A massive distributed denial‑of‑service (DDoS) campaign in December 2025, attributed to the Aisuru (also known as Kimwolf) botnet, has set a new benchmark for attack scale and sophistication. The botnet reportedly generated peak traffic of 31.4 Tbps and up to 200 million HTTP requests per second (RPS), targeting major telecommunications providers as well as Cloudflare’s own protection infrastructure.
Escalating DDoS capacity: From 29.7 Tbps to 31.4 Tbps
Aisuru was already known in the DDoS landscape for an earlier public record of a 29.7 Tbps DDoS attack. Microsoft analysts had previously associated the same botnet family with an incident peaking at 15.72 Tbps and involving approximately 500,000 unique IP addresses. The latest wave shows that operators behind Aisuru have not only maintained control over a large botnet but have significantly upgraded their attacking infrastructure.
An increase from 29.7 to 31.4 Tbps may seem incremental, but at these magnitudes it indicates continuous enrollment of new compromised devices and better optimization of their traffic‑generation techniques. For comparison, public reports from the early 2020s placed record volumetric attacks in the low single‑digit terabit range; a 31.4 Tbps event is an order of magnitude above those historical baselines.
“Night Before Christmas” campaign: Tightly coordinated, short‑burst DDoS
Cloudflare described the incident as a large‑scale, coordinated DDoS campaign primarily focused on telecom operators and technology companies. Because the attacks began during the night of 18–19 December 2025, internal teams reportedly dubbed the operation the “Night Before Christmas” campaign.
Unusually, the attackers did not limit themselves to customer targets. Cloudflare’s own management plane and core infrastructure were also hit, suggesting an attempt to overload both the protection service and its downstream clients at the same time. This multi‑layer targeting aims to collapse several lines of defense simultaneously.
A distinctive feature of the campaign was the prevalence of very short, extremely intense bursts. More than half of the observed attacks lasted only one to two minutes; only about 6% continued significantly longer. At the same time, roughly 90% of the attacks reached 1–5 Tbps of throughput, and nearly 94% generated between 1 and 5 billion packets per second. Such “hit‑and‑run” tactics exploit the reaction lag in manual processes and legacy defenses that are not fully automated.
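The hit-and-run pattern described above is what makes response lag the deciding factor: a 90-second burst is over before a five-minute manual escalation can act. The following script is an added example (not code from Cloudflare or from the original article) that runs a simple threshold-and-confirm detector over constructed per-second traffic samples and then splits each detected burst into the seconds a given reaction lag leaves unmitigated. The sample values, thresholds, confirmation window and lag figures are all assumptions chosen for illustration; the flood values are placed inside the 1-5 Tbps and 1-5 billion pps bands the article reports.

```python
"""Automated burst detection over constructed per-second traffic samples.

The samples are constructed for this example, not telemetry from the campaign:
a 15-minute window with a 90-second flood sitting on a quiet baseline.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    t: int        # seconds since the start of the window
    tbps: float   # aggregate inbound throughput, terabits per second
    gpps: float   # aggregate inbound packet rate, billions of packets per second


def constructed_samples(duration=900, burst_start=300, burst_len=90):
    """One sample per second; the flood occupies [burst_start, burst_start + burst_len)."""
    out = []
    for t in range(duration):
        in_burst = burst_start <= t < burst_start + burst_len
        out.append(Sample(t, 3.2, 2.8) if in_burst else Sample(t, 0.2, 0.05))
    return out


@dataclass
class Burst:
    start: int        # first second over threshold
    end: int          # first second after the burst (exclusive)
    detected_at: int  # second at which the detector fired
    peak_tbps: float
    peak_gpps: float


def detect_bursts(samples, tbps_threshold=1.0, gpps_threshold=1.0,
                  confirm_seconds=3, cooldown_seconds=5):
    """Fire once throughput or packet rate stays over threshold for
    `confirm_seconds` consecutive samples; close the burst after
    `cooldown_seconds` quiet samples. All thresholds are assumed values."""
    bursts = []
    over_run = quiet_run = 0
    current = None
    for s in samples:
        over = s.tbps >= tbps_threshold or s.gpps >= gpps_threshold
        if current is None:
            over_run = over_run + 1 if over else 0
            if over_run >= confirm_seconds:
                start = s.t - confirm_seconds + 1
                current = Burst(start, s.t + 1, s.t, 0.0, 0.0)
                over_run = quiet_run = 0
        elif over:
            quiet_run = 0
            current.end = s.t + 1
        else:
            quiet_run += 1
            if quiet_run >= cooldown_seconds:
                bursts.append(current)
                current = None
    if current is not None:   # burst still running at the end of the window
        bursts.append(current)
    for b in bursts:          # peaks are taken over the burst's own samples
        inside = [s for s in samples if b.start <= s.t < b.end]
        b.peak_tbps = max(s.tbps for s in inside)
        b.peak_gpps = max(s.gpps for s in inside)
    return bursts


def mitigation_split(burst, reaction_seconds):
    """Split a burst into the seconds that pass before a mitigation applied
    `reaction_seconds` after detection takes effect, and the seconds it covers."""
    duration = burst.end - burst.start
    effective = burst.detected_at + reaction_seconds
    unmitigated = min(duration, max(0, effective - burst.start))
    return unmitigated, duration - unmitigated


if __name__ == "__main__":
    for b in detect_bursts(constructed_samples()):
        print(f"burst {b.start}-{b.end}s, peak {b.peak_tbps} Tbps / "
              f"{b.peak_gpps} Gpps, detected at {b.detected_at}s")
        for label, lag in (("manual, 5 min lag", 300), ("automated, 10 s lag", 10)):
            print(f"  {label}: {mitigation_split(b, lag)} seconds (unmitigated, mitigated)")
```

With the constructed input the detector fires three seconds into the burst; a 300-second manual lag leaves all 90 seconds unmitigated, while a 10-second automated lag covers 78 of them. A spike shorter than the confirmation window is deliberately ignored, which is the usual trade-off between reaction time and false positives on noisy baselines.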
Technical breakdown: HTTP DDoS and Layer 4 (L4) network floods
The campaign combined hyper‑volumetric HTTP DDoS attacks (Layer 7) with Layer 4 (L4) floods against network infrastructure. Understanding this dual‑layer strategy is critical for effective DDoS protection.
HTTP DDoS attacks target the application layer, saturating web servers and APIs with huge volumes of seemingly legitimate requests. Each individual HTTP request may look valid, but in aggregate they exhaust CPU, memory, and backend resources, leading to service unavailability for real users.
Layer 4 attacks operate at the transport layer (TCP/UDP). At peaks of 31.4 Tbps, these floods primarily stress bandwidth and network hardware—routers, switches, and firewalls. In severe cases, they can disrupt not only the victim service but also upstream carriers and backbone segments, causing regional or cross‑provider instability.
By combining L4 volumetric floods with L7 HTTP request storms, attackers force defenders to cope with congestion at multiple layers of the stack. Mitigation at this scale typically requires cooperation between ISPs for upstream filtering, large‑capacity scrubbing centers, and intelligent application‑layer defenses capable of distinguishing humans from automated bots in real time.
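Because every request in an HTTP flood can be individually well-formed, application-layer defenses have to key on aggregate behaviour per source rather than on request syntax. The following script is an added example (not Cloudflare's or the article's own code) that parses a constructed access-log excerpt and applies a per-source token bucket, the most basic form of the automated Layer 7 rate limiting mentioned above. The log format, the client addresses (documentation ranges), and the bucket parameters of 5 requests per second with a burst allowance of 20 are all assumptions made for this example.

```python
"""Per-source token-bucket rate limiting over constructed HTTP access-log lines.

The log excerpt is constructed for this example (not Cloudflare or Aisuru data):
one client, 198.51.100.7, issues a well-formed request every 10 ms for ten
seconds, while two ordinary clients browse at human pace. Every request is
syntactically valid, so only the per-source rate separates the flood from users.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: <ISO-8601 UTC timestamp, ms precision> <client ip> "<request line>" <status>
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')
BASE = datetime(2025, 12, 19, 2, 14, 0)   # constructed start time of the excerpt
EPOCH = datetime(1970, 1, 1)


def format_line(ms, ip, req, status=200):
    """Render one constructed log line at BASE + ms milliseconds."""
    when = BASE + timedelta(milliseconds=ms)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"
    return f'{ts} {ip} "{req}" {status}'


def constructed_log():
    """Ten seconds of constructed traffic: one flood source and two humans."""
    events = []
    # Flood source: 100 requests/s, each one a valid-looking API call.
    events += [(ms, "198.51.100.7", "GET /api/search?q=tv HTTP/1.1") for ms in range(0, 10000, 10)]
    # Human A: one page every two seconds.
    events += [(ms, "203.0.113.21", "GET /news HTTP/1.1") for ms in range(0, 10000, 2000)]
    # Human B: one page load (eight assets, 50 ms apart) and two later clicks.
    events += [(3000 + 50 * i, "203.0.113.42", f"GET /static/asset{i}.js HTTP/1.1") for i in range(8)]
    events += [(6000, "203.0.113.42", "GET /cart HTTP/1.1"),
               (9000, "203.0.113.42", "POST /checkout HTTP/1.1")]
    events.sort()
    return [format_line(ms, ip, req) for ms, ip, req in events]


def parse_line(line):
    """Return (ip, integer milliseconds since 1970, request line), or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    ms = (when - EPOCH) // timedelta(milliseconds=1)   # exact integer arithmetic
    return m.group("ip"), ms, m.group("req")


class TokenBucket:
    """Integer token bucket: `rate` tokens per second, at most `burst` stored.
    Tokens are kept in thousandths so that refills over millisecond gaps stay exact."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = burst * 1000
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def rate_limit(lines, rate=5, burst=20):
    """Apply one bucket per source address to the lines in order.
    Returns ({ip: (allowed, rejected)}, number_of_malformed_lines)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    malformed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            malformed += 1
            continue
        ip, ms, _ = parsed
        counts[ip][0 if buckets[ip].allow(ms) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}, malformed


if __name__ == "__main__":
    decisions, bad = rate_limit(constructed_log())
    for ip, (ok, dropped) in sorted(decisions.items()):
        print(f"{ip:>14}: {ok:4d} allowed, {dropped:4d} rejected")
    print(f"malformed lines: {bad}")
```

On the constructed excerpt the flood source gets 69 of its 1,000 requests through (the 20-request burst allowance plus five per second of refill) and the rest are rejected, while both human clients, including the eight-asset page load, are never throttled. A per-source bucket alone does not stop a flood spread across hundreds of thousands of addresses, which is why the article pairs it with upstream filtering and scrubbing capacity; it does, however, cap what any single compromised device can contribute.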
From IoT routers to Android TV: Changing composition of the Aisuru botnet
Earlier waves of Aisuru activity were primarily linked to compromised IoT devices and home routers. In the “Night Before Christmas” campaign, analysts observed a notable shift: a substantial portion of attack traffic originated from Android TV–based devices, including smart TVs and media set‑top boxes.
This evolution is consistent with broader threat trends. Smart TV and Android TV devices typically:
- remain always online and reachable from the internet;
- receive infrequent security updates or firmware patches from end users;
- ship with default or weak credentials and predictable configurations;
- offer relatively powerful CPUs and stable broadband connectivity.
As a result, they are attractive targets for mass malware campaigns and botnet operators. Once infected, such devices can emit significant DDoS traffic while remaining unnoticed by owners, who may experience only minor performance degradation or no visible symptoms.
DDoS protection strategy for 30+ Tbps attacks
Events at the scale attributed to Aisuru demonstrate that traditional firewalls and standalone on‑premise appliances are no longer sufficient for organizations with internet‑facing critical services, particularly in telecom, finance, e‑commerce, and online platforms.
Key measures to strengthen DDoS resilience
To withstand modern DDoS threats, organizations should consider a multi‑layer approach that includes:
- Tight integration with network operators: Establish upstream filtering and blackholing procedures with ISPs to stop or rate‑limit attack traffic before it reaches corporate networks.
- Specialized DDoS mitigation services: Use cloud‑based scrubbing centers and anycast networks that provide automated protection at Layers 3/4 and Layer 7, with rapid traffic rerouting based on anomaly detection.
- Regular DDoS preparedness testing: Conduct drills and controlled DDoS simulations to verify response times, detection thresholds, and escalation workflows.
- IoT and smart device hardening: Inventory connected devices, change default passwords, enable automatic updates where possible, apply network segmentation, and restrict unnecessary inbound access.
- Business continuity and redundancy planning: Implement geographically distributed deployments, multi‑cloud strategies, and backup connectivity options to reduce single points of failure.
The growth of DDoS attack capacity into the tens of terabits per second—and the inclusion of new device classes such as Android TV in large botnets—indicates that such incidents are evolving from rare outliers into a persistent background risk. Organizations that depend on online availability should treat DDoS defense as an ongoing risk‑management process, not a one‑time technology purchase. Investing early in layered mitigation, ISP cooperation, and security hygiene for consumer‑grade connected devices significantly reduces the likelihood that the next high‑profile DDoS campaign will succeed at the expense of their infrastructure.