Currently, the modern internet is characterized by near-constant contention, in which defensive controls are being continuously tested against increasingly sophisticated adversaries. However, there are some instances where even experienced security teams are forced to rethink long-held assumptions about scale and resilience when an incident occurs.
There has been an unprecedented peak of 31.4 terabits per second during a recent Distributed Denial of Service attack attributed to the Aisuru botnet, which has proven that the recent attack is firmly in that category.
Besides marking a historical milestone, the event is revealing a sharp change in botnet orchestration, traffic amplification, and infrastructure abuse, demonstrating that threat actors are now capable of generating disruptions at levels previously thought to be theoretical.
As a consequence of this attack, critical questions are raised regarding the effectiveness of current mitigation architectures and the readiness of global networks to withstand such an attack.
Aisuru-Kimwolf is at the center of this escalation, a vast array of compromised systems that has rapidly developed into the most formidable DDoS platform to date.
Aisuru and its Kimwolf offshoot are estimated to have infected between one and four million hosts, consisting of a diverse array of consumer IoT devices, digital video recorders, enterprise network appliances, and virtual machines based in the cloud.
As a result of this diversity, the botnet has been able to generate volumes of traffic which are capable of overwhelming critical infrastructure, destabilizing national connectivity, and surpassing the handling capacities of many legacy cloud-based DDoS mitigation services. As far as operational performance is concerned, Aisuru-Kimwolf has demonstrated its consistency in executing hyper-volumetric and packet-intensive campaigns at a scale previously deemed impractical.
As documented by the botnet, the botnet is responsible for record-breaking flooding reaches 31.4 Tbps, packet rates exceeding 14.1 billion packets per second, and highly targeted DNS-based attacks, including random prefixes and so-called water torture attacks, as well as application-layer HTTP floods that exceed 200 million requests per second.
As part of these operations, carpet bombing strategies are used across wide areas and packet headers and payload attributes are randomly randomized, a deliberate design choice meant to frustrate signature-based detection and slow automated mitigation.
The attack usually occurs rapidly and in high intensity bursts that reach peak throughput almost instantly and subside within minutes, creating a hit-and-run attack that makes attribution and response more difficult.
There was an increase of more than 700 percent in attack potential observed in the Aisuru-Kimwolf ecosystem between the years 2025 and 2026, demonstrating the rapid development of this ecosystem. Aisuru botnets serve as the architectural core of this ecosystem, which are responsible for this activity.
In addition to serving as a foundational platform, Aisuru enables the development and deployment of derivative variants, including Kimwolf, which extends the botnet's reach and operational flexibility. By continuously exploiting exposed or poorly secured devices in the consumer and cloud environments, the ecosystem has created a globally distributed attack surface reflective of a larger shift in how modern botnets are designed.
In contrast to the traditional techniques of DDoS relying solely on persistence, Aisuru-based networks emphasize scalability, rapid mobilization, and adaptive attack techniques, signalling the development of an evolving threat model that is reshaping the upper limits of large-scale DDoS attacks.
Additionally, people have seen a clear shift from long-duration attacks to short-duration, high-intensity attacks that are designed to maximize disruptions while minimizing exposure.
There has been a significant decrease in the number of attacks that persist longer than a short period of time, with only a small fraction lasting longer than that period.
There were overwhelmingly three to five billion packets per second at peak for the majority of incidents, while the overall packet rate was overwhelmingly clustered between one and five terabits per second.
It reflects a deliberate operational strategy to concentrate traffic within narrowly defined, yet extremely extreme thresholds, with the goal of promoting rapid saturation over prolonged engagement.
Although these attacks were large in scope, Cloudflare's defenses were automatically able to identify and mitigate them without initiating internal escalation procedures, highlighting the importance of real-time, autonomous mitigation systems in combating modern DDoS threats.
Although Cloudflare's analysis indicates a notable variation in attack sourcing during the so-called "Night Before Christmas" campaign as compared to previous waves of Aisuru botnet activity originating from compromised IoT devices and consumer routers, Cloudflare's analysis shows a significant change in attack sourcing.
As part of that wave of activity, Android-based television devices became the primary source of traffic, which highlights how botnet ecosystems continue to engulf non-traditional endpoints.
