Another DDoS record has been reported, and once again, it is the same botnet setting it.
In late January 2026, Cloudflare disclosed details of what is now the largest publicly reported DDoS attack to date, an incident that occurred in December 2025 and peaked at 31.4 Tbps. The attack was attributed to the Aisuru botnet. While Kimwolf is often mentioned alongside Aisuru in public reporting, the two are generally understood to be closely related but distinct botnets, with indications that they may be operated independently or by partially overlapping groups. The latest record-breaking attack has been attributed specifically to Aisuru and exceeded its own previous record of 29.7 Tbps observed just three months earlier.
The Night Before Christmas campaign
The campaign, which Cloudflare dubbed “The Night Before Christmas”, began on 19 December and consisted of a large number of short but extremely intense network-layer attacks. Rather than a single sustained flood, the activity was characterised by repeated bursts designed to deliver maximum impact in a very limited time window.
Most of the attacks peaked between 1 and 5 Tbps, with only a small fraction exceeding 10 Tbps. Attacks at the extreme end of the spectrum, including the 31.4 Tbps peak, were rare but significant enough to reset expectations around what is now technically achievable. From a packet-rate perspective, the majority of attacks generated between one and five billion packets per second, underlining the continued shift toward high-volume, packet-intensive Layer 4 attacks.
Duration data paints a similarly clear picture. More than half of the attacks lasted between one and two minutes, while only around six percent exceeded two minutes in length. This preference for short-lived, high-intensity bursts mirrors a broader trend seen across recent large-scale DDoS campaigns, where attackers aim to overwhelm detection and mitigation systems before defenders can react.
Network-layer attacks at unprecedented scale
While the campaign also included application-layer HTTP floods exceeding 200 million requests per second, the defining feature of this incident was its scale at the network layer. According to Cloudflare’s reporting, network-layer attacks continue to account for the majority of DDoS growth, both in absolute numbers and in overall impact.
Targeted industries and regions
Targeting during the campaign focused primarily on high-traffic and latency-sensitive sectors. Telecommunications providers were among the main victims, alongside IT and online services, gaming platforms and gambling-related businesses. These industries tend to operate infrastructure where even short disruptions can have immediate and visible consequences.
Geographically, attacks were concentrated on major internet hubs and economically significant regions. The United States absorbed the largest share of hyper-volumetric attacks, followed by China, Hong Kong, Germany, Brazil and the United Kingdom. Disruptions in these regions can have knock-on effects well beyond a single organisation, particularly when shared infrastructure is involved.
Inside the Aisuru / Kimwolf botnet
The scale of the Aisuru botnet is largely explained by its underlying device population. The Kimwolf variant has been linked to the compromise of millions of unofficial Android TV and streaming devices, which are routinely exposed, poorly secured and rarely patched. This provides attackers with a vast, globally distributed pool of traffic sources that is difficult to disrupt permanently. Despite ongoing takedown and null-routing efforts by multiple security teams, the botnet has shown an ability to rapidly shift command-and-control infrastructure and continue operating.
A broader acceleration in DDoS activity
The record-breaking attack took place against a backdrop of rapidly accelerating DDoS activity. Cloudflare reports that total DDoS attacks reached 47.1 million in 2025, representing a 121 percent increase year over year. Network-layer attacks more than tripled compared to 2024, and the fourth quarter alone accounted for millions of incidents. Attacks exceeding 100 million packets per second grew by 600 percent, while attacks larger than 1 Tbps continued to rise quarter over quarter.
Taken together, these figures suggest that while attacks at the scale of 30 Tbps remain exceptional, multi-terabit DDoS events are no longer unusual. For network operators, the challenge is less about preparing for a single headline-grabbing peak and more about consistently detecting and mitigating frequent, short-lived but extremely aggressive network-layer attacks.
As botnets such as Aisuru continue to evolve and expand, manual intervention and slow detection pipelines are increasingly inadequate. Effective defence depends on real-time visibility, accurate classification and automated response at the packet and flow level.