Aisuru IoT Botnet Hits Microsoft Azure with 15.72 Tbps DDoS Attack

CyberSecureFox 🦊

The Microsoft Azure cloud platform has become the target of one of the most powerful distributed denial-of-service (DDoS) attacks reported in recent years. According to Microsoft, the peak traffic volume reached 15.72 Tbps, generated simultaneously from around 500,000 unique IP addresses. The campaign was attributed to the Aisuru botnet, a Turbo Mirai–class IoT botnet that recruits compromised internet-connected devices to launch high‑bandwidth attacks.

Record-scale DDoS attack on Microsoft Azure

Microsoft reports that attackers deployed a massive UDP flood against a specific public IP address hosted in Australia. At its peak, Azure’s infrastructure had to process approximately 3.64 billion packets per second (pps). Such volumetric attacks attempt to overwhelm network links and devices by bombarding them with enormous numbers of small packets, effectively exhausting bandwidth and processing capacity.

A notable characteristic of this incident is that little to no source IP spoofing was used. Instead of forging sender addresses, the botnet generated traffic from real, routable IP addresses and sent it to random destination ports. For defenders, this creates a mixed picture: random ports and variable packet patterns complicate simple signature-based filtering, yet the use of genuine IP addresses makes it easier for internet service providers (ISPs) and infrastructure operators to identify the attacking networks and apply targeted blocking or rate limiting upstream of the victim.
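The two properties described above, unspoofed sources and random destination ports, are exactly what a flow-level detector can key on. The following is an added example written for this page, not code from Microsoft or from any published Azure mitigation: it runs over constructed NetFlow-style records (source, destination, destination port, packet count) for a single target, flags sources that spray many distinct destination ports at a high packet rate, and groups the flagged sources by /24 so an operator can hand a prefix list to the upstream network. The thresholds and addresses are illustrative assumptions.

```python
"""Flag unspoofed UDP-flood sources that spray random destination ports.

Added example, not from the article or from Microsoft's mitigation. Input is a
list of constructed flow records (src_ip, dst_ip, dst_port, packets) of the
kind a sampled NetFlow/IPFIX collector emits for one observation window.
Thresholds (min_ports, min_pps) are illustrative assumptions.
"""
from collections import defaultdict
from ipaddress import ip_network
import random

random.seed(7)

# Constructed sample: two attacking hosts in one /24 spray random high ports
# at the target; one legitimate client talks to port 443 only.
TARGET = "203.0.113.10"
FLOWS = []
for src in ("198.51.100.23", "198.51.100.77"):
    for _ in range(200):
        FLOWS.append((src, TARGET, random.randint(1024, 65535), random.randint(50, 200)))
for _ in range(30):
    FLOWS.append(("192.0.2.5", TARGET, 443, random.randint(1, 5)))


def port_spray_sources(flows, window_s=1.0, min_ports=50, min_pps=1000):
    """Return {src: (distinct_dst_ports, pps)} for sources that both touch many
    distinct destination ports and exceed a packet-rate threshold in the window.

    A random-port spray from a genuine address shows up as many distinct ports
    from one source; a legitimate client reuses a handful of service ports.
    """
    ports = defaultdict(set)
    pkts = defaultdict(int)
    for src, _dst, dport, n in flows:
        ports[src].add(dport)
        pkts[src] += n
    hits = {}
    for src, seen in ports.items():
        pps = pkts[src] / window_s
        if len(seen) >= min_ports and pps >= min_pps:
            hits[src] = (len(seen), pps)
    return hits


def aggregate_prefixes(hits, prefixlen=24):
    """Group flagged sources by prefix. Because the traffic is not spoofed, the
    prefixes identify real attacking networks that an upstream ISP can rate-limit."""
    by_prefix = defaultdict(list)
    for src in sorted(hits):
        net = ip_network(f"{src}/{prefixlen}", strict=False)
        by_prefix[str(net)].append(src)
    return dict(by_prefix)


if __name__ == "__main__":
    flagged = port_spray_sources(FLOWS)
    for src, (nports, pps) in flagged.items():
        print(f"{src}: {nports} distinct dst ports, {pps:.0f} pps")
    print(aggregate_prefixes(flagged))
```

The distinct-port count is the discriminator that a plain packet-rate threshold lacks: a busy legitimate client can also exceed a rate limit, but it does not touch hundreds of unrelated ports on one host in a second. At real scale the same logic would run per-source on sampled flows rather than on full packet counts, so the thresholds must be scaled by the sampling rate.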

Aisuru: Turbo Mirai–class IoT botnet targeting routers and cameras

Security researchers classify Aisuru as a Turbo Mirai–class IoT botnet. It is an evolution of the original Mirai codebase, which powered the roughly 1.2 Tbps DDoS attack against DNS provider Dyn in 2016, as documented in multiple post-incident analyses. Aisuru focuses on building a large, globally distributed network of compromised home routers, IP cameras, DVR/NVR systems, and other poorly secured IoT devices.

Previous investigations have shown that Aisuru exploits known vulnerabilities in products from vendors such as Totolink, T-Mobile, Zyxel, D-Link, Linksys, as well as in various IP cameras and devices based on Realtek chipsets. Weak or default passwords, outdated firmware, and exposed management interfaces significantly increase the risk of compromise. Researchers highlight that a turning point for Aisuru’s growth was the reported compromise of a Totolink router update server, after which the number of infected devices surged sharply.

IoT insecurity as fuel for next-generation DDoS attacks

The Aisuru case once again illustrates how systemic IoT insecurity amplifies global DDoS risk. Inexpensive consumer devices are deployed in huge numbers, rarely updated, and often shipped with insecure defaults. Once compromised, they offer attackers stable bandwidth, geographic distribution, and the ability to generate both high-volume UDP floods and application‑layer attacks. This trend has been observed across multiple botnets since Mirai, but the sheer scale of recent incidents shows an order‑of‑magnitude increase in destructive potential.

From Azure to Cloudflare: Aisuru’s record DDoS campaigns

The attack on Microsoft Azure is not the first time Aisuru has set new DDoS benchmarks. In September 2025, Cloudflare reported mitigating an Aisuru-driven attack that peaked at 22.2 Tbps with a packet rate of up to 10.6 billion pps. Although the extreme peak lasted for roughly 40 seconds, that window would be sufficient to disable unprotected or weakly protected online services.

Earlier, researchers from Qianxin Xlab documented another Aisuru campaign with an estimated capacity of around 11.5 Tbps. At that time, experts assessed the botnet’s size at more than 300,000 infected IoT devices worldwide, noting that many nodes were located in the networks of major ISPs in the United States and other countries. Compared with historic Mirai attacks, these figures reflect a dramatic escalation in the power of IoT-based botnets.

Beyond DDoS: manipulating Cloudflare’s Top Domains ranking

Aisuru’s operators have not limited themselves to overwhelming networks with traffic. According to public statements and research, they also attempted to use the botnet to manipulate Cloudflare DNS statistics, specifically the Cloudflare Top Domains ranking, which is based on the volume of DNS queries observed by the company’s resolvers.

By generating massive waves of malicious DNS queries to the public resolver 1.1.1.1, the attackers artificially elevated domains under their control. These domains began to appear above legitimate high‑traffic services from Amazon, Microsoft, and Google in the ranking, effectively turning a popularity metric into a reflection of botnet activity.

Cloudflare acknowledged that Aisuru’s behavior significantly distorted ranking results. In response, the company introduced additional filters and heuristics: suspicious domains can now be adjusted or fully removed from the public list to reduce the influence of automated, non-human traffic. This episode demonstrates how large botnets can not only disrupt services, but also undermine trust in internet measurement and reputation systems.
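To make the manipulation concrete, the following added example (written for this page; neither the ranking method nor the heuristic is Cloudflare's actual Radar implementation, and both are assumptions for illustration) builds a "top domains" list two ways from a constructed resolver query log. Ranking by raw query volume lets a domain queried relentlessly by a few infected hosts outrank a service with a large, diverse client base; ranking by distinct clients, with domains whose queries are concentrated on a few clients excluded, does not.

```python
"""Raw-query-count ranking vs. a client-diversity ranking for a 'top domains' list.

Added example, not Cloudflare's code. The log lines are constructed; the
max_share concentration cutoff is an illustrative assumption.
"""
from collections import defaultdict

# Constructed resolver log: (client_ip, qname). A widely used domain gets one
# query each from 400 different clients; a botnet-controlled domain gets 100
# queries each from only 10 infected hosts in one /24.
LOG = []
for i in range(400):
    LOG.append((f"10.{i // 256}.{i % 256}.1", "example.com"))
for i in range(10):
    for _ in range(100):
        LOG.append((f"198.51.100.{i}", "botnet-controlled.example"))


def rank_by_queries(log):
    """Naive ranking: total query count per domain, descending."""
    counts = defaultdict(int)
    for _client, qname in log:
        counts[qname] += 1
    return sorted(counts, key=lambda d: -counts[d])


def rank_by_clients(log, max_share=0.05):
    """Rank by number of distinct querying clients, and drop any domain where a
    single client accounts for more than max_share of that domain's queries.
    Popularity driven by many independent users passes; traffic concentrated
    on a few hosts is treated as automated and excluded from the list."""
    per_domain = defaultdict(lambda: defaultdict(int))
    for client, qname in log:
        per_domain[qname][client] += 1
    scores = {}
    for qname, clients in per_domain.items():
        total = sum(clients.values())
        top_share = max(clients.values()) / total
        if top_share > max_share:
            continue
        scores[qname] = len(clients)
    return sorted(scores, key=lambda d: -scores[d])


if __name__ == "__main__":
    print("by queries:", rank_by_queries(LOG))
    print("by clients:", rank_by_clients(LOG))
```

The naive list puts the botnet's domain first with 1,000 queries against 400; the diversity-based list excludes it because each of its ten clients contributes 10% of its queries, far above the 5% cutoff, and ranks only the genuinely popular domain. A production system would use stronger signals (distinct /24s or ASNs, query-timing regularity, client reputation), but the principle is the same: a popularity metric must count sources, not just requests.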

The evolution of Aisuru underscores how mass compromise of IoT devices is turning into a strategic weapon against cloud platforms, critical network infrastructure, and even trust signals such as DNS-based popularity rankings. To reduce this risk, households and organizations should regularly update router and camera firmware, disable unnecessary remote access and exposed management interfaces, replace factory-default passwords, and segment networks so that "smart" devices are isolated from critical systems. For ISPs and online service providers, it is essential to deploy multi-layered DDoS protection, real-time anomaly monitoring, and close cooperation with global anti-DDoS platforms and threat-intelligence communities. The fewer vulnerable IoT devices are available to attackers, and the more resilient core infrastructure becomes, the lower the chance that the next terabit-scale record will be set at the expense of these networks.
