Security for Internet Service Providers and Telecoms

ISPs and carriers control the connectivity and data of thousands of subscribers. Decripte builds edge defense, 24x7 monitoring, and incident response to contain DDoS, CPE botnets, and portability fraud before they take down your network.

Direct answer

To protect an internet service provider or carrier, combine four fronts: edge security with volumetric and application-layer anti-DDoS mitigation; hardening and firmware management of the CPEs/routers delivered to subscribers (unique passwords, disabling exposed remote management, centralized updates); continuous monitoring of NetFlow/sFlow and network logs in a SOC 24x7 capable of detecting botnet patterns and exfiltration; and an incident response plan with a containment SLA, plus anti-fraud controls in the portability and SIM activation flow. Decripte operates these four fronts in an integrated way, with a free exposure-surface assessment at decripte.com.br/intelligence-center.

24/7

SOC monitoring network and edge

<=1h

Incident containment SLA

LGPD

Subscriber data protected

Web3

Coverage includes crypto/blockchain infrastructure

In summary

  • Providers are a double target: the network infrastructure (DDoS, core routers) and the installed base of CPEs in subscribers' homes, which becomes ammunition for botnets.
  • CPEs with outdated firmware, default credentials, and exposed remote management (TR-069, Telnet, SSH) are the most exploited mass-hijacking vector against ISPs.
  • Subscriber data (CPF, address, traffic data) is personal data under the LGPD; a leak triggers the duty to notify the ANPD and the data subjects.
  • Volumetric DDoS requires mitigation at the edge and upstream; mitigating only in the datacenter does not prevent saturation of the transit link.
  • SIM swap and portability fraud require process and authentication controls, not just technology — Decripte audits the flow end to end.
  • Effective response depends on prior visibility: NetFlow, BNG/CGNAT logs, and CPE telemetry must be centralized before the incident.
Telecom e Provedores

Cibersegurança para Internet Service Providers and Telecoms

ISPs and carriers control the connectivity and data of thousands of subscribers. Decripte builds edge defense, 24x7 monitoring, and incident response to contain DDoS, CPE botnets, and portability fraud before they take down your network.

Why providers and carriers are a priority target

Internet service providers and telecom carriers occupy a unique position in the attack chain: they control not only their own systems, but the connectivity infrastructure and the equipment sitting inside every subscriber's home. This turns the ISP into two targets at once. The first is the network infrastructure itself — edge routers, BNGs, DNS servers, CGNAT, and transit links — whose unavailability affects thousands of customers simultaneously. The second is the installed base of CPEs (modems, ONUs, Wi-Fi routers) which, when compromised at scale, becomes a powerful botnet operating from within the provider's own network.

This dual exposure changes the economics of the attack. For an adversary, compromising a single CPE model with vulnerable firmware can mean hijacking tens of thousands of devices at once. For the provider, the cost is not only technical: it is reputational (a customer with no internet calls to complain), contractual (SLA with a corporate customer), and regulatory (subscriber data is personal data under the LGPD).

The CPE is the most overlooked surface

ISP IT teams tend to shield the core and the datacenter, but treat the CPE fleet as a support problem, not a security one. Outdated firmware, factory default passwords, and management interfaces (TR-069, Telnet, SSH, web panel) exposed to the internet are the perfect invitation for mass hijacking and botnet formation.

Mobile carriers and providers with voice/portability offerings also carry an additional vector: SIM swap fraud. By convincing (through social engineering) or bribing an agent, the fraudster transfers the victim's line to a SIM under their control, intercepting authentication SMS messages and taking over banking and digital accounts. Here the weak point is not a server, it is the customer service and activation process.

An ISP's threat map

The five fronts that generate the most incidents

Recurring vectors against providers

  • High-volume DDoS saturating transit links and taking down the provider's DNS/services
  • Compromise of routers and subscriber CPEs via vulnerable firmware, default credentials, and exposed remote management
  • SIM swap and portability fraud exploiting the customer service and activation process
  • Leak of subscriber data (CPF, address, traffic and billing data)
  • Direct attacks on the network infrastructure: BGP hijacking, DNS poisoning, CGNAT abuse

Each of these fronts requires a distinct control, but all share a common requirement: visibility. Without collection and correlation of NetFlow/sFlow, BNG logs, CPE telemetry, and edge events, the incident is only noticed when the customer is already without service or when the data has already leaked. Decripte treats visibility as a precondition, not as an optional deliverable.

