
Microsoft Azure Hit by Record 15 Tbps DDoS Attack

Summary

– Microsoft reported a 15.72 Tbps DDoS attack on its Azure network from the Aisuru botnet, involving over 500,000 IP addresses.
– The attack used high-rate UDP floods targeting an Australian IP, reaching nearly 3.64 billion packets per second.
– Aisuru is a Turbo Mirai-class IoT botnet exploiting compromised devices like routers and cameras, mainly in residential ISPs.
– Cloudflare linked the same botnet to a record 22.2 Tbps DDoS attack in September 2025 and removed its domains from public rankings due to malicious DNS queries.
– The botnet targets vulnerabilities in IP cameras, routers, and chips, and grew significantly in April 2025 after infecting about 100,000 devices via a TotoLink firmware server.

Microsoft has confirmed that its Azure cloud platform successfully defended against a massive distributed denial-of-service (DDoS) assault, which reached an unprecedented 15.72 terabits per second. This aggressive campaign originated from the Aisuru botnet, leveraging more than 500,000 distinct IP addresses to launch the attack.

The incident involved an extremely high-rate UDP flood directed at a single public IP address located in Australia. At its peak, the attack generated close to 3.64 billion packets every second. According to Sean Whalen, a senior product marketing manager for Azure Security, Aisuru is a Turbo Mirai-class Internet of Things botnet known for repeatedly breaking DDoS records. It primarily compromises home routers and security cameras, many of which are connected to residential internet service providers in the United States and other nations.

Interestingly, the UDP bursts used in the attack showed very little source spoofing and employed random source ports. These characteristics actually made it easier for security teams to trace the attack back to its origins and helped internet providers take enforcement actions.

This is not the first time the Aisuru botnet has made headlines. Cloudflare previously connected the same botnet to an even larger DDoS attack in September 2025, which peaked at 22.2 terabits per second and 10.6 billion packets per second. That particular assault lasted only 40 seconds, but its traffic volume was comparable to one million simultaneous 4K video streams.

Just one week before Microsoft’s report, the XLab research division of Qi’anxin, a Chinese cybersecurity firm, attributed another 11.5 Tbps DDoS attack to Aisuru. At that time, researchers estimated the botnet was controlling roughly 300,000 infected devices.

The botnet specifically targets security flaws in a range of devices, including IP cameras, digital and network video recorders, Realtek chips, and routers from manufacturers such as T-Mobile, Zyxel, D-Link, and Linksys. XLab researchers noted that the botnet’s size expanded dramatically in April 2025. This growth occurred after its operators successfully breached a TotoLink router firmware update server, allowing them to infect approximately 100,000 additional devices.

In a related development, cybersecurity journalist Brian Krebs reported earlier this month that Cloudflare removed several domains associated with the Aisuru botnet from its public “Top Domains” ranking. These malicious domains had begun to outrank legitimate websites like Amazon, Microsoft, and Google in terms of DNS query volume.

Cloudflare explained that the botnet’s operators were intentionally flooding its DNS resolver service, 1.1.1.1, with enormous volumes of malicious query traffic. The goal was to artificially boost the popularity of their own domains while simultaneously undermining confidence in the ranking system. Cloudflare CEO Matthew Prince confirmed that this activity significantly distorted the rankings and announced that the company now redacts or completely hides domains suspected of malicious behavior to prevent future manipulation.

Cloudflare’s 2025 first-quarter DDoS Report, published in April, highlighted a sharp increase in attack frequency. The company observed a 198% quarter-over-quarter jump in mitigated DDoS attacks, alongside a staggering 358% year-over-year increase. Throughout 2024, Cloudflare blocked 21.3 million DDoS attacks targeting its customers. Additionally, it defended against another 6.6 million attacks aimed at its own infrastructure during an intense 18-day multi-vector campaign.

(Source: Bleeping Computer)
