Microsoft Mitigates Massive Azure DDoS Attack Powered by Aisuru Botnet

Microsoft has disclosed that it recently mitigated a record-breaking distributed denial-of-service (DDoS) attack targeting its Azure cloud infrastructure. The event highlights the continued escalation of botnet-driven assaults against service providers and the growing operational sophistication behind modern DDoS-for-hire ecosystems.

Overview of the Attack

According to Microsoft, the attack peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (Bpps), making it the largest DDoS attack ever recorded against Azure. The attack occurred on October 24 and focused on a single public IP address in Australia.

Despite the scale of the assault, Microsoft emphasizes that this was not the largest DDoS attack observed globally. That record remains with a 22.2 Tbps attack previously mitigated by Cloudflare against a European network operator. Both attacks share a common source: the rapidly expanding Aisuru botnet.

The Aisuru Botnet: TurboMirai at Massive Scale

Aisuru is classified as a TurboMirai-class IoT botnet, composed of compromised consumer devices such as:

  • Home and small-business routers

  • CCTV cameras

  • DVR and NVR systems

  • Other internet-exposed embedded devices

Aisuru operations demonstrate how easily attackers can build vast botnets from inexpensive, insecure hardware. The botnet is also monetized as a DDoS-for-hire service, commonly used to target gaming platforms, cloud providers, and high-traffic web applications. Beyond DDoS attacks, the same infrastructure can facilitate:

  • Credential stuffing

  • Automated web scraping

  • Phishing infrastructure

  • High-volume spam campaigns

Attack Characteristics

Microsoft reports that the assault relied on:

  • Extremely high-rate UDP floods

  • Over 500,000 source IPs across many regions

  • Minimal source IP spoofing

  • Randomized source port traffic

The lack of spoofing simplified traceback efforts and helped Microsoft coordinate with providers to curb malicious traffic. This characteristic aligns with observations from NETSCOUT, which has noted that TurboMirai-derived botnets struggle to generate spoofed packets, making it easier to identify and remediate infected devices.
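A defender-side illustration of how the traits listed above (UDP flood toward one address, many distinct unspoofed sources, randomized source ports) can be recognised in flow telemetry. This is an added example, not Microsoft's or NETSCOUT's detection logic; the record layout, thresholds, function names and sample flows are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune against your own traffic baseline.
MIN_SOURCES, MIN_PORT_ENTROPY, MIN_PPS = 100, 0.9, 50_000

def normalised_entropy(counts):
    """Shannon entropy of a Counter scaled to 0..1 (1 = uniformly random)."""
    total = sum(counts.values())
    if len(counts) < 2:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def detect_udp_floods(flows, window_seconds):
    """flows: (src_ip, src_port, dst_ip, proto, packets) records for one window.
    Returns {dst_ip: stats} for destinations showing all three flood traits."""
    per_dst = defaultdict(lambda: {"src": set(), "ports": Counter(), "pkts": 0})
    for src_ip, src_port, dst_ip, proto, packets in flows:
        if proto != "udp":
            continue
        d = per_dst[dst_ip]
        d["src"].add(src_ip)
        d["ports"][src_port] += packets
        d["pkts"] += packets
    alerts = {}
    for dst, d in per_dst.items():
        stats = {"sources": len(d["src"]),
                 "port_entropy": normalised_entropy(d["ports"]),
                 "pps": d["pkts"] / window_seconds}
        if (stats["sources"] >= MIN_SOURCES
                and stats["port_entropy"] >= MIN_PORT_ENTROPY
                and stats["pps"] >= MIN_PPS):
            alerts[dst] = stats
    return alerts

def constructed_flows():
    """Constructed sample: 200 sources flooding 192.0.2.10, plus benign traffic."""
    flows = []
    for i in range(200):
        prefix = "198.51.100" if i < 100 else "203.0.113"
        port = 1024 + (i * 7919) % 60000   # scattered source ports
        flows.append((f"{prefix}.{i % 100 + 1}", port, "192.0.2.10", "udp", 3000))
    for i in range(5):                      # small UDP load from one fixed port
        flows.append((f"198.51.100.{i + 1}", 53000, "192.0.2.53", "udp", 40))
    flows.append(("198.51.100.9", 44321, "192.0.2.10", "tcp", 500))
    return flows

if __name__ == "__main__":
    for dst, stats in detect_udp_floods(constructed_flows(), 10).items():
        print(dst, stats)
```

Because the sources are largely unspoofed, the per-destination source set is also a usable list of infected devices to hand to upstream providers; with spoofed traffic it would not be.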

Broader Implications

The Azure attack underscores several key trends:

  1. Botnets are rapidly scaling due to the proliferation of insecure IoT devices.

  2. DDoS-for-hire services remain cheap and accessible, enabling less-skilled actors to launch devastating attacks.

  3. Cloud providers are increasingly targeted, as attackers seek maximum disruption through single high-value endpoints.

  4. Global telemetry and coordinated mitigation are essential as attack traffic is now widely distributed across geographies and networks.

Microsoft reports that its automated defense systems successfully absorbed and mitigated the assault without customer impact, but warns that continued growth in botnet capacity may push future attacks even higher.

As DDoS operations evolve, cloud providers, ISPs, and device manufacturers will need to adopt more aggressive security baselines to reduce the pool of exploitable devices feeding these global botnet networks.