Microsoft has disclosed a DDoS attack large enough to take entire online services and networks offline, and it says the attack was the largest it has ever seen in the cloud. Here are the details.
On Monday, Microsoft revealed that it had mitigated a record-breaking distributed denial-of-service (DDoS) attack, one of the largest ever observed in the cloud. The attack peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps) and was aimed at a single endpoint in Australia. Its source was AISURU, a powerful IoT botnet.
AISURU is a TurboMirai-class botnet built from almost 300,000 infected devices, including routers, security cameras and DVR systems, and it has been linked to some of the largest DDoS attacks on record. DDoS is not its only use: botnets of this kind are also put to work for credential stuffing, AI-driven web scraping, spamming and phishing, and AISURU incorporates a residential proxy service, which makes it a versatile and dangerous tool in the wrong hands.
Microsoft's Sean Whalen described the attack as involving "extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions." Because the traffic showed minimal source spoofing and used random source ports, the sources could be traced back and the providers they originated from could take enforcement action.
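Microsoft's description of the traffic (high-rate UDP, minimal source spoofing, random source ports) maps onto a handful of per-destination counters that a flow-analysis pipeline can compute. The block below is an added example, not Microsoft's or NETSCOUT's code: it scores constructed NetFlow-style records for those indicators and decides whether traceback to the sources is realistic. The `VICTIM` and `RESOLVER` hosts, the packet counts and the thresholds are assumptions chosen for illustration.

```python
# Added example, not Microsoft's or NETSCOUT's code: score a UDP flood from
# NetFlow-style records and decide whether traceback to the sources is
# realistic. All flow records are constructed, not captured traffic.
import ipaddress
import math
import random
from collections import Counter, defaultdict

VICTIM = "203.0.113.10"    # assumed target endpoint (documentation range)
RESOLVER = "203.0.113.53"  # assumed host receiving legitimate DNS traffic

# Reserved / unroutable source prefixes. A packet whose source falls here
# cannot have come from that address, so it is evidence of spoofing.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
)]

def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGONS)

def _public_ip(rng):
    # Random routable IPv4 address for the constructed records.
    while True:
        ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        if not is_bogon(ip):
            return ip

def synthetic_flows(attack_sources=2000, spoofed_sources=40, seed=1):
    """Constructed flows (src_ip, src_port, dst_ip, dst_port, proto, pkts, bytes)
    inside one 1-second window: a UDP burst against VICTIM from many distinct
    sources with random source ports, of which only `spoofed_sources` carry
    bogon (spoofed) addresses, plus a little legitimate DNS to RESOLVER."""
    rng = random.Random(seed)
    seen = set()
    while len(seen) < attack_sources:
        seen.add(_public_ip(rng))
    flows = [(src, rng.randint(1024, 65535), VICTIM, 443, 17, 100, 100 * 1200)
             for src in sorted(seen)]
    for i in range(spoofed_sources):
        spoofed = str(ipaddress.ip_address("10.0.0.1") + i)
        flows.append((spoofed, rng.randint(1024, 65535), VICTIM, 443, 17, 100, 100 * 1200))
    for _ in range(20):
        flows.append((_public_ip(rng), rng.randint(1024, 65535), RESOLVER, 53, 17, 3, 3 * 80))
    # One TCP flow, ignored by summarize(), to show the protocol filter.
    flows.append((_public_ip(rng), 50000, VICTIM, 443, 6, 40, 40 * 1500))
    return flows

def entropy_bits(counter):
    """Shannon entropy of a Counter's distribution, in bits."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())

def summarize(flows, window_s=1.0):
    """Per-destination UDP indicators: rate, source diversity, spoofing share."""
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": Counter(),
                                   "sports": Counter(), "spoofed_pkts": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != 17:          # UDP only; the floods discussed are UDP
            continue
        d = per_dst[dst]
        d["pkts"] += pkts
        d["bytes"] += nbytes
        d["srcs"][src] += pkts
        d["sports"][sport] += pkts
        if is_bogon(src):
            d["spoofed_pkts"] += pkts
    summary = {}
    for dst, d in per_dst.items():
        prefixes = Counter()     # /24 aggregation for the provider report
        for src, n in d["srcs"].items():
            prefixes[str(ipaddress.ip_network(f"{src}/24", strict=False))] += n
        summary[dst] = {
            "pps": d["pkts"] / window_s,
            "gbps": d["bytes"] * 8 / window_s / 1e9,
            "unique_sources": len(d["srcs"]),
            "unique_sports": len(d["sports"]),
            "sport_entropy_bits": entropy_bits(d["sports"]),
            "spoofed_fraction": d["spoofed_pkts"] / d["pkts"],
            "top_prefixes": prefixes.most_common(3),
        }
    return summary

def classify(summary, pps_threshold=100_000, spoof_threshold=0.05):
    """'traceable': sources are mostly real addresses, so per-source abuse
    reports to the originating providers make sense. 'spoofed': upstream
    filtering is the only realistic lever. Thresholds are assumptions."""
    verdicts = {}
    for dst, s in summary.items():
        if s["pps"] < pps_threshold:
            verdicts[dst] = "normal"
        elif s["spoofed_fraction"] < spoof_threshold:
            verdicts[dst] = "udp_flood/traceable"
        else:
            verdicts[dst] = "udp_flood/spoofed"
    return verdicts

if __name__ == "__main__":
    s = summarize(synthetic_flows())
    for dst, verdict in classify(s).items():
        print(dst, verdict, {k: (round(v, 3) if isinstance(v, float) else v)
                             for k, v in s[dst].items()})
```

The spoofing estimate counts only bogon sources, so it is a lower bound: spoofed addresses drawn from routable space look like real sources at the flow level and need upstream cooperation (or BCP 38 ingress filtering at the edge) to detect. High source-port entropy with a stable destination port is what "random source ports" looks like in the counters, and the /24 prefixes are what you would hand to the originating providers.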
Who operated the targeted endpoint has not been disclosed. NETSCOUT, in a recent report, described AISURU as serving a restricted clientele that mostly targets online gaming, but the potential impact of an attack of this size reaches well beyond that.
"Attackers are scaling with the internet itself," Microsoft warned. "As internet speeds and IoT device capabilities increase, the potential size of attacks continues to grow."
The disclosure comes as another TurboMirai-class botnet, Eleven11 (also known as RapperBot), has been in the spotlight. NETSCOUT detailed how this botnet, estimated to have launched more than 3,600 DDoS attacks between February and August 2025, was built from hijacked IoT devices. Its command-and-control servers are registered under the ".libre" TLD, which belongs to OpenNIC, an alternative DNS root whose TLDs standard resolvers do not serve and which other DDoS botnets have used as well.
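A TLD that exists only in an alternative root is a useful detection signal: a device on your network that asks your resolver for a ".libre" name is either misconfigured or running something that expects OpenNIC. The block below is an added example, not NETSCOUT's tooling, that flags such queries in BIND-style resolver logs. The log lines and hostnames are constructed placeholders, and the OpenNIC TLD list is an assumption to be checked against OpenNIC's current list.

```python
# Added example, not NETSCOUT's tooling: flag resolver-log queries for OpenNIC
# alternative-root TLDs such as ".libre". Log lines and hostnames are constructed.
import re
from collections import defaultdict

# Subset of OpenNIC TLDs (assumption: verify against OpenNIC's current list).
OPENNIC_TLDS = {"libre", "geek", "oss", "pirate", "null", "dyn", "bbs", "indy", "parody"}

# BIND-style query log: "client [@0x...] <ip>#<port> (<qname>): query: <qname> IN <type> ..."
LOG_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\w+)"
)

def top_label(qname):
    """Rightmost DNS label, lower-cased, ignoring a trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()

def flag_opennic_queries(lines):
    """Map client IP -> list of (qname, qtype) whose TLD is OpenNIC-only.
    Only the final label counts, so 'libre.example.com' is not flagged."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:                      # unparseable line: skip, do not crash
            continue
        qname = m["qname"].rstrip(".").lower()
        if top_label(qname) in OPENNIC_TLDS:
            hits[m["ip"]].append((qname, m["qtype"]))
    return dict(hits)

# Constructed log lines; the names are placeholders, not real C2 hostnames.
SAMPLE_LOG = [
    "17-Nov-2025 10:00:01.123 client @0x7f3a1c 192.0.2.10#53412 (c2.example.libre): "
    "query: c2.example.libre IN A +E(0)K (192.0.2.53)",
    "17-Nov-2025 10:00:02.456 client @0x7f3a1c 192.0.2.10#53413 (c2.example.libre): "
    "query: c2.example.libre IN A +E(0)K (192.0.2.53)",
    "17-Nov-2025 10:00:03.001 client @0x7f3a2d 192.0.2.11#40021 (www.libre.example.com): "
    "query: www.libre.example.com IN A + (192.0.2.53)",
    "17-Nov-2025 10:00:04.789 client @0x7f3a2d 192.0.2.12#40022 (Update.Vendor.GEEK.): "
    "query: Update.Vendor.GEEK. IN A + (192.0.2.53)",
    "17-Nov-2025 10:00:05.000 client @0x7f3a2d 192.0.2.13#40023 (example.com): "
    "query: example.com IN AAAA + (192.0.2.53)",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, queries in flag_opennic_queries(SAMPLE_LOG).items():
        print(ip, len(queries), sorted({q for q, _ in queries}))
```

Repeated queries for the same alternative-root name from one client are the pattern to alert on, since a standard resolver answers them with NXDOMAIN and a bot will keep retrying. The check only sees lookups that reach your resolver; a device configured to use OpenNIC servers directly bypasses it, so pair it with egress rules that block port 53 to anything but approved resolvers.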
While authorities have reportedly dismantled the Eleven11 botnet, the threat remains: the devices it infected are still vulnerable, so it is only a matter of time before they are hijacked again for the next botnet.
What is your view of this evolving threat landscape? Are we doing enough to protect against DDoS attacks of this scale and against the many other uses of botnets like AISURU? Share your insights and concerns in the comments below.