Aisuru IoT Botnet Sets New Record With 29.7 Tbps Hyper‑Volumetric DDoS Attack

CyberSecureFox 🦊

The Aisuru botnet has set a new benchmark for distributed denial-of-service (DDoS) attacks, delivering peak traffic of 29.7 Tbps in a single campaign, according to a recent Cloudflare report. Over just three months, Aisuru was linked to more than 1,300 DDoS attacks, confirming its status as one of the most powerful known IoT botnets currently in operation.

Cloudflare analysts estimate that Aisuru consists of approximately 1–4 million compromised devices, primarily consumer and enterprise routers, as well as internet-of-things (IoT) equipment such as cameras and smart appliances. These devices are typically hijacked via known firmware vulnerabilities and brute-force attacks on weak or default passwords.

Hyper‑Volumetric DDoS Attacks: Scale, Record and Impact

Since the start of the year, Cloudflare has identified 2,867 Aisuru-related attacks, with almost 45% classified as hyper‑volumetric. In this context, “hyper‑volumetric” refers to attacks that exceed 1 Tbps of bandwidth or 1 billion packets per second (pps), overwhelming not only application endpoints but also backbone network capacity.

The record‑setting 29.7 Tbps event occurred in the third quarter of 2025. Although the attack was successfully mitigated by Cloudflare’s DDoS protection infrastructure, its magnitude places it among the largest DDoS incidents ever recorded. Earlier, Aisuru had already reached a peak of 22.2 Tbps, likewise intercepted before causing large‑scale outages.

Microsoft has also reported a major DDoS campaign against its Azure cloud platform attributed to Aisuru, with traffic levels of up to 15.72 Tbps observed simultaneously from around 500,000 distinct IP addresses. The record‑breaking wave lasted only 69 seconds, yet it sustained an intense UDP flood, generating junk traffic directed at an average of 15,000 ports per second—enough to saturate links and exhaust network devices in seconds if unprotected.

Inside the Aisuru IoT Botnet: How Everyday Devices Become Attack Weapons

Aisuru is a typical yet highly scaled example of an IoT botnet. Attackers systematically scan the internet for exposed routers and “smart” devices, exploiting unpatched vulnerabilities and factory‑set credentials. Many IoT deployments are rarely updated, are reachable directly from the public internet, and ship with well‑known default usernames and passwords, making them easy targets.

Botnet‑as‑a‑Service: DDoS Capability for Rent

Cloudflare researchers describe Aisuru as a botnet‑as‑a‑service (BaaS) platform. Instead of launching all campaigns themselves, the operators rent out the botnet’s firepower to other threat actors, including criminal groups, extortionists, and even competitors seeking to disrupt rival services. This model significantly lowers the barrier to entry for high‑impact DDoS activity.

The victim profile is diverse, with targets spanning online gaming platforms, hosting providers, telecommunications companies, and financial institutions. Even when a single application, website, or API is the primary target, the collateral traffic load can spill over to shared links and upstream carriers, triggering cascading failures across broader parts of the internet ecosystem.

Global DDoS Trends: Growing Frequency and Intensity

In Q3 2025, Cloudflare registered 1,304 hyper‑volumetric DDoS attacks globally. Compared to the previous quarter, attacks exceeding 100 million pps increased by 189%, while incidents over 1 Tbps more than doubled—up by 227%. Most attacks lasted less than ten minutes, yet their destructive potential remained significant.

On average, Cloudflare mitigated roughly 3,780 DDoS attacks per hour during the quarter. The largest volumes of malicious traffic originated from Indonesia, Thailand, Bangladesh, and Ecuador, while the most frequently attacked countries were China, Turkey, Germany, Brazil, and the United States. Due to its sheer size, Aisuru has the potential to overload backbone links, causing disruptions even for internet service providers (ISPs) that are not the direct target of a given campaign.

Why Seconds‑Long DDoS Attacks Can Still Be Critical

The short duration of many hyper‑volumetric attacks can be misleading. Even a burst lasting a few seconds can crash routers, firewalls, load balancers, and critical applications. The subsequent recovery process often takes far longer than the attack itself: engineering teams must sequentially restore services, validate the integrity of distributed data, verify that no secondary faults remain, and only then return systems to normal operation.

Key Measures to Defend Against Hyper‑Volumetric DDoS Attacks

Given the growth of botnets like Aisuru, organizations should reassess their DDoS resilience and move beyond traditional perimeter‑only defenses. Recommended measures include:

  • Adopting specialized DDoS protection services that scrub traffic in the provider’s cloud before it reaches the organization’s network (e.g., Cloudflare or comparable solutions).
  • Establishing a clear incident response plan with defined escalation paths, technical and business contacts, failover and traffic‑rerouting procedures, and service degradation strategies.
  • Hardening IoT and network infrastructure by disabling remote access by default, changing all default passwords, applying firmware updates regularly, and limiting direct internet exposure of devices.
  • Performing stress‑testing and DDoS simulations to identify bottlenecks, tune rate‑limiting and filtering policies, and verify that monitoring and alerting systems provide actionable signals under load.
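To check that monitoring gives an actionable signal for the short bursts described above, the following added example (not from the article or from Cloudflare) applies the article's hyper‑volumetric thresholds to per‑second flow data and compares the result with a five‑minute average. The record layout, the 1‑in‑1,000,000 sampling rate and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds from the article's definition of "hyper-volumetric".
HYPER_BPS = 10**12   # more than 1 Tbps
HYPER_PPS = 10**9    # more than 1 billion packets per second

def per_second_stats(records, sampling_rate):
    """Scale 1-in-N sampled flow records up to per-second bps, pps,
    distinct UDP destination ports and distinct sources."""
    raw = defaultdict(lambda: {"bytes": 0, "pkts": 0, "ports": set(), "srcs": set()})
    for ts, src, dport, proto, nbytes, npkts in records:
        b = raw[ts]
        b["bytes"] += nbytes * sampling_rate
        b["pkts"] += npkts * sampling_rate
        b["srcs"].add(src)
        if proto == "udp":
            b["ports"].add(dport)
    return {ts: {"bps": b["bytes"] * 8, "pps": b["pkts"],
                 "udp_ports": len(b["ports"]), "sources": len(b["srcs"])}
            for ts, b in raw.items()}

def hyper_volumetric_seconds(stats):
    """Seconds in which either article threshold is exceeded."""
    return sorted(ts for ts, s in stats.items()
                  if s["bps"] > HYPER_BPS or s["pps"] > HYPER_PPS)

def average_bps(stats, start, length):
    """Mean bps over a polling window, as a coarse interface counter sees it."""
    return sum(stats[t]["bps"] for t in range(start, start + length) if t in stats) / length

def constructed_sample():
    """Constructed data: 300 s of baseline plus a 69 s UDP burst that
    sprays many destination ports (hypothetical record layout)."""
    records = []
    for ts in range(300):
        records.append((ts, "192.0.2.10", 443, "tcp", 1400, 1))
        records.append((ts, "192.0.2.11", 443, "tcp", 1400, 1))
        if 100 <= ts < 169:
            for i in range(200):
                src = f"198.51.100.{i % 250 + 1}"
                records.append((ts, src, 1024 + ts * 200 + i, "udp", 1400, 1))
    return records

if __name__ == "__main__":
    stats = per_second_stats(constructed_sample(), sampling_rate=1_000_000)
    hot = hyper_volumetric_seconds(stats)
    print(f"hyper-volumetric seconds: {len(hot)} ({hot[0]}..{hot[-1]})")
    print(f"5-minute average: {average_bps(stats, 0, 300) / 1e12:.2f} Tbps")
```

On this constructed data every second of the burst exceeds 1 Tbps, while the same traffic averaged over a five‑minute polling interval stays below the threshold, so an alert keyed to the coarse counter would not fire.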

The rise of the Aisuru IoT botnet and its 29.7 Tbps hyper‑volumetric DDoS attack demonstrates that infrastructures designed only for “normal” traffic conditions are no longer adequate. Organizations that depend on online services—whether commercial platforms, cloud providers, or critical infrastructure operators—should proactively invest in DDoS mitigation, network resilience, and basic IoT security hygiene. Those that prepare now will be far better positioned to withstand the next record‑breaking attack when, not if, it arrives.