DDoS saturates the link, not just the server

In volumetric attacks (UDP flood, DNS/NTP/memcached amplification), the bottleneck is the provider's transit link. Mitigating only inside the datacenter does not solve it: by the time the traffic arrives, the uplink is already saturated. That is why mitigation must act at the edge and, ideally, in upstream coordination with transit/IX.

Gestão de Ameaças · Grátis

Is internet service providers and telecoms data already exposed or up for sale? Find out now — for free.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Anatomy of a botnet hijacking CPEs

The following anonymized real-world example is the most characteristic of the sector and guides the case study on this page. An adversary identifies a CPE model widely distributed by a provider whose firmware has a known vulnerability and whose management interface (often TR-069 on port 7547, or a web panel) is reachable over the WAN. From there, an automated worm scans the provider's ASN IP ranges, exploits the flaw, injects a malicious payload, and recruits the device into a botnet.

The initial symptom is rarely obvious. The subscriber notices slowness. The NOC sees an increase in outbound traffic at unusual hours. What is happening is that the hijacked CPEs begin participating in DDoS attacks against third parties, mining, malicious traffic proxying, or exfiltration — all originating from within the provider's network, which can land the ASN on reputation lists and blocklists.

The traffic pattern gives the botnet away

CPE botnets leave a signature: many residential devices making synchronized outbound connections to the same destinations (C2), anomalous upload volumes, and coordinated spikes. Correlating NetFlow per subscriber reveals the compromised cluster before the attack escalates — this is exactly what Decripte's SOC 24x7 looks for.

Containment carries a delicate tension: blocking the compromised CPEs may leave legitimate subscribers without internet. The correct response combines selective quarantine (isolating the malicious traffic without cutting off the customer when possible), forced firmware update via a TR-069/ACS server, and closing the exposed management ports — all coordinated so that remediation does not become a second unavailability incident.

Edge security: the first line against DDoS

The edge layer is where the provider wins or loses the battle against DDoS. Decripte builds volumetric and application-layer mitigation, with WAF rules for the exposed services (subscriber portals, customer area, provisioning APIs) and filtering of anomalous traffic before it consumes the transit link. The goal is to absorb and drop attack traffic as early as possible along the path.

Edge controls we build

  • Detection and mitigation of volumetric DDoS (floods, amplification) and layer 7
  • WAF for portals, subscriber area, and provisioning/billing APIs
  • Protection of recursive and authoritative DNS against amplification and poisoning
  • BGP hardening (prefix filters, RPKI) to reduce hijack risk
  • Rate limiting and blocking of scanners against the ASN IP ranges

Well-executed edge security also protects the ASN's reputation. Filtering malicious outbound traffic (botnet egress, spoofing) prevents the provider's IP blocks from landing on blacklists, which would create a hard-to-reverse secondary problem: legitimate customers being blocked by third-party services because of the block's poor reputation.

SOC 24x7: continuous detection on the provider's network

A provider's network never sleeps, and the security operation cannot sleep either. Decripte's SOC 24x7 ingests and correlates network telemetry — NetFlow/sFlow, BNG/CGNAT logs, edge events, CPE telemetry, and application logs — looking for the patterns that precede an incident: clusters of CPEs with synchronized behavior, anomalous egress spikes, internal scans, and exploitation attempts against the infrastructure.

CGNAT complicates attribution

With CGNAT, dozens of subscribers share a single public IP. To investigate abuse and respond to legal requests, the provider needs NAT translation logging (port/time/subscriber mapping). Decripte validates whether this logging exists, is intact, and has adequate retention — without it, attributing an incident to a specific subscriber is impossible.

