Aisuru Botnet Launches Record-Breaking 31.4 Tbps DDoS Attack, Cloudflare Resilient

Unprecedented 31.4 Tbps DDoS Attack by Aisuru Botnet Sets New Record

In a significant escalation of cyber threats, the Aisuru/Kimwolf botnet launched the largest publicly disclosed distributed denial-of-service (DDoS) attack to date, peaking at an unprecedented 31.4 terabits per second (Tbps). The assault, which Cloudflare named the Night Before Christmas campaign, began on December 19, 2025 and targeted Cloudflare's infrastructure and its customers with hyper-volumetric attacks. The campaign combined Layer 4 (network/transport-layer) DDoS attacks at record bandwidths with application-layer HTTP floods exceeding 200 million requests per second (rps).

Escalation in DDoS Threat Landscape

The Night Before Christmas attack signifies a substantial escalation in the DDoS threat landscape, surpassing the previous record of 29.7 Tbps set by the same Aisuru botnet in September 2025. The traffic came from compromised Android TV devices: millions of unofficial Android streaming boxes enrolled in the botnet generated the attack volume.

The 31.4 Tbps peak exceeds the advertised mitigation capacity of several providers. Against the capacities the page cites for Akamai Prolexic (20 Tbps), Netscout Arbor Cloud (15 Tbps) and Imperva (13 Tbps), a 31.4 Tbps peak would be roughly 157%, 209% and 242% of capacity respectively. That is a worst-case arithmetic comparison: it assumes the entire peak lands on one provider's scrubbing capacity, and vendor capacity figures are self-reported and change over time.

Attack Distribution and Characteristics

The hyper-volumetric assault comprised thousands of individual attacks, each exhibiting distinct patterns indicative of sophisticated coordination by the botnet operators.

– Attack Intensity: Analysis revealed that 90.3% of attacks peaked at 1-5 Tbps, 5.5% at 5-10 Tbps, and 0.1% exceeded 30 Tbps.

– Packet Rate: From a packet rate perspective, 94.5% of attacks generated between 1-5 billion packets per second (Bpps), 4% peaked between 5-10 Bpps, and 1.5% reached 10-15 Bpps.

– Duration: Attack durations showed a preference for short, intense bursts that end before a slow mitigation pipeline engages. 9.7% of attacks lasted under 30 seconds, 27.1% ran 30-60 seconds, a majority of 57.2% ran 60-120 seconds, and only 6% exceeded two minutes, suggesting the operators optimized for rapid-fire volleys rather than sustained pressure.
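The duration figures above are the attacker's side of a race against time-to-mitigate: a burst that ends before the detector confirms an attack is never mitigated, and everything sent before confirmation reaches the target. The following is an added example, not Cloudflare's code or data. It builds a constructed per-second bandwidth series (a flat 50 Gbps baseline with one 2.4 Tbps burst), runs it through a simple threshold-plus-confirmation detector, and measures how much of the burst leaks before mitigation engages for burst lengths chosen to match the page's duration buckets. The detector, the series and all thresholds are hypothetical.

```python
"""
Burst length vs. time-to-mitigate.

Added example, not Cloudflare's code or data: a constructed per-second
bandwidth series (Gbps) with a single burst is run through a hypothetical
threshold-plus-confirmation detector to measure how much of the burst
reaches the target before mitigation engages.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectorConfig:
    multiplier: float  # fire when a sample exceeds multiplier * baseline
    confirm_secs: int  # consecutive over-threshold seconds before mitigating


def build_series(baseline_gbps=50, burst_gbps=2400, start=30, duration=90, total=240):
    """Constructed per-second samples: flat baseline with one burst."""
    return [burst_gbps if start <= t < start + duration else baseline_gbps
            for t in range(total)]


def detect(series, baseline_gbps, cfg):
    """Second at which mitigation becomes active, or None if never confirmed.

    A burst that stays under multiplier*baseline, or that lasts fewer than
    confirm_secs seconds, is never confirmed: that is the gap short bursts exploit.
    """
    threshold = cfg.multiplier * baseline_gbps
    over = 0
    for t, sample in enumerate(series):
        over = over + 1 if sample > threshold else 0
        if over >= cfg.confirm_secs:
            return t
    return None


def leakage(series, baseline_gbps, cfg):
    """Attack traffic (Gbit above baseline) that lands before mitigation starts."""
    mitigated_at = detect(series, baseline_gbps, cfg)
    excess = [max(s - baseline_gbps, 0) for s in series]
    total = sum(excess)
    leaked = total if mitigated_at is None else sum(excess[:mitigated_at])
    return {
        "mitigated_at": mitigated_at,
        "attack_gbit": total,
        "leaked_gbit": leaked,
        "leaked_fraction": leaked / total if total else 0.0,
    }


def sweep(cfg, durations=(20, 45, 90, 150), baseline_gbps=50, burst_gbps=2400):
    """Leakage for burst lengths chosen to match the page's duration buckets."""
    return {d: leakage(build_series(baseline_gbps, burst_gbps, duration=d, total=300),
                       baseline_gbps, cfg)
            for d in durations}


if __name__ == "__main__":
    for cfg in (DetectorConfig(multiplier=5.0, confirm_secs=30),
                DetectorConfig(multiplier=5.0, confirm_secs=3)):
        print(f"confirm={cfg.confirm_secs}s")
        for d, r in sweep(cfg).items():
            print(f"  burst {d:>3}s: mitigated_at={r['mitigated_at']}, "
                  f"leaked={r['leaked_fraction']:.0%}")
```

With a 30-second confirmation window a 20-second burst is never mitigated at all and a 90-second burst leaks about a third of its volume; cutting confirmation to 3 seconds leaves only the first two seconds unmitigated. The design point is that confirmation windows sized for sustained attacks are exactly what a volley of one-to-two-minute bursts is tuned to slip under.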

Targeted Industries and Geographic Distribution

The campaign concentrated on a handful of high-value sectors:

– Gaming Companies: Bore the brunt of the attacks, accounting for 42.5% of hyper-volumetric attacks.

– Information Technology and Services Organizations: Represented 15.3% of targets.

– Telecommunications Providers: Accounted for 2.2% of targets.

– Other Sectors: Internet service providers, gambling operations, and computer software firms comprised the remaining top-tier targets.

Geographically, the United States absorbed 30.8% of all hyper-volumetric network-layer attacks, making it the primary target. China faced 7.7%, and Hong Kong received 3.2%. Other affected countries included Brazil (1.9%), the United Kingdom (1.8%), Germany (1.7%), Canada (0.7%), India (0.6%), Switzerland (0.6%), and Taiwan (0.2%).

Aisuru/Kimwolf Botnet Evolution

The Aisuru botnet has evolved into one of the most formidable DDoS threats in modern internet history. Its Android-focused variant, Kimwolf, emerged in August 2025. Security researchers at Synthient documented that Kimwolf infected over 2 million unofficial Android TV devices, exploiting residential proxy networks to establish a distributed command-and-control infrastructure.

The botnet gained widespread attention in October 2025 when it temporarily claimed the top position in Cloudflare’s global domain rankings through massive traffic generation. Lumen Technologies’ Black Lotus Labs has been closely monitoring the botnet’s activities, noting its rapid expansion and increasing sophistication.

Attack Infrastructure Sources

The global attack source distribution revealed significant shifts in the geographic origins of malicious traffic during Q4 2025:

– Bangladesh: Emerged as the largest source of DDoS attacks, dethroning Indonesia, which dropped to third place.

– Ecuador: Ranked second.

– Argentina: Rose 20 places to become the fourth-largest source.

Other significant attack sources included Hong Kong (5th), Ukraine (6th), Vietnam (7th), Taiwan (8th), Singapore (9th), and Peru (10th). The same section reports Russia dropping five ranks to tenth place and the United States falling four positions to sixth; those positions conflict with the list above (which has Ukraine sixth and Peru tenth), and the page does not reconcile the two sets of figures.

Analysis of attack source networks revealed that threat actors primarily exploited cloud computing platforms and telecommunications infrastructure.

– Cloud Providers: DigitalOcean (AS 14061), Microsoft (AS 8075), Tencent, Oracle, and Hetzner accounted for half of the top 10 source networks, reflecting abuse of easily provisioned virtual machines for high-volume attacks.

– Telecommunications Providers: From the Asia-Pacific region, particularly Vietnam, China, Malaysia, and Taiwan, comprised the remaining top-tier sources.
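Ranking source networks as above starts with mapping each attacking source address to the network that announces it and summing attack volume per network. The following is an added example, not Cloudflare's analysis code or data: it matches constructed flow records against a constructed prefix table by longest-prefix match and ranks the resulting networks by bytes. The prefixes are RFC 5737 documentation ranges and the AS numbers are from the private-use/documentation block, so nothing here maps to a real operator; a production version would replace the table with a routing-table or WHOIS-derived dataset and a proper prefix trie.

```python
"""
Attributing attack traffic to source networks.

Added example, not Cloudflare's code or data: constructed flow records are
matched to a constructed prefix-to-network table by longest-prefix match and
aggregated to rank source networks by attack bytes.
"""
import ipaddress
from collections import defaultdict

# Constructed lookup table: RFC 5737 documentation prefixes and documentation
# AS numbers (AS64496-AS64511). None of this maps to a real operator.
PREFIX_TABLE = [
    ("192.0.2.0/24", "AS64496", "cloud-a"),
    ("192.0.2.128/25", "AS64497", "cloud-b"),   # more specific than the /24 above
    ("198.51.100.0/24", "AS64498", "telco-c"),
    ("203.0.113.0/24", "AS64499", "telco-d"),
]

# Constructed flow records (src_ip, bytes). Not real attack traffic.
FLOWS = [
    ("192.0.2.10", 5_000_000),
    ("192.0.2.200", 4_000_000),   # inside the /25, so it belongs to cloud-b
    ("198.51.100.7", 1_000_000),
    ("203.0.113.9", 2_500_000),
    ("192.0.2.11", 3_000_000),
    ("10.0.0.5", 700_000),        # not in the table: unattributed
]


def build_table(rows):
    """Parse prefixes once and sort most-specific first, so the first hit
    in a linear scan is the longest match."""
    table = [(ipaddress.ip_network(p), asn, name) for p, asn, name in rows]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table, ip):
    """Return (asn, name) for the most specific prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:
            return asn, name
    return None


def rank_sources(flows, table):
    """Sum bytes per source network, descending; unmatched flows grouped as
    'unattributed' rather than silently dropped."""
    totals = defaultdict(int)
    for ip, nbytes in flows:
        hit = lookup(table, ip)
        key = f"{hit[0]} ({hit[1]})" if hit else "unattributed"
        totals[key] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    grand = sum(b for _, b in FLOWS)
    for key, nbytes in rank_sources(FLOWS, table):
        print(f"{key:<22} {nbytes:>10} bytes  {nbytes / grand:6.1%}")
```

The longest-prefix rule matters in practice: a more specific announcement (the /25 here) often belongs to a different tenant or reseller than the covering block, and attributing it to the covering network misstates who is actually sourcing the traffic. Keeping an explicit unattributed bucket shows how much of the volume the table failed to explain.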

Mitigation and Resilience

Despite the unprecedented scale of the Night Before Christmas campaign, Cloudflare’s infrastructure demonstrated resilience with its 449 Tbps total mitigation capacity across 330 points of presence (PoPs).

The 31.4 Tbps peak amounted to about 7% of that capacity (31.4/449). The automated detection and mitigation systems absorbed the hyper-volumetric attacks without triggering internal alerts or requiring human intervention, which the page credits to machine-learning-based defenses. Note that the 7% figure is measured against aggregate capacity: with anycast, attack traffic is spread across the points of presence closest to its sources, so the practical question is headroom at the busiest PoPs, which the page does not report.

The campaign underscores the importance of massive-scale DDoS mitigation capacity as attack volumes keep climbing. Organizations relying on providers with limited capacity face outright outages rather than degraded service, since this single attack would, on paper, have exceeded the total mitigation capacity of several competing services.

Conclusion

The 31.4 Tbps DDoS attack orchestrated by the Aisuru/Kimwolf botnet marks a new milestone in the scale and sophistication of cyber threats. It highlights the evolving tactics of threat actors and the necessity for robust, scalable defense mechanisms to protect critical infrastructure and services. As DDoS attacks continue to grow in magnitude, organizations must prioritize advanced mitigation strategies to safeguard against these increasingly potent threats.