Aisuru botnet DDoS: why this one matters
The Aisuru botnet DDoS campaign that hit Microsoft Azure in October 2025 wasn’t just “another big attack”. It was the largest DDoS event ever recorded in the cloud, peaking at 15.72 Tbps and nearly 3.64 billion packets per second (Gpps), all aimed at a single endpoint in Australia.
Behind it was Aisuru, a so-called TurboMirai-class IoT botnet built from compromised home routers, CCTV cameras and DVRs. It’s part of a new generation of DDoS-for-hire botnets that can push 20+ Tbps and multi-billion packet-per-second floods – enough to knock over major gaming platforms, network operators and, if defences slip, cloud workloads.
This piece breaks down what Aisuru is, how it achieved record-breaking scale, and what organisations should be doing now to harden themselves against Aisuru-class attacks.
What is the Aisuru botnet?
Aisuru is a Mirai-derived IoT botnet that researchers group under the “TurboMirai” label – Mirai variants tuned for multi-terabit, high-pps, direct-path DDoS attacks.
Key characteristics:
- Botnet composition:
- Consumer broadband routers
- Internet-connected CCTV and DVR systems
- Other customer-premises equipment (CPE) running similar OEM firmware
- Access method: exploits unpatched firmware, weak/default credentials and exposed management interfaces to enrol devices as bots.
- Business model: operates as a DDoS-for-hire service with a restricted clientele; most observed attacks target online gaming organisations rather than government or military networks.
Crucially, the Aisuru malware runs unprivileged on the infected devices, without the raw-socket access needed to forge source IP addresses, so its floods are unspoofed. That limitation sounds like a weakness, but it has an upside for defenders: attack traffic can be traced back to actual subscriber lines, enabling ISPs to identify and remediate compromised hardware.
A timeline of Aisuru’s record-breaking attacks
Aisuru didn’t come out of nowhere in the Azure incident – it had already been quietly setting records:
- September 2025 – 22.2 Tbps attack
Cloudflare reported the largest publicly documented DDoS attack to date: 22.2 Tbps and 10.6 Gpps against a European network infrastructure provider. The attack was later attributed to Aisuru.
- Early October 2025 – 20–29 Tbps gaming outages
Netscout and other researchers observed multiple “demonstration” attacks exceeding 20 Tbps and 4 Gpps, primarily hitting online gaming platforms. Separate analysis suggested an unconfirmed 29.69 Tbps incident affecting services such as Steam, Riot Games and PlayStation Network, with Aisuru suspected as the source.
- October 24, 2025 – 15.72 Tbps attack on Azure
On 24 October, Microsoft’s Azure DDoS Protection automatically detected and mitigated a multi-vector attack peaking at 15.72 Tbps and 3.64 Gpps, aimed at a single public IP address in Australia. Microsoft and other researchers confirmed that Aisuru was behind it.
Despite its scale, Azure’s globally distributed DDoS protection infrastructure absorbed and filtered the traffic, so customer workloads stayed online with no visible downtime.
In parallel, Cloudflare experienced its largest outage since 2019. It was initially suspected to be a mega-DDoS, but Cloudflare later confirmed it was caused by a permissions change in one of its own systems, not by Aisuru or any other attack. The fact that operators immediately feared “hyper-scale DDoS” says a lot about the current threat climate.
How the Aisuru botnet DDoS attacks actually work
Aisuru specialises in direct-path flood attacks – raw packets fired straight at the victim, as opposed to reflection/amplification attacks via third-party servers.
Typical traits, drawn from Microsoft, Netscout and other analyses:
1. Multi-Tbps, multi-Gpps firehose
- Attacks routinely exceed 20 Tbps and 4 Gpps.
- Azure saw 500,000+ unique source IPs participating, mostly residential connections from the US and other countries.
That level of traffic doesn’t just threaten targets – it can stress upstream ISPs, saturating links and even crashing line cards in chassis-based routers.
2. Direct UDP, TCP and GRE floods
Aisuru retains and extends classic Mirai capabilities:
- UDP floods: often medium-sized packets (roughly 540–750 bytes) with pseudo-random source and destination ports, balancing bandwidth and packet rate.
- TCP floods: variable packet sizes and an enormous range of TCP flag combinations – one attack reportedly used more than 100 distinct flag combinations to confuse classifiers.
- GRE and DNS floods: supported when attackers want to hit specific protocol paths.
In the Azure case, the standout vector was an extremely high-rate UDP flood against a single public IP, with minimal source spoofing and random source ports. That design makes attacks easier to trace but still brutally effective at overwhelming defences that aren’t provisioned for that packet rate.
3. Application-layer and proxy abuse
Aisuru also includes:
- Organic HTTP/HTTPS application-layer attack capability
- An onboard residential proxy service, allowing external attack tools to route their HTTPS floods through infected devices and appear as “real users” coming from residential IP space.
Some TCP floods are crafted to resemble legitimate HTTP request/response patterns at layer 4, making it harder to separate real traffic from attack flows without deeper inspection.
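The traits above (hundreds of thousands of unspoofed sources, randomised ports, medium-sized UDP packets, and a TCP flag zoo) are exactly what a flow-based detector should key on. The following is an added example, not code from Microsoft, Netscout or the page’s author: it computes those features from NetFlow/IPFIX-style records and classifies traffic toward each destination. The `Flow` record layout, the `constructed_sample` data and every threshold constant are assumptions made for this illustration; real thresholds are sized to the protected link and the traffic baseline.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record for a one-second export window (constructed format)."""
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    pkts: int
    octets: int
    flags: str = ""  # TCP flag letters, e.g. "S", "SA", "FPU"; empty for UDP


# Illustrative thresholds: assumptions for this example, tuned to the
# constructed sample below. Production values are sized to the protected link.
PPS_FLOOD = 10_000          # UDP packets/second toward one destination
MIN_SOURCES = 500           # distinct sources before we suspect a botnet
DPORT_SPREAD_RANDOM = 0.5   # distinct dports / flows: ~0 for a service, ~1 if randomised
UDP_SIZE_BAND = (500, 800)  # average UDP packet size in bytes (the medium band noted above)
MAX_SANE_FLAG_COMBOS = 12   # legitimate stacks use a handful of TCP flag combinations


def features(flows, dst, window_s=1):
    """Per-destination features a flow-based detector would compute."""
    sel = [f for f in flows if f.dst == dst]
    udp = [f for f in sel if f.proto == "udp"]
    tcp = [f for f in sel if f.proto == "tcp"]
    udp_pkts = sum(f.pkts for f in udp)
    return {
        "pps": sum(f.pkts for f in sel) / window_s,
        "udp_pps": udp_pkts / window_s,
        "sources": len({f.src for f in sel}),
        "dport_spread": len({f.dport for f in sel}) / len(sel) if sel else 0.0,
        "udp_avg_size": sum(f.octets for f in udp) / udp_pkts if udp_pkts else 0.0,
        "tcp_flag_combos": len({f.flags for f in tcp}),
    }


def classify(flows, dst):
    """Return the verdicts for traffic toward dst ("baseline" if nothing fires)."""
    fx = features(flows, dst)
    verdicts = []
    if (fx["udp_pps"] >= PPS_FLOOD
            and fx["sources"] >= MIN_SOURCES
            and fx["dport_spread"] >= DPORT_SPREAD_RANDOM
            and UDP_SIZE_BAND[0] <= fx["udp_avg_size"] <= UDP_SIZE_BAND[1]):
        verdicts.append("udp-direct-flood")
    if fx["tcp_flag_combos"] > MAX_SANE_FLAG_COMBOS:
        verdicts.append("tcp-flag-storm")
    return verdicts or ["baseline"]


def constructed_sample(seed=7):
    """Synthetic one-second window: a quiet web host plus an attacked host."""
    rng = random.Random(seed)
    target, quiet = "203.0.113.10", "203.0.113.20"
    flows = []
    # Legitimate HTTPS clients: fixed dport 443, few sources, ordinary flags.
    for i in range(40):
        client = f"198.51.100.{i}"
        flows.append(Flow(client, quiet, "tcp", rng.randint(1024, 65535), 443, 1, 60, "S"))
        flows.append(Flow(client, quiet, "tcp", rng.randint(1024, 65535), 443, 12, 12 * 900, "A"))
    # Direct-path UDP flood: 2,000 unspoofed sources, each emitting several
    # single-packet flows with random source/destination ports and 540-750 byte packets.
    for i in range(2000):
        bot = f"10.{(i >> 8) & 255}.{i & 255}.{rng.randint(1, 254)}"
        for _ in range(6):
            flows.append(Flow(bot, target, "udp", rng.randint(1024, 65535),
                              rng.randint(1, 65535), 1, rng.randint(540, 750)))
    # TCP flag storm from a subset of sources: random combinations of flag bits.
    for i in range(300):
        bot = f"10.{(i >> 8) & 255}.{i & 255}.1"
        combo = "".join(sorted(rng.sample("FSRPAUEC", rng.randint(1, 4))))
        flows.append(Flow(bot, target, "tcp", rng.randint(1024, 65535),
                          rng.randint(1, 65535), 1, 60, combo))
    return flows, target, quiet


if __name__ == "__main__":
    flows, target, quiet = constructed_sample()
    for host in (target, quiet):
        print(host, classify(flows, host), features(flows, host))
```

The destination-port spread is the feature that separates this from ordinary bursty traffic: legitimate clients also use random ephemeral source ports, but they all talk to one or two service ports, whereas the flood scatters across the whole port range. Note that at Aisuru scale a detector like this is only useful upstream, on the scrubbing path or at the ISP edge; a host that sees the raw packet rate is already gone.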
Why Aisuru is a warning for everyone
You might be tempted to file Aisuru under “problems for Microsoft and big gaming companies”. That would be a mistake.
Aisuru highlights several uncomfortable realities:
- Attackers scale with the internet itself
- Attackers scale with the internet itself
As Microsoft bluntly put it, “attackers are scaling with the internet.” As fibre-to-the-home speeds increase and IoT devices get more powerful, the baseline for “big” attacks keeps rising.
- Your home router is now critical DDoS infrastructure
Most Aisuru bots are cheap CPE devices with weak defaults and poor patching. At scale, they become a multi-terabit weapon that criminals can rent out by the hour.
- Outbound and cross-network DDoS matters as much as inbound
Multiple ISPs have seen outbound Aisuru traffic above 1 Tbps from their own customers, disrupting their backbone and peers.
If you run any serious online service, especially a gaming, SaaS, media or financial platform, you should assume that Aisuru-class botnets are part of your threat model.
Defending against Aisuru-class DDoS attacks
There’s no silver bullet, but there is a set of concrete steps that significantly increase your chances of riding out the next 15+ Tbps storm.
For enterprises and cloud customers
1. Turn on proper DDoS protection – and test it
- Use your cloud provider’s DDoS protection (Azure, AWS, Cloudflare, etc.) and make sure it’s correctly scoped to all internet-facing workloads.
- Run regular DDoS simulations or game-days to test detection thresholds, runbooks and escalation paths – before the holiday season or major launches.
2. Architect for failure and absorption
- Distribute critical services across regions/availability zones.
- Avoid putting “all the crown jewels” behind a single unprotected public IP.
3. Harden what you expose
- Only expose the protocols and ports you actually need.
- Use WAFs and rate-limiting to reduce the impact of app-layer floods that try to look “legit”.
For ISPs and network operators
Netscout’s guidance for dealing with Aisuru-class botnets boils down to: treat outbound/crossbound DDoS with the same urgency as inbound.
- Instrument all edges (customer aggregation, peering, cloud/CDN edges) for DDoS detection.
- Deploy intelligent DDoS mitigation systems (IDMS) that can surgically filter outbound attack flows without clobbering legitimate traffic.
- Enforce network best current practices:
- Infrastructure ACLs (iACLs) to protect core devices
- Source address validation (SAV) to block spoofed traffic. Aisuru’s own floods are unspoofed, so SAV won’t stop them, but it does stop the spoofed and reflected floods other botnets rely on, and it keeps source-based attribution trustworthy.
- Proactively identify compromised CPE and either re-image, remediate or replace those devices.
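The last two points fit together: once SAV guarantees that every outbound packet carries an address the access network actually assigned, an unspoofed Aisuru flood becomes a list of subscriber lines to remediate. The following is an added example of that edge-side logic, not Netscout’s or any ISP’s code. The `Flow` record layout, the `CUSTOMER_PREFIXES` address plan (documentation and shared-address space), the `OUTBOUND_PPS_PER_LINE` threshold and the `constructed_window` data are all assumptions made for this illustration; in practice the source-to-subscriber mapping comes from the access network’s own records.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """Outbound flow seen at the customer-aggregation edge (constructed format)."""
    src: str
    dst: str
    pkts: int


# Assumed address plan for this access network (constructed; RFC 6598/5737 space).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("100.64.0.0/16", "192.0.2.0/24")]

# Illustrative threshold (assumption): a single home line sustaining this packet
# rate toward one destination for a second is a remediation candidate, not a heavy user.
OUTBOUND_PPS_PER_LINE = 2_000


def split_by_sav(flows):
    """Source address validation at the edge: a flow is 'valid' only if its source
    lies inside a prefix we actually assigned. The spoofed set is what BCP 38/84
    filtering drops; the valid set can be tied to real subscriber lines."""
    valid, spoofed = [], []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        (valid if any(src in net for net in CUSTOMER_PREFIXES) else spoofed).append(f)
    return valid, spoofed


def outbound_hotspots(flows, window_s=1):
    """For each source, the destination it sends the most packets to and the rate
    toward it. Because Aisuru does not spoof, the source IP is the subscriber line."""
    per_pair = defaultdict(int)
    for f in flows:
        per_pair[(f.src, f.dst)] += f.pkts
    best = {}
    for (src, dst), pkts in per_pair.items():
        pps = pkts / window_s
        if src not in best or pps > best[src][1]:
            best[src] = (dst, pps)
    return best


def remediation_list(flows):
    """Return ({source_ip: (destination, pps)} for suspected bots, spoofed_flow_count)."""
    valid, spoofed = split_by_sav(flows)
    hotspots = outbound_hotspots(valid)
    offenders = {src: hit for src, hit in hotspots.items() if hit[1] >= OUTBOUND_PPS_PER_LINE}
    return offenders, len(spoofed)


def constructed_window():
    """One-second window: 50 ordinary subscribers, 3 compromised CPE devices hammering
    one victim, and a few packets with source addresses we never assigned."""
    victim = "203.0.113.10"
    flows = []
    for i in range(50):
        flows.append(Flow(f"100.64.7.{i + 1}", f"198.51.100.{i % 10}", 20))
    for last in (10, 11, 12):
        flows.append(Flow(f"100.64.1.{last}", victim, 3_000))
        flows.append(Flow(f"100.64.1.{last}", "198.51.100.1", 5))  # their normal traffic
    for i in range(5):
        flows.append(Flow(f"233.252.0.{i + 1}", victim, 400))  # spoofed: not our space
    return flows, victim


if __name__ == "__main__":
    flows, victim = constructed_window()
    offenders, dropped = remediation_list(flows)
    print(f"SAV would drop {dropped} spoofed flows at the edge")
    for src, (dst, pps) in sorted(offenders.items()):
        print(f"line {src}: {pps:.0f} pps toward {dst} -> schedule CPE remediation")
```

The output of `remediation_list` is the work queue the last bullet describes: each entry is a line whose CPE should be re-imaged, remediated or replaced. The same per-line hotspot view also gives an IDMS the surgical filter it needs (drop only the offending source/destination pairs) rather than clobbering the aggregation link for everyone.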
For end-users and small businesses
You can’t control Aisuru itself, but you can avoid being part of it:
- Change default router passwords and disable remote management if you don’t need it.
- Keep router and camera firmware updated.
- Avoid exposing management interfaces directly to the internet.
- Segment IoT devices onto separate VLANs or guest networks where possible.
The bottom line
Aisuru is a preview of where DDoS is heading: IoT-powered, for-hire, and operating at tens of terabits per second. The Azure incident proves that well-designed cloud DDoS protection can keep services online even under absurdly high loads, but it also shows how thin the margin for error is becoming.
If your organisation has public-facing internet properties, now is the time to:
- Confirm that DDoS protection is enabled and tested
- Review network architecture for single points of failure
- Work with your ISP or security provider to ensure both inbound and outbound attacks are covered
Because as Aisuru and other TurboMirai-class botnets grow, “once-in-a-decade” DDoS events are starting to look a lot more like business as usual.
