Microsoft Thwarts Unprecedented 15.72 Tbps DDoS Attack Orchestrated by AISURU Botnet
In a remarkable display of cybersecurity resilience, Microsoft has successfully mitigated a colossal distributed denial-of-service (DDoS) attack that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). This unprecedented assault targeted a single endpoint in Australia and stands as the largest DDoS attack ever recorded in the cloud domain.
The Attack Dynamics
The attack was characterized by high-rate User Datagram Protocol (UDP) floods aimed at a specific public IP address. It originated from over 500,000 source IPs spanning various regions. Notably, these UDP bursts exhibited minimal source spoofing and utilized random source ports, simplifying traceback efforts and facilitating provider enforcement.
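As an added example (not from the article, and not Microsoft's own tooling), the following Python sketch shows how a defender might flag the pattern described above in flow telemetry: UDP volume concentrated on one destination, many distinct sources, high source-port entropy and, because spoofing was minimal, source addresses grouped by prefix for upstream abuse reports. The flow records, thresholds, one-second window and /24 grouping are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed flow records (not real telemetry):
# (proto, src_ip, src_port, dst_ip, dst_port, packets in the window).
# Eight distinct sources hit one target with random source ports; two
# ordinary DNS flows are included so the detector has something to ignore.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.10", 51234, "203.0.113.5", 80, 900_000_000),
    ("udp", "198.51.100.77", 40011, "203.0.113.5", 80, 850_000_000),
    ("udp", "198.51.101.3", 62023, "203.0.113.5", 80, 700_000_000),
    ("udp", "192.0.2.44", 33920, "203.0.113.5", 80, 650_000_000),
    ("udp", "192.0.2.45", 58877, "203.0.113.5", 80, 400_000_000),
    ("udp", "192.0.2.200", 49102, "203.0.113.5", 80, 300_000_000),
    ("udp", "198.51.100.12", 54321, "203.0.113.5", 80, 250_000_000),
    ("udp", "198.51.100.99", 60666, "203.0.113.5", 80, 200_000_000),
    ("udp", "192.0.2.9", 53, "203.0.113.9", 53, 120),
    ("udp", "198.51.100.2", 53, "203.0.113.9", 53, 80),
]
WINDOW_SECONDS = 1  # assumed export interval of the constructed records


def shannon_entropy(values):
    """Entropy in bits over a list of values; random source ports score high."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def detect_udp_floods(flows, pps_threshold=1_000_000, min_sources=5, min_port_entropy=2.0):
    """Return {target_ip: summary} for destinations whose UDP traffic looks like a flood."""
    by_target = defaultdict(list)
    for proto, src_ip, src_port, dst_ip, _dst_port, packets in flows:
        if proto == "udp":
            by_target[dst_ip].append((src_ip, src_port, packets))
    alerts = {}
    for target, entries in by_target.items():
        pps = sum(p for _, _, p in entries) / WINDOW_SECONDS
        sources = {s for s, _, _ in entries}
        entropy = shannon_entropy([sp for _, sp, _ in entries])
        if pps >= pps_threshold and len(sources) >= min_sources and entropy >= min_port_entropy:
            # Minimal spoofing makes source prefixes actionable: group them
            # so each upstream provider can be sent one consolidated report.
            prefixes = Counter(str(ip_network(f"{s}/24", strict=False)) for s in sources)
            alerts[target] = {"pps": pps, "sources": len(sources),
                              "port_entropy": round(entropy, 2), "prefixes": dict(prefixes)}
    return alerts
```

In production the thresholds would be baselined per endpoint rather than fixed, and the prefix grouping would map to ASNs via a routing table instead of a flat /24.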
The AISURU Botnet
At the heart of this massive attack was the AISURU botnet, a formidable network of compromised Internet of Things (IoT) devices. According to data from QiAnXin XLab, AISURU comprises nearly 300,000 infected devices, predominantly routers, security cameras, and DVR systems. This botnet has been linked to some of the most significant DDoS attacks in recent history.
Operational Characteristics of AISURU
AISURU operates with a restricted clientele, implementing preventive measures to avoid targeting governmental, law enforcement, military, and other national security entities. Most observed AISURU attacks have been associated with the online gaming sector. Beyond DDoS attacks exceeding 20 Tbps, AISURU facilitates other illicit activities, including credential stuffing, AI-driven web scraping, spamming, and phishing. Additionally, it incorporates a residential proxy service, further enhancing its capabilities.
The Evolving Threat Landscape
The scale of this attack underscores the evolving nature of cyber threats. As internet infrastructure advances, with higher fiber-to-the-home speeds and more powerful IoT devices, the baseline for attack sizes continues to escalate. Microsoft’s successful mitigation of this attack highlights the critical importance of robust cybersecurity measures in the face of increasingly sophisticated threats.
Broader Implications
The disclosure of this attack coincides with reports from NETSCOUT detailing another TurboMirai botnet known as Eleven11 (also referred to as RapperBot). This botnet is estimated to have launched approximately 3,600 DDoS attacks powered by hijacked IoT devices between late February and August 2025. Some command-and-control servers associated with Eleven11 are registered with the .libre top-level domain, part of OpenNIC, an alternative DNS root operated independently of ICANN. This TLD has been utilized by other DDoS botnets, including CatDDoS and Fodcha.
The Ongoing Challenge
Although the Eleven11 botnet has likely been rendered inoperable, compromised devices remain vulnerable. It is only a matter of time before these hosts are hijacked again and conscripted into new botnets. This ongoing cycle emphasizes the need for continuous vigilance and proactive cybersecurity measures to protect against the ever-evolving threat landscape.
Conclusion
Microsoft’s successful mitigation of the 15.72 Tbps DDoS attack orchestrated by the AISURU botnet marks a significant milestone in cybersecurity defense. However, it also serves as a stark reminder of the escalating scale and sophistication of cyber threats. Organizations must remain vigilant, continuously updating and strengthening their security protocols to safeguard against such formidable attacks.