Full Report
Cloudflare data shows 29.7 Tbps record-breaker landed amid 87% surge in network-layer attacks The internet has spent the past three months ducking for cover as the Aisuru botnet hurled record-shattering DDoS barrages from an army of up to 4 million infected machines.…
Analysis Summary
# Incident Report: Aisuru Botnet Terabit-Scale DDoS Campaign
## Executive Summary
The Aisuru botnet, a relatively new Mirai-class threat commanding up to 4 million compromised IoT devices, drove a massive surge in distributed denial-of-service (DDoS) activity over the past three months (Q3 2025). Network-layer attack volume rose 87% quarter-over-quarter, culminating in a record-breaking 29.7 Tbps attack in Q3. Cloudflare mitigated this activity, demonstrating the growing need for automated, high-capacity defenses against high-volume network-layer assaults that are launched and completed within minutes.
## Incident Details
- **Discovery Date:** Throughout Q3 2025 (as reported retrospectively in Cloudflare's Q3 report).
- **Incident Date (Peak):** Q3 2025; the quarterly reporting implies the record assault peaked in the September/October 2025 timeframe.
- **Affected Organization:** The Internet infrastructure globally, with specific surges observed against the IT/Services, Telecommunications, Gambling/Casinos, and Automotive sectors.
- **Sector:** Global Internet Infrastructure, IT/Services, Telecommunications, Automotive (Heavily Targeted).
- **Geography:** Global scale, with notable attack origins from Asia (Indonesia leading).
## Timeline of Events
### Initial Access
- **Date/Time:** First spotted in 2024, but escalated aggressively throughout Q3 2025.
- **Vector:** Likely compromise of insecure IoT devices (routers, cameras, "bargain-basement IoT gear").
- **Details:** The botnet leverages millions of compromised devices to form its attack army.
### Lateral Movement
*Not explicitly detailed in the source, but implied*: the command-and-control (C2) structure inherent to Mirai-class botnets allows centralized orchestration of the distributed devices.
### Data Exfiltration/Impact
- **Impact:** System disruption and service unavailability due to massive volumetric flooding aimed at overwhelming network capacity ("DDoS barrages"). The primary impact was service degradation/outage for targeted organizations.
### Detection & Response
- **Detection:** Detected by Cloudflare's extensive monitoring infrastructure, which logs all mitigated attacks.
- **Response Actions:** Cloudflare's **autonomous defenses** blocked the assaults. The sheer volume suggests reliance on cloud-based, high-capacity scrubbing, as many attacks concluded in under ten minutes, too fast for reactive mitigation services.
## Attack Methodology
- **Initial Access:** Compromise of IoT devices (routers, cameras) often exploiting weak security configurations.
- **Persistence:** Maintenance of device compromise via botnet C2 infrastructure.
- **Privilege Escalation:** (Not detailed, assumed inherent to the IoT compromise mechanism).
- **Defense Evasion:** Use of **randomized packet attributes** to evade legacy defenses.
- **Credential Access:** (Not detailed; not applicable to a volumetric DDoS campaign).
- **Discovery:** (Not detailed; the campaign used an already established botnet).
- **Lateral Movement:** (Not detailed; the campaign used an already established botnet).
- **Collection:** (Not detailed; not applicable to a volumetric DDoS campaign).
- **Exfiltration:** (Not applicable; this was a destructive DDoS campaign, not data exfiltration).
- **Impact:** Hyper-volumetric flooding targeting network layers.
## Impact Assessment
- **Financial:** Not quantified, but substantial given the targeting of high-value sectors (attacks on AI companies spiked 347% month-over-month in September).
- **Data Breach:** None reported; the attack type was primarily denial of service.
- **Operational:** Significant operational stress globally. Cloudflare mitigated 8.3 million DDoS attacks in Q3 (nearly 3,780 per hour). Key sectors like Automotive jumped 62 spots in attack rankings.
- **Reputational:** Increased scrutiny on the resilience of core internet infrastructure against state-of-the-art botnets.
## Indicators of Compromise
*Note: As this report focuses on the overall threat landscape reported by a service provider, specific attack IPs/URLs are not provided, only attack characteristics.*
- **Network Indicators (attack characteristics only; no IPs/URLs):**
  - Peak Volumetric Rate: **29.7 Tbps**
  - Packet Rate: Up to **1 Billion packets per second (Bpps)**
  - Traffic Type: Predominantly **UDP carpet-bombing floods** targeting ~15,000 destination ports/second.
- **File Indicators:** N/A (Botnet payload identification is not included).
- **Behavioral Indicators:**
  - High frequency of **network-layer attacks (71% of total)**, showing an 87% QoQ increase.
  - Rapid attack duration, often **ending in under ten minutes**.
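As an added example (not code from the Cloudflare report or from any Aisuru analysis), the per-second detection logic a defender would run over flow records to surface the carpet-bombing pattern described above: distinct UDP destination ports per target per second, which stays visible even when source ports and packet attributes are randomized. The threshold, the TEST-NET addresses and the sample flows are constructed assumptions.

```python
"""Per-second carpet-bombing detector over constructed UDP flow records.

A carpet-bombing flood spreads packets across thousands of destination
ports on one target, so no single port's volume looks alarming. The
robust signal is the number of DISTINCT destination ports hit per
destination IP per second, evaluated in one-second buckets so an attack
that ends in under ten minutes is still caught. Thresholds and addresses
here are assumptions, not values from the Cloudflare report.
"""
import random
from collections import defaultdict

# Assumed threshold: legitimate services rarely receive UDP on more than a
# few hundred distinct ports per second; the report cites ~15,000/s.
DISTINCT_PORT_THRESHOLD = 5000


def carpet_bomb_alerts(flows, threshold=DISTINCT_PORT_THRESHOLD):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, proto, dst_port).
    Returns {(dst_ip, bucket): (distinct_ports, packets)} for buckets
    whose distinct UDP destination-port count exceeds the threshold."""
    ports = defaultdict(set)
    packets = defaultdict(int)
    for ts, _src, dst, proto, dport in flows:
        if proto != "udp":
            continue
        key = (dst, int(ts))          # one-second bucket per target
        ports[key].add(dport)
        packets[key] += 1
    return {k: (len(p), packets[k]) for k, p in ports.items() if len(p) > threshold}


def constructed_flows(seed=42):
    """Constructed sample: one target flooded with randomized source and
    destination ports (the 'randomized packet attributes' the report
    notes), plus normal DNS/QUIC traffic to a second host."""
    rng = random.Random(seed)
    flows = []
    for _ in range(12000):  # flood: TEST-NET-3 target, 1 s, random ports
        src = f"198.51.100.{rng.randrange(1, 255)}"
        flows.append((1700000000.0 + rng.random(), src, "203.0.113.10",
                      "udp", rng.randrange(1, 65536)))
    for i in range(200):    # benign: fixed well-known ports only
        flows.append((1700000000.0 + i / 200, "198.51.100.7", "203.0.113.20",
                      "udp", 443 if i % 2 else 53))
    return flows


if __name__ == "__main__":
    for (dst, sec), (nports, npkts) in carpet_bomb_alerts(constructed_flows()).items():
        print(f"ALERT {dst} t={sec}: {nports} distinct UDP dst ports, {npkts} pkts")
```

Because the bucket is one second, the detector fires on the first second of a flood rather than after a multi-minute rollup, which is the property the "under ten minutes" indicator demands.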
## Response Actions
- **Containment Measures:** Cloudflare’s autonomous scrubbing centers absorbed and filtered the traffic volume.
- **Eradication Steps:** Not performed; Cloudflare filters attack traffic at its edge rather than remediating the compromised source devices, so the attacker infrastructure (Aisuru botnet) continues to operate globally.
- **Recovery Actions:** Successful mitigation prevented widespread, sustained service failure across Cloudflare's customer base.
## Lessons Learned
- **Shift to Volumetric Threats:** The DDoS threat landscape has fundamentally changed, favoring massive, rapid, network-layer volumetric attacks (UDP, SYN floods) over lower-volume HTTP attacks.
- **Speed of Attack:** Attacks finishing in under ten minutes are too fast for traditional, on-demand mitigation services to handle effectively.
- **Accessibility of Power:** DDoS capacity once associated with state-level or major criminal actors is now affordable and "up for hire" to ordinary cybercriminals.
## Recommendations
- Organizations must rapidly transition to always-on, large-capacity, **cloud-native DDoS mitigation**.
- Review and secure all IoT infrastructure (routers, cameras) to prevent inclusion in bot armies like Aisuru.
- Focus defensive hardening on **Network Layer (Layer 3/4)** defenses, especially UDP flood absorption capabilities.
- Monitor geopolitical and trade friction, as this correlates with targeted DDoS campaigns against specific industries (e.g., Automotive).