For thirty five seconds in November 2025, somebody fired the largest DDoS attack ever recorded at a single European network company. The peak hit 31.4 terabits per second. To put that in perspective, that is roughly the combined throughput of every undersea cable connecting North America to Europe, all aimed at one IP address.
The attack lasted barely longer than a tweet takes to read. Cloudflare's automated systems caught it and routed the traffic into the void before any human noticed. But the botnet that fired it, called Aisuru, was just getting started. By March 2026 the U.S. Department of Justice, working with Canadian and German authorities, would seize servers and disrupt four interconnected botnets that together controlled more than 3 million compromised devices around the world.
This is the story of how Aisuru worked, why it could grow so fast, and what it tells us about the messy intersection of IP intelligence, residential networks, and modern attack infrastructure. It is also a useful warning for anyone who runs a server, because the underlying problem that made Aisuru possible has not actually been solved.
What happened in November 2025
The 31.4 Tbps record was set on a single IPv4 destination at an unnamed European infrastructure provider. Cloudflare published the details a few weeks later: 35 second duration, autonomously detected and mitigated, traced to the Aisuru botnet which by that point was operating under a new variant called Kimwolf.
The numbers around it are worth sitting with. Cloudflare reported that during Q4 2025 hyper-volumetric attacks (over 1 Tbps) increased by 40% compared to the previous quarter, jumping from 1,304 to 1,824. Average attack size during the simultaneous "Night Before Christmas" campaign was 4 Tbps and 54 million requests per second. Across all of 2025, Cloudflare mitigated 34.4 million network-layer DDoS attacks compared to 11.4 million in 2024. They blocked an average of 5,376 attacks per hour throughout Q1 2026.
For a separate attack in September 2025 that peaked at 22.2 Tbps, Cloudflare traced the source traffic back to over 404,000 unique IP addresses spread across 14 different ASNs. Their analysis confirmed the source IPs were not spoofed. Real devices, real networks, real residential and small business connections being weaponised in real time.
Meet Aisuru, the botnet that grew up on residential proxies
Aisuru first showed up in late 2024. By mid 2025 it was launching record breaking attacks. The thing that separated it from older botnets like Mirai was not raw size, although the size was unprecedented. It was the spreading mechanism.
In October 2025, Aisuru got an upgrade and was rebranded as Kimwolf. The novelty, according to Tom Scholl at AWS who described it on LinkedIn, was that Kimwolf did not scan the open internet for vulnerable devices the way every botnet before it had. Instead, it infiltrated home networks through residential proxy mechanisms. Once inside, it could reach devices that home routers normally protect from external scanning. Streaming TV boxes, IoT cameras, mesh wifi gear, anything sitting on the internal LAN was suddenly exposed.
This matters because it broke the entire defensive model. For twenty years the assumption was that your router NAT acted as a firewall. Devices behind it could be insecure but unreachable from outside. Kimwolf got around that by being already inside, riding in via a separate proxy infection. The vulnerability used to do this was disclosed publicly by security firm Synthient on January 2, 2026, and involved exposed Android Debug Bridge interfaces on devices reachable through proxy provider IPIDEA's network.
By March 2026 the technique had been copied. Two more botnets, JackSkid and Mossad, started using the same approach. Black Lotus Labs at Lumen reported that JackSkid was averaging more than 150,000 victims per day in the first two weeks of March, peaking at 250,000 on March 8th. The same vulnerable pool of devices was being fought over by competing criminal operations.
What 3 million devices actually means
The DOJ's seizure paperwork claimed the four botnets together had infected more than 3 million IoT devices. By April 2026, Hackread cited tracking data showing the largest single botnet had grown to 13.5 million infected devices, a tenfold increase in one year, with infections concentrated across the United States, Brazil, and India.
When you look at this from an IP intelligence standpoint, those numbers translate to something specific. Most of these devices are sitting in residential IPv4 space belonging to ordinary consumer ISP pools. Pull up something like 73.142.187.220, a typical Comcast home connection, and there is nothing in the registration data that flags it as compromised. The reverse DNS looks normal. The ASN looks normal. To any standard IP intelligence tool, it shows up as a residential connection from a respected ISP and you would conclude the address was probably fine.
That is exactly the problem. Traditional IP blacklists rely on reputation accumulating slowly over time. A spam source gets reported, eventually shows up on Spamhaus, eventually gets added to commercial feeds. The whole loop takes hours or days. Aisuru and its variants attack from millions of residential IPs that nobody has any reputation data on, and rotate through them fast enough that by the time one address gets flagged, the attacker has already moved to ten thousand others. GreyNoise research published in early 2026 found that 78% of attacking IPs disappear from active use before any reputation database picks them up.
The compromised hardware breakdown is also instructive. Court documents and Lumen analysis describe the typical Aisuru victim profile: cheap Android TV boxes (often off brand, often shipped with debugging interfaces enabled), DVRs, IP cameras, and consumer routers running outdated firmware. These are devices people buy once, plug in, and never update for the next eight years. They are not laptops or phones where security patches arrive automatically. They are the soft underbelly of consumer networks, and there are billions of them.
The DOJ takedown of March 2026
On March 19 and 20, 2026, the Justice Department executed seizure warrants against domains and virtual servers used by Aisuru, Kimwolf, JackSkid, and Mossad. The action was coordinated with law enforcement in Canada and Germany. Some of the seized infrastructure had been used to launch attacks against U.S. Department of Defense systems, which gave the Defense Criminal Investigative Service jurisdiction.
According to the DOJ press release, the four botnets had collectively issued hundreds of thousands of DDoS commands. Some attacks measured around 30 Tbps. The operators were allegedly running classic DDoS for hire services, with a sideline in extortion: pay up or we sustain the attack against your business.
Brian Krebs, who has been on the Aisuru beat for over a year (and whose own site was hit by a 6.3 Tbps Aisuru attack), traced the apparent administrator of Kimwolf to a 23 year old in Ottawa, Canada, named Jacob Butler. Butler told Krebs he had not used the alias the operator was running under since 2021 and that someone had compromised his old credentials. Whether that holds up in court is something for the prosecutors to decide.
What the takedown actually accomplished is more limited than the press release suggests. Lumen's Black Lotus Labs null routed nearly 1,000 of the C2 servers used by Aisuru and Kimwolf, which broke the command channels for those botnets at the moment of seizure. But the 3 million compromised devices are still sitting in homes around the world. Their firmware is still vulnerable. The vulnerability used to recruit them is public knowledge. The next operator who wants to build a botnet has the same hardware pool to draw from, and many of the same techniques are being used by Mossad and other variants that were not part of the takedown.
Why your IP blacklist stopped working
This is the part that matters if you run a server. The shift from datacenter botnets to residential proxy enabled botnets has fundamentally changed what IP based defense looks like.
The old model assumed that attack traffic came from cheap VPS hosts in places like Bulgaria, Russia, or Vietnam. Block those ASNs at the firewall and you eliminated 80% of garbage traffic without affecting real users. This worked for years. It does not work anymore.
When Aisuru hits you, it comes from Comcast residential IPs in Texas. From Vodafone DSL in Germany. From Telekom Malaysia mobile addresses. From actual people's actual homes. If you blanket block residential ranges you also block your customers, because in 2026 a huge percentage of legitimate traffic comes from mobile and CGNAT pooled addresses. The whole concept of "block bad ASNs" stops being viable when bad and good traffic share the same ASN.
The defensive options that still work all involve faster feedback loops:
Real time community feeds beat static blacklists by hours or days. A community Fail2Ban blacklist that propagates a malicious IP within minutes of first detection across thousands of participating servers gives you a fighting chance. By the time a commercial database publishes its monthly update, the IP has already rotated.
ASN reputation, scored not blocked. Instead of blocking entire ASNs, weight them. Connections from a residential ISP that has been the source of 50,000 attacks this week get a higher friction score, more captchas, more rate limiting. Connections from clean ASNs flow through normally.
Behavioral fingerprinting. Look at request patterns, TLS signatures, header ordering. Real browsers have specific quirks that botnet code does not replicate. JA4 fingerprinting and similar techniques can identify malicious clients regardless of source IP.
Device tier defense. If your service does not need to support every router on Earth, pick the device classes that matter and fail closed for the rest. Most legitimate users in 2026 are on phones, laptops, or known good cloud egress. A Linux IoT device making POST requests to your login endpoint is almost certainly hostile.
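The scoring approach above, as an added example that is not code from ipwhois.net or any vendor: feed freshness, per-ASN attack volume and a client fingerprint check are combined into one additive friction score, and the ASN is weighted rather than blocked. The feed entries, ASN counts, fingerprint string and the fixed reference clock are all constructed sample data.

```python
"""Score friction from feed freshness, ASN weight and client fingerprint instead of
blocking whole ASNs. Added example, not ipwhois.net code; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed reference clock and community feed: ip -> time last reported (UTC).
NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)
COMMUNITY_FEED = {
    "203.0.113.7": NOW - timedelta(minutes=3),  # reported minutes ago: still hot
    "198.51.100.9": NOW - timedelta(days=2),    # stale: attacker has likely rotated off
}
# Constructed per-ASN attack counts for the current week (private-use ASNs).
ASN_ATTACKS_THIS_WEEK = {64500: 50_000, 64501: 12}
# Constructed allow-list of fingerprints observed from real browsers (JA4-style placeholder).
KNOWN_BROWSER_FINGERPRINTS = {"t13d1516h2_8daaf6152771_e5627efa2ab1"}

@dataclass
class Request:
    ip: str
    asn: int
    fingerprint: str
    path: str

def friction_score(req: Request, now: datetime = NOW) -> int:
    """Additive score; higher means more challenges, never an outright ASN block."""
    score = 0
    seen = COMMUNITY_FEED.get(req.ip)
    if seen is not None:
        # A report from the last hour counts heavily; an old one barely at all,
        # because by then the address has usually been recycled to someone else.
        score += 60 if now - seen < timedelta(hours=1) else 10
    # Weight the ASN by its recent attack volume: 1 point per 1,000 attacks, capped at 40.
    score += min(ASN_ATTACKS_THIS_WEEK.get(req.asn, 0) // 1000, 40)
    if req.fingerprint not in KNOWN_BROWSER_FINGERPRINTS:
        score += 30  # request does not look like a real browser
    if req.path == "/login":
        score += 10  # credential endpoints get extra scrutiny
    return score

def decision(req: Request) -> str:
    """Graduated response: allow, captcha, or rate-limit. Clean traffic from a
    noisy ASN gets friction, not a wall."""
    s = friction_score(req)
    if s >= 80:
        return "rate-limit"
    if s >= 40:
        return "captcha"
    return "allow"
```

A clean browser on the noisy ASN lands on "captcha" rather than being dropped, which is the whole point of scoring instead of blocking.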
The unsolved problem
Here is the uncomfortable truth that does not show up in DOJ press releases. The takedown of Aisuru, Kimwolf, JackSkid, and Mossad did not eliminate the threat. It removed four operators from the field while leaving the entire infrastructure that made them powerful intact.
Three million devices are still infected, or are still sitting unpatched waiting to be infected by whoever shows up next. The Android Debug Bridge vulnerability is now public, which means the barrier to entry has gone down, not up. Off brand Android TV boxes are still being shipped from factories with the same insecure defaults. Consumer routers are still being deployed with admin/admin credentials. Hospital networks, factory floors, and small ISPs in Brazil are still running the same equipment that got conscripted in the last round.
There is also a structural reason this keeps happening that nobody likes to talk about. Residential CGNAT pools share IP addresses across hundreds of users, which means any reputation system trying to score by IP is fighting blindfolded. A faster IPv6 transition would actually help here, since direct IPv6 addressing gives each device its own routable identity and its own reputation history. We are nowhere close to that future though, so for the next decade defense has to assume IP based attribution is broken.
The economic incentives also have not changed. DDoS for hire services charge as little as $38 per hour, while the average minute of downtime for a victim costs around $22,000. The attacker to defender cost ratio sits around 1 to 3,000. As long as those numbers hold, somebody is going to fill the vacuum left by the takedown.
The next botnet is being assembled right now. Probably by somebody in their early twenties. Probably using techniques copied from public security research. Probably built on the same residential proxy networks, the same compromised IoT devices, the same gaps in IPv4 reputation data that made Aisuru work.
What this means for ipwhois.net users
If you are running a server, the practical takeaways from the Aisuru episode are separate from the news cycle. Three things are worth doing this week.
First, audit your defensive stack against the actual threat model. If you are still relying on a quarterly downloaded blacklist file, you are not defending against 2026 attacks. You are defending against 2018 attacks.
Second, when you see suspicious traffic, look up the source ASN, the network owner, and the abuse contact. Real time IP intelligence tells you whether the same /24 has been responsible for ten thousand attacks this hour or whether it is a single misconfigured device. Those are very different problems and call for very different responses.
Third, contribute reputation data back to the community. The reason real time community feeds work is that they aggregate signals from thousands of independent observers. Every time your firewall blocks a residential IP launching a brute force attack, that is a data point. When it gets shared, it protects the next sysadmin who sees the same IP twenty minutes later.
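The second and third takeaways in code, as an added example that is not ipwhois.net's own tooling: group failed logins by /24 to tell a swarming block from a single misconfigured device, then select the data points worth contributing to a community feed. The sshd log lines are constructed, and the thresholds are assumptions to tune for your own traffic.

```python
"""Separate a swarming /24 from one misconfigured device, then pick the data
points worth sharing. Added example, not ipwhois.net code; log lines are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sshd syslog lines: a sweep from one /24 and a single repeat offender.
SAMPLE_LOG = """\
Mar 20 12:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 20 12:00:02 web1 sshd[2102]: Failed password for admin from 203.0.113.9 port 41000 ssh2
Mar 20 12:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.120 port 41002 ssh2
Mar 20 12:00:05 web1 sshd[2105]: Failed password for backup from 198.51.100.9 port 60001 ssh2
Mar 20 12:00:06 web1 sshd[2106]: Failed password for backup from 198.51.100.9 port 60002 ssh2
Mar 20 12:00:07 web1 sshd[2107]: Failed password for backup from 198.51.100.9 port 60003 ssh2
Mar 20 12:00:08 web1 sshd[2108]: Accepted publickey for deploy from 192.0.2.10 port 5000 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_failures(log: str) -> list[tuple[str, str]]:
    """Return (username, source_ip) for every failed password attempt."""
    return [(m.group(1), m.group(2)) for line in log.splitlines() if (m := FAILED_RE.search(line))]

def slash24(ip: str) -> str:
    return str(ip_network(f"{ip}/24", strict=False))

def group_by_slash24(failures) -> dict:
    """Map each /24 to its distinct source IPs and total attempts."""
    groups = defaultdict(lambda: {"ips": set(), "attempts": 0})
    for _, ip in failures:
        groups[slash24(ip)]["ips"].add(ip)
        groups[slash24(ip)]["attempts"] += 1
    return dict(groups)

def classify(groups, distinct_threshold: int = 3) -> dict:
    """Many distinct sources in one /24 looks like a botnet sweep; one address
    hammering looks like a single misconfigured or compromised device."""
    return {net: ("distributed" if len(g["ips"]) >= distinct_threshold else "single-source")
            for net, g in groups.items()}

def share_records(failures, verdicts, min_attempts: int = 3) -> dict:
    """Reputation data points worth contributing: every IP in a distributed /24
    (a per-IP threshold alone would miss a one-attempt-per-address sweep) plus
    any single source that crossed the attempt threshold."""
    per_ip = defaultdict(int)
    for _, ip in failures:
        per_ip[ip] += 1
    return {ip: n for ip, n in per_ip.items()
            if verdicts.get(slash24(ip)) == "distributed" or n >= min_attempts}
```

Note that the three 203.0.113.x addresses each made one attempt, so a plain per-IP Fail2Ban-style threshold would never report them; the /24 view is what surfaces the sweep.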
The IP intelligence problem is solvable, but only if defenders share information at the same speed attackers rotate addresses. Static lists, slow feeds, and reputation databases that update once a day are over. Attacks happen at machine speed now, and defense has to too.
[Image: DDoS attack simulation, created with AI (Grok)]
Wrap up
Aisuru was not the biggest news story of 2026. It barely registered outside security press. But it is the most important DDoS event of the decade because of what it proved: that residential networks have become an exploitable resource at scale, that traditional IP defenses have been outflanked, and that takedowns of individual operators do not address the underlying weakness in consumer hardware.
The 31.4 Tbps record will be broken. Probably this year. The next attack will come from a botnet whose name we do not know yet, built on the same hardware pool and the same techniques. The defensive playbook has to change before the next attack, not after.