Record-Breaking 29.7 Tbps DDoS Attack Orchestrated by AISURU Botnet
Cloudflare successfully detected and mitigated the largest distributed denial-of-service (DDoS) attack on record, which peaked at 29.7 terabits per second and was attributed to the AISURU botnet. The attack, which lasted 69 seconds, utilized UDP carpet-bombing techniques targeting an average of 15,000 destination ports per second, and originated from a botnet-for-hire service leveraging between one and four million compromised routers and IoT devices worldwide. While the specific target of the attack was not disclosed, Cloudflare noted that the AISURU botnet has been responsible for a surge in hyper-volumetric DDoS attacks, particularly against telecommunications, gaming, hosting, and financial services sectors.
AISURU's operations have resulted in over 2,800 attacks mitigated by Cloudflare since the start of the year, with nearly half classified as hyper-volumetric, exceeding 1 Tbps or 1 billion packets per second. The botnet's activity has not only set new records for DDoS attack volume but has also demonstrated the potential to disrupt internet service providers even when they are not the direct targets. The majority of attack sources have been traced to locations in Asia, and the overall frequency and scale of DDoS attacks have seen significant increases compared to previous quarters and years.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Technical reporting details Aisuru's malware and exploitation methods
Subsequent technical analysis published in early December 2025 described Aisuru's use of compromised routers, cameras, DVRs, and gateways, along with persistence, obfuscation, anti-analysis, and multi-layer command-and-control features. The reporting also said the botnet exploited known and zero-day vulnerabilities across multiple vendors and supported capabilities beyond DDoS, including proxying and remote command execution.
Cloudflare's Q3 2025 report links record DDoS activity to Aisuru
In early December 2025, Cloudflare's Q3 2025 threat reporting publicly attributed the record 29.7 Tbps attack and broader surge in terabit-scale DDoS activity to the Aisuru botnet. The report described Aisuru as operating at massive scale, with estimates ranging up to 4 million infected devices and frequent hyper-volumetric attacks.
Cloudflare mitigates thousands of Aisuru-linked attacks in Q3 2025
Cloudflare reported mitigating 2,867 DDoS attacks linked to Aisuru during Q3 2025 as the botnet became a major driver of hyper-volumetric network-layer attacks. The company also said these attacks were often very short-lived, underscoring the need for automated defenses.
Aisuru launches record 29.7 Tbps DDoS attack in Q3 2025
During Q3 2025, the Aisuru botnet launched a record-breaking distributed denial-of-service attack that peaked at 29.7 Tbps and 14.1 billion packets per second. Reports say the attack caused collateral disruption beyond the direct target, including impacts seen by major ISPs.
Aisuru botnet is first identified
The Aisuru botnet was first identified in 2024 as an emerging IoT-based botnet threat. Later reporting describes it as rapidly growing in scale and sophistication after its initial discovery.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Aisuru botnet turns Q3 into a terabit-scale stress test for the entire internet
go.theregister.com
Open sourceCloudflare mitigates record 29.7 Tbps DDoS attack by the AISURU botnet
securityaffairs.com
Open sourceRecord 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts
thehackernews.com
Open sourceAISURU Botnet: Inside the 29.7 Tbps Mega-Scale DDoS Weapon
secpod.com
Open sourceCloudflare Blocks Aisuru Botnet Powered Largest Ever 29.7 Tbps DDoS Attack
hackread.com
Open sourceWhy the Record-Breaking 30 Tbps DDoS Attack Should Concern Every Business
fortra.com
Open sourceAisuru botnet behind new record-breaking 29.7 Tbps DDoS attack
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Aisuru Botnet Drove Record-Breaking Multi-Terabit DDoS Attacks
Researchers and network defenders linked the **Aisuru** botnet to a wave of hyper-volumetric distributed denial-of-service attacks that pushed internet-scale flooding to new highs. Reports described attacks reaching **11.5 Tbps** and later **22.2 Tbps** with **10.6 billion packets per second**, with one major incident lasting about 40 seconds and being automatically mitigated by Cloudflare. Coverage from Cloudflare, The Register, Cybersecurity Dive, and QiAnXin XLab said the botnet helped fuel a broader rise in DDoS activity and turned parts of the internet into what one report characterized as a terabit-scale stress test. Government and industry tracking indicated the botnet was not an isolated spike but an active threat affecting organizations across regions, including the UK. Germany's **BSI** published an Aisuru botnet profile as defenders continued cataloging its infrastructure and behavior, while media reports said British businesses were hit by record botnet-driven barrages. Across the referenced reporting, Aisuru emerged as a large-scale botnet associated with compromised devices and capable of launching short, extremely intense floods that set new benchmarks for DDoS volume and forced providers to rely on automated mitigation at massive scale.
