Azure Withstands 15.72 Tbps DDoS Attack From Half-Million Compromised Devices
Microsoft's Azure cloud platform absorbed a massive distributed denial-of-service attack from the Aisuru botnet, peaking at 15.72 terabits per second with traffic originating simultaneously from 500,000 IP addresses.
The Attack
The assault targeted a specific Azure public IP address in Australia using UDP flooding techniques. Attack intensity reached 3.64 billion packets per second—each compromised device in the botnet contributing to the torrent of malicious traffic.
The attack exhibited unusual characteristics: the UDP traffic used minimal source IP spoofing and targeted random destination ports. These patterns made the traffic easier to trace to its sources and allowed infrastructure providers to apply mitigation more effectively than against typical sophisticated DDoS campaigns.
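The low-spoofing, random-destination-port pattern described above is what a provider or large target can key on in flow telemetry. The following Go program is an added example, not Microsoft's or any vendor's code; it scores constructed NetFlow-style records (the record shape, the thresholds and the 192.0.2.0/24, 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are assumptions) by total UDP packets, distinct source addresses and distinct destination ports per destination, which separates a port-spraying flood from a busy but legitimate UDP service.

```go
package main
import "fmt"

// FlowRecord is a simplified NetFlow-style record (constructed shape for this example).
type FlowRecord struct {
	SrcIP, DstIP, Proto string
	DstPort, Packets    int
}
type dstStats struct { // per-destination UDP accumulator
	packets int
	sources map[string]bool // distinct (unspoofed) source IPs
	ports   map[int]bool    // distinct destination ports hit
}

// FindUDPFloodTargets flags destinations receiving at least minPkts UDP packets from at least
// minSrcs sources across at least minPorts ports: a real service is hit on a few ports, a spray on hundreds.
func FindUDPFloodTargets(flows []FlowRecord, minPkts, minSrcs, minPorts int) []string {
	byDst := map[string]*dstStats{}
	for _, f := range flows {
		if f.Proto != "udp" { // the pattern described above is pure UDP
			continue
		}
		s := byDst[f.DstIP]
		if s == nil {
			s = &dstStats{sources: map[string]bool{}, ports: map[int]bool{}}
			byDst[f.DstIP] = s
		}
		s.packets += f.Packets
		s.sources[f.SrcIP], s.ports[f.DstPort] = true, true
	}
	var hits []string
	for dst, s := range byDst {
		if s.packets >= minPkts && len(s.sources) >= minSrcs && len(s.ports) >= minPorts {
			hits = append(hits, dst)
		}
	}
	return hits
}

// SampleFlows builds constructed records: 40 bots spraying pseudo-random ports at 203.0.113.10
// (5 records each) while the same addresses also query DNS normally at 198.51.100.53 on port 53 only.
func SampleFlows() (flows []FlowRecord) {
	for i := 0; i < 200; i++ {
		src := fmt.Sprintf("192.0.2.%d", i%40+1)
		flows = append(flows, FlowRecord{src, "203.0.113.10", "udp", 1024 + i*131, 50},
			FlowRecord{src, "198.51.100.53", "udp", 53, 20})
	}
	return flows
}
func main() { fmt.Println("flood targets:", FindUDPFloodTargets(SampleFlows(), 1000, 20, 50)) }
```

On the constructed sample only 203.0.113.10 is flagged: the DNS resolver receives as many sources but on a single port, which is the discriminator the random-port pattern hands a defender.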
"The attack originated from the Aisuru botnet—a Turbo Mirai-class IoT botnet that regularly carries out record-breaking DDoS attacks by exploiting compromised home routers and cameras, primarily within ISP networks in the US and other countries," Microsoft researchers explained.
Aisuru's Growing Threat
This attack represents the latest escalation in Aisuru's capabilities:
September 2025 - Cloudflare - The botnet launched a record 22.2 Tbps attack that peaked at 10.6 billion packets per second but lasted only 40 seconds. Cloudflare researchers noted this traffic volume equaled every person on Earth refreshing a webpage 1.3 times per second.
August 2025 - Qianxin Xlab - Chinese security researchers recorded an 11.5 Tbps Aisuru attack. The botnet controlled over 300,000 devices worldwide at that time.
April 2025 - Botnet Expansion - Aisuru experienced dramatic growth after compromising a Totolink router update server, allowing the botnet to push malicious firmware to legitimate devices during routine updates.
Vulnerable Devices
Aisuru exploits security flaws in common consumer and small business devices:
- IP cameras
- DVRs and NVRs (network video recorders)
- Devices with Realtek chips
- T-Mobile routers
- Zyxel routers
- D-Link routers
- Linksys routers
- Totolink routers (via compromised update infrastructure)
The botnet's foundation comes from Mirai variants—malware that targets IoT devices with default credentials, unpatched vulnerabilities, and weak security configurations. Once compromised, devices become attack infrastructure without owner knowledge.
Beyond DDoS: Gaming Cloudflare's Rankings
Aisuru operators expanded beyond traditional DDoS attacks to manipulate internet infrastructure metrics. As cybersecurity journalist Brian Krebs reported, Cloudflare removed several Aisuru-controlled domains from its public Top Domains ranking—a list showing the most popular sites by DNS query volume.
The botnet flooded Cloudflare's 1.1.1.1 DNS resolver with malicious queries, artificially inflating domain popularity metrics. Aisuru domains began ranking above Amazon, Microsoft, and Google—undermining trust in the ranking system.
Cloudflare CEO Matthew Prince confirmed the botnet's behavior significantly impacted ranking algorithms. The company now edits or removes suspicious domains to prevent future manipulation.
This tactic demonstrates sophisticated understanding of internet infrastructure: DNS query volume serves as a proxy for website legitimacy and popularity. By gaming these metrics, botnet operators could make malicious domains appear trustworthy, potentially supporting phishing campaigns, malware distribution, or command-and-control infrastructure.
The IoT Security Problem
Aisuru's scale—500,000 compromised devices for a single attack—highlights the persistent failure of IoT security:
Manufacturer Problems:
- Default credentials remain common (username: admin, password: admin)
- Firmware updates delivered without cryptographic verification
- No automatic security updates for consumer devices
- Support lifecycle ends while devices remain deployed for years
User Problems:
- Devices configured once and never updated
- Default passwords unchanged
- Devices exposed directly to internet without firewall protection
- No visibility into device compromise
ISP Problems:
- Limited filtering of malicious traffic originating from customer networks
- Minimal detection of compromised customer equipment
- Economic disincentives to implement network-level protections
The Totolink update server compromise exemplifies the systemic failure: attackers compromised legitimate update infrastructure, turning routine security maintenance into a malware distribution channel. Users doing the "right thing" by keeping firmware updated became victims.
Mitigation and Defense
For enterprises facing Aisuru-scale attacks, traditional mitigation strategies provide limited protection: 15.72 Tbps exceeds the total capacity of most corporate internet connections by orders of magnitude. Defense requires upstream filtering through:
- Cloud-based DDoS protection services
- ISP-level traffic scrubbing
- Anycast network distribution
- Rate limiting at provider edge
Microsoft's Azure platform absorbed this attack through massive infrastructure scale and distributed mitigation—resources unavailable to smaller organizations.
For device owners unwittingly contributing to botnets:
- Change default credentials immediately on all IoT devices
- Disable remote management unless absolutely required
- Update firmware from manufacturer websites, not automatic updates
- Place IoT devices behind firewalls on isolated network segments
- Monitor for unusual traffic patterns from home networks
For manufacturers, solutions require architectural changes: cryptographically signed firmware updates, mandatory password changes on first use, automatic security updates, and end-of-life device decommissioning that prevents future compromise.
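The signed-update recommendation above, and the unverified-update failure it addresses in the Totolink incident, as an added Go example that is not Totolink's or any vendor's code: the device pins the vendor's Ed25519 public key at manufacture and checks both the signature and the version of every package before flashing, so a compromised update server can serve a modified or stale image but cannot get it accepted (the UpdatePackage format, the version scheme and the demo key handling are assumptions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is what an update server hands to a device (constructed format for this example).
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte // vendor's Ed25519 signature over signedDigest(Version, Image)
}

// signedDigest binds the version number to the image hash, so a valid signature on one
// image cannot be replayed under a different version number or with a different image.
func signedDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write(binary.BigEndian.AppendUint32(nil, version))
	h.Write(image)
	return h.Sum(nil)
}
// SignUpdate is the vendor-side step; the private key never lives on the update server.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{version, image, ed25519.Sign(priv, signedDigest(version, image))}
}

// VerifyUpdate is the device-side check against a public key pinned in firmware at manufacture.
// A compromised update server can change what it serves but cannot forge the signature, and
// the rollback check stops it from re-serving an older, validly signed but vulnerable image.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	if !ed25519.Verify(pinned, signedDigest(pkg.Version, pkg.Image), pkg.Signature) {
		return errors.New("reject: signature invalid for this image/version")
	}
	if pkg.Version <= installed {
		return errors.New("reject: rollback to a version <= installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keypair; a real pub is pinned at the factory
	good := SignUpdate(priv, 2, []byte("firmware v2 image"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))
	good.Image = []byte("firmware v2 image + implant") // what a compromised server would serve
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, good))
}
```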
The Escalation Continues
Aisuru's progression from 11.5 Tbps (August) to 22.2 Tbps (September) to 15.72 Tbps (November) demonstrates consistent capability to launch attacks that exceed most organizations' ability to defend independently.
The botnet's expansion shows no signs of slowing—each new vulnerable device model discovered provides additional attack infrastructure. The Totolink update server compromise provides a template for scaling: compromise legitimate update channels to mass-infect devices.
Until IoT security improves fundamentally—through regulation, manufacturer accountability, or ISP enforcement—botnets like Aisuru will continue growing, launching progressively larger attacks that test the resilience of internet infrastructure itself.
Azure survived this attack. Smaller targets might not.