The value of the SOC lies not only in detecting, but in shortening the time between the first signal and the action. The sooner a cluster of compromised CPEs is identified, the fewer devices are recruited, the smaller the impact on the ASN's reputation, and the shorter the window in which subscriber data is exposed.

Gestão de Ameaças · Grátis

What would an incident in internet service providers and telecoms cost? See your real risk before it happens.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Incident response and subscriber data protection

When the incident happens — and in a provider with a large installed base, it is a matter of when, not if — what makes the difference in the outcome is the speed and structure of the response. Decripte operates with a containment SLA of up to one hour, mobilizing containment, eradication, and recovery in a coordinated way, with evidence preservation for forensic analysis and eventual response to authorities.

A subscriber data leak is an LGPD matter

Name, CPF, address, traffic and billing data are personal data. A leak that generates relevant risk to the data subjects triggers the duty to notify the ANPD and the affected data subjects within a reasonable timeframe, in accordance with the LGPD. Decripte conducts the technical response and supports the provider in the impact assessment and the notification trail — no improvising during the crisis.

For carriers with a mobile offering, response to SIM swap and portability fraud is in scope. Here Decripte acts both on the technical side (correlation of suspicious SIM change events, anomalous portability alerts) and on the process (review of the customer service and activation flows, reinforced authentication controls before a SIM change).

What we validate in data protection

  • Where subscriber data resides (CRM, billing, provisioning) and who accesses it
  • Encryption in transit and at rest of sensitive data
  • Intact CGNAT translation logging with adequate retention
  • Notification plan for the ANPD and data subjects ready before the incident
  • Segregation between production environments and billing/registration data

Pentest: find the hole before the attacker

You cannot defend what you do not know. Decripte's Pentest for providers combines assessment of the external surface (ASN IP ranges, exposed services, portals, and APIs) with sector-specific tests: firmware and management interfaces of the CPE models in the field, provisioning flows (TR-069/ACS), subscriber portals, and the portability and SIM activation processes.

The goal is not just to list vulnerabilities, but to prioritize by real impact: a flaw in a CPE distributed to 50,000 subscribers is incomparably more serious than the same flaw in a low-reach internal system. The report delivers a demonstrated exploitation path, blast radius, and an executable remediation plan — not a generic scanner PDF.

Testing following recognized methodology

Web application tests (portals, subscriber area, provisioning APIs) follow OWASP references, ensuring coverage of the flaw classes that generate the most incidents — injection, broken authentication, sensitive data exposure, and insecure configuration.

Start with the free assessment

The lowest-friction entry point is the free Threat Management plan at decripte.com.br/intelligence-center, which gives initial visibility into the provider's exposure surface — what is open to the internet, which services and ranges are exposed, and where the obvious risks are. From that snapshot, contracting SOC 24x7, Edge Security, Incident Response, and Pentest is done at decripte.io/start, and any questions can be handled through the contact form.

The adoption logic we recommend is incremental: the free assessment reveals the current state; Edge Security and SOC 24x7 establish continuous defense; Incident Response ensures speed when something slips through; and periodic Pentest keeps the posture honest, validating that the controls really hold off a real attacker. None of these layers replaces another — they reinforce each other.

Next step

Start with the free assessment at decripte.com.br/intelligence-center. To build complete defense for your provider, contract at decripte.io/start or talk to Decripte through /contato.

Anatomy of a botnet hijacking subscriber CPEs (anonymized real-world example)

Real, de-identified example

This is an anonymized real-world example, without identifying the client, built from typical incidents in the sector. A regional provider with around 60,000 subscribers distributes predominantly a single CPE model. That model's firmware has a known vulnerability and the TR-069 management interface (port 7547) is reachable over the WAN. The NOC operates focused on network availability, with no dedicated security monitoring. An automated worm begins scanning the provider's ASN IP ranges exploiting the flaw.

  1. Initial signal

    Subscribers report intermittent slowness to support and the NOC observes an increase in outbound traffic at unusual hours. Without per-subscriber correlation, the events are treated as isolated performance complaints, not as a security incident.