In addition to expanding attack capacity, this diversity of compromised hardware complicates defensive modeling, as traffic originates from devices which blend into legitimate consumer usage patterns, increasing the complexity of defensive modeling.
These findings correspond to broader trends documented in Cloudflare's fourth-quarter 2025 DDoS Threat Report, which documented a 121 percent increase in attack volume compared with the previous year, totaling 47.1 million incidents.
A Cloudflare application has been able to mitigate over 5,300 DDoS attacks a day, nearly three quarters of which occurred on the network layer and the remainder targeting HTTP application services. During the final quarter, the number of DDoS attacks accelerated further, increasing by 31 percent from the previous quarter and 58 percent from the previous year, demonstrating a continuing increase in both frequency and intensity.
A familiar pattern of industry targeting was observed during this period, but it was becoming increasingly concentrated, with telecommunications companies, IT and managed services companies, online gambling platforms and gaming companies experiencing the greatest levels of sustained pressure. Among attack originators, Bangladesh, Ecuador, and Indonesia appeared to be the most frequently cited sites, with Argentina becoming a significant source while Russia's position declined.
Throughout the year, organizations located in China, Hong Kong, Germany, Brazil, and the United States experienced the largest amount of DDoS attacks, reflecting the persistent focus on regions with dense digital infrastructure and high-value online services.
According to a review of attack source distribution in the fourth quarter of 2025, there have been notable changes in the geographical origins of malicious traffic, which supports the emergence of a fluid global DDoS ecosystem.
A significant increase was recorded in attack traffic by Bangladesh during the period, displace Indonesia, which had maintained the top position throughout the previous year but subsequently fell to third place. Ecuador ranked second, while Argentina climbed twenty positions to take the fourth position, regaining its first place in attack traffic.
In addition to Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru, there were other high-ranking origins, which emphasize the wide international dispersion of attack infrastructure. The relative activity of Russia declined markedly, falling several positions, while the United States also declined, reflecting shifting operational preferences rather than a decline in regional engagement.
According to a network-level analysis, threat actors continue to favor infrastructure that is scalable, flexible and easy to deploy. A significant part of attacks observed in the past few months have been generated by cloud computing platforms, with providers such as DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner dominating the higher tiers of originating networks with their offerings.
Throughout the trend, there has been a sustained use of on-demand virtual machines to generate high-volume attack traffic on a short notice basis. In addition to cloud services, traditional telecommunications companies remained prominent players as well, especially in parts of the Asia-Pacific region, including Vietnam, China, Malaysia, and Taiwan.
Large-scale DDoS operations are heavily reliant on both modern cloud environments and legacy carrier infrastructure.
The Cloudflare global mitigation infrastructure was able to absorb the unprecedented intensity of the "Night Before Christmas" campaign without compromising service quality.
In spite of 330 points of presence and a total mitigation capacity of 449 terabits per second, only a small fraction of the total mitigation capacity was consumed, which left the majority of defensive capacity untouched during the record-setting flood of 31.4 Tbps.
It is noteworthy that detection and mitigation were performed autonomously, without the need for internal alerts or manual intervention, thus underscoring the importance of machine-learning-driven systems for responding to attacks that unfold at a rapid pace.
As a whole, the campaign illustrates the widening gap between hackers’ growing capability and the defensive limitations of organizations relying on smaller-scale protection services, many of which would have been theoretically overwhelmed by an attack of this magnitude if it had taken place.
An overall examination of the Aisuru campaign indicates that a fundamental shift has taken place in the DDoS threat landscape, with attack volumes no longer constrained by traditional assumptions about bandwidth ceilings and device types.
The implications for defenders are clear: resilience cannot be treated as a static capability, but must evolve concurrently with adversaries operating at a machine-scale and speed that is increasingly prevalent.
Due to the complexity of the threats that are becoming more prevalent in the world, organizations have been forced to reevaluate not only their mitigation capabilities, but also the architectural assumptions that lay behind their security strategies, particularly when latency, availability, and trust are essential factors.
Hypervolumetric attacks are becoming shorter, sharper, and more automated over time. Therefore, effective defense will be dependent on global infrastructure, real-time intelligence, and automated response mechanisms that are capable of absorbing disruptions without human intervention.
Accordingly, the Aisuru incident is less of an anomaly and more of a preview of the operational baseline against which modern networks must prepare.
