Aisuru, a massive IoT botnet, recently pushed outbound traffic close to 30 Tbps from infected devices inside major U.S. ISPs — one of the largest DDoS events ever recorded. Outbound DDoS attacks, where malicious traffic leaves your network rather than entering it, are increasingly straining upstream capacity and exposing operators to significant operational and reputational risk.
Let’s look at what’s happening across ISP networks, why outbound DDoS requires a different response model, and how FastNetMon’s per-direction hostgroup thresholds can help detect and suppress such attacks quickly.
Aisuru: record outbound floods shake U.S. ISPs
As reported by KrebsOnSecurity, Aisuru has rapidly evolved into the world’s most disruptive IoT botnet. On October 6, 2025, it briefly reached a staggering 29.6 terabits per second in outbound traffic — a short-lived record-breaking flood allegedly connected to the major gaming platform outages.
Aisuru draws its strength from hundreds of thousands of compromised consumer devices — routers, cameras, and DVRs — many hosted within U.S. broadband providers. This heavy domestic concentration means large volumes of attack traffic now originate from inside the same networks that deliver internet access to millions of customers, amplifying the risk of collateral congestion and service degradation.
In recent months, Aisuru had already broken several records: an 11 Tbps flood in September, followed by an attack measuring 1.5 billion packets per second just a few weeks later, and another one reaching 22 Tbps. While many of these attacks targeted gaming networks and hosting providers, they collectively signaled a broader shift — DDoS traffic is no longer primarily an inbound threat. Increasingly, it’s something operators must monitor and control on the way out.
The latest wave of events shows that even large ISPs can struggle when hundreds of thousands of their own customer devices begin transmitting at terabit-per-second rates simultaneously. Outbound attacks of this scale don’t just affect their immediate targets — they can congest peering links, disrupt adjacent services, and trigger automatic mitigation or rate limiting from upstream peers. The ability to detect and suppress outbound abuse in real time is now an operational necessity, not an optional safeguard.
Why outbound DDoS demands a new defensive mindset
The Aisuru events revealed a simple but often-overlooked truth: some of the largest DDoS attacks in history are now being launched from within ISP networks themselves. Infected consumer IoT devices are generating enormous volumes of outbound traffic, concentrated across limited egress points, overloading shared uplinks and affecting legitimate customers.
Unlike traditional inbound DDoS events, these floods originate inside your own infrastructure, often going unnoticed until they congest upstream links or trigger mitigation from peers. Operators can’t directly disinfect or patch customer IoT devices, but they can contain and control their behavior at the network level. That means detecting abusive sources early, limiting their impact, and automating response wherever possible.
Mitigation starts with visibility — monitoring egress flows per host and per direction — followed by automated containment that can throttle or block malicious traffic before it leaves the network. Networks that rely only on manual intervention or inbound defenses are already behind the curve.
This is where FastNetMon comes in: it gives operators the per-direction visibility, thresholds, and automation required to detect and suppress outbound attacks in real time.
FastNetMon’s approach to outbound DDoS — technical overview
FastNetMon analyses NetFlow, IPFIX, sFlow, or mirrored packet samples to detect abnormal per-host traffic rates in real time. Exporters should use short export intervals (≤30 seconds) and appropriate sampling (1:1000 or finer) for best responsiveness.
Detection is based on packets per second (pps), bytes per second (bps), and flows per second. To detect outbound events specifically, enable
per_direction_hostgroup_thresholds = true
in FastNetMon Advanced. This allows operators to configure different thresholds for outbound traffic, applying more aggressive limits to egress flows that indicate abuse.
When thresholds are exceeded, FastNetMon can trigger automatic mitigations:
- BGP FlowSpec rules to drop or rate-limit malicious traffic directly at the router.
- Dynamic ACL insertion at access or aggregation layers.
- Local blackhole routing as a controlled, short-term containment measure.
Integration via Ansible, NETCONF, or REST APIs ensures automated and consistent deployment across multi-vendor environments.
For configuration details, see the documentation: Per-direction hostgroup thresholds — FastNetMon Advanced
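To make the per-host, per-direction threshold logic above concrete, here is an added worked example in Python. It is not FastNetMon’s own code or configuration: it models a simplified sampled flow record, attributes each record to the monitored host on the inside of a customer prefix, de-samples packet and byte counts over one export interval, and compares egress and ingress rates against separate thresholds in the spirit of per_direction_hostgroup_thresholds. The prefix 192.0.2.0/24, the 1:1000 sampling rate, the 30-second interval and the threshold values are all constructed assumptions, as is the sample traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Thresholds:
    """Per-direction limits, all expressed per second after de-sampling."""
    pps: int   # packets per second
    bps: int   # bits per second
    fps: int   # flow records per second


@dataclass(frozen=True)
class Flow:
    """Minimal flow record as a sampled NetFlow/IPFIX/sFlow exporter would produce."""
    src: str
    dst: str
    packets: int
    octets: int


def classify(flow, monitored):
    """Return (direction, host) relative to the monitored prefixes.

    Only the monitored side is attributed; internal-to-internal or pure
    transit flows return (None, None) and are ignored by the detector."""
    src_inside = any(ip_address(flow.src) in net for net in monitored)
    dst_inside = any(ip_address(flow.dst) in net for net in monitored)
    if src_inside and not dst_inside:
        return "outgoing", flow.src
    if dst_inside and not src_inside:
        return "incoming", flow.dst
    return None, None


def detect(flows, monitored, thresholds, sampling_rate, interval_s):
    """Aggregate de-sampled per-host traffic for one export interval and
    compare each (host, direction) pair against that direction's thresholds.

    Returns one alert dict per exceeded metric."""
    totals = defaultdict(lambda: {"packets": 0, "octets": 0, "flows": 0})
    for flow in flows:
        direction, host = classify(flow, monitored)
        if direction is None:
            continue
        entry = totals[(host, direction)]
        # Packet sampling 1:N means every sampled packet/byte stands for N.
        entry["packets"] += flow.packets * sampling_rate
        entry["octets"] += flow.octets * sampling_rate
        # Flow records are counted as seen: packet sampling undercounts
        # distinct flows, so this figure is a conservative lower bound.
        entry["flows"] += 1

    alerts = []
    for (host, direction), entry in totals.items():
        limits = thresholds[direction]
        observed = {
            "pps": entry["packets"] / interval_s,
            "bps": entry["octets"] * 8 / interval_s,
            "fps": entry["flows"] / interval_s,
        }
        for metric, value in observed.items():
            limit = getattr(limits, metric)
            if value > limit:
                alerts.append({"host": host, "direction": direction,
                               "metric": metric, "observed": value, "limit": limit})
    return alerts


# Constructed assumptions for the example (not real network values).
MONITORED = [ip_network("192.0.2.0/24")]
THRESHOLDS = {
    # Egress limits are deliberately tighter than ingress: a single
    # subscriber host has no legitimate reason to push this much outbound.
    "outgoing": Thresholds(pps=20_000, bps=200_000_000, fps=2_000),
    "incoming": Thresholds(pps=100_000, bps=1_000_000_000, fps=10_000),
}
SAMPLING_RATE = 1000  # exporter configured for 1:1000 packet sampling
INTERVAL_S = 30       # exporter active timeout / export interval


def build_sample_flows():
    """Constructed records for one 30 s interval (not real telemetry):
    192.0.2.10 floods an outside address, 192.0.2.20 receives the same
    volume inbound, and 192.0.2.30 browses normally."""
    flows = []
    for _ in range(1000):
        flows.append(Flow("192.0.2.10", "203.0.113.5", packets=1, octets=1200))
        flows.append(Flow("203.0.113.9", "192.0.2.20", packets=1, octets=1200))
    flows.append(Flow("192.0.2.30", "198.51.100.7", packets=3, octets=4000))
    return flows


def run_example():
    return detect(build_sample_flows(), MONITORED, THRESHOLDS, SAMPLING_RATE, INTERVAL_S)


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['host']} {alert['direction']} {alert['metric']}: "
              f"{alert['observed']:.0f} > {alert['limit']}")
```

With these inputs only 192.0.2.10 trips the outgoing pps and bps limits (roughly 33,000 pps and 320 Mbps after de-sampling); the identical volume arriving at 192.0.2.20 stays under the looser incoming thresholds, which is exactly the asymmetry per-direction thresholds are meant to express. In a real deployment the alert record would feed the mitigation step (FlowSpec, ACL or blackhole) rather than a print statement.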
The bigger picture
Aisuru’s record-setting floods mark a turning point for the industry: large-scale DDoS attacks now originate from inside broadband networks, powered by infected IoT devices. Outbound detection is no longer optional — it’s essential to maintaining stability and reputation.
With FastNetMon Advanced, operators can deploy per-direction thresholds, automate containment, and stop outbound abuse in real time — protecting not only their own customers, but the wider internet.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit fastnetmon.com.