🧨Cyber Pulse: Technical Threat Deep Dives on Active CVEs – Massive Aisuru DDoS Hits Microsoft Azure (15.72 Tbps)

Overview:

Microsoft confirmed a massive 15.72 Tbps DDoS attack on its Azure cloud infrastructure. The attack was sourced from over 500,000 IP addresses controlled by the Aisuru botnet, a Mirai-variant currently dominating the IoT threat landscape.

🔎 Key Technical Details

  • Attack Volume: 15.72 Tbps
  • Source Nodes: 500,000+ unique IPs
  • Botnet: Aisuru (TurboMirai-class)
  • Infection Vector:
    • IoT devices such as IP cameras and DVRs/NVRs
    • Routers from T-Mobile, Zyxel, D-Link, and Linksys
    • Realtek SoC vulnerabilities
  • Rapid Growth Event: In April 2025, attackers breached a TotoLink router firmware update server. This resulted in 100,000+ new device infections and rapidly expanded the botnet’s power.

📉 Azure Impact

  • Microsoft has not disclosed the duration of downtime.
  • Historically, Azure’s DDoS Protection absorbs large-scale attacks in under 90 seconds.
  • No confirmed public-facing outages have been tied to this specific incident at the time of writing.

🧠 Strategic Notes for Blue Teams

  • Direct-path attack: This was not an amplification attack. The traffic was sent directly from the infected devices’ real IP addresses rather than reflected off third-party servers.
  • Residential IP abuse: Blocking traffic becomes more difficult when it’s coming from legitimate consumer ISP ranges.
  • Firmware update compromise: Supply chain attacks are not limited to ransomware. They are now a growing method for botnet expansion.
  • Short burst, high intensity: Security automation must be capable of detecting and responding within seconds.

🧩 Why This Matters (Even if You’re Not Microsoft)

  • Multi-Tbps DDoS attacks are no longer rare. They are now a real threat to any cloud or hybrid organization.
  • On-premises systems may also be vulnerable if upstream filters are not designed for this scale.
  • Cloudflare DNS services were also targeted: Aisuru operators flooded 1.1.1.1 with traffic to manipulate domain popularity rankings.
  • This is a serious concern: Cloudflare’s 1.1.1.1 DNS is trusted globally for its speed and security. Aisuru managed to abuse it as part of an attack against Microsoft. This level of infrastructure compromise shows just how deeply attackers are embedding into the digital backbone.
  • Cloudflare responded by removing affected domains and confirmed that the botnet had distorted DNS detection and ranking telemetry.

🛡️ What to Do If You’re Facing a Terabit-Class DDoS

If your organization is not operating at Microsoft’s scale, a multi-terabit DDoS attack could still cause severe disruption. However, there are practical steps you can take to prepare and respond effectively.

📍 Before the Attack

  • Engage with a DDoS mitigation provider early: Services like Cloudflare, Akamai, AWS Shield Advanced, or Azure’s native protections should be set up before an incident occurs.
  • Know your upstream bandwidth ceiling: Talk to your ISP. Understand the thresholds they can handle and whether they blackhole or reroute traffic during an attack.
  • Set up aggressive traffic baselines: Collect and review historical data to understand what normal traffic looks like. This helps in quickly identifying anomalies.
  • Test failover and rate-limiting controls: Do not assume your CDN or WAF will scale automatically. Validate that geographic load balancing and redundancy work under stress.

🔥 During the Attack

  • Drop low-priority services to preserve core functionality: Shut down non-critical portals, static assets, or reporting interfaces to reduce attack surface.
  • Enable emergency geofencing: If attack traffic is coming from regions where you do not operate, apply aggressive rate-limiting or blocking.
  • Coordinate with your cloud provider or ISP immediately: High-bandwidth attacks often require upstream support for mitigation.
  • Do not rely on your application to stop the flood: Once traffic reaches your application layer, it is often too late. Block or scrub it at the edge.

🧯 After the Attack

  • Preserve logs and network flow data: This is essential for forensics, threat sharing, and post-incident review.
  • Trace and report source IPs: Because this botnet used real IP addresses, you may be able to assist in attribution or takedown efforts.
  • Update detection signatures: Watch for repeat behaviors from the same ranges, payloads, or service abuse patterns.
  • Contribute to threat intel sharing platforms: Sharing what you learned can help others harden their defenses before they are targeted.
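The baseline, geofencing and flow-log review steps above, worked through as a small triage script. This is an added example, not code from the original post: it runs a per-second byte baseline over constructed NetFlow-style records, flags the spike, decides whether the flood looks direct-path (ephemeral source ports, many unique sources) or reflected (traffic arriving from well-known service ports), and reports the source countries a defender would need for a geofencing decision. The 10x-baseline threshold and the sample IPs and countries are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample flow records: (epoch_sec, src_ip, src_country, src_port, bytes).
NORMAL = [(t, "203.0.113.5", "US", 51000 + t, 1500) for t in range(100, 110)]
NORMAL += [(t, "198.51.100.7", "US", 52000 + t, 1200) for t in range(100, 110)]
# Second 110: hundreds of distinct sources on ephemeral ports, each sending
# modest traffic, i.e. the direct-path pattern the post describes.
FLOOD = [(110, f"192.0.2.{i % 256}", "BR", 40000 + i, 1200) for i in range(200)]
FLOOD += [(110, f"198.18.{i // 256}.{i % 256}", "VN", 40000 + i, 1100) for i in range(300)]
FLOWS = NORMAL + FLOOD

# Reflection/amplification floods arrive FROM these well-known service ports.
REFLECTOR_PORTS = {53, 123, 161, 389, 1900, 11211}

def bytes_per_second(flows):
    """Sum bytes into one-second buckets."""
    bps = defaultdict(int)
    for ts, _ip, _cc, _port, nbytes in flows:
        bps[ts] += nbytes
    return dict(bps)

def spike_seconds(flows, baseline_bps, multiplier=10):
    """Seconds whose volume exceeds multiplier x the historical baseline (assumed policy)."""
    return sorted(t for t, b in bytes_per_second(flows).items() if b > multiplier * baseline_bps)

def classify(flows, second):
    """Return (kind, unique_sources): reflected if most bytes come from reflector ports."""
    hits = [f for f in flows if f[0] == second]
    total = sum(f[4] for f in hits)
    reflected = sum(f[4] for f in hits if f[3] in REFLECTOR_PORTS)
    kind = "amplification" if total and reflected / total > 0.5 else "direct-path"
    return kind, len({f[1] for f in hits})

def top_countries(flows, second, n=3):
    """Bytes per source country in that second, to support a geofencing decision."""
    c = Counter()
    for f in flows:
        if f[0] == second:
            c[f[2]] += f[4]
    return c.most_common(n)

def triage(flows, history_seconds):
    # Baseline comes only from the known-quiet history window, never from the spike itself.
    baseline = mean(bytes_per_second([f for f in flows if f[0] in history_seconds]).values())
    report = {}
    for sec in spike_seconds(flows, baseline):
        kind, uniq = classify(flows, sec)
        report[sec] = {"kind": kind, "unique_sources": uniq, "top_countries": top_countries(flows, sec)}
    return report
```

Preserved flow exports from the incident can be fed in as the same tuples; the per-country and per-source counts are also what you would hand to the ISP or a sharing platform afterwards.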

🚨 Final Takeaway

The Aisuru botnet didn’t just go after niche targets. It went after Azure by hijacking hundreds of thousands of IoT devices and manipulating trusted services like 1.1.1.1 DNS to help push the attack.

If you think your organization is too small to be targeted, remember that DDoS attacks often affect upstream providers, not just direct victims. Even if you’re not the bullseye, you can still get hit by the blast. Prepare now. When the flood comes, there’s no time for improvisation.
