top of page

HACKNET identifies network for DDoS attacks with more than 40,000 servers

Updated: Apr 24

During a major hacker movement that took place on 02/12, which reached a new record in the number of IPs carrying out recent hacking activity, HACKNET identified the existence of a large network being used for reflected/amplified DNS attacks.

In this network, an impressive amount of 40,216 servers was identified, spread across 181 countries, which represents an enormous "firepower" for DDoS attacks.

At the top of the list of countries of these origins is Indonesia, with Brazil occupying the 2nd position in the ranking.

Our cybersecurity specialist, André Barreto, points out that these devices belong to at least 10,289 different companies and that, most of them, have no connection with crime but that, due to unnecessary exposure and non-restrictive configurations, ended up becoming instruments in the "artillery" of malicious hackers.

"A large portion of these addresses are from legitimate equipment and servers, but are unnecessarily exposing the DNS service or are unnecessarily configured to respond as recursive DNS to the world."

Analyzing the context of the IPs allocated to Brazil, we identified that the addresses are associated with 1,065 different companies, most of which are small companies, including 214 of them identified as "ME" companies.

Another piece of data that caught the analyst's attention was the large number of internet providers, totaling 798 companies in the telecommunications and networking area, which could indirectly jeopardize the stability and even the security of thousands, perhaps millions of its customers. .

How did the increase in hacker activity occur?

The first point that drew attention was the vertiginous increase in the number of IPs in the HACKNET knowledge base, which broke a new record, reaching a volume of 83,631 IPs.


The identification of the network of DNS servers being exploited was due to the large number of IP addresses seen sending DNS responses to queries that had not been made by the neural network.

From this, it was concluded that these IPs were being used for reflected/amplified DNS attacks. The information was analyzed by the NETSENSOR security team and the emergence of thousands of new IP addresses was identified that, until then, had not been detected with hacker activity.

Blocks of IP addresses belonging to organizations that were not seen.

The large movement of hacking activities originated from blocks of IP addresses belonging to several companies that were previously unseen.

This information brings strong evidence of exploitation of legitimate equipment and servers, belonging to companies that until then were not seen performing any type of malicious activity. Companies that are probably not linked to the attackers, but whose structures are being exploited by criminals.

Where did the detection take place?

Increased hacker activity has been detected on the worldwide HACKNET network, with the vast majority seen in the structure located in Moscow, Russia.

In addition, some of the IPs detected on this network were also seen generating some type of malicious traffic against corporate customer networks that use NETSENSOR technologies as part of their line of defense against cyber attacks.

How was the detection done?

HACKNET technology was used for detection, which is an artificial neural network focused on cybersecurity. It collects, analyzes and catalogs information about recently detected hacking activities in different parts of the planet.

From this, security analysts can make adjustments and take greater care with new targets that are being searched on the internet.

In addition, a summary of hacking activities is available daily on the website, including the services most searched for by hackers, the countries that generated the most hacking activities, the points where these activities were detected and the organizations with which these malicious sources are linked.

In the networks of corporate customers, the detection was carried out using technology based on machine learning.

What were the detected IPs? Will the list be made available for consultation?

We believe that the IPs that make up the list are formed, almost entirely, by addresses belonging to legitimate companies, whose structures are being exploited by criminals to generate DDoS attacks against other victims. For this reason, we will make the complete list of IPs available for download, however, for ethical reasons, we will not make available the list of companies to which the structures are linked.

If any addresses in your structure are on this list, look for a specialized cybersecurity consultancy as soon as possible. If you want to know more or need help, contact us at

See the list of IPs exploited for DNS reflected/amplified attacks at:

Or download the complete list:

Download TXT • 575KB

Do you want to increase cybersecurity and stay up to date on hacking activities? Then follow the informations from HACKNET.

Read too:

76 views0 comments


Post: Blog2_Post
bottom of page