The Boston Diaries

The ongoing saga of Sean Conner, who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Tuesday, March 17, 2026

A possible theory for the Brazilian SYN attacks

I've received several emails about the SYN packets I've been seeing. One person that emailed me today, a cybersecurity researcher from Brazil (their words), wrote about a theory they came across:

While I do think it can be something beyond DDoS (thus why I've been looking into it), I can't really discard the possibility that it is just DDoS either. If it is, then each spoofed source network is a separate DDoS victim. It's not one attack with many forged sources, but many attacks, each against a different Brazilian ISP, and your server being used as a reflector for all of them.

This wouldn't be absurd given the context.

One thing I notice is that the purported source IPs seem to always be from small ISPs, the ones which could realistically have their operations crippled by DDoS. Brazil does have some very large ISPs: V.tal (AS7738, AS52320), Claro (AS4230, AS28573, AS28351, AS27652), TIM (AS26615), among others (e.g. see the Top #10 here: “https://bgp.tools/rankings/BR?sort=eyeballs”), but these never seem to come up in these attacks. If this were a reputational attack on Brazilian IP space as a whole, I wonder if it would really make sense to avoid the largest networks?
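What the e-mail describes, seen from the reflector's side, is something a server operator can check for in their own traffic. The Python below is an added example, not code from this post or from either correspondent; it assumes a simplified packet log format (epoch, purported source address, destination port, TCP flags) and runs over constructed sample records using RFC 5737 documentation addresses. It groups the purported sources by /24 and flags prefixes that send many SYNs but never complete a handshake, which is what a spoofed victim prefix looks like to the server whose SYN-ACKs are being reflected at it.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log, not a real capture. One packet per line in a
# simplified "<epoch> <src_ip> <dst_port> <tcp_flags>" form, where S is a bare
# SYN and any flag string containing A is an ACK from the client (the last
# step of a real handshake). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
1773690000 203.0.113.10 443 S
1773690000 203.0.113.11 443 S
1773690000 203.0.113.12 443 S
1773690001 203.0.113.13 443 S
1773690001 203.0.113.14 443 S
1773690001 203.0.113.15 443 S
1773690001 203.0.113.16 443 S
1773690002 198.51.100.5 443 S
1773690002 198.51.100.5 443 A
1773690003 198.51.100.7 443 S
1773690003 198.51.100.7 443 A
1773690003 198.51.100.7 443 PA
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+([A-Z]+)$")


def parse_log(text):
    """Parse the simplified packet log into (epoch, src_ip, dst_port, flags) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, port, flags = m.groups()
            records.append((int(ts), src, int(port), flags))
    return records


def summarize_by_prefix(records, prefix_len=24):
    """Group packets by purported source prefix; per prefix, count bare SYNs,
    the distinct hosts sending them, and which hosts ever sent an ACK."""
    stats = defaultdict(lambda: {"syns": 0, "syn_hosts": set(), "ack_hosts": set()})
    for _, src, _, flags in records:
        net = str(ip_network(f"{src}/{prefix_len}", strict=False))
        entry = stats[net]
        if flags == "S":
            entry["syns"] += 1
            entry["syn_hosts"].add(src)
        elif "A" in flags:
            entry["ack_hosts"].add(src)
    return stats


def find_reflection_suspects(records, prefix_len=24, min_syns=5, max_completion=0.1):
    """Return prefixes whose hosts send at least min_syns SYNs but (almost)
    never complete a handshake. A real client ACKs the SYN-ACK; a spoofed
    source never does, because the prefix owner never sent the SYN."""
    suspects = {}
    for net, s in summarize_by_prefix(records, prefix_len).items():
        if s["syns"] < min_syns:
            continue
        completed = len(s["syn_hosts"] & s["ack_hosts"])
        if completed / len(s["syn_hosts"]) <= max_completion:
            suspects[net] = {
                "syns": s["syns"],
                "distinct_hosts": len(s["syn_hosts"]),
                "completed_handshakes": completed,
            }
    return suspects


if __name__ == "__main__":
    for net, info in find_reflection_suspects(parse_log(SAMPLE_LOG)).items():
        print(f"{net}: {info['syns']} SYNs from {info['distinct_hosts']} hosts, "
              f"{info['completed_handshakes']} completed handshakes -> likely spoofed victim prefix")
```

On the sample data only 203.0.113.0/24 is flagged: seven SYNs from seven hosts and not one ACK, while 198.51.100.0/24 shows ordinary clients that finish their handshakes. Looking up the flagged prefixes in a routing tool such as bgp.tools then shows whether they belong to the small ISPs the e-mail singles out.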

And the context provided was this post by Thiago Ayub, a Brazilian telecom engineer:

I can clarify what's happening because I’m on the other side of the counter in this bar, the Brazilian IP addresses that are being mentioned here.

There is no vulnerability at all. What we’re seeing is simply a trend, a strong wave in the DDoS scene targeting Brazilian ISPs: HTTPS Reflection attacks.

These DDoS attacks have no connection whatsoever to any nation-state or sovereignty issues. Although China is a major supplier of routers and switches in Brazil, Chinese companies have zero involvement in the operation of data centers or telcos here.

Brazil is the country with the largest number of ISPs in the world, more than 21,000 different companies. Yes, over 21,000 independent companies, each with their own backbones, IP ranges, routing tables, and PoPs.

In Brazil, an ISP is typically not a large corporation, but a classic mom-and-pop shop. Small operations with fewer than 10,000 subscribers hold the biggest slice of the market share. The giant telcos together account for only 47% of the total market.

Since 92% of Brazilians already have Internet access, these companies have nowhere left to grow. They’ve entered a cutthroat zero-sum commercial war — a real “Stealing Bundles” game, where one steals customers from the other with no net gain for the industry as a whole. In this fight, the less ethical ISPs launch DDoS attacks to cause slowdowns and outages on their rivals, triggering customer cancellations.

Neighboring countries that are also reaching broadband maturity are now starting to face similar DDoS epidemics against ISPs.


(Note: the post may have since been deleted? The Service Formerly Known As Twitter has indicated as much at the top of the post, but I could still read it anyway, perhaps because I'm signed in to The Service Formerly Known As Twitter)

So this may be a form of intercompany warfare in Brazil.

And it also says something about the Internet infrastructure in Brazil that customers have a choice of ISP. Whether that's because they're still using dial-up or DSL, or because of a fantastic fibre build-out that companies can access, or something else, it's certainly much different from the US, where we often don't have a choice of ISP.

The Brazilian cybersecurity researcher also said (in a different email):

For the March 16th incident, the targeted ASN's latency and responsiveness looked fine at first. Then a friend pointed out they were using UPX, a Brazilian DDoS mitigation company, as their sole upstream. Apparently it's common practice for these providers to have the customer withdraw routes from all other upstreams so that all traffic funnels through the scrubbing service during an attack. I checked BGPlay, and sure enough, the relevant blocks were being announced through other upstreams right up until almost the exact time I started observing the attack, then everything shifted to UPX, and then to Sage Networks, another DDoS scrubbing provider. <https://stat.ripe.net/bgplay/45.233.176.0%2F24#starttime=1773680400&endtime=1773698380&instant=0,1773691420> So the target clearly noticed a significant volume of malicious traffic and responded immediately.

I could see this as yet another form of intercompany warfare where allegedly the “DDoS scrubbing providers” are attacking the smaller ISPs along the lines of “We wouldn't want anything ta happen ta da network, now would we?” Practically speaking, seeing the number of attacks, and the amount of time I've been seeing them, the former, where Brazilian ISPs are fighting each other, seems more plausible to me.


Copyright © 1999-2026 by Sean Conner. All Rights Reserved.