Attackers Hit Brazil’s Regional ISPs; Telcos the #1 DDoS Target Globally
17,527 DDoS attacks in six days. Five small ISPs. A pattern that signals a fundamental shift in how attackers choose their targets.
Something significant happened on Brazil’s internet between February 9 and February 15, 2026. Threat telemetry captured 17,527 DDoS attacks targeting the country in a single week – placing Brazil second globally in attack volume. But the headline number is not the most alarming part. It is where those attacks landed.
Not Claro. Not Vivo. Not any of Brazil’s major national carriers. Instead, nearly 99 percent of all recorded attacks were concentrated on five small regional fiber ISPs – local operators that most people outside their coverage area have never heard of. This tells us something important about how the DDoS threat landscape is evolving.
The Targets: Small, Exposed, and Underprepared
The five ISPs that absorbed the brunt of this wave share a common profile. They are small, regionally focused fiber operators, not household names. They operate on thin margins, rely on commodity routing hardware, and critically, have little to no dedicated DDoS mitigation infrastructure.
Number of attacks by target profile (February 9–15, 2026)
| Target Profile | Attacks |
|---|---|
| Regional fiber ISP – Southeast Brazil | 7,630 |
| Local broadband operator – coastal region | 5,322 |
| Small independent ISP – interior state | 1,736 |
| Privately held last-mile provider | 1,686 |
| Community fiber operator – suburban area | 872 |
These are exactly the kind of organizations that attackers increasingly favor: high-damage, low-resistance targets. When a small regional ISP goes down, it does not just disconnect a few users. It disrupts an entire local ecosystem of businesses, schools, and emergency services.
The Technique: Carpet-bombing at Scale
The port patterns observed in this attack wave are telling. Rather than targeting the standard DNS port (53), attackers swept across multiple ports simultaneously: ports 7, 9, 10, and 11, plus a sequential ladder from 2048 to 2816.
This is the signature of automated scripts carpet-bombing entire /24 subnet blocks. The strategy is calculated: by distributing traffic below per-IP cleaning thresholds, attackers evade detection on any single address while still saturating the upstream access links in aggregate. It is not opportunistic scanning. It is systematic infrastructure disruption.
“The attack surface has shifted downstream – from tier-1 carriers to regional providers that are far more exposed, and far less defended.”
The Bigger Picture: Telcos Now the Number One DDoS Target Globally
This activity does not exist in isolation. Cloudflare’s Q4 2025 DDoS Threat Report, published the same week as this data was captured, named telecommunications and carriers as the most-attacked industry globally for the first time ever. Hyper-volumetric attacks against telcos made up 42 percent of the largest recorded events during that period.
Brazil’s position on the global threat map has also been climbing. As recently as Q2 2025, the country jumped four spots to become the second most-attacked location worldwide. The February 2026 data confirms that trajectory has not reversed.
What Defenders Need to Do Now
If you operate or peer with regional ISPs – particularly in Latin America – the data from this week should be treated as a direct warning. The multi-port carpet-bombing pattern is automated and persistent. Reactive defenses are not sufficient.
- Upstream scrubbing agreements are no longer optional – they are baseline infrastructure for any ISP.
- Remote Triggered Black Hole (RTBH) routing with community tagging should be pre-negotiated with upstream providers before an attack occurs, not during one.
- Traffic baselines for /24 subnet blocks should be monitored in aggregate, not just per-IP, to detect carpet-bombing patterns before links saturate.
- Threat intelligence sharing between regional ISPs in the same geography should be formalized. Attackers clearly view them as a connected surface.
The convergence of two independent data sources: A10 Defend Threat Control telemetry and Cloudflare’s quarterly report – pointing to the same conclusion at the same moment is not coincidence. It is confirmation. The battleground has shifted, and small regional operators are now on the front line whether they are prepared for it or not.
Sources: A10 Defend Threat Control (Feb 9–15, 2026), Cloudflare Q4 2025 DDoS Threat Report, Cloudflare Q2 2025 DDoS Threat Report
