Microsoft Mitigates Record 15.72 Tbps DDoS Attack Driven by AISURU Botnet
Microsoft on Monday disclosed that it automatically detected and neutralized a distributed denial-of-service (DDoS) attack targeting a single endpoint in Australia that measured 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps). The tech giant said it was the largest DDoS attack ever observed in the cloud, and that it originated from a TurboMirai-class Internet of
AI Analysis
Technical Summary
On November 18, 2025, Microsoft disclosed that it had mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps) against a single endpoint in Australia, the largest DDoS attack Microsoft has observed in the cloud. The attack was launched by AISURU, a TurboMirai-class Internet of Things (IoT) botnet of roughly 300,000 infected devices, mostly home routers, IP cameras and DVRs.

The traffic consisted of very high-rate UDP floods sent with randomized source ports and minimal source-IP spoofing. Because the source addresses were largely genuine, the flood could be traced back to the originating networks and reported to their operators, which simplifies enforcement even though it does nothing to reduce the volume that has to be absorbed during the attack.

AISURU is rented to a restricted clientele, and its operators reportedly decline attacks on government, law-enforcement, military and national-security targets, concentrating on online gaming and other commercial victims. Beyond DDoS, the same devices are used for credential stuffing, AI-driven web scraping, spamming, phishing and residential proxy services.

The record size reflects the growing upload bandwidth of fiber-to-the-home connections and the greater processing power of current IoT hardware, both of which raise the baseline for attack sizes. Microsoft's automated cloud mitigation absorbed the attack without service disruption, but the compromised devices remain online, so further attacks of this scale should be expected. The disclosure also references related botnets such as Eleven11 (RapperBot), which have been dismantled but left the vulnerable devices they ran on in place. AISURU's use of an alternative DNS root, the .libre top-level domain, for command-and-control names is a notable evasion detail: such names do not resolve through resolvers that follow the ICANN root, so conventional DNS blocklists never see them, and resolution attempts toward alternative-root resolvers from IoT segments are themselves a useful indicator. The incident underscores the scale of IoT-driven DDoS and the need for detection and mitigation capacity that scales with it.
Potential Impact
For European organizations, AISURU-driven DDoS attacks pose a direct risk to the availability of online services, gaming platforms and cloud infrastructure: traffic at this volume saturates links and exhausts network resources long before application-layer defenses are involved, causing outages and degraded performance. Although the botnet reportedly avoids governmental and military targets, that restriction is the operators' policy rather than a technical limit, and critical infrastructure and private-sector enterprises with exposed public-facing endpoints remain vulnerable. The multi-functional nature of AISURU, which also supports credential stuffing and phishing, threatens confidentiality and integrity by enabling account takeover and fraud, while its residential proxy and AI-driven scraping services affect data privacy and intellectual property. The rising baseline for attack sizes, driven by faster consumer connections and more capable IoT hardware, means European networks should expect escalating DDoS volumes. Europe's high IoT adoption also makes local devices likely recruits for such botnets, so European networks are both targets and sources of this traffic. Disruption to online services carries economic cost and erodes user trust, and mitigation capacity at this scale is itself a significant operational expense.
Mitigation Recommendations
European organizations should treat multi-terabit, multi-billion-pps floods as the planning baseline rather than an outlier. Concretely:
- Put public-facing endpoints behind a cloud or upstream scrubbing service whose announced capacity exceeds the sizes reported here; on-premises appliances cannot absorb a 15 Tbps flood, and the goal is to have the traffic dropped before it reaches the last mile.
- Deploy DDoS detection that watches per-destination bits per second, packets per second, distinct source counts and source-port distribution, and that triggers automated diversion or filtering rather than waiting for an operator.
- Apply ingress and egress filtering (BCP 38) on every network you control. It blocks spoofed traffic leaving your networks and the reflection attacks that depend on it, but note that the AISURU floods used mostly genuine source addresses, so BCP 38 alone does not stop this class of attack.
- Use the genuine source addresses for what they are good for: collect the source list during an event and pass it to abuse contacts and upstream providers, which is how the traceback the disclosure describes turns into cleanup of infected devices.
- Treat geo-fencing and rate limiting as blunt controls. A botnet of residential routers and cameras is spread across every region where the device models are sold, so blocking "known malicious regions" mostly blocks legitimate users, and per-flow or per-port rate limits at the edge help with packet rate, not with link saturation.
- For IoT you operate: inventory every device, change default credentials, apply firmware updates, disable unneeded management interfaces and remote access, and segment IoT traffic so a compromised camera cannot reach internal systems. Monitor IoT segments for unexpected outbound UDP volume and for DNS queries to alternative-root resolvers.
- Share indicators through ISACs and national CERTs, and support law-enforcement and industry action against command-and-control infrastructure, which is what reduces the pool of conscripted devices.
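The traffic characteristics described in the technical summary (high-rate UDP floods, randomized source ports, largely unspoofed sources, one destination) and the detection recommendation above translate into a small flow-level detector. The following is an added example written for this page; it is not code from The Hacker News, Microsoft or the botnet's operators. The flow-record field names, the thresholds and the sample flows (documentation-range addresses, 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all constructed for the example.

```python
"""Flag volumetric UDP floods in flow records and keep the source list for
abuse reporting. Added example for this page; the Flow field names mirror
what a NetFlow/IPFIX collector exposes but are this example's own."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "udp" or "tcp"
    packets: int
    bytes: int


def port_entropy(ports):
    """Shannon entropy (bits) of a list of port numbers. A few fixed ports
    give a value near 0; randomised ports approach log2(len(ports))."""
    counts = defaultdict(int)
    for p in ports:
        counts[p] += 1
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_udp_floods(flows, window_s=1.0, min_bps=1e9, min_pps=1e5,
                      min_sources=100, min_port_entropy=5.0):
    """Bucket UDP flows per (destination, time window) and return a finding
    for every bucket whose volume, source spread and source-port randomness
    all exceed the thresholds. The thresholds are illustrative assumptions;
    a real deployment sizes them against the link and the target's baseline."""
    buckets = defaultdict(list)
    for f in flows:
        if f.proto == "udp":
            buckets[(f.dst, int(f.ts // window_s))].append(f)

    findings = []
    for (dst, win), group in sorted(buckets.items()):
        bps = sum(f.bytes for f in group) * 8 / window_s
        pps = sum(f.packets for f in group) / window_s
        sources = {f.src for f in group}
        entropy = port_entropy([f.sport for f in group])
        if (bps >= min_bps and pps >= min_pps
                and len(sources) >= min_sources
                and entropy >= min_port_entropy):
            findings.append({
                "dst": dst,
                "window_start": win * window_s,
                "gbps": round(bps / 1e9, 3),
                "mpps": round(pps / 1e6, 3),
                "sources": len(sources),
                "sport_entropy_bits": round(entropy, 2),
                # Unspoofed sources are what abuse desks and upstreams need.
                "sample_sources": sorted(sources)[:5],
            })
    return findings


def sample_flows():
    """Constructed records: a flood from 200 distinct hosts with distinct
    source ports against one endpoint, plus ordinary DNS and one TCP flow."""
    flows = []
    for i in range(200):
        flows.append(Flow(ts=1700000000.0 + i / 1000, src=f"203.0.113.{i}",
                          sport=1024 + (i * 7919) % 60000, dst="192.0.2.10",
                          dport=443, proto="udp", packets=10_000,
                          bytes=1_500_000))
    for i in range(5):                       # benign DNS lookups
        flows.append(Flow(ts=1700000000.2, src=f"198.51.100.{i % 3}",
                          sport=50000 + i, dst="192.0.2.53", dport=53,
                          proto="udp", packets=1, bytes=80))
    flows.append(Flow(ts=1700000000.4, src="198.51.100.9", sport=51234,
                      dst="192.0.2.10", dport=443, proto="tcp",
                      packets=40, bytes=30_000))
    return flows


if __name__ == "__main__":
    for finding in detect_udp_floods(sample_flows()):
        print(finding)
```

On the constructed data the detector reports one finding for 192.0.2.10 (2.4 Gbps, 2.0 Mpps, 200 sources, about 7.6 bits of source-port entropy) and nothing for the DNS traffic. The entropy test is what separates a randomized-port flood from a legitimate burst to a single service port, and the retained source list is the artifact to hand to abuse contacts, since, as the summary notes, the addresses are mostly real.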
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Article Source: https://thehackernews.com/2025/11/microsoft-mitigates-record-572-tbps.html (fetched 2025-11-18T09:19:14Z, 1012 words)
Threat ID: 691c3a1b35a0ab0a56323a96
Added to database: 11/18/2025, 9:19:23 AM
Last enriched: 11/18/2025, 9:19:37 AM
Last updated: 11/19/2025, 2:59:07 AM