  2. Detection

    Decripte's SOC 24x7, ingesting the provider's NetFlow, identifies a cluster of hundreds of residential CPEs making synchronized outbound connections to the same destinations (command-and-control servers) and generating anomalous uploads. The pattern is classified as an active botnet of compromised CPEs.

  3. Containment

    With the containment SLA of up to 1 hour triggered, Decripte coordinates with the provider the selective quarantine of the malicious traffic (isolating the connections to the C2 without cutting off subscribers' legitimate internet when possible) and the immediate blocking of WAN access to the TR-069 management port at the edge, halting new recruitments.

  4. Eradication

    With new hijackings blocked, the team forces a firmware update via the ACS/TR-069 server on the affected devices, removes the payload, resets credentials, and closes the exposed management interfaces. In parallel, the integrity of the remaining fleet is validated to map the total blast radius of the compromise.

  5. Recovery

    The CPEs are gradually reintegrated after confirmation of clean firmware. Decripte checks the reputation of the ASN IP blocks, requests delisting where necessary, and confirms the normalization of traffic patterns in the SOC's monitoring.

  6. Structuring and lessons

    Once the crisis is over, prevention is built: centralized firmware management, a unique-password-per-device policy, permanent blocking of management interfaces on the WAN, edge anti-DDoS mitigation, and continuous per-subscriber NetFlow monitoring to detect anomalous clusters in the future.

Outcome with Decripte

The incident is contained in hours rather than dragging on for days, the subscriber base keeps connectivity during most of the remediation, and the ASN is preserved from reputation lists. The provider comes out of the crisis with SOC 24x7, edge security, and CPE hardening in place — turning a reactive survival mode into a permanent security posture led by Decripte.

Resposta a Incidentes · 24/7

Don’t wait for the incident. Start hardening internet service providers and telecoms today.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte responds to incidents at providers and carriers

The response follows a structured cycle, with a containment SLA of up to one hour and evidence preservation, calibrated for the at-scale impact that ISP incidents generate on thousands of subscribers.

  1. Triage and classification: the SOC 24x7 confirms the incident, determines the type (DDoS, CPE botnet, leak, SIM fraud), and estimates the blast radius on the subscriber base.
  2. Immediate containment: within the SLA of up to 1h, it isolates the vector — selective quarantine of CPEs, DDoS mitigation at the edge, blocking of exposed management ports, or suspension of fraudulent portability flows.
  3. Evidence preservation: it collects BNG/CGNAT logs, NetFlow, CPE telemetry, and application records in a forensic manner, ensuring a trail for root-cause analysis and eventual legal response.
  4. Eradication: it removes the payload, forces a firmware update via ACS/TR-069, resets compromised credentials, and closes the exposures that allowed the breach.
  5. Controlled recovery: it reintegrates devices and services after validation, monitors the ASN's reputation, and confirms the normalization of traffic patterns.
  6. Regulatory assessment: when subscriber data is involved, it supports the impact analysis and the notification trail to the ANPD and the data subjects in accordance with the LGPD.
  7. Report and lessons learned: it delivers root cause, timeline, blast radius, and a prioritized remediation plan.
  8. Post-incident hardening: it builds the permanent controls (firmware management, anti-DDoS edge, continuous monitoring) to prevent recurrence.

How Decripte builds a provider's security

The build is organized into pillars covering the network infrastructure, the CPE fleet in subscribers' homes, personal data, and the critical customer service processes.

Edge security and anti-DDoS

Volumetric and layer 7 mitigation, WAF for portals and APIs, DNS protection, and BGP hardening to defend the provider's transit links and exposed infrastructure.

CPE fleet hardening

Centralized firmware management, unique passwords per device, blocking of management interfaces (TR-069/Telnet/SSH/web) on the WAN, and detection of compromised devices to prevent botnet formation.

Continuous monitoring in the SOC 24x7

Collection and correlation of NetFlow/sFlow, BNG/CGNAT logs, and network telemetry to detect anomalous clusters, exfiltration, and attacks on the infrastructure before at-scale impact.

Subscriber data protection (LGPD)

Inventory of where data resides, encryption in transit and at rest, intact CGNAT translation logging, environment segregation, and a notification plan for the ANPD ready before the incident.

