“Aisuru” Botnet Launches Record-Breaking 29.7 Tbps DDoS Attacks, Signaling a New Era of Hyper-Volumetric Cyber Threats

In late 2025, Cloudflare’s threat intelligence team identified and analyzed a rapidly evolving and record-setting botnet campaign known as Aisuru. The threat intelligence brief, Aisuru botnet: Early October attacks escalate into record-setting DDoS activity, outlines how this botnet grew, the novel attack vectors it employed, and how modern defenses must adapt.


What Is Aisuru?

Aisuru is a large-scale botnet primarily composed of compromised Internet of Things (IoT) devices — including consumer routers, network cameras, DVRs, firewalls, and even public cloud virtual machines. Initially, Cloudflare estimated around half a million infected hosts, with the botnet doubling its size in just a few weeks during late 2025.

Unlike many legacy botnets, Aisuru’s operators use multi-vector infection strategies, such as worm propagation, exploitation of open network services, and likely firmware supply-chain compromises, to rapidly expand their network footprint.


Aisuru’s Hyper-Volumetric DDoS Attacks

The most visible capability of Aisuru is its ability to launch hyper-volumetric Distributed Denial of Service (DDoS) attacks — floods of malicious traffic at scales previously thought theoretical.

Record-Breaking Traffic

On 31 October 2025, Cloudflare’s network observed one of the largest DDoS attacks ever recorded:

  • Peak volume: 29.7 Terabits per second (Tbps)
  • Peak packet rate: ~14.1 billion packets per second (Bpps)
  • Attack duration: ~30–70 seconds of sustained peak traffic

This attack utilized a technique Cloudflare referred to as UDP “carpet-bombing”, where the botnet simultaneously floods thousands of destination ports with connectionless UDP packets. Combined with randomized packet attributes (like TTL values, source ports, and checksums), this method makes simple signature-based defenses far less effective.


Attack Dynamics and Techniques

Aisuru’s DDoS assaults are notable not only for sheer volume but also for the sophistication of their tactics:

  1. Multiple flood types: Beyond UDP floods, attackers combine SYN, ACK, and other TCP flood variants in parallel streams.
  2. High churn and distributed sources: Attacks originated from tens of thousands of unique autonomous systems (ASNs) spread across many countries, complicating network-based allow-listing or IP-blocking strategies.
  3. Rapid escalation: Attack traffic spikes from zero to peak within seconds — a pattern designed to overwhelm defenses before rate limits or heuristics adapt.
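The carpet-bombing signature described above and the three dynamics in this list are what a flow-level detector has to pick out in real time. The Python detector below is an added example, not code from Cloudflare or from the brief; it assumes a constructed flow-record schema (Flow), destination-keyed one-second windows, and illustrative thresholds (min_pps, port_spread, asn_spread, entropy_bits, ramp_factor) that would be tuned against a real baseline. It scores each window for destination-port spread, TTL and source-port entropy, origin-ASN diversity, and a zero-to-peak ramp relative to the previous window.

```python
import math
import random
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """One sampled flow record. Constructed schema for this example, not Cloudflare's."""
    ts: float        # seconds since capture start
    src_asn: int     # origin autonomous system number
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    ttl: int
    src_port: int
    packets: int     # packets represented by this record


def shannon_entropy(values: Iterable[int]) -> float:
    """Bits of entropy in the observed distribution of a header field."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(flows: List[Flow], window: float = 1.0) -> Dict[Tuple[str, int], dict]:
    """Aggregate flows per (destination, time window) into the features the detector scores."""
    buckets: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        buckets[(f.dst_ip, int(f.ts // window))].append(f)
    feats = {}
    for key, fl in buckets.items():
        pkts = sum(f.packets for f in fl)
        feats[key] = {
            "pps": pkts / window,
            "udp_share": sum(f.packets for f in fl if f.proto == "udp") / pkts,
            "dst_ports": len({f.dst_port for f in fl}),
            "src_asns": len({f.src_asn for f in fl}),
            "ttl_entropy": shannon_entropy(f.ttl for f in fl),
            "sport_entropy": shannon_entropy(f.src_port for f in fl),
        }
    return feats


def detect(flows: List[Flow], window: float = 1.0, min_pps: float = 10_000,
           port_spread: int = 100, asn_spread: int = 500,
           entropy_bits: float = 4.0, ramp_factor: float = 20.0) -> Dict[Tuple[str, int], List[str]]:
    """Return the flags raised for each (destination, window). Thresholds are illustrative assumptions."""
    feats = window_features(flows, window)
    verdicts = {}
    for (dst, idx), f in feats.items():
        flags = []
        if f["pps"] >= min_pps:   # windows below this rate are not worth scoring
            # carpet-bombing: UDP spread over many destination ports with randomized TTL / source port
            if (f["udp_share"] > 0.9 and f["dst_ports"] >= port_spread
                    and f["ttl_entropy"] >= entropy_bits and f["sport_entropy"] >= entropy_bits):
                flags.append("udp_carpet_bomb")
            # churn: traffic arriving from a very large number of origin networks
            if f["src_asns"] >= asn_spread:
                flags.append("distributed_sources")
            # escalation: this window is many times the previous one (zero-to-peak within seconds)
            prev_pps = feats.get((dst, idx - 1), {"pps": 0.0})["pps"]
            if idx > 0 and f["pps"] / max(prev_pps, 1.0) >= ramp_factor:
                flags.append("rapid_escalation")
        verdicts[(dst, idx)] = flags
    return verdicts


def build_sample_flows(seed: int = 7) -> List[Flow]:
    """Constructed capture: one second of ordinary HTTPS traffic, then one second of a UDP carpet-bomb."""
    rng = random.Random(seed)
    target = "203.0.113.10"
    flows = []
    for i in range(50):      # benign: ten client networks, fixed TTL, a single service port
        flows.append(Flow(i / 50, 64500 + i % 10, target, 443, "tcp", 64, 49152 + i, 2))
    for i in range(2000):    # attack: random destination port, TTL and source port from thousands of ASNs
        flows.append(Flow(1.0 + i / 2000, rng.randint(1, 20000), target, rng.randint(1, 65535),
                          "udp", rng.randint(1, 255), rng.randint(1024, 65535), 500))
    return flows


if __name__ == "__main__":
    for key, flags in sorted(detect(build_sample_flows()).items()):
        print(key, flags or ["clean"])
```

Run as a script, the benign window prints clean and the attack window raises all three flags. The entropy features are the part that matters against randomized packet attributes: a fixed-TTL flood from one source network scores near zero bits, while the carpet-bomb window scores close to the maximum for each field.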

Botnet Infrastructure and Resilience

Aisuru’s underlying command and control (C2) structure is engineered for resilience against takedowns and analysis:

  • DNS-based C2: Rather than hard-coded IPs, C2 servers are resolved via DNS TXT records. This allows operators to shift entire botnet fleets by updating DNS entries alone, evading IP blocklists.
  • Obfuscated control: C2 records are encoded before inclusion in DNS to bypass simple network filtering.
  • Encrypted sessions: All C2 communication uses ChaCha20 encryption with per-session keys, preventing straightforward decryption or replay by defenders.
  • Stealth and anti-analysis: On infected hosts, the malware masquerades as legitimate system processes and performs environment checks to thwart sandbox or forensic analysis.

These design choices make the botnet difficult to map completely and slow down defensive efforts to decapitate the network.
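Resolving C2 through encoded DNS TXT records is also an opportunity for detection: most TXT payloads in a resolver log follow a handful of well-known formats, so an opaque high-entropy blob returned for an unusual owner name stands out. The Python triage below is an added example, not Cloudflare's tooling and not anything taken from the Aisuru malware; it assumes a constructed TxtRecord schema, constructed sample names and payloads, and an illustrative 3.5 bits/character entropy threshold. It exempts records whose owner name carries a standard service label (ACME challenge tokens and DKIM keys are legitimate blobs that a naive entropy rule would flag), accepts well-known payload prefixes, and attempts a base64 decode only to give the analyst plaintext context; it makes no assumption about the encoding the botnet actually uses.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class TxtRecord(NamedTuple):
    name: str   # owner name the TXT record was returned for
    txt: str    # TXT character-strings joined together


class Verdict(NamedTuple):
    name: str
    verdict: str                        # "benign-known", "suspicious-encoded" or "unclassified"
    reason: str
    decoded_printable: Optional[str]    # base64 plaintext, when the blob decodes to printable ASCII


# Legitimate TXT uses whose payloads look like opaque blobs (ACME tokens, DKIM public keys).
KNOWN_NAME_LABELS = {"_acme-challenge", "_dmarc", "_domainkey"}
KNOWN_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=")
# One unbroken run of base64 / base64url / hex characters, no whitespace or punctuation.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/_=-]{24,}$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the payload."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64_printable(blob: str) -> Optional[str]:
    """Decode as standard base64 and return the plaintext only if it is printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_record(rec: TxtRecord, entropy_bits: float = 3.5) -> Verdict:
    labels = set(rec.name.lower().split("."))
    if labels & KNOWN_NAME_LABELS:
        return Verdict(rec.name, "benign-known", "owner name carries a standard service label", None)
    if rec.txt.startswith(KNOWN_TXT_PREFIXES):
        return Verdict(rec.name, "benign-known", "well-known TXT payload prefix", None)
    if BLOB_RE.match(rec.txt):
        bits = shannon_entropy(rec.txt)
        if bits >= entropy_bits:
            return Verdict(rec.name, "suspicious-encoded", f"opaque blob, {bits:.1f} bits/char",
                           try_base64_printable(rec.txt))
    return Verdict(rec.name, "unclassified", "no rule matched; review manually", None)


def triage(records: List[TxtRecord]) -> List[Verdict]:
    return [triage_record(r) for r in records]


# Constructed sample responses; none of these names or payloads come from real telemetry.
SAMPLE_RECORDS = [
    TxtRecord("example.com", "v=spf1 include:_spf.example.net -all"),
    TxtRecord("_dmarc.example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    TxtRecord("_acme-challenge.example.com", "dGhpc19pc19hX2NvbnN0cnVjdGVkX2FjbWVfdG9rZW4"),
    TxtRecord("cdn-update.example.net",
              base64.b64encode(b"constructed sample plaintext, not a real control record").decode()),
    TxtRecord("sync.example.net", "kQ9zLm2Xv7RtP4WnE8cYb3JhG6dA1sFoU5iVqK0wTjMx"),
    TxtRecord("notes.example.org", "office wifi password rotated on friday"),
]


if __name__ == "__main__":
    for v in triage(SAMPLE_RECORDS):
        extra = f" -> {v.decoded_printable!r}" if v.decoded_printable else ""
        print(f"{v.name:30} {v.verdict:20} {v.reason}{extra}")
```

The name-label exemption is the caveat that matters in practice: without it, every ACME renewal and DKIM selector in the zone would show up as a hit. Records that land in "unclassified" are not alerts, just payloads the rules do not know how to read.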


Targets and Observed Victimology

Cloudflare’s telemetry highlighted that a large share of the attacks — particularly in early observations — were directed at telecommunications infrastructures, which absorbed the majority of malicious traffic. Smaller proportions targeted IT services, gaming platforms, and internet infrastructure services.

The geographic focus of attacks was broad, including major activity against targets in the United States and parts of Asia.


Mitigation and Defense

  • Adaptive DDoS protection: Systems that adjust filtering sensitivity based on real-time traffic patterns.
  • Firewall rule tuning: Applying both positive (allow-list) and negative (deny-list) models to isolate expected traffic from anomalous floods.
  • Behavioral analysis: Detecting short-lived IP patterns and highly randomized traffic signatures that static blocklists miss.
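The three points in this list combine naturally into one enforcement loop: a positive model of what the protected service accepts, a negative model of sources that are never accepted, and a sensitivity value that tightens per-source budgets within one window of a flood and relaxes slowly afterwards. The Python filter below is an added example with constructed traffic, not Cloudflare's mitigation logic; the Sample schema, the 1000-packet base budget, the 0.8 decay factor and the extra penalty for sources seen in at most one window (the short-lived sources mentioned above) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Set, Tuple


class Sample(NamedTuple):
    """Packets from one source to one (proto, port) within a window. Constructed schema."""
    src: str
    proto: str
    dport: int
    count: int


@dataclass
class AdaptiveFilter:
    allowed: Set[Tuple[str, int]]                     # positive model: (proto, port) the service serves
    denied: Set[str] = field(default_factory=set)     # negative model: sources never accepted
    base_budget: int = 1000                           # per-source packets per window when calm
    decay: float = 0.8                                # how slowly sensitivity relaxes after a flood
    sensitivity: float = 0.0                          # 0.0 calm .. 1.0 all traffic out of profile
    seen: Dict[str, int] = field(default_factory=dict)  # source -> number of windows it appeared in

    def observe(self, samples: List[Sample]) -> float:
        """Fold one window of traffic into the filter state; returns the out-of-profile share."""
        total = sum(s.count for s in samples)
        bad = sum(s.count for s in samples if (s.proto, s.dport) not in self.allowed)
        anomaly = bad / total if total else 0.0
        # Jumps to the new anomaly level immediately but decays geometrically: it reacts within
        # one window to a zero-to-peak burst and does not relax the moment the burst pauses.
        self.sensitivity = max(anomaly, self.sensitivity * self.decay)
        for s in samples:
            self.seen[s.src] = self.seen.get(s.src, 0) + 1
        return anomaly

    def budget(self, src: str) -> int:
        """Packets per window this source may send before it is rate-limited."""
        b = self.base_budget * (1.0 - 0.9 * self.sensitivity)
        if self.seen.get(src, 0) <= 1:          # short-lived or brand-new source: tighter under stress
            b *= 1.0 - 0.5 * self.sensitivity
        return max(1, int(b))

    def decide(self, s: Sample) -> str:
        if s.src in self.denied:
            return "drop:denylist"
        if (s.proto, s.dport) not in self.allowed:
            return "drop:out-of-profile"
        if s.count > self.budget(s.src):
            return "rate-limit"
        return "allow"


def run_scenario() -> dict:
    """Two calm windows, one UDP flood window, one calm window; returns the observable decisions."""
    f = AdaptiveFilter(allowed={("tcp", 443), ("udp", 443)})
    f.denied.add("192.0.2.66")
    calm = [Sample("198.51.100.10", "tcp", 443, 80), Sample("198.51.100.11", "udp", 443, 60)]
    f.observe(calm)
    f.observe(calm)
    out = {"calm_budget": f.budget("198.51.100.10")}
    # Constructed flood: 100 sources never seen before, each hitting its own high UDP port.
    flood = [Sample(f"203.0.113.{i}", "udp", 10000 + i, 5000) for i in range(1, 101)]
    out["attack_anomaly"] = f.observe(calm + flood)
    out["attack_budget_known"] = f.budget("198.51.100.10")
    out["attack_budget_new"] = f.budget("203.0.113.1")
    out["flood_decision"] = f.decide(flood[0])
    out["known_client_decision"] = f.decide(calm[0])
    out["new_client_decision"] = f.decide(Sample("198.51.100.99", "tcp", 443, 80))
    out["denied_decision"] = f.decide(Sample("192.0.2.66", "tcp", 443, 1))
    f.observe(calm)
    out["sensitivity_after_calm"] = f.sensitivity
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:26} {value}")
```

In the scenario the established client keeps its in-profile traffic flowing through the flood window while the out-of-profile UDP is dropped outright, and a brand-new in-profile client arriving during the flood is rate-limited rather than trusted at full budget. The design choice worth noting is the asymmetry in observe(): sensitivity rises instantly because the attacks ramp from zero to peak in seconds, but it decays over several windows so that a flood pausing and resuming cannot reset the filter.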

What This Means for the Future

Aisuru’s emergence represents a new phase in DDoS warfare:

  • Hyper-volumetric attacks (>1 Tbps) are now routine, with dozens of such events weekly.
  • Botnets are commercialized as “DDoS-for-hire” services, lowering the barrier to launching infrastructure-crippling attacks.
  • Traditional perimeter defenses struggle against short, high-entropy traffic bursts that evade static filters.

For enterprises and network operators, the Aisuru case underscores the need for automated, scalable, and behavior-driven defenses, continuous threat intelligence sharing, and stronger IoT device security posture — before these botnets evolve further.