Microsoft Azure 15 Tbps DDoS Attack (Aisuru Botnet)
-
Attack overview
- Date: 17 Nov 2025
- Target: Azure public IP in Australia (Microsoft cloud services)
- Size: 15.72 Tbps (≈3.64 billion packets / sec)
- Source: >500,000 IP addresses belonging to the Aisuru IoT botnet
-
Aisuru botnet details
- Classified as a Turbo‑Mirai‑class botnet that compromises home routers, IP cameras, DVR/NVRs, and other IoT devices.
- Primary infection vectors: vulnerable Realtek chips, routers from T‑Mobile, Zyxel, D‑Link, Linksys, and a compromised TotoLink firmware‑update server (≈100 k devices added in Apr 2025).
- Operates high‑rate UDP floods with minimal source spoofing and random source ports, making traceback easier for providers.
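A defender's detection heuristic for the traffic profile just described, added here as an example that is not from the original note or from any vendor's tooling: it aggregates UDP flow records per destination and flags destinations hit at a high packet rate from many distinct (unspoofed) sources whose source ports are near-uniformly random, measured as Shannon entropy. The flow-record layout, thresholds and sample data are constructed assumptions.

```python
"""Flow-record heuristic for a many-source UDP flood with random source ports.
Added example; record layout, thresholds and sample data are assumptions."""
import math
import random
from collections import Counter, defaultdict

def source_port_entropy(ports):
    """Shannon entropy (bits) of the source-port distribution; ports drawn at
    random from the 16-bit space approach log2(len(ports)) for small samples."""
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in Counter(ports).values())

def detect_udp_floods(flows, window_s, min_pps=10_000, min_sources=1_000, min_entropy=8.0):
    """Aggregate the UDP flows of one time window per destination IP and return
    the destinations that look flooded: high packet rate, many distinct source
    addresses, and near-random source ports."""
    per_dst = defaultdict(lambda: {"pkts": 0, "srcs": set(), "ports": []})
    for f in flows:
        if f["proto"] != "udp":
            continue
        agg = per_dst[f["dst_ip"]]
        agg["pkts"] += f["packets"]
        agg["srcs"].add(f["src_ip"])
        agg["ports"].append(f["src_port"])
    alerts = {}
    for dst, agg in per_dst.items():
        pps = agg["pkts"] / window_s
        entropy = source_port_entropy(agg["ports"])
        if pps >= min_pps and len(agg["srcs"]) >= min_sources and entropy >= min_entropy:
            alerts[dst] = {"pps": pps, "sources": len(agg["srcs"]),
                           "port_entropy": round(entropy, 2)}
    return alerts

def constructed_flows(seed=1):
    """Constructed sample (not real telemetry): 50 benign DNS clients plus a
    2,000-source flood aimed at one public IP, all within a 60 s window."""
    rng = random.Random(seed)
    flows = []
    for i in range(50):  # benign clients reuse a narrow ephemeral-port range
        flows.append({"src_ip": f"10.0.0.{i}", "src_port": rng.randint(32768, 32800),
                      "dst_ip": "203.0.113.10", "dst_port": 53, "proto": "udp", "packets": 20})
    for i in range(2000):  # bots: distinct unspoofed addresses, random source ports
        flows.append({"src_ip": f"198.51.{i // 256}.{i % 256}",
                      "src_port": rng.randint(1024, 65535), "dst_ip": "203.0.113.20",
                      "dst_port": rng.randint(1, 65535), "proto": "udp", "packets": 5_000})
    return flows
```

Calling `detect_udp_floods(constructed_flows(), window_s=60)` reports only the flooded address, with its packet rate, source count and port entropy; the DNS resolver stays below every threshold.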
-
Related incidents
- September 2025: Cloudflare mitigated a record‑breaking 22.2 Tbps DDoS attack (10.6 Bpps) also linked to Aisuru.
- Early 2025: XLab (Qi’anxin) reported an 11.5 Tbps Aisuru‑driven attack, noting ~300 k bots at the time.
- The botnet has been used to flood Cloudflare’s DNS resolver (1.1.1.1) to inflate malicious domain popularity, prompting Cloudflare to remove those domains from its “Top Domains” list.
-
Impact & mitigation
- Azure’s mitigation systems absorbed the traffic; services remained operational after the attack subsided.
- Cloudflare’s 2025 Q1 DDoS report highlighted a 198 % QoQ and 358 % YoY increase in attack volume, with 21.3 M attacks on customers and 6.6 M on its own infrastructure in 2024.
-
Key takeaways
- IoT botnets continue to scale dramatically, exploiting poorly secured consumer devices.
- Large‑scale UDP‑based DDoS attacks can reach multi‑terabit per second magnitudes, stressing even major cloud providers.
- Continuous monitoring, rapid mitigation, and coordinated remediation of vulnerable IoT firmware are essential to curb future attacks.