Current Cyber Threats

Microsoft: Azure Hit by 15 Tbps DDoS Attack Using 500,000 IP Addresses

Summary:
Microsoft disclosed that its Azure infrastructure was recently targeted by a massive 15.72 Tbps DDoS attack attributed to the Aisuru botnet, a Turbo-Mirai–class IoT botnet known for record-setting attack volumes. The assault originated from more than 500,000 IP addresses, leveraging extremely high-rate UDP floods that peaked at 3.64 billion packets per second, primarily targeting an Azure public IP in Australia. Aisuru, which infects consumer-grade routers, cameras, and Realtek-based devices, has rapidly grown in scale, particularly after the operators compromised a TotoLink firmware update server, adding 100,000 new bots in April 2025.

Other security vendors have corroborated the botnet’s activity: Cloudflare mitigated a 22.2 Tbps / 10.6 Bpps attack tied to the same botnet, while Qi’anxin reported an 11.5 Tbps incident days earlier. Aisuru’s operators have also abused Cloudflare’s DNS ranking visibility by flooding its 1.1.1.1 resolver with malicious queries to artificially boost their domains. Cloudflare has since implemented measures to hide or redact malicious domains from public rankings. The surge in Aisuru-related DDoS traffic aligns with Cloudflare’s broader reporting that DDoS attacks surged dramatically in 2024, with a 358% YoY increase.


Security Officer Comments:
Aisuru continues to demonstrate that IoT-heavy botnets remain the most capable drivers of ultra-high-bandwidth DDoS operations, especially as attackers refine their ability to rapidly conscript vulnerable consumer devices at scale. The botnet’s sudden expansion following the TotoLink firmware compromise underscores how supply-chain footholds in IoT ecosystems can instantly amplify global threat capacity. The minimal spoofing used in the Azure attack suggests operators are prioritizing raw packet volume over stealth, likely betting that their sheer scale will outpace mitigation windows. The botnet’s DNS-manipulation activities also highlight a secondary objective (information warfare targeting trust systems), not just volumetric disruption. Artificially inflating domain popularity through DNS query floods could support future phishing, malware distribution, or reputation hijacking schemes.


Suggested Corrections:
Defenders should validate that their internet-exposed workloads have appropriate DDoS controls in place and that detection thresholds account for the rising baseline of high-rate UDP floods and packet-per-second saturation attacks. Regular tabletop exercises and controlled simulations can help identify operational gaps, ensure teams understand escalation paths, and confirm that telemetry sources, such as flow logs, PPS alerts, and global IP diversity monitoring, are tuned for multi-vector events at terabit scale. Maintaining architectural resilience through distributed ingress points, load balancing, and redundant DNS paths reduces the impact of single-endpoint targeting. As IoT botnets like Aisuru continue to grow alongside residential broadband capacity, maintaining visibility into abnormal bursts, cross-region traffic spikes, and unexpected edge-device behavior remains essential to preparing for and responding to large-scale volumetric attacks.
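The detection thresholds described above (packet-per-second saturation, source-IP diversity, and a sudden jump over the recent baseline) can be expressed as a small aggregation over flow-log records. The following Python script is an added illustration written for this summary; it is not code from the article, from Microsoft, or from any other vendor named here. The flow records, the monitored address, and the threshold values (`pps_threshold`, `source_threshold`, `udp_share_threshold`, `spike_factor`) are constructed placeholders that a team would replace with its own exported flow data and its observed baseline.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowRecord:
    """One exported flow sample, with the fields a NetFlow/IPFIX or cloud flow log commonly carries."""
    ts: int        # epoch second of the sample
    dst: str       # public IP being monitored
    src: str       # remote source address
    proto: str     # "udp" or "tcp"
    packets: int
    bytes: int


@dataclass
class Bucket:
    """Per-second, per-destination aggregate of the flows seen."""
    packets: int = 0
    bytes: int = 0
    udp_packets: int = 0
    sources: set = field(default_factory=set)


@dataclass
class Alert:
    ts: int
    dst: str
    pps: int
    bps: int
    unique_sources: int
    udp_share: float
    reasons: list


def make_sample_flows():
    """Constructed sample (not real telemetry): one second of ordinary TCP traffic from 20
    sources, then one second in which 400 distinct sources each push 5,000 UDP packets
    at the same public IP."""
    flows = [FlowRecord(100, "203.0.113.10", f"198.51.100.{i + 1}", "tcp", 50, 60_000)
             for i in range(20)]
    flows += [FlowRecord(101, "203.0.113.10", f"100.64.{i // 256}.{i % 256}", "udp", 5_000, 500_000)
              for i in range(400)]
    return flows


def aggregate(flows):
    """Roll flows up into (second, destination) buckets."""
    buckets = defaultdict(Bucket)
    for f in flows:
        b = buckets[(f.ts, f.dst)]
        b.packets += f.packets
        b.bytes += f.bytes
        b.sources.add(f.src)
        if f.proto == "udp":
            b.udp_packets += f.packets
    return buckets


def detect_volumetric(flows, pps_threshold=1_000_000, source_threshold=300,
                      udp_share_threshold=0.9, spike_factor=50):
    """Return an Alert for every second in which a destination's packet rate, its number of
    distinct sources, or its jump over the most recent earlier bucket crosses a threshold.
    The default thresholds are placeholders; tune them to the monitored baseline."""
    buckets = aggregate(flows)
    previous = {}   # dst -> packet count of the most recent earlier bucket for that dst
    alerts = []
    for (ts, dst), b in sorted(buckets.items()):
        udp_share = b.udp_packets / b.packets if b.packets else 0.0
        reasons = []
        if b.packets >= pps_threshold:
            reasons.append(f"pps={b.packets:,} >= {pps_threshold:,}")
        if len(b.sources) >= source_threshold:
            reasons.append(f"unique_sources={len(b.sources)} >= {source_threshold}")
        prev = previous.get(dst)
        if prev and b.packets >= spike_factor * prev:
            reasons.append(f"spike={b.packets / prev:.0f}x over previous bucket")
        # Protocol mix is reported as context once another threshold has fired.
        if reasons and udp_share >= udp_share_threshold:
            reasons.append(f"udp_share={udp_share:.2f}")
        if reasons:
            alerts.append(Alert(ts, dst, b.packets, b.bytes * 8, len(b.sources), udp_share, reasons))
        previous[dst] = b.packets
    return alerts


if __name__ == "__main__":
    for a in detect_volumetric(make_sample_flows()):
        print(f"{a.ts} {a.dst}: {a.pps:,} pps, {a.bps / 1e9:.2f} Gbps, "
              f"{a.unique_sources} sources, udp_share={a.udp_share:.2f}")
        for r in a.reasons:
            print("   -", r)
```

Run against the constructed sample, the first second (1,000 packets from 20 TCP sources) stays quiet and the second one fires on all three conditions, which is the shape of alert worth rehearsing in a tabletop: the reasons list tells the responder whether the event is a packet-rate problem, a source-diversity problem, or both, and the per-destination baseline keeps a busy but steady endpoint from paging on rate alone.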


Link(s):
https://www.bleepingcomputer.com/ne...sed-500-000-ips-in-15-tbps-azure-ddos-attack/

https://techcommunity.microsoft.com...a-record-breaking-15-tbps-ddos-attack/4470422