On October 24, 2025, Microsoft’s Azure DDoS Protection automatically detected and mitigated a massive distributed-denial-of-service campaign that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The attack — which Microsoft says targeted a single public IP address in Australia — was launched by the Aisuru botnet and originated from more than 500,000 unique source IP addresses.
What happened: scale, vector and immediate outcome
According to Microsoft, Azure’s global scrubbing and filtering network intercepted a multi‑vector assault dominated by high-rate UDP floods. Despite the volume — which Microsoft described as “the largest DDoS attack ever observed in the cloud” — the company says customer workloads experienced no visible downtime because its protection systems engaged automatically.
Key technical details reported by Microsoft and independent researchers:
- Peak bandwidth: 15.72 Tbps
- Peak packet rate: ~3.64 billion pps
- Sources: more than 500,000 unique IP addresses
- Primary vectors: high-rate UDP floods, with multi-vector capabilities available to the attackers
- Source behavior: little source‑address spoofing and randomized source ports, which both complicated signature‑based detection and, paradoxically, made tracing infected devices easier
Microsoft’s public write‑up emphasized the automatic nature of mitigation and the role of Azure’s global protection fabric in preserving service availability. For more on Azure’s defenses, see the Azure blog.
Who is Aisuru and how is it evolving?
Aisuru is a Turbo Mirai–class Internet‑of‑Things (IoT) botnet that emerged in mid‑2024 and has rapidly scaled through 2025. Security firms tracking the group report that its inventory is largely consumer‑grade: home routers, IP cameras, DVR/NVR systems and other customer premises equipment (CPE).
Researchers and reporting cited several distinguishing traits:
- Rapid recruitment via exploits and supply‑chain techniques — one incident tied to a compromised firmware‑update server for a router vendor reportedly added roughly 100,000 devices in a single campaign.
- Multipurpose tooling: beyond DDoS, variants include proxy capabilities (residential proxy services), credential stuffing, scraping, and persistent remote access.
- Attack methods that emphasize direct‑path traffic (real source IPs rather than reflected/spoofed addresses), UDP/TCP/GRE floods, randomized ports and packet sizes, and encrypted botnet command channels.
Security vendors have linked Aisuru to several large events in 2025: earlier spikes attributed to Aisuru include attacks in the double‑digit Tbps range, and industry telemetry has shown even larger, unattributed floods (Cloudflare reported mitigating a 22.2 Tbps event in September 2025). Netscout and others warn that the group can field attacks exceeding 20 Tbps and multiple billions of pps.
Wider effects: ISPs, infrastructure and the business model
The sheer scale of Aisuru’s activity is not just a cloud problem. Internet service providers hosting infected devices have reported outbound surges that can degrade local networks — in some cases overwhelming router line cards and causing hardware failures. That hardware stress turns volumetric attacks into a threat to network resiliency, compounding the risk beyond targeted service disruption.
Analysts also point to an evolution in the botnet’s monetization: operators appear to offer both DDoS‑for‑hire and residential‑proxy services. Residential proxies let paying clients route traffic through compromised consumer devices, a less conspicuous and potentially more lucrative model than one‑off DDoS rentals.
Perspectives: defenders, researchers and the attackers’ playbook
Microsoft framed the episode as evidence that cloud defenses must continue to scale: "Attackers are scaling with the internet itself," Microsoft wrote, noting that rising home fiber speeds and more capable IoT devices raise the baseline for attack sizes.
Security researchers echo that urgency while offering different emphases:
- Some stress that because many Aisuru attacks use real source IPs, ISPs can and should act quickly to identify and remediate infected customers.
- Others warn that the botnet’s growing proxy services and distributed command networks make containment harder and call for coordinated sinkholing and cross‑provider intelligence sharing.
- Observers also caution that the botnet’s reported self‑imposed limits (avoiding government/military targets) are a pragmatic business decision by criminals rather than a guarantee of benign behavior.
What organizations and consumers should do now
For cloud operators and enterprises
- Review and enable DDoS protection and rate‑limiting for internet‑facing endpoints; consider large‑scale scrubbing and multi‑layer defenses.
For ISPs and network operators
- Coordinate with ISPs and peer providers on filtering and traceback procedures; share indicators of compromise where possible.
- Monitor outbound traffic for abnormal volumetrics and be prepared to throttle or filter infected customer devices to prevent collateral damage.
- Engage in customer notification and automated remediation where feasible.
For home users and device owners
- Update router and camera firmware; replace unsupported equipment.
- Change default credentials, disable unnecessary remote features (WAN admin, UPnP) and apply basic network hygiene.
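To make the ISP guidance concrete, here is an added example (not from Microsoft's write-up or the reporting above) of the kind of outbound check the ISP recommendations describe: it aggregates constructed flow records per source address and flags customer devices whose UDP output in a window combines the high packet rate and randomized source ports reported for Aisuru traffic, which is only meaningful because those floods carry real, unspoofed source IPs. The Flow record shape, the ten-second export window, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from typing import Iterable, NamedTuple

WINDOW_SECONDS = 10  # length of the flow-export window the records cover (assumed)


class Flow(NamedTuple):
    """One exported flow record; field set is an assumed, minimal NetFlow-like shape."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int


def flood_sources(flows: Iterable[Flow], pps_threshold: int = 50_000,
                  min_src_ports: int = 1_000) -> dict:
    """Return {src_ip: stats} for sources whose outbound UDP traffic in the window
    reaches pps_threshold AND spreads over at least min_src_ports source ports.
    Both conditions are required: a busy but legitimate device keeps a small,
    stable port set, while a direct-path flood spreads across randomized ports."""
    agg = defaultdict(lambda: {"packets": 0, "src_ports": set(), "targets": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        a = agg[f.src_ip]
        a["packets"] += f.packets
        a["src_ports"].add(f.src_port)
        a["targets"].add(f.dst_ip)
    flagged = {}
    for ip, a in agg.items():
        pps = a["packets"] / WINDOW_SECONDS
        if pps >= pps_threshold and len(a["src_ports"]) >= min_src_ports:
            flagged[ip] = {"pps": pps, "src_ports": len(a["src_ports"]),
                           "targets": sorted(a["targets"])}
    return flagged


def sample_flows() -> list:
    """Constructed window: one normal subscriber device and one infected CPE device
    sending to a single placeholder victim IP over randomized source/destination ports."""
    flows = [
        Flow("203.0.113.10", 51234, "198.51.100.5", 443, "udp", 4_000),  # video session
        Flow("203.0.113.10", 51235, "198.51.100.7", 53, "udp", 120),      # DNS lookups
        Flow("203.0.113.10", 52000, "198.51.100.9", 443, "tcp", 9_000),   # TCP, ignored
    ]
    for i in range(2_000):  # 2,000 UDP flows x 500 packets = 100,000 pps in the window
        flows.append(Flow("203.0.113.77", 1024 + i, "192.0.2.80",
                          1024 + (i * 7919) % 60_000, "udp", 500))
    return flows
```

In a real deployment the same aggregation runs over the exporter's window on the access edge, and each flagged address maps directly to a subscriber line for notification or throttling.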
Why this matters
The Azure incident is a landmark in the ongoing escalation of volumetric attacks: it demonstrates both how powerful modern IoT‑based botnets have become and how effective coordinated cloud mitigation can be when it scales. But it also highlights the systemic nature of the problem — the defensive perimeter now runs into homes, small offices and ISP networks.
Experts say a meaningful reduction in such threats will require a mix of better device security from manufacturers, active mitigation and remediation by ISPs, stronger laws or standards for IoT security, and continued investment in large‑scale scrubbing and cross‑provider cooperation. Without that, record‑setting DDoS events may become a recurring part of the internet landscape.