Microsoft says the Aisuru botnet launched a 15.7 Tbps DDoS on Azure from 500k IPs, using massive UDP floods peaking at 3.6 B pps.
On October 24, 2025, Azure DDoS Protection detected and mitigated a massive multi-vector attack peaking at 15.72 Tbps and 3.64 billion pps, the largest cloud DDoS ever recorded, aimed at a single Australian endpoint.
Azure’s global protection network filtered the traffic, keeping services online. The attack came from the Aisuru botnet, a Turbo Mirai-class IoT botnet using compromised home routers and cameras.
“On October 24, 2025, Azure DDOS Protection automatically detected and mitigated a multi-vector DDoS attack measuring 15.72 Tbps and nearly 3.64 billion packets per second (pps). This was the largest DDoS attack ever observed in the cloud and it targeted a single endpoint in Australia.” reads the report published by Microsoft. “The attack originated from Aisuru botnet.”
The attack used massive UDP floods from more than 500,000 IPs hitting a single public address, with little spoofing and random source ports that made traceback easier. It highlights how attackers are scaling with the internet: faster home fiber and increasingly powerful IoT devices keep pushing DDoS attack sizes higher.
“Attackers are scaling with the internet itself. As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing.” concludes the post. “As we approach the upcoming holiday season, it is essential to confirm that all internet-facing applications and workloads are adequately protected against DDOS attacks.”
In October 2025, the Aisuru Mirai-based IoT botnet launched other massive DDoS attacks of over 20Tb/sec, mainly targeting online gaming, cybersecurity firm Netscout reported.
The botnet uses residential proxies to reflect HTTPS DDoS attacks. Its nodes are mainly consumer routers, CCTV/DVRs, and other vulnerable CPE devices, with operators continuously seeking new exploits to expand the botnet.
Acting as a DDoS-for-hire service, Aisuru avoids government and military targets, but broadband providers faced serious disruptions from attacks exceeding 1.5Tb/sec from infected customer devices.
Like other TurboMirai botnets, Aisuru incorporates additional dedicated DDoS attack capabilities and multi-use functions, enabling operators to carry out other illicit activities, including credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing.
Attacks use UDP, TCP, and GRE floods with medium-sized packets and randomized ports/flags. Over 1Tb/sec traffic from compromised CPEs disrupts broadband, and 4gpps+ floods have caused router line card failures.
Netscout highlighted that Aisuru and TurboMirai-class IoT botnets mainly launch single-vector, direct-path DDoS attacks, occasionally joining multivector attacks with other DDoS-for-hire services. Attacks include UDP floods with medium-to-large or smaller packets, TCP floods with small or large packets, and up to 119 TCP flag combinations. Some traffic mimics legitimate HTTP packets, while HTTPS attacks use onboard residential proxies. The researchers pointed out that the botnet traffic is not spoofed, because the bots lack privileged access and because source-address validation is in place on most networks.
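The traffic profile described above (a direct-path UDP flood from many unspoofed sources with randomized source ports, converging on one address) can be picked out of flow records. The following is an added detection sketch, not code from Microsoft or Netscout; the flow-record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def port_entropy_bits(ports):
    """Shannon entropy (bits) of the source-port distribution."""
    counts = Counter(ports)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def flag_udp_flood_targets(flows, min_sources=100, min_entropy=6.0):
    """flows: iterable of (src_ip, src_port, dst_ip, proto, packets).

    Flags destinations hit over UDP by many distinct sources whose source
    ports look randomized. Thresholds are illustrative assumptions and
    need tuning against a baseline of normal traffic.
    """
    by_dst = defaultdict(list)
    for src_ip, src_port, dst_ip, proto, packets in flows:
        if proto == "udp":
            by_dst[dst_ip].append((src_ip, src_port, packets))
    alerts = {}
    for dst_ip, recs in by_dst.items():
        sources = Counter()
        for src_ip, _, packets in recs:
            sources[src_ip] += packets
        entropy = port_entropy_bits([port for _, port, _ in recs])
        if len(sources) >= min_sources and entropy >= min_entropy:
            alerts[dst_ip] = {
                "sources": len(sources),
                "packets": sum(sources.values()),
                "port_entropy": round(entropy, 2),
                # Unspoofed sources are real hosts: usable for traceback
                # and abuse notification to the owning ISP.
                "top_sources": [ip for ip, _ in sources.most_common(3)],
            }
    return alerts

def sample_flows():
    """Constructed sample: 200 bots flooding one address, plus normal DNS."""
    flows = []
    for i in range(200):
        port = 1024 + (i * 7919) % 60000  # spread-out, distinct source ports
        flows.append((f"10.0.{i}.7", port, "203.0.113.10", "udp", 5000 + i))
    for i in range(5):
        flows.append((f"192.0.2.{i + 1}", 53, "198.51.100.5", "udp", 40))
    return flows

if __name__ == "__main__":
    for dst, info in flag_udp_flood_targets(sample_flows()).items():
        print(dst, info)
```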
Cloudflare linked the Aisuru botnet to a record-breaking DDoS attack of 22.2 Tbps that the cybersecurity firm mitigated in September 2025.
Pierluigi Paganini
(SecurityAffairs – hacking, DDoS)
