Aisuru’s 30 Tbps botnet traffic crashes through major US ISPs

A newly disclosed attack campaign linked to the IoT botnet Aisuru led to a massive surge in malicious traffic, temporarily disrupting major online gaming platforms, with nearly 29.6 Tbps of DDoS packets.

According to logs shared by security engineers, the incident lasted only a few seconds on October 8, 2025, with the bulk of the botnet’s muscle lying in compromised devices — home routers, IP cameras, and DVRs — hosted under leading US ISPs like AT&T, Comcast, Verizon, T-Mobile, and Charter.

“ISPs hosting some of the Internet’s top gaming destinations have been hit with a relentless volley of gargantuan attacks that experts say are well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today,” investigative cybersecurity journalist Brian Krebs said in a blog post.

Krebs noted that while recent Aisuru attacks targeted only ISPs serving online gaming communities such as Minecraft, these DDoS sieges often result in widespread Internet disruption.

ISPs turned into botnet launchpads

According to the analysis, a majority of Aisuru’s traffic now originates from within US ISP networks. Logs from the recent attack showed that 11 of the top 20 traffic sources were these ISPs. Because so many infected endpoints are on US consumer networks, ISPs are now dealing with outbound traffic surges, not just defending against inbound attacks, Krebs added.

The shift means ISPs must now grapple with maintaining service integrity not just for victims of DDoS, but for their own non-compromised customers, whose performance may suffer when neighboring devices become attack nodes.

Krebs cited Steven Ferguson, principal security engineer at Global Secure Layer (GSL), which operates the TCPShield DDoS protection service used by more than 50,000 Minecraft servers worldwide, as reporting that TCPShield was flooded with more than 15 terabits of junk traffic per second on October 8. “Ferguson said that after the attack subsided, TCPShield was told by its upstream provider OVH that they were no longer welcome as a customer,” Krebs added.

Notably, the October 8 surge wasn’t an isolated episode. Ferguson’s earlier telemetry showed that Aisuru had already launched major assaults in mid-September, including a series of multi-terabit strikes targeting networks that serve popular online gaming communities, including Minecraft servers, Steam, and Riot Games.

The September attacks likely served as warm-up runs for the massive wave that followed weeks later.

From Mirai roots to proxy sales

Aisuru is not new. Its foundations trace back to the leaked code of the Mirai IoT botnet from 2016, which held “KrebsOnSecurity,” the investigative blog run by Krebs, offline for four days. “The 2016 assault was so large that Akamai – which was providing pro-bono DDoS protection for KrebsOnSecurity at the time — asked me to leave their service because the attack was causing problems for their paying customers,” Krebs had said then.

This time, Aisuru’s operators seem to be monetizing and scaling their creation. The botnet is now believed to serve dual roles, acting as a DDoS engine while also functioning as a residential proxy network. These proxies allow cybercriminals to route attacks through “legitimate” US home devices, masking the true origin of malicious traffic. Krebs also cited security researchers who believe a compromise of router firmware distribution infrastructure, with one alleged breach at Totolink’s firmware server in April 2025, could have accelerated device enrollment into Aisuru’s ranks. The timing of the takedown of a rival botnet (Rapper Bot) in August 2025 may have also allowed Aisuru to absorb the abandoned infected devices, boosting its growth.
