
On 12 May 2025, digital-forensics journalist Brian Krebs watched his site absorb a flood of traffic that briefly touched 6.3 terabits per second. The surge lasted just 45 seconds, delivering about 585 million UDP packets per second to random ports – enough throughput to overwhelm all but the biggest carrier links.
Size and technique point to Aisuru (also called Airashi), a year-old botnet built from compromised routers, DVRs and other IoT devices. Researchers first tracked Aisuru in August 2024; since then it has re-emerged with new exploits, including a zero-day in Cambium cnPilot routers, and is openly advertised on Telegram at up to US $600 per week.
Brian Krebs’ 2016 Mirai incident showed how source-code leaks can fracture a monolithic botnet into weaker clones. Aisuru is still private, giving one operator control of uncommon fire-power. Experts noted that public release of Aisuru’s code, or at least the exploit list, would force that power to fragment, bringing individual floods back within reach of most mitigation services.
The attack also underlines a shift towards hyper-volumetric ‘demo’ blasts. Bursts under a minute are long enough to prove capability to prospective customers yet short enough to avoid lengthy engagement with defenders. Cloudflare says it blocked more than 700 attacks above 1 Tbps in Q1 2025; most lasted 35–45 seconds.
For defenders, the lesson is readiness rather than attribution. Services must assume that compromised IoT devices and for-hire channels can deliver terabit-scale hits on short notice. That means:
- Keeping capacity on hand or under contract for sudden multi-Tbps spikes
- Deploying stateless filtering and rate-limiting at the edge to drop large UDP floods before they reach application layers
- Instrumenting networks to react automatically in the first few seconds
- Sharing fingerprints of new botnet traffic quickly with upstream providers
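
As an added illustration (not FastNetMon's code, and not taken from the original article), the sketch below shows one way to react within the first few seconds: it flags a destination once UDP traffic spread across many ports stays above a packet-rate threshold for two consecutive seconds. The thresholds, record layout and sample data are assumptions constructed for this example.

```python
from collections import Counter, defaultdict

# All thresholds are illustrative assumptions; derive real ones from your baseline.
PPS_THRESHOLD = 1_000_000    # UDP packets/s toward one destination
MIN_DISTINCT_PORTS = 500     # a random-port flood touches many ports per second
MAX_TOP_PORT_SHARE = 0.10    # no single port dominates (unlike DNS or QUIC)
SUSTAIN_SECONDS = 2          # consecutive hot seconds before acting

def detect(records):
    """records: (second, dst_ip, proto, dst_port, packets) tuples -> list of alerts."""
    per_sec = defaultdict(Counter)               # (second, dst) -> {port: packets}
    for sec, dst, proto, port, pkts in records:
        if proto == "udp":
            per_sec[(sec, dst)][port] += pkts
    streak, last_seen, alerted, alerts = defaultdict(int), {}, set(), []
    for sec, dst in sorted(per_sec):
        ports = per_sec[(sec, dst)]
        pps = sum(ports.values())
        hot = (pps >= PPS_THRESHOLD
               and len(ports) >= MIN_DISTINCT_PORTS
               and max(ports.values()) / pps <= MAX_TOP_PORT_SHARE)
        # A gap in the data resets the streak, as does a quiet second.
        contiguous = last_seen.get(dst) == sec - 1
        streak[dst] = (streak[dst] + 1 if contiguous else 1) if hot else 0
        last_seen[dst] = sec
        if streak[dst] >= SUSTAIN_SECONDS and dst not in alerted:
            alerted.add(dst)
            alerts.append({"dst": dst, "detected_at": sec, "pps": pps})
    return alerts

def sample_records():
    """Constructed per-second flow summaries (documentation address ranges)."""
    recs = []
    for sec in range(8):
        recs.append((sec, "198.51.100.5", "udp", 443, 1_500_000))  # busy single-port service
        recs.append((sec, "203.0.113.10", "udp", 53, 5_000))       # normal DNS
        if 3 <= sec <= 6:                                          # burst across 2000 ports
            recs += [(sec, "203.0.113.10", "udp", p, 1_000) for p in range(1024, 3024)]
    return recs

if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```

The busy single-port service exceeds the packet-rate threshold but is never flagged, because the port-spread conditions separate a random-port flood from legitimate high-volume UDP.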
Until the underlying device security improves, hyper-volumetric floods will remain a risk that must be planned for. Read Brian Krebs’ analysis of the events here.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com