Executive Summary
In December 2025, Cloudflare successfully detected and mitigated the largest recorded distributed denial-of-service (DDoS) attack, peaking at 29.7 terabits per second. The attack was orchestrated by the AISURU botnet, leveraging up to four million infected hosts to launch a hyper-volumetric assault. The malicious traffic targeted Cloudflare’s infrastructure, testing the limits of web security and putting critical online services at risk of disruption during the 69-second onslaught. This incident illustrates the increasing scale and sophistication of botnet-driven DDoS attacks, forcing organizations to reassess their mitigation strategies.
The AISURU attack underscores a troubling trend in the growth of for-hire botnets and record-breaking DDoS volumes seen in 2025. These evolving threats continue to challenge traditional perimeter defenses, making advanced detection, automated response, and robust network segmentation more critical than ever.
Why This Matters Now
The explosive rise of botnet-for-hire services like AISURU means any organization can be targeted with internet-scale disruption, threatening uptime and eroding user trust. Mitigating record-breaking DDoS attacks now requires not just high-capacity defenses but advanced segmentation, traffic anomaly detection, and coordinated incident response—highlighting the urgent need for proactive investments in modern security architectures.
Attack Path Analysis
Attackers leveraged the AISURU botnet to compromise a massive number of hosts, likely by exploiting unpatched systems and weak configurations. The malware propagated to gain a foothold and escalate privileges on infected devices. The botnet then coordinated millions of hosts, establishing reliable infrastructure for attack execution. Command and control mechanisms maintained persistent control, issuing the instructions that launched the DDoS. No data exfiltration was observed in this case. The attack culminated in a record-breaking 29.7 Tbps DDoS event targeting cloud infrastructure, severely impacting service availability.
Kill Chain Progression
Initial Compromise
Description
Devices worldwide were compromised by the AISURU botnet, likely via exploitation of vulnerabilities or weak exposures.
Related CVEs
CVE-2017-5259 (CVSS 9.8)
A command injection vulnerability in Cambium Networks' cnPilot routers allows remote attackers to execute arbitrary commands.
Affected Products:
Cambium Networks cnPilot – All versions prior to the firmware update addressing CVE-2017-5259
Exploit Status:
Exploited in the wild
CVE-2023-28771 (CVSS 9.8)
A command injection vulnerability in Zyxel devices allows remote attackers to execute arbitrary commands.
Affected Products:
Zyxel Various models – Specific versions vulnerable to CVE-2023-28771
Exploit Status:
Exploited in the wild
CVE-2023-50381 (CVSS 9.8)
A buffer overflow vulnerability in Realtek Jungle SDK allows remote attackers to execute arbitrary code.
Affected Products:
Realtek Jungle SDK – Specific versions vulnerable to CVE-2023-50381
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Network Denial of Service
Spearphishing Link
Compromise Infrastructure: Botnet
XSL Script Processing
Data Encoding
Exploit Public-Facing Application
Proxy
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement and Maintain Change and Anti-DDoS Controls
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Incident Response Plan
Control ID: 500.16
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10
CISA Zero Trust Maturity Model 2.0 – Monitor and Respond to Network Threats
Control ID: Network – Visibility & Analytics
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Internet
Primary target for 29.7 Tbps DDoS attacks via AISURU botnet requiring enhanced egress security, threat detection capabilities, and distributed policy enforcement mechanisms.
Financial Services
Critical infrastructure vulnerable to hyper-volumetric DDoS disrupting services, requiring zero trust segmentation, anomaly detection, and compliance with regulatory data protection standards.
Telecommunications
Network infrastructure susceptible to massive traffic floods from 4 million infected hosts, demanding multicloud visibility, encrypted traffic protection, and resilient connectivity.
Information Technology/IT
Cloud-native systems face distributed attacks requiring Kubernetes security, inline IPS inspection, east-west traffic monitoring, and comprehensive security fabric implementation.
Sources
- Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts – https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html
- AISURU Botnet Fuels Record-Breaking 11.5 Tbps DDoS Attack With 300,000 Hijacked Routers – https://gbhackers.com/aisuru-botnet/
- Aisuru Botnet Powers Record DDoS Attack Peaking at 29 Tbps – https://www.securityweek.com/aisuru-botnet-powers-record-ddos-attack-peaking-at-29-tbps/
- Aisuru botnet: Early October attacks escalate into record-setting DDoS activity – https://www.cloudflare.com/zh-cn/threat-intelligence/research/report/aisuru-botnet/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, and distributed traffic visibility could have detected and limited botnet activity across cloud workloads, preventing lateral propagation and blocking outbound attack traffic, thereby dramatically reducing DDoS amplification.
Control: Cloud Firewall (ACF)
Mitigation: Blocked initial exploitation attempts against cloud workloads.
Control: Zero Trust Segmentation
Mitigation: Limited attacker access, containing threats to only the initially compromised workload.
Control: East-West Traffic Security
Mitigation: Detected and blocked unauthorized lateral movement within cloud networks.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked or alerted on malicious outbound C2 traffic.
Control: Multicloud Visibility & Control
Mitigation: Verified lack of data exfiltration and maintained observability during the incident; detected and disrupted abnormal outbound traffic spikes.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Services
- Online Transactions
Estimated downtime: 1 day
Estimated loss: $5,000,000
No data exposure reported; primary impact was service disruption due to DDoS attack.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to restrict lateral movement and enforce least privilege within cloud environments.
- Enforce strict cloud firewall and egress policies to block unauthorized inbound and outbound traffic, including to known DDoS C2 domains.
- Enable real-time threat and anomaly detection across all cloud workloads to identify botnet behaviors early.
- Utilize centralized visibility solutions for prompt detection of abnormal traffic patterns or large-scale attacks.
- Regularly review and update cloud access, network, and container security policies to mitigate exposure to mass exploitation vectors.
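The egress-spike detection called for under "Egress Security & Policy Enforcement" and in the anomaly-detection takeaways above, as an added illustration that is not part of this report or of any vendor product: with 29.7 Tbps spread over roughly four million bots, each infected host contributes only about 7.4 Mbps (about 56 MB per minute), so an absolute bandwidth cap alone will not find it. The detector below compares each host's per-destination egress against that host's own recent baseline. Flow records, addresses (RFC 5737 test ranges) and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000

def per_host_bytes_per_minute(total_tbps: float, hosts: int) -> float:
    """Average egress each bot must sustain for the aggregate attack rate."""
    return total_tbps * 1e12 / hosts / 8 * 60

# Constructed NetFlow-style records: (minute, src_host, dst_ip, bytes_out).
# 10.0.1.5 behaves normally (a 30 MB transfer at minute 4 stays under the floor);
# 10.0.1.6 starts pushing ~56 MB/min to one destination at minute 3.
SAMPLE_FLOWS = [
    (0, "10.0.1.5", "198.51.100.5", 2 * MB), (0, "10.0.1.6", "198.51.100.7", 2 * MB),
    (1, "10.0.1.5", "198.51.100.5", 2 * MB), (1, "10.0.1.6", "198.51.100.7", 2 * MB + 200_000),
    (2, "10.0.1.5", "198.51.100.5", 2 * MB), (2, "10.0.1.6", "198.51.100.7", 2 * MB - 100_000),
    (3, "10.0.1.5", "198.51.100.5", 2 * MB), (3, "10.0.1.6", "203.0.113.10", 56 * MB),
    (4, "10.0.1.5", "198.51.100.5", 30 * MB), (4, "10.0.1.6", "203.0.113.10", 56 * MB),
]

def egress_spikes(flows, factor=10.0, floor_bytes=50 * MB, min_history=3):
    """Return (host, minute, dst, bytes, ratio) for every host whose egress to a
    single destination in one minute is at least floor_bytes AND at least
    `factor` times that host's median per-minute egress over earlier minutes.
    The floor suppresses noise on quiet hosts; the ratio catches the spike."""
    per_dst = defaultdict(int)                        # (host, minute, dst) -> bytes
    per_min = defaultdict(lambda: defaultdict(int))   # host -> minute -> bytes
    for minute, host, dst, nbytes in flows:
        per_dst[(host, minute, dst)] += nbytes
        per_min[host][minute] += nbytes
    alerts = []
    for (host, minute, dst), nbytes in sorted(per_dst.items()):
        history = [v for m, v in per_min[host].items() if m < minute]
        if len(history) < min_history:
            continue                                  # baseline not established yet
        baseline = max(median(history), 1)            # median resists the spike itself
        ratio = nbytes / baseline
        if nbytes >= floor_bytes and ratio >= factor:
            alerts.append((host, minute, dst, nbytes, round(ratio, 1)))
    return alerts

if __name__ == "__main__":
    print(f"per-bot share: {per_host_bytes_per_minute(29.7, 4_000_000) / MB:.1f} MB/min")
    for alert in egress_spikes(SAMPLE_FLOWS):
        print("ALERT host=%s minute=%d dst=%s bytes=%d x%.1f baseline" % alert)
```

Lowering `floor_bytes` to 20 MB would also flag the 30 MB transfer from 10.0.1.5, which is the tuning trade-off between catching low-rate bots and paging on legitimate bursts.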