Microsoft said today that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses.
The attack used extremely high-rate UDP floods that targeted a specific public IP address in Australia, reaching nearly 3.64 billion packets per second (Bpps).
“The attack originated from Aisuru botnet. Aisuru is a Turbo Mirai-class IoT botnet that frequently causes record-breaking DDoS attacks by exploiting compromised home routers and cameras, mainly in residential ISPs in the United States and other countries,” said Azure Security senior product marketing manager Sean Whalen.
“These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement.”
Cloudflare linked the same botnet to a record-breaking 22.2 terabits per second (Tbps) DDoS attack that reached 10.6 billion packets per second (Bpps) and was mitigated in September 2025. This attack lasted only 40 seconds but was roughly equivalent to streaming one million 4K videos simultaneously.
One week earlier, the XLab research division of Chinese cybersecurity company Qi’anxin attributed another 11.5 Tbps DDoS attack to the Aisuru botnet, saying that it was controlling around 300,000 bots at the time.
The botnet targets security vulnerabilities in IP cameras, DVRs/NVRs, Realtek chips, and routers from T-Mobile, Zyxel, D-Link, and Linksys. As XLab researchers said, it suddenly ballooned in size in April 2025 after its operators breached a TotoLink router firmware update server and infected approximately 100,000 devices.
Infosec journalist Brian Krebs reported earlier this month that Cloudflare removed multiple domains linked to the Aisuru botnet from its public “Top Domains” rankings of the most frequently requested websites (based on DNS query volume) after they began overtaking legitimate sites, such as Amazon, Microsoft, and Google.
The company stated that Aisuru’s operators were deliberately flooding Cloudflare’s DNS service (1.1.1.1) with malicious query traffic to boost their domains’ popularity while undermining trust in the rankings. Cloudflare CEO Matthew Prince also confirmed that the botnet’s behavior was severely distorting the ranking system and added that Cloudflare now redacts or completely hides suspected malicious domains to avoid similar incidents in the future.
As Cloudflare revealed in its 2025 Q1 DDoS Report in April, it mitigated a record number of DDoS attacks last year, with a 198% quarter-over-quarter jump and a massive 358% year-over-year increase.
In total, it blocked 21.3 million DDoS attacks targeting its customers throughout 2024, as well as another 6.6 million attacks targeting its own infrastructure during an 18-day multi-vector campaign.
