
This week, Microsoft confirmed it had mitigated the largest DDoS attack ever observed on Azure: a 15.72 Tbps, 3.64 Bpps barrage against a single public IP endpoint in Australia. The attack was powered by Aisuru — the same TurboMirai-class botnet behind the 22 Tbps attack recently reported by Cloudflare.
That alone is noteworthy. But the more interesting part is when this happened. Only weeks ago, many of us in the industry — including FastNetMon and KrebsOnSecurity — noted that Aisuru appeared to be shifting its focus towards residential proxy services and broader “multi-use” abuse, potentially stepping back from DDoS as its primary business model. Our own research suggested a tactical pivot: moving away from high-profile DDoS events and towards monetisable, less noisy operations.
But this latest attack shows something different. Aisuru hasn’t left the DDoS scene — it’s simply operating with a highly selective, high-impact strategy.
A powerful botnet, but a blunt instrument
Despite its size and sophistication in other areas, Aisuru has notable weaknesses when used for DDoS:
- Single-vector attacks
Most Aisuru attacks are direct-path UDP floods or simple TCP/UDP bursts — not the complex, multi-vector sequences we often see in more advanced campaigns.
- Little to no spoofing
TurboMirai-class malware can’t generate spoofed traffic, which makes traceback possible.
- Blunt-force strategy
Aisuru relies on raw volume — enormous bandwidth and packet rates — rather than subtlety. It hits hard, but not cleverly.
So should we conclude that Aisuru is less dangerous than it looks? Not quite.
The operational reality: if you’re too slow, you’re down
The uncomfortable truth is this: unless an organisation has a very rapid response capability and the network capacity to absorb the immediate impact, an Aisuru-class attack is not survivable.
The attacks Aisuru launches are usually over in less than a minute. If you cannot detect and mitigate within seconds, you will experience an outage. Many networks simply don’t have that level of readiness — and Aisuru is built around this factor.
The blind spot no one is talking about: outbound DDoS
There’s an even more interesting angle that the industry is barely discussing yet: the collateral damage of the attacks. Aisuru’s attacks send extraordinary volumes of traffic through networks that are not the intended targets. These are often broadband access networks hosting compromised devices.
This raises a critical, under-examined challenge: outbound DDoS.
We wrote about this recently — the idea that networks may unknowingly host massive attacks leaving their ASN. The operational, regulatory, and reputational risks are real, yet many operators still focus almost exclusively on inbound protection.
Outbound DDoS may well be the quietest problem in the DDoS ecosystem today. But as the attack volumes are growing exponentially, how much longer can we afford to ignore it?
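To make outbound monitoring concrete, here is an added example (not FastNetMon's code and not part of the original post) that buckets flow records into short windows and flags an external destination receiving a high aggregate packet rate from several local hosts. The subscriber prefix, thresholds, addresses and the flow-record tuple layout are assumptions, the records are constructed, and packet counts are assumed to be already scaled for sampling.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for illustration: prefix and thresholds are hypothetical.
LOCAL_NETS = [ip_network("100.64.0.0/10")]  # subscriber address space (constructed)
WINDOW_S = 5        # attacks end in under a minute, so evaluate every few seconds
PPS_LIMIT = 50_000  # aggregate outbound packets/s toward a single destination
MIN_SOURCES = 3     # several local hosts hitting one target suggests bot traffic


def is_local(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def detect_outbound(flows):
    """flows: iterable of (ts, src, dst, proto, packets, bytes) tuples.
    Returns alerts for external destinations flooded from local sources."""
    # (window index, dst, proto) -> local source -> packets sent in that window
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, proto, pkts, _bytes in flows:
        if is_local(src) and not is_local(dst):  # outbound direction only
            buckets[(int(ts) // WINDOW_S, dst, proto)][src] += pkts
    alerts = []
    for key in sorted(buckets):
        win, dst, proto = key
        per_src = buckets[key]
        pps = sum(per_src.values()) / WINDOW_S
        if pps >= PPS_LIMIT and len(per_src) >= MIN_SOURCES:
            # Traffic is not spoofed, so these are real subscriber addresses.
            alerts.append({"window_start": win * WINDOW_S, "dst": dst,
                           "proto": proto, "pps": pps, "sources": sorted(per_src)})
    return alerts


def sample_flows():
    """Constructed records: four subscribers flood one target, one browses."""
    flows = []
    for sec in range(5):
        for host in ("100.64.1.10", "100.64.1.11", "100.64.2.20", "100.64.3.30"):
            flows.append((sec, host, "203.0.113.7", "udp", 20_000, 20_000 * 512))
        flows.append((sec, "100.64.9.9", "198.51.100.5", "tcp", 40, 40 * 900))
    return flows


if __name__ == "__main__":
    for alert in detect_outbound(sample_flows()):
        print(alert)
```

Because the bots do not spoof, the `sources` list in each alert maps directly to the compromised devices on the access network that need cleanup or rate limiting.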
Where we go from here
The Azure attack is a reminder that:
- Aisuru hasn’t abandoned DDoS — it is doubling down on high-volume, low-complexity attacks.
- Major scrubbing centers can absorb the attack volume, but the speed of detection may pose a problem.
- The real systemic risk may come in the form of the networks carrying the attack, not only the networks receiving it.
If we want a more resilient Internet, the telco and ISP community must collaborate. Inter-ASN FlowSpec and outbound traffic monitoring offer a vendor-neutral way to contribute to resolving the situation. The solutions already exist — but they only work if deployed across the ecosystem. The DDoS landscape is evolving fast, and the times are, in every sense, very interesting.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com