentials
The operation began when an archive containing the CEO's private SSH keys was found in an open, web-accessible directory. The CEO maintained that the leak resulted from a security breach, possibly orchestrated by a competitor to tarnish the firm's image; regardless of how they got there, the keys were valid and immediately usable. With them, the attackers had root access to the company's internal servers, including those providing DDoS protection services to Brazilian network operators.
Step 2: Mass‑Scan the Internet for Vulnerable Devices
With privileged access to the defender’s own infrastructure, the attackers deployed automated scanning tools to systematically probe the internet. They specifically looked for two types of devices:
- Insecure home/office routers – Devices like the TP‑Link Archer AX21 with default passwords or unpatched firmware that could be easily hijacked.
- Open DNS resolvers – Recursive DNS servers (mis)configured to answer queries from any IP address rather than only from their own network.
This scanning was continuous and routine, building a steady pipeline of new recruits for the botnet.
Step 3: Enlist Devices into the Botnet
Once vulnerable devices were identified, the attackers used the Python scripts found in the exposed archive to take control. Routers were compromised through remote command injection exploits or brute‑forced credentials and became bots that would send traffic on demand. Open DNS resolvers were not infected at all; they were simply recorded in a list of reflectors to be abused later. The botnet grew to tens of thousands of routers, all controlled by a single threat actor operating from within Brazil.
Step 4: Exploit DNS Reflection and Amplification
The attacks' power came from DNS reflection and amplification. The attackers sent DNS queries whose IP source address was forged to be the victim's, directing them at the pool of open resolvers they had collected. DNS over UDP involves no handshake, so each resolver simply answered to the address in the packet, delivering the response to the victim instead of the attacker. Because a response can be far larger than the query that triggered it (an ANY query carrying an EDNS0 buffer size of 4,096 bytes is the classic case), a roughly 100‑byte request can elicit a reply of several thousand bytes, a bandwidth amplification on the order of 60x. With thousands of resolvers answering at once, the victim's links were saturated by traffic that appeared to come from legitimate DNS servers, which also made the true source hard to identify.
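To make the size arithmetic concrete, here is an added example (not code from the original article or from the investigation) that builds a minimal DNS ANY query with an EDNS0 OPT record and a constructed, hypothetical oversized TXT response using only Python's standard library, then computes the bandwidth amplification factor. The name example.com, the record contents and the record count are assumptions; the IP‑layer source spoofing that makes reflection work is deliberately not modeled, only the DNS payload sizes are.

```python
"""Added example: why a small DNS query can yield a large DNS response.

Builds a minimal DNS ANY query with an EDNS0 OPT record and a constructed
(hypothetical) oversized response, then computes the bandwidth amplification
factor. Only the DNS payload is modelled; no IP-layer spoofing or network
I/O takes place.
"""
import struct

QTYPE_TXT = 16
QTYPE_OPT = 41
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_opt_rr(udp_payload_size: int) -> bytes:
    """EDNS0 OPT pseudo-RR (RFC 6891): root name, TYPE=41, CLASS carries the
    advertised UDP payload size, TTL holds ext-RCODE/version/flags (zero), RDLEN=0."""
    return b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload_size, 0, 0)


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_bufsize: int = 4096) -> bytes:
    """Recursive query (flags 0x0100: RD=1) with one question and one OPT RR."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question + build_opt_rr(edns_bufsize)


def build_response(query: bytes, txt_strings: list[str], ttl: int = 300) -> bytes:
    """Constructed response answering the query with TXT records.

    Hypothetical data: a real ANY response carries whatever the zone holds.
    Answer owner names use a compression pointer (0xC00C) to the question name.
    """
    txid, = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1        # end of QNAME (starts at offset 12)
    question = query[12:qname_end + 4]              # QNAME + QTYPE + QCLASS
    answers = b""
    for s in txt_strings:
        raw = s.encode("ascii")
        if len(raw) > 255:
            raise ValueError("a TXT character-string holds at most 255 bytes")
        rdata = bytes([len(raw)]) + raw
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    # Flags 0x8180: QR=1 (response), RD=1, RA=1. ARCOUNT=1 for the echoed OPT RR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 1)
    return header + question + answers + build_opt_rr(4096)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bandwidth amplification factor: response bytes per query byte."""
    return len(response) / len(query)


def demo() -> dict:
    """Assumed scenario: 14 TXT records of 255 bytes, which fits in a 4096-byte
    EDNS buffer without truncation, so the resolver would answer over UDP."""
    query = build_query("example.com")
    response = build_response(query, ["A" * 255] * 14)
    return {
        "query_bytes": len(query),          # 40
        "response_bytes": len(response),    # 3792
        "factor": amplification_factor(query, response),
    }


if __name__ == "__main__":
    print(demo())
```

The 40‑byte query is smaller than the article's round figure of 100 bytes because it carries no extra options; the point is the ratio, which here is close to 95x and would be lower against a resolver that truncates or answers ANY minimally.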

Step 5: Target Brazilian ISPs with Sustained Campaigns
For several years, a string of massive DDoS attacks originating from Brazil had been battering local ISPs. Security experts had struggled to attribute them. With the botnet built from compromised routers and the defender’s own infrastructure, the attackers launched wave after wave of amplified DNS attacks exclusively against Brazilian network operators. The firm’s CEO later stated the malicious activity was the work of a competitor trying to ruin his company’s reputation, but the forensic evidence clearly showed the attacks were orchestrated using the firm’s own systems.
Tips for Defenders
This case offers several critical lessons for network security teams:
- Protect your credentials. Keep private SSH keys on hardware-backed tokens (FIDO2 security keys, which OpenSSH supports natively) or in a secrets vault, protect them with passphrases, and prefer short-lived SSH certificates over long-lived static keys. Treat any key that has ever been world-readable as compromised: remove it from every authorized_keys file and rotate, rather than hoping it was never copied.
- Monitor for unauthorized scanning. Export flow records (NetFlow/IPFIX) and alert when an internal host contacts an unusually large number of distinct destinations on one port in a short window; a trusted server that suddenly behaves like a scanner is a strong sign that its administrator credentials are in someone else's hands. Egress filtering limits what a compromised host can reach.
- Harden your DNS infrastructure. Open recursive resolvers are the amplifier of choice. Restrict recursion to your own address ranges (allow-recursion in BIND), do not let authoritative servers recurse at all, enable response rate limiting (RRL), and answer ANY queries minimally or not at all. At the network edge, implement source-address validation (BCP 38) so that packets with forged source addresses never leave your network; reflection only works because some upstream lets spoofed traffic through.
- Segment and audit access. Even a valid root key should not reach every system: keep management interfaces on a separate network, require a bastion host, and review on a schedule who holds access to critical systems, revoking unused keys and accounts.
- Apply least privilege throughout. The chain above starts with one exposed key and ends with a national-scale DDoS; every stage at which that key opened a door it did not need to open was a missed chance to contain the incident.
- Foster a culture of security. Whether or not the "competitor" explanation holds, insider mistakes and supply-chain exposure are real risks. Train staff to recognize phishing and to treat private keys as secrets that never belong in shared archives or web-reachable directories.
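As an added example (not from the article or the firm involved), the following Python script runs the two detections recommended above over constructed, clearly fake flow records: an internal host fanning out to many destinations on one port, and a resolver whose DNS response bytes to one client dwarf the query bytes attributed to that client, which is what a reflector looks like from the resolver's own telemetry. The CSV field layout, thresholds and addresses are assumptions; adapt them to your own flow export.

```python
"""Added example: flag (a) internal hosts that mass-scan and (b) a resolver
being used as a DNS reflector, from simplified NetFlow-style records.

All records are constructed for illustration. Assumed CSV layout:
ts,src,dst,proto,sport,dport,packets,bytes
"""
import csv
import io
from collections import defaultdict

FIELDS = ["ts", "src", "dst", "proto", "sport", "dport", "packets", "bytes"]


def constructed_sample() -> str:
    """Return constructed flow records as CSV text (not real telemetry)."""
    rows = []
    # (a) 10.0.0.5 probes TCP/80 on 40 distinct hosts within 40 seconds.
    for i in range(40):
        rows.append((1020 + i, "10.0.0.5", f"198.51.100.{i + 1}", "tcp", 40000 + i, 80, 1, 60))
    # Benign: 10.0.0.7 talks to three hosts on TCP/443.
    for i in range(3):
        rows.append((1020 + i, "10.0.0.7", f"198.51.100.{200 + i}", "tcp", 50000 + i, 443, 12, 4000))
    # (b) Resolver 10.0.0.53 receives 50 tiny queries whose source is the victim
    # 203.0.113.9 (spoofed) and answers each with a 3792-byte response.
    for i in range(50):
        rows.append((2000 + i, "203.0.113.9", "10.0.0.53", "udp", 53, 53, 1, 40))
        rows.append((2000 + i, "10.0.0.53", "203.0.113.9", "udp", 53, 53, 3, 3792))
    # Benign client with ordinary query/response sizes.
    for i in range(10):
        rows.append((2000 + i, "192.0.2.10", "10.0.0.53", "udp", 51000 + i, 53, 1, 60))
        rows.append((2000 + i, "10.0.0.53", "192.0.2.10", "udp", 53, 51000 + i, 1, 120))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(FIELDS)
    writer.writerows(rows)
    return buf.getvalue()


def parse_flows(text: str) -> list[dict]:
    """Parse CSV flow records, converting numeric fields to int."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("ts", "sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def detect_scanners(flows, window_s: int = 60, min_unique_dsts: int = 20) -> dict:
    """Return {(src, dport): unique_dsts} for pairs that touch at least
    min_unique_dsts distinct destinations inside one time window."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["dport"], f["ts"] // window_s)].add(f["dst"])
    hits = {}
    for (src, dport, _), dsts in seen.items():
        if len(dsts) >= min_unique_dsts:
            hits[(src, dport)] = max(hits.get((src, dport), 0), len(dsts))
    return hits


def detect_reflection(flows, min_ratio: float = 10.0, min_responses: int = 5) -> list:
    """Return [(resolver, client, ratio)] where UDP/53 response bytes sent to a
    client are at least min_ratio times the query bytes received from it.

    Queries carrying a spoofed source are attributed to the victim, so the
    per-client bytes_out/bytes_in ratio approaches the amplification factor.
    """
    bytes_in = defaultdict(int)    # query bytes received, keyed (resolver, client)
    bytes_out = defaultdict(int)   # response bytes sent, keyed (resolver, client)
    responses = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == 53:
            bytes_in[(f["dst"], f["src"])] += f["bytes"]
        if f["sport"] == 53:
            bytes_out[(f["src"], f["dst"])] += f["bytes"]
            responses[(f["src"], f["dst"])] += 1
    hits = []
    for pair, out in bytes_out.items():
        ratio = out / max(bytes_in.get(pair, 0), 1)
        if responses[pair] >= min_responses and ratio >= min_ratio:
            hits.append((pair[0], pair[1], round(ratio, 1)))
    return sorted(hits)


if __name__ == "__main__":
    sample = parse_flows(constructed_sample())
    print("scanners:", detect_scanners(sample))
    print("reflection:", detect_reflection(sample))
```

On the constructed data the scanner check flags only 10.0.0.5 on port 80 (40 destinations in one window) and the reflection check flags only the 10.0.0.53 to 203.0.113.9 pair with a ratio of about 95, while the benign host and client stay below both thresholds. In production, tune the window and thresholds to your baseline, and remember that a resolver which never recurses for outsiders will not show the reflection pattern at all, which is the cheaper fix.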
By learning from this incident, organizations can better defend against DDoS attacks that weaponize the very tools meant to stop them. Remember: robust security starts with protecting the keys to the kingdom.