Executive Summary
In November 2025, Microsoft disclosed that Azure had detected and mitigated the largest Distributed Denial-of-Service (DDoS) attack observed against a cloud target to date, peaking at 15.72 Tbps and about 3.64 billion packets per second against a single public endpoint in Australia. Microsoft attributed the attack to the AISURU botnet, a TurboMirai-class IoT botnet built largely from compromised home routers and cameras, and described it as a multi-vector assault dominated by high-rate UDP floods from more than 500,000 source IP addresses, with minimal source spoofing and random source ports. Azure DDoS Protection absorbed and filtered the traffic automatically, with no reported impact on customer availability or data.
This record-breaking event shows the escalating scale of DDoS activity aimed at foundational cloud infrastructure. As attackers assemble larger IoT botnets and newer Mirai derivatives, defenders must detect and mitigate at cloud scale, which for most organizations means relying on provider-level DDoS protection rather than on-premises appliances, while continuously monitoring for emerging threats.
Why This Matters Now
The scale and automation of this attack mark a new phase in risk to cloud services and the business operations that depend on them. With botnets growing in size and aiming at global cloud providers, organizations should reassess whether their DDoS defenses, including provider-level protection and failover plans, are adequate for traffic volumes of this order.
Attack Path Analysis
The AISURU botnet mounted the attack by directing a large fleet of compromised IoT devices at a single cloud endpoint. Because the attack was volumetric and entirely external, there was no privilege escalation or lateral movement. Command-and-control infrastructure coordinated globally distributed bots, sustaining attack traffic into the cloud provider's edge. No data exfiltration was observed; the motive was service disruption. The result was a record-breaking denial-of-service attempt, mitigated by Azure's automated DDoS protection and high-capacity filtering at the edge.
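The traffic profile Microsoft described, high-rate UDP floods from more than 500,000 mostly unspoofed source addresses, is what a defender sees in flow telemetry as a sudden packet-rate jump paired with an explosion in distinct sources. The following Python script is added here as an illustration; it is not code from Microsoft, Azure or the original page. It aggregates constructed flow records per destination, classifies each destination against a hypothetical baseline, and lists top talkers for provider traceback. The record format, the address ranges and the thresholds are assumptions.

```python
"""Volumetric DDoS triage over exported flow records.

Added example, not code from Microsoft, Azure, or the original page.
Assumes NetFlow/IPFIX-style records already converted to dicts with the keys
src, sport, dst, dport, proto, packets and bytes; the sample traffic, the
address ranges and the thresholds are constructed for illustration only.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
import random


@dataclass
class DstStats:
    """Counters accumulated for one destination IP:port over a window."""
    packets: int = 0
    octets: int = 0
    flows: int = 0
    sources: set = field(default_factory=set)
    protos: Counter = field(default_factory=Counter)


def aggregate(flows):
    """Roll flow records up per destination (IP, port)."""
    stats = defaultdict(DstStats)
    for f in flows:
        s = stats[(f["dst"], f["dport"])]
        s.packets += f["packets"]
        s.octets += f["bytes"]
        s.flows += 1
        s.sources.add(f["src"])
        s.protos[f["proto"]] += f["packets"]
    return stats


def assess(s, window_s, baseline_pps, pps_factor=10.0, min_sources=1000):
    """Classify one destination's window.

    The distinguishing signals of the Aisuru-style flood are a sudden jump in
    packet rate and a very large number of distinct (largely unspoofed)
    sources. A surge from few sources is flagged separately, since it usually
    means a single misbehaving client or a reflector rather than a botnet.
    Thresholds (baseline_pps, pps_factor, min_sources) are hypothetical.
    """
    pps = s.packets / window_s
    bps = s.octets * 8 / window_s
    proto, proto_pkts = s.protos.most_common(1)[0]
    surge = pps >= baseline_pps * pps_factor
    if surge and len(s.sources) >= min_sources:
        verdict = "distributed_volumetric_flood"
    elif surge:
        verdict = "concentrated_surge"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "pps": round(pps, 1),
        "gbps": round(bps / 1e9, 3),
        "unique_sources": len(s.sources),
        "packets_per_source": round(s.packets / len(s.sources), 1),
        "dominant_proto": proto,
        "dominant_proto_share": round(proto_pkts / s.packets, 3),
    }


def top_sources(flows, dst, n=10):
    """Top-N source IPs by packets sent to dst: the list an operator hands to
    upstream providers for traceback when the sources are not spoofed."""
    c = Counter()
    for f in flows:
        if f["dst"] == dst:
            c[f["src"]] += f["packets"]
    return c.most_common(n)


def constructed_sample(seed=7):
    """Constructed traffic: a UDP flood at 203.0.113.10:443 from 2,000 bots in
    100.64.0.0/10 (CGNAT space, standing in for residential ISP clients) plus
    ordinary HTTPS traffic to 203.0.113.20:443 from 50 clients."""
    rng = random.Random(seed)
    bots = set()
    while len(bots) < 2000:
        bots.add(f"100.{rng.randint(64, 127)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}")
    bots = sorted(bots)
    flows = []
    for _ in range(20000):
        pkts = rng.randint(50, 200)
        flows.append({"src": rng.choice(bots), "sport": rng.randint(1024, 65535),
                      "dst": "203.0.113.10", "dport": 443, "proto": "udp",
                      "packets": pkts, "bytes": pkts * rng.randint(60, 1400)})
    for i in range(300):
        pkts = rng.randint(5, 40)
        flows.append({"src": f"198.51.100.{i % 50 + 1}", "sport": rng.randint(1024, 65535),
                      "dst": "203.0.113.20", "dport": 443, "proto": "tcp",
                      "packets": pkts, "bytes": pkts * 900})
    return flows


def triage(flows, window_s, baseline_pps):
    """Assess every destination seen in the window; returns {(dst, dport): result}."""
    return {k: assess(v, window_s, baseline_pps) for k, v in aggregate(flows).items()}


if __name__ == "__main__":
    sample = constructed_sample()
    for key, result in triage(sample, window_s=10, baseline_pps=2000).items():
        print(key, result)
    print("top sources:", top_sources(sample, "203.0.113.10", 5))
```

Run it as-is to see the constructed flood flagged and the HTTPS traffic left alone; in practice feed it a sliding window of exporter records and derive baseline_pps from each destination's own history. Detection at this layer is for alerting and traceback; dropping terabits of flood traffic still happens at the provider edge.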
Kill Chain Progression
Initial Compromise
Description
Attackers compromised large numbers of internet-exposed IoT devices (the router and SDK vulnerabilities listed below are representative of the entry points) to build the AISURU botnet, which was then used to launch a coordinated volumetric DDoS attack against a cloud endpoint.
Related CVEs
CVE-2017-5259
CVSS 9.8
A command injection vulnerability in Cambium Networks cnPilot routers allows remote attackers to execute arbitrary commands via crafted HTTP requests.
Affected Products:
Cambium Networks cnPilot routers – all firmware versions prior to the vendor fix for CVE-2017-5259
Exploit Status:
exploited in the wild

CVE-2023-28771
CVSS 9.8
A command injection vulnerability in Zyxel devices allows remote attackers to execute arbitrary commands via crafted packets.
Affected Products:
Zyxel devices – specific versions listed in the vendor advisory
Exploit Status:
exploited in the wild

CVE-2023-50381
CVSS 9.8
A buffer overflow vulnerability in the Realtek Jungle SDK allows remote attackers to execute arbitrary code via crafted packets.
Affected Products:
Realtek Jungle SDK – specific versions listed in the vendor advisory
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Endpoint Denial of Service (T1499)
Network Denial of Service (T1498)
Acquire Infrastructure: Botnets (T1583.005)
Exploit Public-Facing Application (T1190), for the device vulnerabilities used to recruit bots
Network Service Discovery (T1046), scanning for further vulnerable devices
Application Layer Protocol: Web Protocols (T1071.001)
Proxy (T1090)
Potential Compliance Exposure
Mapping incident impact across compliance frameworks. The attack was mitigated without customer impact, so these are the controls an affected organization would need to evidence.
PCI DSS 4.0 – Protection of Public-Facing Web Applications
Control ID: 6.4.1 / 6.4.2
NYDFS 23 NYCRR 500 – Incident Response and Business Continuity Management
Control ID: 500.16
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 6 (response and recovery under Art. 11)
CISA ZTMM 2.0 – Network Resilience
Control ID: Network pillar, Network Resilience function
NIS2 Directive – Business Continuity and Crisis Management
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the attack, including operational, regulatory, and cloud security risks.
Information Technology/IT
Cloud infrastructure providers must absorb floods on the order of 15.72 Tbps, which requires provider-scale edge capacity, automated scrubbing and traffic segmentation rather than per-tenant appliances.
Financial Services
Online banking and payment services are exposed to outages from record-volume DDoS; regulators (DORA, NYDFS) expect tested resilience and response plans, backed by provider-level DDoS protection and zero trust segmentation.
Telecommunications
Residential ISPs host much of the botnet itself; packet rates of 3.64 billion per second demand anomaly detection on both ingress and egress so that compromised subscriber devices can be identified and traced back to their source networks.
Government Administration
Government endpoints face the same volumetric risk and need multicloud visibility, rehearsed response playbooks and resilient hybrid connectivity to keep services available.
Sources
- Microsoft Mitigates Record 15.72 Tbps DDoS Attack Driven by AISURU Botnet (The Hacker News): https://thehackernews.com/2025/11/microsoft-mitigates-record-572-tbps.html
- Defending the cloud: Azure neutralized a record-breaking 15 Tbps DDoS attack (Microsoft Tech Community): https://techcommunity.microsoft.com/blog/azureinfrastructureblog/defending-the-cloud-azure-neutralized-a-record-breaking-15-tbps-ddos-attack/4470422
- Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack (BleepingComputer): https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-record-breaking-297-tbps-ddos-attack/
- Aisuru Botnet Powers Record DDoS Attack Peaking at 29 Tbps (SecurityWeek): https://www.securityweek.com/aisuru-botnet-powers-record-ddos-attack-peaking-at-29-tbps/
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation and CNSF controls (cloud-native firewalling, real-time anomaly detection, distributed traffic inspection) limit the attack surface and add layered mitigation: filtering malicious traffic at ingress, identifying attack patterns early, and enforcing least-privilege communication. The caveat for a 15.72 Tbps flood is that no tenant-level firewall can absorb that volume; the volumetric portion has to be dropped at the provider edge (here, Azure DDoS Protection), and the controls below reduce blast radius and handle whatever gets through or changes objective.
Control: Cloud Firewall (ACF)
Mitigation: Detects and filters malicious inbound traffic at the workload boundary; it complements, but does not replace, edge-scale DDoS scrubbing.
Control: Zero Trust Segmentation
Mitigation: Restricts network paths to authorized sources by identity, so a service degraded by a flood cannot become a pivot into the rest of the environment.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal traffic, containing any spill-over from an overwhelmed or misconfigured service.
Control: Threat Detection & Anomaly Response
Mitigation: Flags abnormal packet rates, spikes in distinct source counts and C2-like patterns early enough to trigger automated mitigation.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unauthorized outbound flows if the attacker changes objectives, and keeps an organization's own workloads from being used as flood sources.
Rapid, distributed inline inspection and coordinated response minimize downtime and preserve availability.
Impact at a Glance
Affected Business Functions
- Cloud Services
- Network Infrastructure
Estimated downtime: none reported (mitigated automatically before customer impact)
Estimated loss: N/A
No data exposure reported; the attack aimed only at service disruption.
Recommended Actions
Key Takeaways & Next Steps
- Deploy resilient cloud firewalls and enable distributed, inline DDoS mitigation at every ingress point.
- Implement zero trust segmentation and restrict access to only authorized sources using identity-based policies.
- Monitor network traffic continuously for anomaly detection at scale, with automated incident alerting and response.
- Enforce egress controls to ensure that only sanctioned traffic exits workloads, preventing misuse or covert channels.
- Regularly validate disaster recovery and failover readiness to maintain service continuity under extreme attack scenarios.