Infolink Anti-DDoS Provider Linked to Brazilian ISP Botnet Attacks
- [01] Immediate impact: A Brazilian security firm allegedly facilitated massive network attacks against regional ISPs, causing significant service disruptions and financial damages.
- [02] Affected systems: The campaign leveraged Infolink infrastructure to orchestrate botnet activity targeting competing network operators and their downstream connectivity.
- [03] Remediation: Organizations should audit traffic arriving from Infolink-controlled IP prefixes and apply BCP 38 ingress filtering so that spoofed-source and unexpected flood traffic cannot transit their networks.
Overview of the Infolink Botnet Allegations
A recent investigation has uncovered a troubling scenario in which a security provider, tasked with defending networks, has instead been identified as a source of attacks. According to KrebsOnSecurity, the Brazilian technology firm Infolink, which specializes in distributed denial-of-service (DDoS) protection, has been linked to an extensive campaign of attacks against other network operators in Brazil. The incident illustrates a supply-chain risk that is easy to overlook: a trusted security provider's own infrastructure being turned against the networks it is supposed to protect.
Evidence suggests that Infolink's network was used to drive a botnet that overwhelmed competing Internet Service Providers (ISPs) with massive volumes of traffic. The firm's CEO attributes the activity to a breach orchestrated by a competitor, but whatever the cause, the impact on Brazilian networks has been severe, and defenders are having to reconsider how much trust they extend to their upstream security partners.
Technical Analysis of Network Abuse
Attacks launched from an anti-DDoS provider's infrastructure are dangerous for a simple reason. To absorb and scrub floods, a provider like Infolink maintains large bandwidth capacity and well-connected peering; those same assets deliver floods just as effectively when they are pointed outward.
Security researchers tracking the campaign noted that the attack traffic often mirrored the very patterns Infolink was hired to stop. This suggests the attackers, whether insiders or outsiders who had escalated privileges inside the provider's network, used the firm's own traffic-shaping tools to sidestep ordinary rate limiting. In many cases the malicious traffic appeared to be centrally commanded, with a distributed population of compromised devices contributing bandwidth to the volume directed at specific Brazilian targets.
Brazilian ISP DDoS Mitigation Strategies and Network Abuse
For regional operators, the challenge lies in detecting Infolink botnet traffic without inadvertently blocking legitimate customer data. Traditional mitigation often relies on allow-listing known security providers, a practice that becomes a liability when those providers are compromised. Effective DDoS mitigation for Brazilian ISPs must now include closer inspection of what arrives from security-as-a-service partners: the GRE tunnels that carry scrubbed traffic back to the customer and the BGP announcements that draw traffic toward the scrubbing center. If an APT or a rogue competitor gains control over a scrubbing center's edge routers, the attacks it launches are difficult to distinguish from genuine transit, and automated SIEM alerts that assume the provider is trustworthy will never fire.
The “Breach” Claim and Attribution
Infolink's leadership has claimed that the malicious activity was not a deliberate corporate strategy but the result of a compromise. They suggest that a competitor breached their systems to tarnish their reputation. If true, this indicates a failure of internal SOC monitoring and an inability to detect lateral movement within their core infrastructure. Whether the intent was sabotage or competitive advantage, the result is the same: security resources were weaponized.
From a threat intelligence perspective, the incident is a stark reminder that even a low-severity flaw in a management interface can lead to catastrophic network-wide abuse if it lets an attacker control a service provider's outbound traffic policies.
Actionable Recommendations for Defenders
To protect against the risks posed by compromised security vendors, organizations should prioritize the following steps:
- Implement Ingress Filtering: Apply BCP 38 at customer-facing edges so that packets are dropped when their source address is not within the prefixes expected on that interface (unicast reverse-path forwarding is the usual implementation), preventing simple spoofing attacks.
- Provider Auditing: Review the security posture of any anti-DDoS or CDN provider. Ensure they have independent audits and robust internal monitoring to detect when their own infrastructure is being used to launch attacks.
- Traffic Baselining: Establish baselines for traffic arriving from security partners. Sudden spikes in UDP or ICMP volume from a “scrubbing” center should trigger immediate investigation in the flow-telemetry and network monitoring layers.
- Diversified Mitigation: Avoid reliance on a single provider for DDoS protection. A multi-vendor strategy provides redundancy if one provider's network itself becomes a source of attack traffic.
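The source-validation and baselining checks in the list above, and the closer inspection of partner GRE tunnels discussed earlier, applied to flow telemetry as an added example that is not from the KrebsOnSecurity report or from Infolink. The prefixes are RFC 5737 documentation ranges standing in for a hypothetical customer and a hypothetical scrubbing partner; the interface names, thresholds and flow records are constructed for the example.

```python
"""Flow-telemetry checks for a scrubbing partner that may have turned hostile.

Two checks over NetFlow-style records (dicts constructed below):
  1. BCP 38 style source validation: a flow arriving on a customer- or
     partner-facing interface must carry a source address inside the
     prefixes expected on that interface.
  2. Baselining of UDP/ICMP volume arriving from the scrubbing partner's
     prefix per time window, alerting when a window exceeds a multiple of
     the median of the windows seen before it.
Prefixes (RFC 5737 documentation ranges), interface names, thresholds and
flow records are all assumptions for this example, not incident data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Hypothetical topology: source prefixes legitimate on each ingress interface.
IFACE_PREFIXES = {
    "cust-a": [ip_network("198.51.100.0/24")],       # a downstream customer
    "partner-gre": [ip_network("203.0.113.0/24")],   # clean-traffic return tunnel
}
PARTNER_PREFIX = ip_network("203.0.113.0/24")        # the scrubbing partner
FLOOD_PROTOS = {"udp", "icmp"}


def bcp38_violations(records, iface_prefixes=IFACE_PREFIXES):
    """Flows whose source is outside the prefixes expected on their ingress interface."""
    bad = []
    for r in records:
        allowed = iface_prefixes.get(r["iface"])
        if allowed is None:
            continue  # transit/peering interface: no single expected prefix set
        src = ip_address(r["src"])
        if not any(src in net for net in allowed):
            bad.append(r)
    return bad


def partner_flood_bytes(records, partner=PARTNER_PREFIX, window=60):
    """UDP/ICMP bytes per window (seconds) from the partner prefix, keyed by window index."""
    buckets = defaultdict(int)
    for r in records:
        if r["proto"] in FLOOD_PROTOS and ip_address(r["src"]) in partner:
            buckets[r["ts"] // window] += r["bytes"]
    return dict(buckets)


def baseline_alerts(records, partner=PARTNER_PREFIX, window=60, factor=5.0, min_history=3):
    """(window_start, bytes, baseline) for windows exceeding factor x median of earlier windows."""
    per_window = partner_flood_bytes(records, partner, window)
    alerts, history = [], []
    for w in sorted(per_window):
        vol = per_window[w]
        if len(history) >= min_history and vol > factor * median(history):
            alerts.append((w * window, vol, median(history)))
        history.append(vol)  # a flagged window still enters history; tune for your environment
    return alerts


# Constructed flow records: ts (s), ingress interface, source, protocol, bytes.
SAMPLE_FLOWS = [
    {"ts": 5,   "iface": "cust-a",      "src": "198.51.100.20", "proto": "tcp",  "bytes": 4000},
    {"ts": 8,   "iface": "cust-a",      "src": "192.0.2.7",     "proto": "udp",  "bytes": 900},    # spoofed source on a customer port
    {"ts": 10,  "iface": "partner-gre", "src": "203.0.113.5",   "proto": "udp",  "bytes": 1000},
    {"ts": 70,  "iface": "partner-gre", "src": "203.0.113.5",   "proto": "udp",  "bytes": 1200},
    {"ts": 130, "iface": "partner-gre", "src": "203.0.113.9",   "proto": "icmp", "bytes": 900},
    {"ts": 190, "iface": "partner-gre", "src": "203.0.113.5",   "proto": "udp",  "bytes": 1100},
    {"ts": 250, "iface": "partner-gre", "src": "203.0.113.5",   "proto": "udp",  "bytes": 50000},  # partner-origin flood
    {"ts": 252, "iface": "partner-gre", "src": "192.0.2.9",     "proto": "udp",  "bytes": 30000},  # spoofed source inside the tunnel
    {"ts": 255, "iface": "partner-gre", "src": "203.0.113.5",   "proto": "tcp",  "bytes": 20000},  # TCP, not counted as flood
]

if __name__ == "__main__":
    for r in bcp38_violations(SAMPLE_FLOWS):
        print(f"BCP38 violation on {r['iface']}: src {r['src']} at t={r['ts']}")
    for start, vol, base in baseline_alerts(SAMPLE_FLOWS):
        print(f"partner UDP/ICMP spike at t={start}: {vol} bytes vs baseline {base:.0f}")
```

On the constructed data the source check catches both spoofed flows (one on the customer port, one arriving inside the partner's GRE tunnel, which an allow-list on the tunnel would have passed), and the baseline check flags only the fifth window, where partner-origin UDP jumps to roughly fifty times the median of the preceding windows. In production the same logic would run over exported NetFlow/IPFIX rather than an inline list, and the factor and window would be tuned to the partner's normal clean-traffic profile.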