May 31, 2026
AISURU/Kimwolf Botnet’s Record 31.4 Tbps Hyper-Volumetric DDoS Attack Mitigated by Cloudflare
Cloudflare reported mitigating a **record-setting hyper-volumetric DDoS attack** attributed to the **AISURU/Kimwolf** botnet that peaked at **31.4 Tbps** and lasted **35 seconds** in **November 2025**. The activity was described as part of a broader late-2025 surge in hyper-volumetric HTTP DDoS events that Cloudflare said were automatically detected and blocked, with **Q4 2025** hyper-volumetric attacks increasing **40%** quarter-over-quarter and the largest attacks growing **700%** compared to late 2024. Reporting tied AISURU/Kimwolf to DDoS-for-hire style operations and additional campaigns such as **“The Night Before Christmas”** (starting **December 19, 2025**), with Cloudflare citing campaign averages around **3 Bpps**, **4 Tbps**, and **54 Mrps**, and peaks up to **9 Bpps**, **24 Tbps**, and **205 Mrps**. The botnet’s capabilities and impact extend beyond web-layer floods: it has been associated with UDP/TCP/GRE flooding techniques and disruption of broadband providers via traffic sourced from compromised customer devices/CPE, and it has been described as enabling other illicit activity (e.g., credential stuffing, scraping, spam, phishing); separate reporting also stated the botnet has leveraged a large pool of compromised devices, including **millions of Android-based endpoints** such as off-brand Android TVs.
Mar 21, 2026
Aisuru Botnet Launches Record-Breaking DDoS Attacks Against US ISPs and Enterprises
The Aisuru botnet, now recognized as the world’s largest and most disruptive DDoS botnet, has escalated its operations by leveraging a vast network of compromised Internet-of-Things (IoT) devices, particularly those hosted on major US Internet providers such as AT&T, Comcast, and Verizon. Security experts have observed that the concentration of infected devices within these US-based ISPs is complicating mitigation efforts and increasing the risk of collateral damage during attacks. In recent months, Aisuru has demonstrated its dominance over other IoT-based botnets, with its arsenal estimated at 300,000 compromised hosts globally, including consumer-grade routers, security cameras, and digital video recorders running outdated firmware or default settings. The botnet’s operators continuously scan for vulnerable devices, conscripting them into their network to launch distributed denial-of-service (DDoS) attacks of unprecedented scale. Aisuru’s attack capabilities have grown rapidly, with a notable incident in May 2025 where KrebsOnSecurity was targeted with a 6.35 Tbps DDoS attack, then the largest ever mitigated by Google’s Project Shield. This record was quickly surpassed days later when Aisuru unleashed an 11 Tbps assault. By late September, the botnet was observed flexing its power with attacks exceeding 22 Tbps, culminating in a staggering 29.6 Tbps traffic flood on October 6, 2025. This latest demonstration, though brief and directed at a server designed to measure such events, shattered previous DDoS records and highlighted the botnet’s potential for catastrophic disruption. The technical sophistication of these attacks is not limited to sheer bandwidth. Recent case studies reveal that Aisuru and similar botnets are employing complex, multi-vector strategies. For example, a major US technology company was recently hit by two massive network-layer DDoS attacks in a single day, with the first peaking at 1.2 Tbps and 563 million packets per second (PPS), and the second reaching nearly 1.5 Tbps and sustaining over 1 billion PPS for 20 minutes. These attacks targeted Layers 3 and 4 of the OSI model, using high PPS rates to overwhelm not just bandwidth but also the routing and switching infrastructure of the victim. The attackers utilized UDP-driven floods and, in subsequent waves, introduced TCP components to increase complexity and resource exhaustion. Amplification techniques, exploiting misconfigured services, were also employed to magnify the impact. The globally distributed nature of the botnet, with compromised devices spanning multiple regions, has made it difficult for defenders to block malicious traffic without affecting legitimate users. The attacks have underscored the limitations of relying solely on raw network capacity for DDoS defense. Instead, effective mitigation now requires distributed defense architectures, rapid time-to-mitigation, high-quality traffic scrubbing, and resilience against both volumetric and packet-intensive floods. The evolving tactics of the Aisuru botnet demonstrate a deliberate escalation in both scale and sophistication, posing a significant threat to ISPs, enterprises, and the broader Internet infrastructure. Security teams are urged to reassess their DDoS defense strategies in light of these developments, as traditional approaches may no longer suffice against the scale and complexity of modern botnet-driven attacks.
Mar 21, 2026