Full Report
Microsoft said today that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses. [...]
Analysis Summary
# Incident Report: Massive Aisuru Botnet DDoS Attack on Azure
## Executive Summary
Microsoft Azure was the target of a Distributed Denial of Service (DDoS) attack by the Aisuru botnet that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second, launched from more than 500,000 source IP addresses, predominantly compromised IoT devices. The traffic consisted of extremely high-rate UDP floods aimed at a single public IP address in Australia. Azure's DDoS protection absorbed and filtered the flood, and Microsoft reported no significant service disruption.
## Incident Details
- Discovery Date: November 17, 2025 (Date of Microsoft's announcement)
- Incident Date: Prior to November 17, 2025
- Affected Organization: Microsoft Azure
- Sector: Cloud Computing / Technology
- Geography: Target IP located in Australia
## Timeline of Events
### Initial Access
- Date/Time: Attack occurred prior to Nov 17, 2025
- Vector: Consumer and small-business IoT devices (home routers, IP cameras, DVRs/NVRs) infected with Aisuru, a Turbo Mirai-class botnet.
- Details: Attack traffic came from more than 500,000 IP addresses, including T-Mobile-branded, Zyxel, D-Link and Linksys hardware. The botnet grew sharply around April 2025 after its operators compromised a TotoLink firmware update server, a software-supply-chain foothold that let them infect devices at scale.
### Lateral Movement
- N/A: This was a volumetric DDoS attack, not a traditional network intrusion requiring lateral movement within Azure infrastructure.
### Data Exfiltration/Impact
- Impact: Availability only; no data was accessed. The flood peaked at 15.72 Tbps and nearly 3.64 billion packets per second (about 3.64 Gpps), enough to exhaust link and forwarding capacity had it not been absorbed at the Azure network edge.
- Details: The per-packet rate is the more demanding figure for defenders, since scrubbing capacity is bounded by packets per second as much as by bandwidth.
### Detection & Response
- Detection: Azure's DDoS protection flagged the sudden, sustained UDP bursts toward a single public IP in Australia.
- Response Actions: The flood showed minimal source spoofing and random source ports. Unspoofed sources simplified traceback to the originating networks and enforcement with their providers, while Azure's built-in mitigation absorbed and filtered the traffic.
## Attack Methodology
- Initial Access: Exploitation of default credentials and known firmware vulnerabilities in IoT devices (IP cameras, routers, DVRs/NVRs), plus the compromised TotoLink update server noted above.
- Persistence: Not described in the source; the report covers the flood itself, not how Aisuru retains control of infected devices.
- Privilege Escalation: Not applicable to the DDoS methodology.
- Defense Evasion: Little. Source addresses were largely unspoofed and source ports random, consistent with a brute-force volumetric flood rather than a stealthy intrusion.
- Credential Access: Not applicable.
- Discovery: Not described in the source.
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: Volumetric attack using extremely high-rate UDP floods aimed at exhausting network capacity.
## Impact Assessment
- Financial: Not disclosed. Absorbing a multi-Tbps flood carries bandwidth and scrubbing costs, but no figures were published.
- Data Breach: None indicated; this was a performance/availability assault.
- Operational: Significant load placed on Azure network edge infrastructure, though the primary target was successfully defended, minimizing service disruption.
- Reputational: Public exposure of a record-breaking attack on a major cloud provider.
## Indicators of Compromise
- Network Indicators: No target or source addresses were published. The attack is characterised by UDP flood traffic peaking at 15.72 Tbps / 3.64 billion pps toward a single public IP in Australia, from more than 500,000 source addresses using random source ports with little spoofing.
- File Indicators: N/A (botnet malware hashes not provided in the source).
- Behavioral Indicators: Unusually high volumes of UDP traffic originating from devices identified as compromised IoT endpoints (Turbo Mirai-class).
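The detection and indicator descriptions above reduce to three measurable properties of a traffic window: a sudden UDP spike concentrated on one destination, a high share of distinct (random) source ports, and source addresses that are real rather than spoofed. The script below, an added example rather than Microsoft's or Azure's detection logic, applies those checks to sampled flow records. The flow records are constructed, the destination 203.0.113.10 is a documentation address standing in for the real target, and the thresholds and function names are hypothetical. The spoofing heuristic relies on the fact that a uniformly random 32-bit source field lands in non-routable (bogon) space roughly 13% of the time, so an unspoofed flood shows a bogon share near zero.

```python
"""Flow-record triage for a high-rate UDP flood.

Added illustrative example, not Azure's own detection logic. Flow records are
constructed; the victim address 203.0.113.10, the thresholds and the helper
names are hypothetical.
"""
import ipaddress
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (simplified NetFlow/IPFIX style)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int


def is_bogon(ip: str) -> bool:
    """True for addresses that should never appear as a source on the public
    Internet (private, reserved, multicast, loopback, link-local, unspecified)."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_reserved or a.is_multicast
            or a.is_loopback or a.is_link_local or a.is_unspecified)


def triage_udp_flood(flows, window_seconds, pps_threshold, min_sources):
    """Summarise the busiest UDP destination in a window and decide whether
    it looks like a distributed volumetric flood.

    distinct_src_port_ratio near 1.0 means random source ports;
    bogon_source_ratio near 0 means little or no source spoofing, so
    traceback to the originating ISPs is feasible.
    """
    udp = [f for f in flows if f.proto == "UDP"]
    if not udp:
        return None
    pkts_by_dst = Counter()
    for f in udp:
        pkts_by_dst[f.dst_ip] += f.packets
    victim, victim_pkts = pkts_by_dst.most_common(1)[0]
    victim_flows = [f for f in udp if f.dst_ip == victim]
    sources = {f.src_ip for f in victim_flows}
    src_ports = {f.src_port for f in victim_flows}
    bogons = sum(1 for s in sources if is_bogon(s))
    report = {
        "victim": victim,
        "pps": victim_pkts / window_seconds,
        "sources": len(sources),
        "distinct_src_port_ratio": len(src_ports) / len(victim_flows),
        "bogon_source_ratio": bogons / len(sources),
    }
    report["flood"] = (report["pps"] >= pps_threshold
                       and report["sources"] >= min_sources)
    # Random 32-bit sources fall into bogon space about 13% of the time
    # (approximate figure); a 5% cut-off separates that from real hosts.
    report["likely_spoofed"] = report["bogon_source_ratio"] > 0.05
    return report


def make_sample(n_flows, spoofed, seed=7):
    """Construct synthetic records: n_flows UDP flows to one victim plus a
    little benign TCP background. With spoofed=False sources are drawn from
    routable space only; with spoofed=True the source field is a uniformly
    random 32-bit value, as a spoofing flood tool would emit."""
    rng = random.Random(seed)
    victim = "203.0.113.10"  # documentation range, constructed target
    flows = []
    while len(flows) < n_flows:
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if not spoofed and is_bogon(src):
            continue
        flows.append(Flow(src, rng.randint(1024, 65535), victim,
                          rng.randint(1, 65535), "UDP", rng.randint(50, 500)))
    for _ in range(20):  # benign background traffic to another host
        flows.append(Flow("192.0.2.%d" % rng.randint(1, 254), 443,
                          "203.0.113.20", rng.randint(49152, 65535), "TCP", 5))
    return flows


if __name__ == "__main__":
    # Hypothetical thresholds; real exports are sampled, so scale accordingly.
    for label, spoofed in (("unspoofed flood", False), ("spoofed flood", True)):
        r = triage_udp_flood(make_sample(600, spoofed), window_seconds=1.0,
                             pps_threshold=100_000, min_sources=500)
        print(label, r)
```

Run stand-alone, the script prints one report per constructed scenario; the unspoofed case mirrors what Microsoft described (random ports, near-zero bogon share), while the spoofed case shows why traceback is harder when a flood tool randomises the source field.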
## Response Actions
- Containment measures: Azure's DDoS protection systems absorbed and filtered the massive UDP flood traffic.
- Eradication steps: None within Azure; the largely unspoofed sources and random source ports simplified traceback and enforcement by the providers hosting the infected devices.
- Recovery actions: None reported beyond mitigation of the flood.
## Lessons Learned
- Botnets like Aisuru continue to leverage vulnerable IoT devices to generate unprecedented volumetric attacks (15+ Tbps).
- The characteristics of the attack (minimal spoofing, random source ports) can sometimes aid defenders in tracing and enforcing compliance with upstream providers.
- Organizations relying on cloud services must ensure their providers have robust, scalable DDoS mitigation capabilities.
- The Aisuru operators are actively changing tactics, as shown by their attempts to distort Cloudflare's public DNS domain-ranking metrics by flooding its resolver with lookups for botnet-related domains.
## Recommendations
- Cloud Providers: Continue investing heavily in layered, capacity-based DDoS mitigation systems capable of absorbing multi-Tbps floods instantly.
- Customers: Enable the provider's DDoS protection on every public endpoint, keep the attack surface small (no unnecessary public UDP services), and build application-layer rate limiting and capacity headroom, since network-layer scrubbing does not cover every attack type.
- IoT Security: Pressure manufacturers to ship unique per-device credentials, timely and signed firmware updates, and hardened update infrastructure; the TotoLink update-server compromise shows how a single supply-chain failure feeds botnets like Aisuru.