SIM and portability anti-fraud

For mobile carriers, review of the customer service and activation flows, reinforced authentication before SIM changes, and correlation of suspicious SIM swap and anomalous portability events.

Continuous offensive validation

Periodic Pentest of the external surface, the CPEs in the field, the subscriber portals, and the provisioning flows, prioritizing findings by real blast radius on the installed base.

Recommended plans for Internet Service Providers and Telecoms

Frequently asked questions

How do I protect my provider against volumetric DDoS?

Mitigation must act at the edge and, ideally, in upstream coordination with transit or IX, because the bottleneck in volumetric attacks is the transit link itself. Decripte builds edge security with volumetric and layer 7 mitigation, plus WAF for the exposed services. Start by assessing your exposure at decripte.com.br/intelligence-center.

Are the CPEs I hand out to subscribers a security risk?

Yes, and they tend to be the most neglected surface. CPEs with outdated firmware, factory default passwords, and management interfaces (TR-069, Telnet, SSH, web panel) exposed to the WAN are the preferred vector for mass hijacking and botnet formation. Decripte builds centralized firmware management, unique passwords, and blocking of these interfaces.

How do I know if my CPEs are already part of a botnet?

CPE botnets leave a signature in the traffic: many residential devices with synchronized outbound connections to the same destinations, anomalous uploads, and coordinated spikes. Decripte's SOC 24x7 correlates NetFlow per subscriber to identify these clusters before the attack escalates.

Does a subscriber data leak need to be reported to the ANPD?

Name, CPF, address, and traffic data are personal data under the LGPD. A leak that generates relevant risk to the data subjects triggers the duty to notify the ANPD and the affected data subjects within a reasonable timeframe. Decripte conducts the technical response and supports the impact assessment and the notification trail.

Does Decripte help with SIM swap and portability fraud?

Yes. For mobile carriers, Decripte acts on the technical side (correlation of suspicious SIM change and anomalous portability events) and on the process (review of the customer service and activation flows, reinforced authentication before a SIM change), because the weak point of SIM swap is usually the process, not just the technology.

What is Decripte's response time in an incident?

Decripte operates with a containment SLA of up to one hour, mobilizing containment, eradication, and recovery in a coordinated way and with evidence preservation — essential at a provider, where a single incident affects thousands of subscribers at the same time.

Does CGNAT get in the way of incident investigation?

With CGNAT, several subscribers share a public IP, so you need intact NAT translation logging (port/time/subscriber mapping) with adequate retention to attribute abuse to a subscriber and respond to legal requests. Decripte validates whether this logging exists and is reliable.

Where should I start?

With the free Threat Management assessment at decripte.com.br/intelligence-center, which shows your exposure surface. From that snapshot, contract SOC 24x7, Edge Security, Incident Response, and Pentest at decripte.io/start, or talk to Decripte through /contato.

Sector terms

CPE (Customer Premises Equipment)
Equipment in the subscriber's home — modem, ONU, or Wi-Fi router — that connects the customer to the provider's network. At scale, compromised CPEs become ammunition for botnets.
TR-069
Remote CPE management protocol (CWMP) used by providers for provisioning and updates via an ACS server. When exposed to the internet without protection (typically on port 7547), it becomes a mass-hijacking vector.
CGNAT (Carrier-Grade NAT)
A technique in which several subscribers share the same public IP. It requires translation logging (port/time/subscriber) to attribute abuse and respond to legal requests.
SIM swap
Fraud in which the attacker transfers the victim's mobile line to a SIM under their control, intercepting authentication SMS messages. It exploits the carrier's customer service and activation process.
Volumetric DDoS
A denial-of-service attack that saturates the transit link with massive traffic (floods, DNS/NTP amplification). Because it hits the uplink, it requires mitigation at the edge and upstream coordination.
BGP hijacking
Route hijacking in the BGP protocol in which an adversary announces IP prefixes that do not belong to it, diverting or intercepting traffic. Mitigated with prefix filters and RPKI.

Decripte protects and responds to incidents in internet service providers and telecoms.

Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.