The Pulse Campaign: What Brazil’s ISPs Tell us About the Next Phase of DDoS Automation

A pattern hiding inside the noise of 498,163 attacks, captured from March 14, 2026-March 20, 2026, and what it means for every regional ISP on the planet
Roughly 79 percent of these attacks are CLDAP, and nearly all target Brazilian ISPs. Filter out the noise and look at what is happening at the ISP level, and something immediately stands out.
The same small cluster of telecom organizations mentioned in the prior A10 blog, along with several other smaller regional operators, is being hit across dozens of /24 subnet blocks simultaneously, with attack durations clustering in a remarkably tight band: 29 to 60 seconds, repeating in waves seconds apart.
This is not random. An attack lasting 29 seconds, followed by another at 39 seconds, followed by another at 59 seconds across six different subnet ranges from the same ISP, all within a 90-second window, is not a human pressing buttons. It is a script with a timer. The data shows the operational signature of automated pulse-fire DDoS infrastructure, likely a DDoS-for-hire service or a botnet module running a configured attack loop.
The 29-60-second duration cluster is particularly telling: short enough to evade some per-connection duration thresholds and long enough to saturate upstream links for every customer on those /24 blocks. And it’s repeated with mechanical precision across subnets, suggesting the attacker isn’t targeting a single IP — it’s targeting the ISP’s access infrastructure in aggregate.
This is the carpet-bombing pattern that the prior A10 blog identified in February. The March data reveals that it hasn’t stopped. It has intensified.
CLDAP is the Weapon of Choice — And That’s No Coincidence
In Q1 2025, Cloudflare recorded a 3,488 percent quarter-over-quarter increase in CLDAP reflection and amplification attacks — a staggering number that most defenders didn’t act on quickly enough. CLDAP’s amplification factor of 56 to 70 times the original request means attackers no longer need to maintain large botnet infrastructures; they can leverage open CLDAP servers on the internet to generate a massive influx of data at the victim’s IP.
CLDAP reflection has an amplification factor of up to 70x, making it one of the most effective UDP protocols for abuse. For a threat actor running a DDoS-as-a-service platform, these are ideal economics: a small investment in spoofed query traffic, an enormous return in volumetric payload, and no botnet upkeep.
Critically, Brazil has historically had a large number of exposed CLDAP services with over 5,400 distinct IP addresses running CLDAP openly accessible on the internet via port 389. This creates a grim feedback loop: Brazilian infrastructure is both a primary victim and a potential reflector pool, making the country’s ISPs doubly exposed.
The Parallel Campaign Targeting Europe
While the Brazilian CLDAP wave rolls on, the same reporting window shows high-severity NTP attacks targeting European telecom operators with complexity ratings of “high” and durations running up to 563 seconds.
This is not a coincidence of timing. Two things are happening in parallel: a low-complexity, high-volume, automated pulse campaign against underprepared regional ISPs in Brazil and a targeted high-severity amplification campaign against European carriers. Different tools, different geographies, different severity levels — but the same reporting window.
This multi-geography, multi-vector structure is consistent with what we would expect from a mature threat actor or a DDoS platform serving multiple customers simultaneously. It is also consistent with what Cloudflare described in their record-breaking attack analysis: in April 2025, a hyper-volumetric, multi-vector attack occurred at 6.5 Tbps and used more than 30,000 unique IP addresses from 147 countries and multiple attack vectors, including CLDAP and SSDP reflection and amplification alongside Mirai botnet traffic. Multi-vector, multi-geography coordination is now the baseline for sophisticated DDoS campaigns — not the exception.
Why Regional ISPs are the Soft Underbelly
The same ISP names appeared dozens of times within minutes. This is not because those organizations are uniquely important strategic targets. It is because they are the easiest targets on the map.
Small regional fiber ISPs in Brazil and everywhere else operate on thin margins with commodity routing hardware and no dedicated scrubbing infrastructure. They rely on upstream transit providers who may not offer proactive DDoS mitigation. They don’t have 24/7 NOC teams watching for carpet-bombing patterns across /24 blocks. And critically, when their access links get saturated, the impact is not contained to one customer. It takes down an entire local network — businesses, schools, health services, emergency infrastructure.
A10 research has confirmed that CLDAP, while representing only 0.2 percent of global amplifiers, carries an amplification factor that makes each exposed server disproportionately dangerous. Attackers can send small, spoofed requests to exposed CLDAP servers, which generate responses to the victim of up to 70 times the size of the initial request.
The attacker doesn’t need many weapons. It just needs to find the targets without defenses. Brazil’s regional ISPs are providing exactly that.
The 29-60-Second Signature: What Defenders Need to Watch for
The pulse-fire duration signature in this dataset is actionable threat intelligence. If your network monitoring is configured to alert on sustained attacks exceeding five minutes, this campaign will fly below your radar entirely. The attacker is deliberately staying in the sub-minute range.
Effective detection requires:
- Aggregate /24 subnet monitoring, not per-IP monitoring: The attacker is distributing load across an entire subnet to avoid per-IP detection thresholds. If you’re only alarming on individual IP traffic volumes, you will miss the access-link saturation that is already occurring.
- Duration-independent volume alerting: A 35-second burst that saturates your upstream link is just as damaging as a 10-minute sustained attack. Alerting logic must be sensitive to short, repeated bursts across multiple source IPs in the same subnet window.
- Pre-negotiated upstream RTBH agreements: Remote Triggered Black Hole routing with community tagging must be established with your transit providers before an attack, not during one. During a 35-second pulse, there is no time to make a phone call.
- Peer intelligence sharing: The organizations being hit in this dataset are neighbors — same country, same tier, same exposure profile. An attack wave that hit INNOVANET’s subnets at 17:29 will hit the next ISP’s subnets minutes later. Formalized threat intelligence sharing between regional ISPs in the same geography can provide the early warning that individual monitoring cannot.
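The first two requirements above (aggregate /24 monitoring and duration-independent alerting), sketched as an added example that is not code from A10 or the original article. The flow tuple layout, bucket size and thresholds are assumptions, and the flows are constructed using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

BUCKET = 10          # seconds per aggregation bucket (assumed)
PER_IP_BPS = 400e6   # assumed legacy per-IP alarm threshold
SUBNET_BPS = 1e9     # assumed aggregate threshold per /24
WINDOW = 90          # seconds; correlation window taken from the article
MIN_SUBNETS = 3      # assumed: pulses on this many /24s form a campaign

def subnet24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def detect(flows):
    """flows: (ts, dst_ip, src_port, proto, nbytes) tuples (assumed layout)."""
    per_net = defaultdict(lambda: defaultdict(int))  # /24 -> bucket -> bytes
    per_ip = defaultdict(lambda: defaultdict(int))   # IP  -> bucket -> bytes
    for ts, dst, sport, proto, nbytes in flows:
        if proto != "udp" or sport != 389:           # keep CLDAP replies only
            continue
        per_net[subnet24(dst)][ts // BUCKET] += nbytes
        per_ip[dst][ts // BUCKET] += nbytes
    bps = lambda v: v * 8 / BUCKET
    ip_alarms = sorted(ip for ip, bk in per_ip.items()
                       if any(bps(v) > PER_IP_BPS for v in bk.values()))
    pulses = []                                      # (net, start_ts, duration)
    for net, bk in per_net.items():
        hot = sorted(b for b, v in bk.items() if bps(v) > SUBNET_BPS)
        run = []
        for b in hot + [None]:                       # None flushes the last run
            if run and (b is None or b != run[-1] + 1):
                pulses.append((net, run[0] * BUCKET, len(run) * BUCKET))
                run = []
            if b is not None:
                run.append(b)
    pulses.sort(key=lambda p: p[1])
    campaign = set()
    for i, (_, start, _) in enumerate(pulses):       # pulses starting close together
        nets = {n for n, s, _ in pulses[i:] if s - start <= WINDOW}
        if len(nets) >= MIN_SUBNETS:
            campaign |= nets
    return ip_alarms, pulses, sorted(campaign)

def sample_flows():
    """Constructed data: 64 hosts per /24, 30 Mbit/s each, three staggered pulses."""
    plan = [("192.0.2", 0, 30), ("198.51.100", 20, 40), ("203.0.113", 40, 60)]
    return [(t, f"{p}.{h}", 389, "udp", 3_750_000)
            for p, start, dur in plan
            for t in range(start, start + dur) for h in range(1, 65)]
```

Calling `detect(sample_flows())` returns no per-IP alarms, because every host stays at 30 Mbit/s, while each /24 aggregates to 1.92 Gbit/s and all three sub-minute pulses are correlated into one campaign.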
The Bottom Line
A mature, automated pulse-fire campaign is running against Brazil’s regional ISP layer with mechanical precision, using CLDAP amplification and a sub-60-second attack rhythm designed to evade standard detection thresholds. This is running in parallel with high-severity NTP attacks against European carriers in the same window.
The attackers have done their reconnaissance. They know which organizations have mitigation and which ones don’t. The pulse campaign targeting Brazilian regional ISPs exists precisely because those organizations remain undefended and unmonitored at the aggregate subnet level.
Data source: A10 Defend Threat Control, March 14-20, 2026. External validation: Cloudflare Q1 2025 DDoS Threat Report, Akamai CLDAP Reflection DDoS analysis, A10 Networks 2025 DDoS Weapons Report.