Full Report
In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second. [...]
Analysis Summary
# Incident Report: Aisuru Botnet Record-Breaking DDoS Campaign (Q3 2025)
## Executive Summary
The massive, rented Aisuru botnet conducted over 1,300 distributed denial-of-service (DDoS) attacks within a three-month period (Q3 2025). The campaign culminated in a record-breaking hyper-volumetric attack peaking at 29.7 Terabits per second (Tbps). The primary risk was operational disruption through traffic saturation of the targets and of the networks in between; Cloudflare reported mitigating the record attack. The scale of the campaign highlights how far infrastructure-level volumetric threats have grown.
## Incident Details
- **Discovery Date:** Attacks were observed and mitigated continuously throughout Q3 2025; no single discovery date applies.
- **Incident Date:** Record attack occurred in Q3 2025. Campaign spanned three months.
- **Affected Organization:** Multiple targets across various sectors (not all named); Microsoft Azure is a notable named target.
- **Sector:** Telecommunications, Gaming, Hosting Providers, Financial, and General Internet Infrastructure.
- **Geography:** Attack traffic originated primarily from infected devices in Indonesia, Thailand, Bangladesh, and Ecuador; targets were located globally, including in China, Turkey, Germany, Brazil, and the United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Device compromise is continuous and predates the campaign; the botnet was used for 1,304 hyper-volumetric attacks in Q3 2025 alone.
- **Vector:** Compromised routers and IoT devices.
- **Details:** The Aisuru botnet leverages devices infected via exposed known vulnerabilities or exploitation of weak/default credentials (brute-forcing). The botnet is estimated to comprise 1 to 4 million infected hosts globally.
### Lateral Movement
- Not explicitly detailed for the botnet's internal operations, but the impact shows broad, coordinated host utilization to generate massive traffic floods against targets.
### Data Exfiltration/Impact
- **Impact:** Denial of Service; high-volume ("garbage") traffic directed at destination ports, causing operational disruption and network saturation. The record attack lasted 69 seconds.
### Detection & Response
- **Detection:** Mitigation activities reported by Cloudflare.
- **Response Actions:** Cloudflare successfully mitigated the record attack and 2,867 other Aisuru attacks since the beginning of the year.
## Attack Methodology (DDoS Specific)
- **Initial Access:** Compromising IoT devices and routers using known vulnerabilities or default credentials.
- **Persistence:** Hosts remain infected and controlled by the botnet controller, available for rental services.
- **Privilege Escalation:** Not applicable in the context of network attack, though initial device compromise implies vulnerability exploitation.
- **Defense Evasion:** Largely N/A, since the goal is volumetric saturation rather than stealth; the one relevant aspect is that spreading the flood across thousands of destination ports (carpet-bombing) keeps any single port or flow below the per-port and per-flow rate thresholds that simpler DDoS defenses key on.
- **Credential Access:** Brute-forcing weak credentials for IoT/router access.
- **Discovery:** Reconnaissance implied to select viable targets for rented attacks.
- **Lateral Movement:** N/A (Botnet coordination across multiple hosts).
- **Collection:** N/A (No data exfiltration via this vector).
- **Exfiltration:** N/A.
- **Impact:** **UDP Carpet-Bombing:** The record attack utilized this technique to direct traffic across an average of 15,000 destination ports per second. Attacks reached hyper-volumetric levels (>1 Tbps).
## Impact Assessment
- **Financial:** Undisclosed, but disruption to critical infrastructure and ISPs implies significant cost due to mitigation efforts and service outage.
- **Data Breach:** None reported; the attack vector was purely volumetric denial of service.
- **Operational:** Severe. Hyper-volumetric traffic (up to 29.7 Tbps) can saturate transit links and congest upstream internet service providers (ISPs) even when they are not the direct target. A short but severe attack still leaves congested links, routing changes, and upstream peers to recover, so restoring service is a multi-step process that outlasts the attack itself.
- **Reputational:** Significant for targeted entities due to high-profile outages.
## Indicators of Compromise
- **Network Indicators:** High-volume UDP traffic fanning out across thousands of destination ports (carpet-bombing signature); sustained inbound bandwidth exceeding 1 Tbps. No specific source addresses are published in the report.
- **File Indicators:** N/A (Botnet malware specifics not detailed).
- **Behavioral Indicators:** Coordinated traffic floods originating from geographically dispersed IP addresses associated with the botnet infrastructure (e.g., traffic sourced from thousands of infected IoT devices/routers). Previously observed attack pattern includes a 15 Tbps attack from 500,000 IPs against Microsoft Azure.
## Response Actions
- **Containment Measures:** Cloudflare employed mitigation techniques to absorb and filter the 29.7 Tbps attack traffic, preventing complete saturation of the target network.
- **Eradication Steps:** The targeted networks were not infected, so there is nothing to clean on the victim side; eradication means remediating the infected routers and IoT devices that make up the botnet, which sits with the device owners and their ISPs rather than with the targets. The botnet itself remains active.
- **Recovery Actions:** Re-establishing normal service operations following the brief but intense traffic saturation event.
## Lessons Learned
- **Key Takeaways:** The attack surface presented by insecure IoT and router devices remains a critical source for large-scale cyber-weaponry (botnets). DDoS attacks are escalating dramatically in volume, requiring advanced, real-time mitigation capabilities (hyper-volumetric defense).
- **What could have been done better:** Given the short duration (69 seconds for the peak), response time is crucial; defenses must be highly automated to handle attacks peaking above 1 Tbps effectively.
## Recommendations
- **Prevention Measures for Similar Incidents:**
1. Enhancement of network infrastructure capacity and integration with advanced DDoS scrubbing services capable of handling multi-Tbps floods.
2. Aggressive network monitoring for volumetric anomalies, especially UDP flows, with attention to packet rate (billions of packets per second, Bpps) and destination-port spread, not just bandwidth.
3. Increased focus on patching and securing edge network devices (routers, IoT devices) to prevent initial inclusion into large botnets like Aisuru.
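The carpet-bombing behaviour described under Attack Methodology and the monitoring recommendation above both come down to the same check: inbound UDP to one destination that fans out across many ports, at a high packet rate, from many sources. The following is an added example written for this page, not code from Cloudflare or from the report. It assumes NetFlow/IPFIX-style records reduced to a few fields, and the thresholds and sample flows are constructed for illustration only (the real attack averaged about 15,000 destination ports per second; the sample uses 2,000 so it runs quickly).

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One NetFlow/IPFIX-style record reduced to the fields the detector needs.
    The field names are this example's own, not a specific exporter's schema."""
    ts: int          # epoch second the flow was observed in
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str       # "udp", "tcp", ...
    packets: int
    bytes: int


@dataclass
class Bucket:
    """Per-(dst_ip, second) roll-up of inbound UDP."""
    packets: int = 0
    bytes: int = 0
    dst_ports: Set[int] = field(default_factory=set)
    src_ips: Set[str] = field(default_factory=set)


def aggregate_udp(flows: Iterable[Flow], sample_rate: int = 1) -> Dict[Tuple[str, int], Bucket]:
    """Roll UDP flows up per (dst_ip, second).

    sample_rate undoes 1:N flow sampling for the volume counters (multiply by N).
    Distinct-port and distinct-source counts are deliberately left unscaled:
    sampling turns them into undercounts, so their thresholds must be set lower
    than the true port spread you expect to see.
    """
    buckets: Dict[Tuple[str, int], Bucket] = defaultdict(Bucket)
    for f in flows:
        if f.proto != "udp":          # TCP port scans fan out too; keep them out of this detector
            continue
        b = buckets[(f.dst_ip, f.ts)]
        b.packets += f.packets * sample_rate
        b.bytes += f.bytes * sample_rate
        b.dst_ports.add(f.dst_port)
        b.src_ips.add(f.src_ip)
    return buckets


def detect_carpet_bombing(flows: Iterable[Flow], sample_rate: int = 1,
                          min_ports: int = 500, min_pps: int = 100_000,
                          min_sources: int = 100) -> List[dict]:
    """Return one alert per (dst_ip, second) whose UDP traffic spreads across at
    least min_ports destination ports, at min_pps packets/s or more, from at
    least min_sources distinct sources. Thresholds are illustrative assumptions."""
    alerts = []
    for (dst_ip, ts), b in sorted(aggregate_udp(flows, sample_rate).items()):
        if len(b.dst_ports) >= min_ports and b.packets >= min_pps and len(b.src_ips) >= min_sources:
            alerts.append({
                "dst_ip": dst_ip,
                "ts": ts,
                "pps": b.packets,
                "gbps": round(b.bytes * 8 / 1e9, 3),
                "distinct_ports": len(b.dst_ports),
                "distinct_sources": len(b.src_ips),
            })
    return alerts


def constructed_sample() -> List[Flow]:
    """Constructed flow records for a DNS server at 198.51.100.10 (RFC 5737 address)."""
    flows: List[Flow] = []
    # Benign baseline, t=1000..1002: 50 recursive resolvers querying port 53.
    for ts in (1000, 1001, 1002):
        for i in range(50):
            flows.append(Flow(ts, f"203.0.113.{i + 1}", "198.51.100.10", 53, "udp", 20, 2400))
    # Constructed carpet-bombing burst at t=1001: 2,000 distinct UDP destination
    # ports, 254 source addresses, 100 packets of 1,400 bytes per flow.
    for p in range(2000):
        flows.append(Flow(1001, f"192.0.2.{p % 254 + 1}", "198.51.100.10",
                          1024 + p, "udp", 100, 140_000))
    # A TCP SYN scan against another host at the same second; must not alert.
    for p in range(1000):
        flows.append(Flow(1001, "192.0.2.99", "198.51.100.20", 1 + p, "tcp", 1, 60))
    return flows


if __name__ == "__main__":
    for alert in detect_carpet_bombing(constructed_sample()):
        print(alert)
```

On the sample the detector fires once, for 198.51.100.10 at t=1001, reporting 2,001 distinct ports (the 2,000 attack ports plus port 53), 304 distinct sources and 201,000 packets/s; the benign seconds and the TCP scan are ignored. In production the aggregation key is usually a destination prefix rather than a single address, since carpet-bombing also spreads across the target's whole range, and the thresholds have to be derived from the exporter's sampling rate.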