DDoS Botnet Aisuru Blankets US ISPs In Record DDoS (krebsonsecurity.com)
An anonymous reader quotes a report from KrebsOnSecurity: The world's largest and most disruptive botnet is now drawing a majority of its firepower from compromised Internet-of-Things (IoT) devices hosted on U.S. Internet providers like AT&T, Comcast and Verizon, new evidence suggests. Experts say the heavy concentration of infected devices at U.S. providers is complicating efforts to limit collateral damage from the botnet's attacks, which shattered previous records this week with a brief traffic flood that clocked in at nearly 30 trillion bits of data per second.
Since its debut more than a year ago, the Aisuru botnet has steadily outcompeted virtually all other IoT-based botnets in the wild, with recent attacks siphoning Internet bandwidth from an estimated 300,000 compromised hosts worldwide. The hacked systems that get subsumed into the botnet are mostly consumer-grade routers, security cameras, digital video recorders and other devices operating with insecure and outdated firmware, and/or factory-default settings. Aisuru's owners are continuously scanning the Internet for these vulnerable devices and enslaving them for use in distributed denial-of-service (DDoS) attacks that can overwhelm targeted servers with crippling amounts of junk traffic.
As Aisuru's size has mushroomed, so has its punch. In May 2025, KrebsOnSecurity was hit with a near-record 6.35 terabits per second (Tbps) attack from Aisuru, which was then the largest assault that Google's DDoS protection service Project Shield had ever mitigated. Days later, Aisuru shattered that record with a data blast in excess of 11 Tbps. By late September, Aisuru was publicly flexing DDoS capabilities topping 22 Tbps. Then on October 6, its operators heaved a whopping 29.6 terabits of junk data packets each second at a targeted host. Hardly anyone noticed because it appears to have been a brief test or demonstration of Aisuru's capabilities: The traffic flood lasted only a few seconds and was pointed at an Internet server that was specifically designed to measure large-scale DDoS attacks.
Aisuru's overlords aren't just showing off. Their botnet is being blamed for a series of increasingly massive and disruptive attacks. Although recent assaults from Aisuru have targeted mostly ISPs that serve online gaming communities like Minecraft, those digital sieges often result in widespread collateral Internet disruption. For the past several weeks, ISPs hosting some of the Internet's top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.
Go for the source of the problem (Score:5, Interesting)
It's time to go after the source of the problem: the compromised devices. Identify them and force the ISPs that serve them to block outgoing traffic from that customer, on pain of having entire netblocks blocked by Cloudflare etc.
Re: (Score:2)
Identify them
Good luck.
Re: (Score:3, Interesting)
Source addresses of the attack are known. The ISPs know which customer was using that address at that time, and dealing with the customer is their problem not the attack target's. If they don't deal with it, they get to deal with lots of angry customers who've suddenly lost connectivity to the majority of the Internet because entire blocks of the ISP's address space are being blocked by Cloudflare et al.
For what purpose? (Score:3)
Where's the profit in this? Is it a state actor getting ready for internet warfare?
Re:For what purpose? (Score:5, Insightful)
Nope, just kiddies doing kiddie things. IoT doing the one thing it's actually good at.
Re: (Score:2)
If the Russians and North Koreans haven't started doing this yet I'm sure they'll be getting into it very shortly.
It's too effective as a weapon to leave it undeveloped.
Re: (Score:2)
I mean there are people that will exchange bitcoin for attacks. Ones this large scale? Could be for the lulz. How much does a compromised device cost? I suppose there could be some money sitting there scanning every IPv4; but there's only a few billion of them and lots of ranges you know you can ignore. I'm pretty sure my current VPS could do the job with no problem. They likely use compromised systems to scan anyway.
So from the script kiddie angle: it's for the lulz. "Look at what I can do". Maybe they saw
Fixes exist (Score:2)
It's also possible, although draconian, to temporarily block access selectively and send the user emails/notifications that they have compromised device(s) or unusual traffic.
Re: (Score:2)
Maybe, but it is not trivial. These bot nets act as proxy VPNs.
The ISP can make guesses based on traffic, but can't specifically identify the compromised devices.
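The two comments above (the one saying that "the ISPs know which customer was using that address at that time", and this one saying the ISP can only make guesses from traffic) describe the same ISP-side workflow from opposite ends. The following is an added example, not code from the Slashdot post or from the KrebsOnSecurity report: it takes a DDoS target's report (destination address plus attack window), the ISP's own address-lease log, and the ISP's flow export, maps each attacking source address back to the subscriber that held it at that instant, and ranks subscribers by outbound bytes sent to the target during the window. Everything here is constructed sample data; the log line layouts, the subscriber IDs (`sub-0001` and so on), and the byte threshold are assumptions, not any vendor's real format. Note that, as the comment says, this attributes traffic to a subscriber's WAN address, not to the specific device behind the subscriber's NAT.

```python
"""
Added example (not from the post or the report): ISP-side attribution of
reported DDoS source addresses to subscribers, using a lease log and a flow
export. All log content below is constructed; formats are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    subscriber: str
    start: datetime
    end: Optional[datetime]  # None while the lease is still active


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str
    nbytes: int


# Constructed lease log (assumed layout): "<iso-timestamp> <ip> <subscriber> start|end".
# 198.51.100.17 is released by sub-0001 at 14:10 and reassigned to sub-0003 at 14:12,
# which is exactly the case where "who had this address?" depends on the timestamp.
LEASE_LOG = """\
2025-10-06T13:00:00+00:00 198.51.100.17 sub-0001 start
2025-10-06T13:30:00+00:00 198.51.100.42 sub-0002 start
2025-10-06T14:10:00+00:00 198.51.100.17 sub-0001 end
2025-10-06T14:12:00+00:00 198.51.100.17 sub-0003 start
"""

# Constructed flow export (assumed layout): "<iso-timestamp> <src> <dst> <proto> <bytes>".
# 198.51.100.99 has no lease record at all; 203.0.113.9 is the reported target.
FLOW_LOG = """\
2025-10-06T14:05:00+00:00 198.51.100.17 203.0.113.9 udp 4000000000
2025-10-06T14:05:00+00:00 198.51.100.42 203.0.113.9 udp 3500000000
2025-10-06T14:05:00+00:00 198.51.100.42 192.0.2.80 tcp 120000
2025-10-06T14:05:30+00:00 198.51.100.99 203.0.113.9 udp 2000000000
2025-10-06T14:15:00+00:00 198.51.100.17 203.0.113.9 udp 50000000
"""

# Constructed attack report from the target: destination and window.
TARGET = "203.0.113.9"
WINDOW_START = datetime.fromisoformat("2025-10-06T14:04:00+00:00")
WINDOW_END = datetime.fromisoformat("2025-10-06T14:06:00+00:00")
AFTER_REASSIGN = datetime.fromisoformat("2025-10-06T14:15:00+00:00")
MIN_BYTES = 1_000_000_000  # assumed threshold for "worth a notification"


def parse_leases(text: str) -> List[Lease]:
    """Build lease intervals from start/end events; malformed lines are skipped."""
    open_leases: Dict[str, Lease] = {}
    leases: List[Lease] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts_s, ip, sub, event = fields
        ts = datetime.fromisoformat(ts_s)
        if event == "start":
            lease = Lease(ip, sub, ts, None)
            open_leases[ip] = lease
            leases.append(lease)
        elif event == "end":
            lease = open_leases.pop(ip, None)
            if lease is not None and lease.subscriber == sub:
                lease.end = ts
    return leases


def subscriber_at(leases: List[Lease], ip: str, ts: datetime) -> Optional[str]:
    """Return the subscriber holding `ip` at `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts and (lease.end is None or ts < lease.end):
            return lease.subscriber
    return None


def parse_flows(text: str) -> List[Flow]:
    flows: List[Flow] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts_s, src, dst, proto, nbytes = fields
        flows.append(Flow(datetime.fromisoformat(ts_s), src, dst, proto, int(nbytes)))
    return flows


def attribute_attack(leases: List[Lease], flows: List[Flow], target: str,
                     window_start: datetime, window_end: datetime,
                     min_bytes: int) -> Tuple[Dict[str, int], int]:
    """Sum bytes sent to `target` inside the window per subscriber.

    Returns (subscribers at or above min_bytes, sorted by volume descending,
    bytes that could not be tied to any lease)."""
    per_sub: Dict[str, int] = defaultdict(int)
    unattributed = 0
    for f in flows:
        if f.dst != target or not (window_start <= f.ts <= window_end):
            continue
        sub = subscriber_at(leases, f.src, f.ts)
        if sub is None:
            unattributed += f.nbytes  # address has no lease record: needs manual follow-up
            continue
        per_sub[sub] += f.nbytes
    flagged = {s: b for s, b in per_sub.items() if b >= min_bytes}
    return dict(sorted(flagged.items(), key=lambda kv: kv[1], reverse=True)), unattributed


def run_example() -> Tuple[Dict[str, int], int]:
    return attribute_attack(parse_leases(LEASE_LOG), parse_flows(FLOW_LOG),
                            TARGET, WINDOW_START, WINDOW_END, MIN_BYTES)


if __name__ == "__main__":
    flagged, unattributed = run_example()
    for sub, nbytes in flagged.items():
        print(f"{sub}: {nbytes} bytes to {TARGET} during window")
    print(f"unattributed bytes: {unattributed}")
```

The lease lookup is deliberately time-bounded: the same address sent traffic to the target again at 14:15, after it had been reassigned, and that flow is excluded both because it is outside the reported window and because it would resolve to a different subscriber. Unattributed bytes are reported separately rather than dropped, since an address with no lease record is the case a human needs to look at.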
IoT = "Internet of Turds" (Score:2)
'nuff said.
IoT has always been a disaster waiting to happen (Score:2)