
ASERT Threat Summary: Aisuru and Related TurboMirai Botnet DDoS Attack Mitigation and Suppression—October 2025—v1.0

by Roland Dobbins

Executive Summary

In October 2025, multiple high-impact direct distributed denial-of-service (DDoS) demonstration attacks exceeding 20Tb/sec and/or 4gpps were publicly reported. These attacks, primarily targeting online internet gaming organizations, were launched using a Mirai-derivative Internet of Things (IoT) DDoS-capable botnet commonly referred to as “Aisuru.” The Aisuru DDoS botnet operates as a DDoS-for-hire service with restricted clientele; operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties. Most observed Aisuru attacks to date appear to be related to online gaming. Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises.

Key Findings

  • Aisuru and related TurboMirai-class IoT botnets have launched DDoS attacks exceeding 20Tb/sec and 4gpps, primarily related to online gaming activities.
  • The term “TurboMirai” is used to describe this general class of Mirai-variant DDoS botnets capable of generating multi-Tb/sec and multi-gpps direct-path DDoS attacks.
  • Attacks typically consist of direct-path UDP, TCP, and GRE packet floods utilizing medium-size packets (540–750 bytes) with pseudo-randomized ports and TCP flag combinations. Other packet sizes and characteristics have also been observed.
  • Outbound/crossbound attack traffic exceeding 1Tb/sec from compromised customer premises equipment (CPE) devices has caused significant disruption to wireline and wireless broadband access networks. High-throughput attacks (4gpps+) have caused chassis-based router line card failures.
  • These botnets cannot generate spoofed DDoS attack traffic, allowing traceback and correlation with subscriber information that can be utilized to identify, quarantine, and remediate compromised devices.
  • Comprehensive defense requires instrumentation of all network edges with outbound/crossbound suppression equal in priority to inbound mitigation. Intelligent DDoS mitigation systems (IDMSs), network infrastructure best current practices (BCPs) such as infrastructure ACLs (iACLs), and proactive remediation of abusable CPE are essential.

Description

Aisuru is one of multiple “TurboMirai” DDoS-capable IoT botnets enhanced to substantially increase attack traffic generated per botnet node. These botnets incorporate additional dedicated DDoS attack capabilities and multi-use functions, enabling both DDoS attacks and other illicit activities such as credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing. Aisuru includes an onboard residential proxy service used to reflect HTTPS application-layer DDoS attacks generated by external attack harnesses.

Aisuru botnet nodes primarily consist of consumer-grade broadband access routers, online CCTV and DVR systems, and other vulnerable CPE devices running similar OEM firmware variants. The botnet operators actively research new exploits in order to compromise fresh populations of devices and enroll them as Aisuru nodes.

The botnet retains the direct-path UDP, TCP, GRE, and DNS query-flooding capabilities of the original Mirai botnet, supplemented by carpet-bombing targeting, pseudo-randomization of UDP and TCP source/destination ports and TCP flag combinations, and organic HTTP application-layer DDoS capability.

Both high-bandwidth (large packets, high bps) and high-throughput (small packets, high pps) DDoS attacks have been observed. UDP and TCP direct-path flooding capabilities default to medium-size packets in the 540–750-byte range, balancing bps and pps. Small-packet/high-pps attacks of 4gpps and above have overwhelmed line cards of chassis-based routers and layer-3 switches, causing them to drop off chassis backplane fabrics and disrupting bystander traffic. In some cases, BCPs intended to protect network infrastructure equipment may not have been fully implemented.

Outbound and crossbound (east-west) DDoS attacks are often as disruptive as inbound attacks. Multiple broadband access network operators have experienced negative operational impact from outflows of Aisuru DDoS attack traffic exceeding 1Tb/sec and/or 1gpps, sourced from compromised on-net and/or downstream CPE devices. While some network operators have implemented outbound/crossbound DDoS attack suppression functionality, many have not.

In addition to high-impact multi-Tb/sec and/or gpps DDoS attacks, Aisuru and related IoT DDoS botnets are also utilized in considerable numbers of lower-volume DDoS attacks, which are nevertheless effective against undefended targets.

Recommended Actions

To date, the traffic generated by Aisuru and related TurboMirai-class IoT botnets in all observed DDoS attacks has been single-vector and direct-path. In a small number of instances, these botnets have participated in multivector attacks in which additional DDoS-for-hire services appear to have simultaneously generated UDP- and TCP-based reflection/amplification attack traffic; the botnets themselves cannot generate the spoofed traffic that reflection/amplification attacks require.

A substantial proportion of DDoS attacks launched via these botnets consists of direct-path packet floods with the following characteristics:

  • UDP attacks: Medium-to-large packets are commonplace, although many attacks utilize smaller packets; attack traffic is generally sourced from fixed or pseudo-randomized UDP ephemeral ports and directed toward fixed or semi-randomized UDP destination ports.
  • TCP attacks: Packet sizes are predominantly either small or large, with relatively few attacks featuring medium-size TCP packets.
  • Pseudo-randomized, purposeful, and arbitrary TCP flag combinations have all been observed, with as many as 119 distinct TCP flag combinations observed in a single attack.
  • Organic HTTP application-layer attack capability; HTTPS attacks reflected through onboard residential proxy service.

Some TCP packet-flooding attack traffic appears deliberately crafted to resemble legitimate HTTP request or response packets at layer-4 in order to complicate classification. No consistent, discernible patterns have been observed in packet payload characteristics.
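The traits listed above (medium 540–750-byte packets, pseudo-randomized source ports, many distinct TCP flag combinations toward one destination) can be scored directly from exported flow records. The following is an added example written for this summary, not NETSCOUT or Sightline code: it aggregates constructed flow records per (destination, protocol) pair and raises a verdict when a vector above a packet-rate floor shows two or more of those traits. The `Flow` field names, the sample records, and every threshold are assumptions chosen for the sample; production floors come from per-link baselines.

```python
"""Added example: flag TurboMirai-style direct-path floods in exported flow records.

Constructed sample data and illustrative thresholds; not NETSCOUT code. Field names
and thresholds are assumptions chosen for the sample, not Sightline parameters.
"""
from collections import defaultdict
from dataclasses import dataclass, field

INTERVAL_SEC = 60                    # constructed: every record below falls in one 60 s export interval
PPS_THRESHOLD = 5_000                # constructed alert floor; real baselines are per link and per edge
MEDIUM_MIN, MEDIUM_MAX = 540, 750    # medium packet range cited in the advisory
MIN_SRC_PORTS = 32                   # constructed: evidence of pseudo-randomized ephemeral ports
MIN_FLAG_COMBOS = 8                  # constructed: evidence of pseudo-randomized TCP flag combinations


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int        # 6 = TCP, 17 = UDP, 47 = GRE
    src_port: int
    dst_port: int
    packets: int
    bytes: int
    tcp_flags: int    # raw TCP flag byte; 0 for non-TCP flows


@dataclass
class VectorSummary:
    """Aggregate of all flows toward one (destination, protocol) pair."""
    packets: int = 0
    bytes: int = 0
    sources: set = field(default_factory=set)
    src_ports: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    flag_combos: set = field(default_factory=set)

    @property
    def pps(self) -> float:
        return self.packets / INTERVAL_SEC

    @property
    def avg_packet_size(self) -> float:
        return self.bytes / self.packets if self.packets else 0.0


def summarize(flows):
    """Group flow records by (dst_ip, proto), the granularity at which a vector is mitigated."""
    summaries = defaultdict(VectorSummary)
    for f in flows:
        s = summaries[(f.dst_ip, f.proto)]
        s.packets += f.packets
        s.bytes += f.bytes
        s.sources.add(f.src_ip)
        s.src_ports.add(f.src_port)
        s.dst_ports.add(f.dst_port)
        if f.proto == 6:
            s.flag_combos.add(f.tcp_flags)
    return dict(summaries)


def classify(proto, s):
    """Return (verdict, reasons). Two or more TurboMirai traits above the pps floor trigger the verdict."""
    if s.pps < PPS_THRESHOLD:
        return "normal", []
    reasons = []
    if MEDIUM_MIN <= s.avg_packet_size <= MEDIUM_MAX:
        reasons.append(f"medium packets (avg {s.avg_packet_size:.0f} B)")
    if len(s.src_ports) >= MIN_SRC_PORTS:
        reasons.append(f"{len(s.src_ports)} distinct source ports")
    if proto == 6 and len(s.flag_combos) >= MIN_FLAG_COMBOS:
        reasons.append(f"{len(s.flag_combos)} distinct TCP flag combinations")
    if len(reasons) >= 2:
        return "turbomirai_direct_path_flood", reasons
    return "volumetric_other", reasons


def analyze(flows):
    return {key: classify(key[1], s) for key, s in summarize(flows).items()}


def build_sample_flows():
    """Constructed records: a TCP and a UDP flood toward 203.0.113.10 from three CPE sources, plus benign traffic."""
    sources = ["198.51.100.21", "198.51.100.70", "198.51.100.130"]
    # Sixteen distinct flag bytes, cycled so the pseudo-randomization is deterministic in this sample.
    flag_combos = [0x02, 0x12, 0x10, 0x18, 0x11, 0x04, 0x14, 0x29,
                   0x3F, 0x00, 0x08, 0x01, 0x30, 0x21, 0x22, 0x2A]
    flows = []
    for i in range(120):   # TCP flood: 640-byte packets, ephemeral source ports spread with a stride of 97
        flows.append(Flow(sources[i % 3], "203.0.113.10", 6, 1024 + i * 97, 443,
                          5_000, 5_000 * 640, flag_combos[i % 16]))
    for i in range(60):    # UDP flood: 560-byte packets toward four game-server ports
        flows.append(Flow(sources[i % 3], "203.0.113.10", 17, 20_000 + i * 31, 27_015 + i % 4,
                          6_000, 6_000 * 560, 0))
    flows.append(Flow("192.0.2.8", "203.0.113.20", 6, 52_344, 443, 40, 40 * 1_200, 0x18))  # benign HTTPS
    return flows


if __name__ == "__main__":
    for (dst, proto), (verdict, reasons) in analyze(build_sample_flows()).items():
        print(f"{dst} proto={proto}: {verdict} {reasons}")
```

Keying on (destination, protocol) rather than on destination alone matters because the TCP and UDP components of one attack are mitigated with different countermeasures; the flag-combination count is only meaningful for the TCP key.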

Attack traffic generated by TurboMirai DDoS botnets such as Aisuru is not spoofed because the botnet code does not run in a privileged context on compromised devices; additionally, most botnet nodes are sited on broadband access networks that have source-address validation (SAV) mechanisms enabled by default at the access layer.

DDoS Attack Detection/Classification/Traceback

Network operators should ensure all network edges, including customer aggregation edges and peering edges with large endpoint networks (cloud providers/CDNs/gaming providers/search providers/content providers), are instrumented. Outbound/crossbound DDoS detection/classification/traceback should be enabled for traffic both ingressing and egressing all network edges and incorporated into active DDoS defenses and periodic testing regimes.

Both inbound and outbound/crossbound DDoS attack alerting should be enabled for DDoS detection/classification/traceback systems such as NETSCOUT Arbor Sightline. Operationally significant volumes of outbound and crossbound DDoS attack traffic are generated by Aisuru botnet nodes.

On-net and downstream attack sources should be identified for remediation/decommissioning/replacement. In the event of disruption of botnet command-and-control infrastructure, abusable devices are often recompromised and incorporated into successor TurboMirai-class IoT DDoS botnets.
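Because the attack traffic is not spoofed, the source addresses of outbound flows at the customer aggregation edge can be correlated with subscriber records to produce a remediation list. The following is an added example written for this summary, not NETSCOUT or Sightline code: it aggregates constructed outbound flow records per source, drops sources below a packet-rate floor, looks each remaining source up in a constructed allocation table, separates off-net (transit) sources that belong to a peer, and groups on-net candidates by CPE model, since devices sharing OEM firmware tend to be compromised together. The table, records, and threshold are all assumptions.

```python
"""Added example: trace outbound flood sources to subscribers for remediation.

Constructed subscriber table, flow records and threshold; not NETSCOUT code. The
source addresses are trusted for this correlation because the traffic is not spoofed.
"""
import ipaddress
from collections import defaultdict

INTERVAL_SEC = 60
OUTBOUND_PPS_THRESHOLD = 1_000   # constructed floor; a home CPE's real outbound baseline is far lower

# Constructed subscriber allocation table: customer prefix -> (subscriber id, CPE model)
SUBSCRIBERS = {
    "198.51.100.0/26":   ("SUB-0001", "OEM-router-A"),
    "198.51.100.64/26":  ("SUB-0002", "OEM-router-A"),
    "198.51.100.128/26": ("SUB-0003", "OEM-dvr-B"),
    "198.51.100.192/26": ("SUB-0004", "OEM-router-C"),
}
_TABLE = [(ipaddress.ip_network(p), v) for p, v in SUBSCRIBERS.items()]

# Constructed outbound flows seen at the customer aggregation edge: (src_ip, dst_ip, packets, bytes)
OUTBOUND_FLOWS = [
    ("198.51.100.21",  "203.0.113.10", 90_000,  90_000 * 640),
    ("198.51.100.21",  "203.0.113.10", 30_000,  30_000 * 640),
    ("198.51.100.70",  "203.0.113.10", 120_000, 120_000 * 640),
    ("198.51.100.130", "203.0.113.10", 150_000, 150_000 * 560),
    ("198.51.100.200", "192.0.2.44",   2_400,   2_400 * 1_300),   # ordinary upload, stays below the floor
    ("192.0.2.99",     "203.0.113.10", 200_000, 200_000 * 640),   # not in customer space: transit, not on-net
]


def lookup_subscriber(ip):
    """Longest-prefix match of a source address against the allocation table; None if off-net."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in _TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else None


def trace_outbound(flows):
    """Aggregate outbound packets per source, split into on-net candidates and off-net sources."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for src, dst, pkts, _ in flows:
        packets[src] += pkts
        targets[src].add(dst)
    on_net, off_net = [], []
    for src, pkts in packets.items():
        pps = pkts / INTERVAL_SEC
        if pps < OUTBOUND_PPS_THRESHOLD:
            continue
        info = lookup_subscriber(src)
        if info is None:
            off_net.append(src)        # upstream/transit source: hand to the peer, not to subscriber care
            continue
        on_net.append({"src": src, "subscriber": info[0], "cpe_model": info[1],
                       "pps": pps, "targets": sorted(targets[src])})
    on_net.sort(key=lambda c: c["pps"], reverse=True)   # stable sort: ties keep first-seen order
    return {"on_net": on_net, "off_net": sorted(off_net)}


def count_by_cpe_model(candidates):
    """Same OEM firmware tends to be compromised together; group tickets by model for bulk remediation."""
    counts = defaultdict(int)
    for c in candidates:
        counts[c["cpe_model"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = trace_outbound(OUTBOUND_FLOWS)
    for c in result["on_net"]:
        print(f"quarantine {c['src']} ({c['subscriber']}, {c['cpe_model']}): "
              f"{c['pps']:.0f} pps -> {c['targets']}")
    print("off-net sources:", result["off_net"])
    print("by model:", count_by_cpe_model(result["on_net"]))
```

Off-net sources are kept separate on purpose: a high-rate source outside the operator's own customer space reached the edge from a peer or upstream and is that network's remediation problem, while on-net candidates feed the quarantine and replacement workflow described above.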

DDoS Attack Mitigation/Suppression

Intelligent DDoS mitigation: NETSCOUT Arbor Sightline and Threat Mitigation System (TMS) perform granular mitigation and suppression of outbound/crossbound DDoS attack traffic while minimizing underblocking and overblocking.

Infrastructure-based mitigation/suppression: Flowspec mitigations and source-based remotely triggered blackholing (S/RTBH) can drop, redirect, and/or rate-limit traffic based on layer-4 characteristics. However, hardware resources for Flowspec rules are subject to platform/line card/ASIC/OS/train/release-specific limits, and S/RTBH drops both legitimate and illegitimate traffic to/from blackholed devices without differentiation. Both mechanisms should be used with appropriate BCPs to exclude critical resources from inadvertent disruption, as well as observing minimum prefix length constraints to prevent networkwide overblocking.
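The BCP constraints in the paragraph above (exclude critical resources, enforce a minimum prefix length, stay within platform rule limits) are the kind of guardrails worth checking automatically before a Flowspec rule or S/RTBH route is advertised. The following is an added example written for this summary, not NETSCOUT or router-vendor code: it validates constructed candidate rules against constructed protected prefixes and limits. The match components use RFC 8955 naming (destination prefix, IP protocol, destination port, packet length), and the rate-limit action corresponds to the RFC's traffic-rate extended community, with `"discard"` accepted as shorthand for a rate of zero; the guardrail values and the platform limit are assumptions, since real limits are platform- and release-specific.

```python
"""Added example: pre-deployment checks for Flowspec and S/RTBH mitigation rules.

Constructed protected prefixes, limits and rules; not NETSCOUT or vendor code.
Rule-count limits are an input because they vary by platform, line card and release.
"""
import ipaddress

# Constructed guardrails. Real values come from the operator's address plan and platform documentation.
MIN_FLOWSPEC_PREFIXLEN = 24      # never let one Flowspec rule match more than a /24
SRTBH_HOST_PREFIXLEN = 32        # blackhole one source host at a time; shorter prefixes silence neighbours
PROTECTED_PREFIXES = [           # resolvers, loopbacks, other infrastructure never touched by automation
    ipaddress.ip_network("203.0.113.48/28"),
    ipaddress.ip_network("192.0.2.0/24"),
]
MAX_PACKET_LENGTH = 65_535


def _overlaps_protected(net):
    return any(net.overlaps(p) for p in PROTECTED_PREFIXES)


def validate_flowspec_rule(rule, existing_rules, platform_limit):
    """Return (ok, problems) for a candidate rule dict before it is advertised."""
    problems = []
    dst = ipaddress.ip_network(rule["dst"])
    if dst.prefixlen < MIN_FLOWSPEC_PREFIXLEN:
        problems.append(f"destination {dst} shorter than /{MIN_FLOWSPEC_PREFIXLEN}: networkwide overblocking risk")
    if _overlaps_protected(dst):
        problems.append(f"destination {dst} overlaps a protected infrastructure prefix")
    if "proto" not in rule:
        problems.append("no IP protocol match: rule would match every protocol toward the destination")
    lo, hi = rule.get("packet_length", (0, MAX_PACKET_LENGTH))
    if not (0 <= lo <= hi <= MAX_PACKET_LENGTH):
        problems.append(f"packet-length range {lo}-{hi} is invalid")
    action, value = rule["action"]
    if action == "traffic-rate" and value < 0:
        problems.append("traffic-rate must be >= 0 bytes/sec (0 means discard)")
    elif action not in ("traffic-rate", "discard"):   # "discard" is shorthand for traffic-rate 0
        problems.append(f"unsupported action {action!r}")
    if existing_rules + 1 > platform_limit:
        problems.append(f"adding this rule would exceed the platform limit of {platform_limit} Flowspec entries")
    return (not problems), problems


def validate_srtbh(source_prefix):
    """S/RTBH drops everything to and from the prefix, so only host routes outside protected space qualify."""
    net = ipaddress.ip_network(source_prefix)
    problems = []
    if net.prefixlen != SRTBH_HOST_PREFIXLEN:
        problems.append(f"{net} is not a /{SRTBH_HOST_PREFIXLEN}: blackholing it silences every host in the prefix")
    if _overlaps_protected(net):
        problems.append(f"{net} overlaps a protected infrastructure prefix")
    return (not problems), problems


# Constructed candidates
GOOD_RULE = {"dst": "203.0.113.10/32", "proto": 17, "dst_ports": [27015, 27016, 27017, 27018],
             "packet_length": (540, 750), "action": ("traffic-rate", 10_000_000)}
WIDE_RULE = {"dst": "203.0.0.0/16", "proto": 6, "action": ("traffic-rate", 0)}
RESOLVER_RULE = {"dst": "203.0.113.53/32", "action": ("discard", None)}

if __name__ == "__main__":
    for name, rule in [("good", GOOD_RULE), ("wide", WIDE_RULE), ("resolver", RESOLVER_RULE)]:
        print(name, validate_flowspec_rule(rule, existing_rules=1_200, platform_limit=4_000))
    print(validate_srtbh("198.51.100.130/32"))
    print(validate_srtbh("198.51.100.0/24"))
```

The S/RTBH check is deliberately stricter than the Flowspec one: a Flowspec rule can still discriminate on protocol, port and packet length within the prefix it matches, whereas a blackholed source prefix loses all traffic in both directions, so only host routes that miss every protected prefix pass.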

Mobile and Fixed Wireless Networks

Carpet-bombing targeting and crossbound botnet propagation traffic can cause severe disruption in wireless broadband access networks due to stateful packet core elements, NAT usage, and wireless spectrum exhaustion. NETSCOUT Arbor Sightline Mobile provides visibility into DDoS attack traffic ingressing/egressing/traversing the mobile packet core, with IMSI lookups to provide information on affected subscribers.

Proactive Measures

Organizations with business-critical public-facing internet properties should ensure all relevant network infrastructure, architectural, and operational BCPs have been implemented, including network access policies permitting only required IP protocols, ports, and rates. Internet access network traffic for internal personnel should be deconflated from public-facing internet property traffic and served via separate upstream internet transit links. DDoS defenses should be implemented in a situationally appropriate manner, including periodic testing. Organic, on-site intelligent inbound DDoS mitigation and outbound/crossbound suppression capabilities should be combined with cloud- or transit-based upstream DDoS mitigation services.

Organizations must ensure all servers/services/applications/datastores/infrastructure elements are protected against DDoS attack and included in periodic, realistic testing of the DDoS mitigation plan.

Network operators should strongly consider implementing proactive internal network reconnaissance to identify potentially compromised/abusable CPE infrastructure and implement policies and procedures to remediate, decommission, or replace such devices.

Specifics of countermeasure/protection selection, tuning, and deployment will vary based on individual network/resource particulars; consult relevant NETSCOUT Arbor account teams and/or the Arbor Technical Assistance Center (ATAC) for optimal countermeasure selection and employment.

All potential DDoS attack mitigation/suppression measures described in this document must be tested and customized in a situationally appropriate manner prior to deployment on production networks.

Applicable NETSCOUT Arbor Solutions

NETSCOUT Arbor Sightline, NETSCOUT Arbor TMS, NETSCOUT Arbor Insight, NETSCOUT Arbor Sightline Mobile.

References

/product/arbor-sightline
/product/arbor-insight
/product/arbor-threat-mitigation-system
/product/arbor-sightline-mobile
https://datatracker.ietf.org/doc/html/rfc8955
https://datatracker.ietf.org/doc/html/rfc5635


