Microsoft reports dismantling largest cloud DDoS attack ever

The denial-of-service (DDoS) attack detected on Microsoft’s cloud on October 24 has been taken down, the Windows operating system developer said on Monday.

According to Microsoft’s blog, the DDoS assault targeted a single endpoint in Australia and reached 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps).

The attack was traced to a TurboMirai-class Internet of Things (IoT) botnet known as AISURU, which security firm Krebson discovered had compromised US internet service providers AT&T, Verizon and Comcast for almost a year. 

Microsoft did not reveal the identity of the target, but confirmed its automated defenses neutralized the attack before any significant disruption occurred.

AISURU could have executed record-breaking attacks

Per the analysis published by Microsoft, the assault relied on extremely high-rate UDP floods on a specific public IP address. “The attack involved extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions,” Senior Product Marketing Manager of Azure Security Sean Whalen explained.

Azure’s analysts wrote that minimal source spoofing and randomized source ports were used to simplify traceback and enable ISPs to enforce mitigation measures effectively.

AISURU exploits compromised home routers, cameras, and DVR systems within residential ISPs in the United States and other countries. QiAnXin XLab estimates the botnet commands nearly 300,000 infected devices. 

“Aisuru’s owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic,” KrebsOnSecurity researchers noted.

American AIOps and technology company Netscout also found AISURU operating with a restricted clientele to avoid government, military, and law enforcement. The majority of observed attacks are linked to online gaming platforms, where high-volume traffic can cause collateral disruption to other networks.

“The outbound and cross-bound DDoS attacks can be just as disruptive as the inbound stuff. We’re now in a situation where ISPs are routinely seeing terabit-per-second plus outbound attacks from their networks that can cause operational problems,” Netscout engineer Roland Dobbins surmised.

Azure’s Whalen also mentioned that the botnet facilitates credential stuffing, AI-driven web scraping, spamming, phishing, and operates a residential proxy service, with attacks exceeding 20 Tbps.

AISURU botnet damages in 2025 so far

In May, cybersecurity blog KrebsOnSecurity reported a near-record 6.35 Tbps attack that was countered by Google’s Project Shield. AISURU then crossed the record with an 11 Tbps assault within the next months, and by late September, attacks had topped 22 Tbps. 

The botnet sent 29.6 Tbps of junk data to a dedicated server measuring extreme DDoS traffic, according to an October 6 report by security journalist Brian Krebs. 

Steven Ferguson, principal security engineer at Global Secure Layer (GSL) in Brisbane, said TCPShield, a DDoS protection service supporting over 50,000 Minecraft servers, was hit with more than 15 Tbps of junk data on October 8. 

“This was causing serious congestion on their Miami external ports for several weeks, shown publicly via their weather map,” Ferguson said.

The attack caused significant congestion on upstream provider OVH’s Miami ports, leaving the company with no choice but to terminate service for TCPShield. However, he revealed the network is now fully protected by GSL security services, a subscription that smaller ISPs may not have the budget to pay for.

Although the DDoS exploits target online gaming networks mostly, the volume of malicious traffic affects unrelated services and connectivity in the surrounding area. Most organizations do not have the resources to withstand such attacks because they lack specialized mitigation tools that could protect them from exposure and damage.

Microsoft’s disclosure comes on the heels of Netscout’s reporting on Eleven11, also known as RapperBot, another TurboMirai-class IoT botnet. Between late February and August, Eleven11 is estimated to have launched approximately 3,600 DDoS attacks.

Some of Eleven11’s command-and-control (C2) servers were registered under the “.libre” top-level domain (TLD), part of OpenNIC, an alternative DNS root independent of ICANN. Malware analysis also revealed that the botnet used ICANN generic top-level domains (.live and .info), with C2 server IPs encrypted in the records. 

Netscout cited samples from 2024 showing Eleven11’s source code had matured to dynamically reconfigure C2 infrastructure using domain names rather than hardcoded IPs. 

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.