Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps).
The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of Things (IoT) botnet known as AISURU. It’s currently not known who was targeted by the attack.
“The attack involved extremely high-rate UDP floods targeting a specific public IP address, launched from over 500,000 source IPs across various regions,” Microsoft’s Sean Whalen said.
“These sudden UDP bursts had minimal source spoofing and used random source ports, which helped simplify traceback and facilitated provider enforcement.”
According to data from QiAnXin XLab, the AISURU botnet is powered by nearly 300,000 infected devices, most of which are routers, security cameras, and DVR systems. It has been attributed to some of the biggest DDoS attacks recorded to date. In a report published last month, NETSCOUT classified the DDoS-for-hire botnet as operating with a restricted clientele.
“Operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties,” the company said. “Most observed AISURU attacks to date appear to be related to online gaming.”
Botnets like AISURU also enable multi-use functions, going beyond DDoS attacks exceeding 20Tbps to facilitate other illicit activities like credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing. AISURU also incorporates a residential proxy service.
“Attackers are scaling with the internet itself. As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing,” Microsoft said.
The disclosure comes as NETSCOUT detailed another TurboMirai botnet called Eleven11 (aka RapperBot) that’s estimated to have launched about 3,600 DDoS attacks powered by hijacked IoT devices between late February and August 2025, around the same time authorities disclosed an arrest and the dismantling of the botnet.
Some of the command-and-control (C2) servers associated with the botnet are registered with the “.libre” top-level domain (TLD), which is part of OpenNIC, an alternative DNS root operated independently of ICANN and has been embraced by other DDoS botnets like CatDDoS and Fodcha.
“Although the botnet has likely been rendered inoperable, compromised devices remain vulnerable,” it said. “It is likely a matter of time until hosts are hijacked again and conscripted as a compromised node for the next botnet.”
