
Microsoft on Monday said it automatically detected and neutralized a distributed denial of service (DDoS) attack that targeted a single endpoint in Australia. The scale of the attack was 5.72 terabits per second (Tbps), or approximately 3.64 billion packets per second (pps).
The tech giant said this was the largest DDoS attack ever observed on the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. It is currently unclear who was targeted in the attack.
“This attack involved a very high-velocity UDP flood targeting specific public IP addresses and was launched from more than 500,000 source IPs across various geographies,” said Microsoft’s Sean Whalen.

“These sudden UDP bursts minimized source spoofing and used random source ports, simplifying tracebacks and making provider enforcement easier.”
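The traffic profile described above (a very high-velocity UDP burst toward a single destination, from hundreds of thousands of distinct source IPs, with random source ports and little spoofing) is the kind of thing a flow collector can flag with a simple per-window aggregation. The following is an added example, not Microsoft's code or anything from the article: it runs over constructed flow-summary records, aggregates UDP packets per destination per one-second window, and raises an alert when both the packet rate and the source-IP fan-in exceed thresholds. The thresholds, addresses and counts are assumptions for a small lab network.

```python
"""Added example (not from the article): a minimal UDP-flood detector over
constructed flow-summary records such as an edge router or flow collector
might export. It aggregates per destination IP per one-second window and
flags windows whose packet rate and source-IP fan-in both exceed thresholds,
which matches the shape of the attack described above. All IPs, thresholds
and counts are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch second the flow record covers
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int     # packets counted in this record


# Thresholds are assumptions for a small network, not Microsoft's values.
PPS_THRESHOLD = 50_000       # packets/second toward a single destination
SRC_IP_THRESHOLD = 1_000     # distinct source IPs in one window


def detect_udp_floods(flows, pps_threshold=PPS_THRESHOLD, src_threshold=SRC_IP_THRESHOLD):
    """Return (ts, dst_ip, pps, distinct_src_ips, distinct_src_ports) for each flagged window.

    The distinct source-port count is reported because a flood that uses random
    source ports (as described above) shows a port spread close to its source count,
    which is useful context when deciding how to filter upstream.
    """
    pps = defaultdict(int)
    srcs = defaultdict(set)
    sports = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.ts, f.dst_ip)
        pps[key] += f.packets
        srcs[key].add(f.src_ip)
        sports[key].add(f.src_port)
    alerts = []
    for key in sorted(pps):
        if pps[key] >= pps_threshold and len(srcs[key]) >= src_threshold:
            ts, dst = key
            alerts.append((ts, dst, pps[key], len(srcs[key]), len(sports[key])))
    return alerts


def build_sample_flows(seed=7):
    """Constructed traffic: benign DNS-like UDP for three seconds plus a one-second
    burst at ts=101 toward 192.0.2.10 from 2,000 distinct sources, 40 packets each."""
    rng = random.Random(seed)
    flows = []
    for ts in (100, 101, 102):
        for i in range(300):
            flows.append(Flow(ts, "udp", f"10.0.{i // 256}.{i % 256}",
                              rng.randint(1024, 65535), "192.0.2.53", 53, rng.randint(1, 5)))
    for i in range(2000):
        flows.append(Flow(101, "udp", f"198.51.{i // 256}.{i % 256}",
                          rng.randint(1024, 65535), "192.0.2.10", 443, 40))
    return flows


if __name__ == "__main__":
    for ts, dst, rate, n_src, n_sport in detect_udp_floods(build_sample_flows()):
        print(f"t={ts} dst={dst} pps={rate} src_ips={n_src} src_ports={n_sport}")
```

Benign windows here peak at about 1,500 packets per second from 300 sources and are never flagged; the burst window totals 80,000 packets per second from 2,000 sources and is. On a real collector the same aggregation would run over sampled flows, so the thresholds must be scaled by the sampling rate.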
According to data from QiAnXin XLab, the AISURU botnet comprises nearly 300,000 infected devices, most of them routers, security cameras, and DVR systems. The botnet is believed to be behind some of the largest DDoS attacks ever recorded. In a report published last month, NETSCOUT classified AISURU as a DDoS-for-hire botnet whose operators restrict which targets customers may attack.
“The carriers are reportedly taking precautions to avoid attacks on government, law enforcement, military, and other national security assets,” the company said. “Most of the Aisuru attacks observed to date appear to be related to online gaming.”
Beyond DDoS attacks exceeding 20 Tbps, botnets like AISURU offer versatile capabilities that facilitate other illegal activities such as credential stuffing, artificial intelligence (AI) web scraping, spamming, and phishing. AISURU also incorporates residential proxy services.
“Attackers are scaling to match the internet itself. As fiber-to-the-home speeds increase and IoT devices become more powerful, the baseline for attack size continues to rise,” Microsoft said.
The disclosure came as NETSCOUT detailed another TurboMirai botnet called Eleven 11 (also known as RapperBot) that was estimated to have launched approximately 3,600 DDoS attacks using hijacked IoT devices between late February and August 2025, around the same time authorities announced the botnet's disruption and dismantling.

Some of the command and control (C2) servers associated with this botnet are registered in the “.libre” top-level domain (TLD). It is part of OpenNIC, an alternative DNS root that operates independently of ICANN and has been adopted by other DDoS botnets such as CatDDoS and Fodcha.
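Because `.libre` and the other OpenNIC TLDs do not exist in the ICANN root, an ordinary resolver answers NXDOMAIN for them; a device that successfully resolves such a name must be using an alternative-root resolver, which on a network full of IoT devices is worth investigating. The following is an added example, not code from NETSCOUT or the report: it scans constructed DNS query log lines for names under OpenNIC TLDs and notes whether the query went to an unapproved resolver or actually resolved. The log format, hostnames, resolver addresses and the (partial) TLD list are assumptions.

```python
"""Added example (not from the NETSCOUT report): flag DNS queries for names under
OpenNIC alternative-root TLDs such as .libre in constructed query log lines.
Log format, client/resolver addresses and hostnames are constructed."""
import re

# Partial list of OpenNIC TLDs; .libre is the one named in the report. Treat the
# rest as an assumption to be refreshed from OpenNIC's own published list.
OPENNIC_TLDS = {"libre", "geek", "pirate", "bbs", "oss", "null", "indy",
                "dyn", "parody", "chan", "gopher", "o"}
APPROVED_RESOLVERS = {"192.0.2.53"}   # constructed: the site's own resolver

# Constructed log line shape: ts client resolver qname rcode
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) resolver=(?P<resolver>\S+) "
    r"qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return the line's fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tld_of(qname):
    """Rightmost label of a (possibly fully qualified) domain name, lowercased."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def find_alt_root_queries(lines):
    """Return findings as (client, qname, resolver, reasons) tuples.

    reasons is a comma-joined string: "opennic-tld" always, plus
    "unapproved-resolver" when the query bypassed the site resolver and
    "resolved" when the answer was NOERROR (impossible via the ICANN root).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if tld_of(rec["qname"]) not in OPENNIC_TLDS:
            continue
        reasons = ["opennic-tld"]
        if rec["resolver"] not in APPROVED_RESOLVERS:
            reasons.append("unapproved-resolver")
        if rec["rcode"] == "NOERROR":
            reasons.append("resolved")
        findings.append((rec["client"], rec["qname"], rec["resolver"], ",".join(reasons)))
    return findings


# Constructed sample log: one benign query, one OpenNIC query that failed via the
# site resolver, one that succeeded via an outside resolver, and one junk line.
SAMPLE_LOG = [
    "2025-11-17T10:00:01Z client=10.0.0.12 resolver=192.0.2.53 qname=update.example.com. rcode=NOERROR",
    "2025-11-17T10:00:02Z client=10.0.0.77 resolver=192.0.2.53 qname=c2.example.libre. rcode=NXDOMAIN",
    "2025-11-17T10:00:03Z client=10.0.0.77 resolver=203.0.113.9 qname=c2.example.libre. rcode=NOERROR",
    "not a log line",
]

if __name__ == "__main__":
    for client, qname, resolver, reasons in find_alt_root_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} via {resolver}: {reasons}")
```

The second finding is the interesting one: the same client retried the name against an outside resolver and got an answer, which is exactly the pattern a hard-coded alternative-root resolver in IoT malware would produce. Blocking outbound port 53 to anything but the site resolver turns that retry into a visible failure.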
“Although the botnet is likely no longer operational, compromised devices remain vulnerable,” the report said. “It appears to be only a matter of time before the host is hijacked again and conscripted as a compromised node in the next botnet.”
