"Aisuru" Botnet Shatters Records with 29.7 Tbps DDoS Attack

"Aisuru" Botnet-for-Hire Service Linked to Record-Breaking 29.7 Tbps DDoS Attack, Leveraging Millions of IoT Devices

CRITICAL
December 28, 2025
Categories: Cyberattack, Malware, IoT Security


Executive Summary

A botnet-for-hire service known as Aisuru has been identified as the force behind a new record-setting Distributed Denial-of-Service (DDoS) attack, which peaked at an unprecedented 29.7 Terabits per second (Tbps). The botnet, composed of millions of compromised Internet of Things (IoT) devices and consumer-grade routers, is being rented out to cybercriminals, lowering the barrier to launching catastrophic attacks. In a three-month span during late 2025, Aisuru was linked to over 1,300 distinct DDoS attacks, primarily targeting organizations in the gaming, telecommunications, and financial services industries. The sheer power of this botnet poses a threat not just to direct targets, but to the stability of regional internet infrastructure.


Threat Overview

  • Threat: Aisuru, a massive botnet-for-hire (DDoS-as-a-Service) platform.
  • Capability: Launched a record-breaking 29.7 Tbps DDoS attack.
  • Composition: Millions of compromised IoT devices (e.g., cameras, DVRs) and home routers.
  • Activity: Over 1,300 attacks in three months.
  • Targeted Sectors: Gaming, Telecommunications, Financial Services.
  • Modus Operandi: The service allows paying customers to rent time on the botnet to launch powerful DDoS attacks against targets of their choice.

Technical Analysis

The Aisuru botnet operates by exploiting a fundamental and widespread security weakness: insecure IoT devices. The attack lifecycle is as follows:

  1. Scanning & Exploitation: The botnet operators continuously scan the internet for vulnerable IoT devices. They exploit common weaknesses like default credentials, weak passwords, or unpatched firmware vulnerabilities (T1190 - Exploit Public-Facing Application).
  2. Infection: Once a device is compromised, a lightweight malware payload is installed. This payload enlists the device into the Aisuru botnet, causing it to listen for commands from the attacker's Command and Control (C2) servers.
  3. Aggregation: Millions of these infected devices form a massive, geographically distributed network of bots.
  4. Weaponization (T1498 - Network Denial of Service): When a customer rents the botnet, the C2 server issues a command to a large number of bots, instructing them to flood a target IP address with a massive volume of network traffic. This can be a volumetric attack (e.g., UDP flood) or a more complex application-layer attack.

The 29.7 Tbps peak indicates an extremely large and powerful botnet, capable of overwhelming the defenses of even well-prepared organizations and ISPs.

Impact Assessment

The impact of Aisuru is critical. The availability of such a powerful DDoS weapon for hire has several major consequences:

  • Service Unavailability: Direct targets of the attacks will experience complete service outages, leading to revenue loss, customer churn, and reputational damage.
  • Collateral Damage: Attacks of this magnitude can cause collateral damage, congesting the networks of upstream Internet Service Providers (ISPs) and impacting services for customers who are not being directly targeted.
  • Democratization of Attack Tools: The botnet-for-hire model makes it easy and cheap for low-skilled actors to launch devastating attacks, which can be used for extortion, revenge, or competitive disruption.
  • Systemic Risk: The continued growth of massive IoT botnets poses a systemic risk to the stability of the global internet.

Detection & Response

For Victims/Targets:

  1. Traffic Analysis (D3-ISVA): During an attack, the primary detection method is analyzing incoming traffic to identify the attack pattern (e.g., UDP flood on a specific port, TCP SYN flood). This analysis is typically performed by a DDoS mitigation service.
  2. Performance Monitoring: Abnormally high network traffic, 100% CPU utilization on network appliances, and service unavailability are key indicators of a DDoS attack.

Response:

  • The primary response is to route traffic through a cloud-based DDoS mitigation provider (a "scrubbing center"). These providers have the bandwidth and technology to absorb the attack traffic and pass only legitimate traffic on to the target's network.

Mitigation

For Organizations (Potential Targets):

  1. DDoS Mitigation Service: Proactively contract with a reputable DDoS mitigation service. Relying on on-premise firewalls or ISP-level protection is insufficient against attacks of this scale. An always-on or on-demand cloud scrubbing service is essential.
  2. Network Redundancy: Architect applications and networks for resiliency, distributing assets across multiple data centers or cloud regions to make it harder for an attacker to take everything offline with a single attack.

For the Internet Ecosystem (Device Owners & Manufacturers):

  1. Platform Hardening (D3-PH): IoT manufacturers must ship devices with unique, strong default passwords and disable unnecessary open ports. They should also provide a mechanism for automatic security updates (D3-SU).
  2. User Training/Awareness (M1017): Users who purchase IoT devices must be educated to change default passwords and keep their devices updated. This is a shared responsibility problem.

Timeline of Events

  • December 28, 2025: This article was published.

MITRE ATT&CK Mitigations

Use a cloud-based DDoS mitigation service to scrub attack traffic before it reaches your network perimeter.

Mapped D3FEND Techniques:

Implement BCP38 / ingress filtering to prevent devices on your network from sending traffic with spoofed source IP addresses.
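The ingress-filtering rule recommended above, worked through as an added example (not code from the report or any vendor): a strict reverse-path check on customer-facing router ports, with a constructed route table and constructed packets.

```python
import ipaddress

# Constructed route table for an access router: prefix -> interface through
# which that prefix is reachable. Customer prefixes hang off cust0/cust1;
# the default route points at the upstream interface up0.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "up0",
    ipaddress.ip_network("203.0.113.0/24"): "cust0",
    ipaddress.ip_network("198.51.100.0/26"): "cust1",
}
UPSTREAM_IFACES = {"up0"}

def best_route(src_ip):
    """Longest-prefix match: the interface the router would use to reach src_ip."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES.items() if addr in net]
    return max(matches)[1] if matches else None

def ingress_verdict(ingress_iface, src_ip):
    """Strict uRPF check behind BCP38: a packet from a customer port is only
    forwarded if the reverse path to its source address is that same port.
    Upstream ports are exempt; the whole internet legitimately arrives there."""
    if ingress_iface in UPSTREAM_IFACES:
        return "accept"
    return "accept" if best_route(src_ip) == ingress_iface else "drop-spoofed"

def filter_packets(packets):
    """Apply the check to (ingress_iface, src_ip, dst_ip) tuples; returns
    the forwarded packets and the dropped ones, each tagged with its verdict."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        verdict = ingress_verdict(iface, src)
        (forwarded if verdict == "accept" else dropped).append((iface, src, dst, verdict))
    return forwarded, dropped

# Constructed packets: one legitimate customer packet, two spoofed sources from a
# compromised device behind cust0, one out-of-range cust1 source, one from upstream.
PACKETS = [
    ("cust0", "203.0.113.7", "192.0.2.80"),
    ("cust0", "198.51.100.9", "192.0.2.80"),
    ("cust0", "192.0.2.1", "192.0.2.80"),
    ("cust1", "198.51.100.70", "192.0.2.80"),
    ("up0", "192.0.2.1", "203.0.113.7"),
]
```

The second and third packets are what an infected IoT device would emit if it forged its source address; with this check in place at the access edge they never leave the customer's network.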

For IoT device owners, changing default passwords is the most critical step to prevent compromise and enlistment into a botnet.

D3FEND Defensive Countermeasures

Against a 29.7 Tbps attack from the Aisuru botnet, on-premise defenses are futile. The only effective countermeasure is to contract with a cloud-based DDoS scrubbing provider. This service works by redirecting all incoming traffic through the provider's global network, which has the massive capacity to absorb the attack. The provider's systems analyze the traffic, filter out the malicious packets from the botnet, and forward only the legitimate user traffic to the organization's servers. This should be configured in an 'always-on' mode for critical services to ensure immediate protection.

DDoS mitigation services heavily rely on Inbound Session Volume Analysis to distinguish attack traffic from legitimate users. By baselining normal traffic volumes, protocols, and packet sizes for a given service, the system can detect the massive spike in traffic that characterizes a volumetric attack like those from Aisuru. Advanced systems can also perform challenge-response tests (e.g., SYN cookies) to validate that a connection is coming from a real client and not a simple bot, allowing them to precisely filter out the attack traffic while minimizing impact on real users.
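The baselining logic described here, and the traffic analysis listed under Detection & Response above, as an added example (not code from the report or any mitigation provider): per-destination volume baselines over flow records, with an alert that carries the evidence a responder wants (rate, protocol mix, packet size, source fan-in). The flow records are constructed.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_sec, src_ip, dst_ip, proto, bytes, packets).
# Seconds 0-29 model normal traffic to 203.0.113.5; seconds 30-39 model a
# UDP flood from 50 bot sources (constructed, not real Aisuru telemetry).
FLOWS = []
for t in range(30):
    FLOWS.append((t, f"198.51.100.{t % 20 + 1}", "203.0.113.5", "TCP", 60_000, 80))
    FLOWS.append((t, f"198.51.100.{t % 20 + 1}", "203.0.113.5", "UDP", 4_000, 10))
for t in range(30, 40):
    for bot in range(1, 51):
        FLOWS.append((t, f"192.0.2.{bot}", "203.0.113.5", "UDP", 1_400_000, 1_000))

def window_stats(flows, window=10):
    """Aggregate flows per (destination, window index)."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "udp_bytes": 0, "srcs": set()})
    for ts, src, dst, proto, nbytes, pkts in flows:
        s = stats[(dst, ts // window)]
        s["bytes"] += nbytes
        s["packets"] += pkts
        s["srcs"].add(src)
        if proto == "UDP":
            s["udp_bytes"] += nbytes
    return stats

def detect_volumetric(flows, window=10, baseline_windows=3, factor=10.0):
    """Alert on windows whose byte volume exceeds factor x the per-destination
    baseline (mean of the first baseline_windows windows). Each alert carries
    the evidence a responder needs: rate, protocol mix, packet size, fan-in."""
    per_dst = defaultdict(dict)
    for (dst, w), s in window_stats(flows, window).items():
        per_dst[dst][w] = s
    alerts = []
    for dst, wins in per_dst.items():
        ordered = sorted(wins)
        base = ordered[:baseline_windows]
        baseline = max(sum(wins[w]["bytes"] for w in base) / len(base), 1.0)
        for w in ordered[baseline_windows:]:
            s = wins[w]
            if s["bytes"] > factor * baseline:
                alerts.append({
                    "dst": dst, "window": w, "ratio": s["bytes"] / baseline,
                    "mbps": s["bytes"] * 8 / window / 1e6,
                    "udp_share": s["udp_bytes"] / s["bytes"],
                    "avg_pkt_bytes": s["bytes"] / s["packets"],
                    "unique_sources": len(s["srcs"]),
                })
    return alerts
```

Calling `detect_volumetric(FLOWS)` yields one alert for the fourth window: roughly a thousand times the baseline, all UDP, near-MTU packets, 50 distinct sources, which is the signature a scrubbing provider keys its filters on.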

The root cause of botnets like Aisuru is insecure IoT devices. To solve this problem long-term, manufacturers must prioritize Platform Hardening. This means shipping every device with a unique, randomly generated password instead of a universal default like 'admin'. Unnecessary services like Telnet and UPnP should be disabled by default. Furthermore, devices must have a secure, automated mechanism to receive and apply firmware updates to patch vulnerabilities. Until these practices become standard, consumers must be educated to manually change default passwords and disable risky features on their routers and IoT gadgets.

Sources & References

Cyware Monthly Threat Intelligence, December 2025
Cyware (cyware.com) December 28, 2025
Dec 2025: Biggest Cyber Attacks, Ransomware Attacks and Data Breaches
Cyber Management Alliance (cybermanagementalliance.com) December 28, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Specialties: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

DDoS, Botnet, Aisuru, IoT Security, Cyberattack, Record Attack
