Microsoft Fends Off Massive DDoS Attack by Aisuru Botnet Operators
Published 2025-11-18 19:30:46 | Source: securityboulevard.com

Microsoft late last month was the victim of a massive distributed denial-of-service (DDoS) attack by threat actors using the Aisuru botnet, a Mirai-style botnet comprising hundreds of thousands of Internet of Things (IoT) devices that has been responsible for a series of record-breaking attacks since first emerging in August 2024.

The incident was launched from more than 500,000 source IPs from across the world and targeted a single endpoint in Australia, creating a multi-vector DDoS attack measuring 15.72 terabits per second (Tbps) and almost 3.64 billion packets per second (pps) in what Sean Whalen, senior product marketing manager for Azure Security, called the “largest DDoS attack ever observed in the cloud.”

“The attack involved extremely high-rate UDP [User Datagram Protocol] floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions,” Whalen wrote in a brief blog post this week. “These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement.”

Microsoft was able to mitigate the attack using the globally distributed DDoS Protection infrastructure and continuous detections features in Azure, with the malicious traffic being filtered and redirected to ensure that service availability was not interrupted and that customer workloads were not affected.
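The traffic profile quoted above (very high UDP packet rates toward one destination, a very large number of distinct source IPs, random source ports) is something a defender can look for in their own flow telemetry. The following is an added example, not Microsoft's or Azure's code: it runs a simple per-destination UDP-flood check over constructed flow records and, for a flagged destination, aggregates the sources into /24 prefixes of the kind one would hand to upstream providers for traceback. The record layout, thresholds and sample values are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed flow records (not captured data). Each record is
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, packets).
def build_sample_flows(n_attack_sources: int = 1000, seed: int = 7) -> list:
    rng = random.Random(seed)
    flows = []
    # Burst toward one destination: each flow comes from a distinct source IP,
    # within the same one-second window, with a random source port (assumed layout).
    for i in range(n_attack_sources):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append((100, src, rng.randint(1024, 65535), "203.0.113.10", 443, "udp", 10))
    # Benign background: one DNS resolver answering a handful of clients.
    for i in range(5):
        flows.append((100, "198.51.100.5", 53, "203.0.113.20", 40000 + i, "udp", 4))
    return flows


def port_entropy(ports: Counter) -> float:
    """Shannon entropy (bits) of the source-port distribution; random ports score high."""
    total = sum(ports.values())
    return -sum((c / total) * math.log2(c / total) for c in ports.values())


def aggregate_udp(flows: list, window_s: int = 1) -> dict:
    """Group UDP flows by (destination, time window) and collect packets, sources, ports."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set(), "ports": Counter()})
    for ts, src, sport, dst, _dport, proto, pkts in flows:
        if proto != "udp":
            continue
        bucket = buckets[(dst, ts // window_s)]
        bucket["packets"] += pkts
        bucket["sources"].add(src)
        bucket["ports"][sport] += 1
    return buckets


def detect_udp_floods(flows: list, window_s: int = 1, pps_threshold: float = 5000,
                      min_sources: int = 500, min_port_entropy: float = 6.0) -> list:
    """Flag destinations whose UDP traffic in a window matches the flood profile:
    high packet rate, many distinct sources and near-random source ports.
    Thresholds are illustrative and must be tuned to the monitored network."""
    alerts = []
    for (dst, window), bucket in aggregate_udp(flows, window_s).items():
        pps = bucket["packets"] / window_s
        if pps < pps_threshold or len(bucket["sources"]) < min_sources:
            continue
        entropy = port_entropy(bucket["ports"])
        if entropy < min_port_entropy:
            continue
        alerts.append({
            "dst": dst,
            "window_start": window * window_s,
            "pps": pps,
            "sources": len(bucket["sources"]),
            "port_entropy": round(entropy, 2),
        })
    return alerts


def source_prefixes(flows: list, dst: str) -> Counter:
    """Count attacking sources per /24 for a flagged destination; with little
    spoofing this is the list that supports traceback and provider notification."""
    prefixes = Counter()
    for _ts, src, _sport, flow_dst, _dport, proto, _pkts in flows:
        if proto == "udp" and flow_dst == dst:
            prefixes[".".join(src.split(".")[:3]) + ".0/24"] += 1
    return prefixes


if __name__ == "__main__":
    sample = build_sample_flows()
    for alert in detect_udp_floods(sample):
        print("UDP flood profile:", alert)
        print("top source /24s:", source_prefixes(sample, alert["dst"]).most_common(3))
```

The entropy check matters because a legitimate burst (a popular DNS or QUIC service, for instance) tends to concentrate on a few source ports per client, whereas the floods described here spread across random ports; the distinct-source count separates a single misbehaving host from a botnet-scale event.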

Scaling Attacks with the Internet

Whalen added that the attack was the latest example of attackers scaling as the internet grows.

“As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing,” he wrote. “As we approach the upcoming holiday season, it is essential to confirm that all internet-facing applications and workloads are adequately protected against DDoS attacks.”

He also warned that organizations need to be proactive and not wait for an attack to happen before assessing their defenses and operational readiness, adding that they should run regular simulations to detect and correct potential issues.

Record-Breaking DDoS Attacks

Internet services company Cloudflare, which tracks DDoS attacks, wrote in July that such attacks continue to break records, with the company blocking one the month before that peaked at 7.3 Tbps and 4.8 billion pps.

“While the majority of DDoS attacks are small, hyper-volumetric DDoS attacks are increasing in size and frequency,” the company wrote. “[Six] out of every 100 HTTP DDoS attacks exceed 1M rps [requests per second], and 5 out of every 10,000 L3/4 DDoS attacks exceed 1 Tbps — a 1,150% [quarter-over-quarter] increase.”

In another blog post, Jérôme Meyer, a security researcher with Nokia’s Deepfield network analytics and security software unit, wrote about the escalating size of DDoS botnets, noting that “the pool of machines that can be co-opted for malicious uses is larger and more liquid.”

As an example, Meyer pointed to BadBox 2.0, which Google – which is suing the operators of the botnet – says comprises more than 10 million Android devices.

Aisuru, an IoT Botnet

According to Netscout researchers, the Aisuru botnet nodes “primarily consist of consumer-grade broadband access routers, online CCTV and DVR systems, and other vulnerable CPE devices running similar OEM firmware variants. The botnet operators actively research new exploits in order to compromise fresh populations of devices and enroll them as Aisuru nodes.”

According to researchers with Chinese cybersecurity research lab Qianxin XLab, the Aisuru botnet has as many as 300,000 such compromised devices.

An Evolving Business Model

Cybersecurity journalist Chris Krebs – whose own site, KrebsOnSecurity, was the victim of a large Aisuru DDoS attack in June – wrote in October that the developers behind the botnet changed their strategy. Instead of only using the botnet to launch huge DDoS attacks, they now are renting hundreds of thousands of infected IoT devices to proxy services. Krebs said the new business model is lower-key and more lucrative and sustainable.

“Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users,” Krebs wrote.

Source: https://securityboulevard.com/2025/11/microsoft-fends-off-massive-ddos-attack-by-aisuru-botnet-operators/