Microsoft on Monday disclosed that it automatically detected and mitigated a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia. The attack peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps), a scale Microsoft described as unprecedented.
The company said it was the largest cloud-based DDoS attack ever recorded and attributed it to AISURU, a TurboMirai-class Internet of Things (IoT) botnet. Microsoft has not identified the target.
“The attack involved extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions,” Microsoft’s Sean Whalen said.
“These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement.”
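The traffic profile Whalen describes (a very high packet rate from hundreds of thousands of sources, little source spoofing, random source ports) is something a defender can measure directly from flow records. The following is an added example, not Microsoft's or NETSCOUT's tooling: it builds a constructed set of flow records (a fixed pool of unspoofed "bot" addresses flooding a TEST-NET placeholder target on UDP with random ephemeral ports, plus a trickle of legitimate TCP) and summarises peak pps, source spread, source-port diversity, and how many sources recur across seconds. Recurring sources are the crude indicator that addresses are real rather than spoofed, which is what makes traceback and provider enforcement practical. The record layout, addresses, and thresholds are all assumptions.

```python
"""Characterising a UDP flood from flow records: peak rate, source spread,
source-port randomness and a crude spoofing indicator.
Added example, not Microsoft's or NETSCOUT's code; the flow layout, the
placeholder addresses and the sample traffic are constructed assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress
import random


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the record covers
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str     # "udp" or "tcp"
    packets: int


TARGET = "203.0.113.10"   # TEST-NET-3 placeholder for the attacked IP (assumption)


def make_sample_flows(bots=300, seconds=10, per_second=200, seed=7):
    """Constructed sample traffic, not captured data: a fixed pool of bot
    addresses (unspoofed, so they recur across seconds) hammering TARGET on
    UDP with random ephemeral source ports, plus one legitimate TCP flow/s."""
    rng = random.Random(seed)
    pool = [str(ipaddress.IPv4Address(rng.randrange(0x0B000000, 0x7F000000)))
            for _ in range(bots)]
    flows = []
    for ts in range(1_700_000_000, 1_700_000_000 + seconds):
        for _ in range(per_second):
            flows.append(Flow(ts, rng.choice(pool), rng.randrange(1024, 65536),
                              TARGET, 443, "udp", rng.randrange(500, 2000)))
        flows.append(Flow(ts, "198.51.100.7", 51234, TARGET, 443, "tcp", 5))
    return flows


def summarize_udp_flood(flows, dst_ip):
    """Per-target UDP summary: peak packets/second, distinct sources, share of
    sources seen in more than one second (real addresses recur; randomly
    spoofed ones almost never do), and source-port diversity (distinct ports
    per flow; close to 1.0 means the ports are effectively random)."""
    udp = [f for f in flows if f.proto == "udp" and f.dst_ip == dst_ip]
    pps = Counter()
    seconds_seen = defaultdict(set)
    ports = set()
    for f in udp:
        pps[f.ts] += f.packets
        seconds_seen[f.src_ip].add(f.ts)
        ports.add(f.src_port)
    n_src = len(seconds_seen)
    recurring = sum(1 for s in seconds_seen.values() if len(s) > 1)
    return {
        "udp_flows": len(udp),
        "peak_pps": max(pps.values(), default=0),
        "distinct_sources": n_src,
        "recurring_source_share": recurring / n_src if n_src else 0.0,
        "port_diversity": len(ports) / len(udp) if udp else 0.0,
    }


def top_sources(flows, dst_ip, n=5):
    """Highest-volume UDP sources toward dst_ip: the list you would hand to
    upstream providers for traceback and enforcement."""
    by_src = Counter()
    for f in flows:
        if f.proto == "udp" and f.dst_ip == dst_ip:
            by_src[f.src_ip] += f.packets
    return by_src.most_common(n)


if __name__ == "__main__":
    sample = make_sample_flows()
    print(summarize_udp_flood(sample, TARGET))
    print(top_sources(sample, TARGET))
```

On real telemetry the same summary is read from NetFlow/IPFIX or sFlow exports; sampled flow data understates packet counts by the sampling ratio, so scale `peak_pps` accordingly before comparing against the figures Microsoft reported.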
According to data from QiAnXin XLab, AISURU is powered by nearly 300,000 infected devices, primarily routers, security cameras, and DVR systems, and has driven some of the largest DDoS attacks on record. In a report published last month, NETSCOUT described the DDoS-for-hire service as operating with a restricted clientele.
“Operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties,” the company said. “Most observed Aisuru attacks to date appear to be related to online gaming.”
Botnets like AISURU are multi-purpose. Beyond DDoS attacks exceeding 20 Tbps, they are used for credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing, and AISURU also operates a residential proxy service.
“Attackers are scaling with the internet itself. As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing,” Microsoft said.
The disclosure coincides with NETSCOUT's analysis of another TurboMirai botnet, Eleven11 (aka RapperBot). NETSCOUT estimated that the botnet launched roughly 3,600 DDoS attacks from hijacked IoT devices between late February and August 2025, a period that ended with authorities reporting an arrest and the dismantling of the botnet.
NETSCOUT also noted that some of the command-and-control (C2) servers linked to the operation use the ".libre" top-level domain (TLD), part of OpenNIC, an alternative DNS root independent of ICANN that has previously been adopted by other DDoS botnets such as CatDDoS and Fodcha.
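Because OpenNIC TLDs such as .libre do not exist in the ICANN root, any device on a corporate or ISP network that asks for one is worth a look. The following is an added example, not NETSCOUT's detection logic: it scans constructed DNS query log lines (the line format is an assumption, loosely modelled on a resolver query log) and flags names whose last label is an OpenNIC TLD. The TLD list is partial and should be checked against OpenNIC's current list; the hostnames in the sample are placeholders, not observed C2 names.

```python
"""Flag DNS queries for names under alternative-root (OpenNIC) TLDs such as
.libre, which an ICANN-rooted resolver can never answer.
Added example, not NETSCOUT's code; log format and sample lines are
constructed assumptions, and the TLD list is partial."""
import re
from collections import Counter

# Partial list of OpenNIC-operated TLDs (assumption: verify against opennic.org).
# .libre is the one NETSCOUT observed on Eleven11/RapperBot C2 servers.
OPENNIC_TLDS = frozenset({
    "libre", "geek", "oss", "indy", "parody", "pirate", "bbs", "null",
    "o", "dyn", "oz", "gopher", "chan", "neo", "cyb", "epic",
})

# Constructed sample log, not real telemetry. Names are placeholders.
SAMPLE_LOG = """\
2025-09-01T12:00:01Z client=10.0.0.5 query=A name=update.example.com
2025-09-01T12:00:02Z client=10.0.0.9 query=A name=c2-example.libre
2025-09-01T12:00:03Z client=10.0.0.9 query=A name=fallback.c2-example.LIBRE.
2025-09-01T12:00:04Z client=10.0.0.12 query=AAAA name=mail.example.org
2025-09-01T12:00:05Z client=10.0.0.5 query=A name=libre.example.net
2025-09-01T12:00:06Z client=10.0.0.21 query=A name=mirror.geek
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qtype>\S+) name=(?P<name>\S+)$"
)


def parse_dns_line(line):
    """Return the fields of one query line as a dict, or None if it does not
    match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tld_of(name):
    """Last DNS label, lower-cased, ignoring a trailing dot (FQDN form)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def is_alt_root_name(name, tlds=OPENNIC_TLDS):
    """True when the name's TLD is in the alternative-root set. Only the last
    label counts, so 'libre.example.net' is an ordinary ICANN name."""
    return tld_of(name) in tlds


def scan_dns_log(text):
    """Return the parsed records whose queried name lives under an
    alternative-root TLD, with the matched TLD attached."""
    hits = []
    for line in text.splitlines():
        rec = parse_dns_line(line)
        if rec and is_alt_root_name(rec["name"]):
            rec["tld"] = tld_of(rec["name"])
            hits.append(rec)
    return hits


def clients_by_hits(hits):
    """Count flagged queries per client, to prioritise which host to pull."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["client"]} asked for {h["name"]} (.{h["tld"]})')
    print(clients_by_hits(found))
```

One caveat when deploying this: a .libre query sent to an ICANN-rooted resolver just returns NXDOMAIN, so a bot that actually reaches its C2 this way must be talking to an OpenNIC resolver directly or carrying hard-coded resolver addresses. Pair the name-based rule with an alert on DNS egress (UDP/TCP 53, DoT 853, DoH) to resolvers outside the approved set, or the bot's successful lookups will never appear in the internal resolver's log at all.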
“Although the botnet has likely been rendered inoperable, compromised devices remain vulnerable,” it said. “It is likely a matter of time until hosts are hijacked again and conscripted as a compromised node for the next botnet.”
Source: TheHackerNews