{
	"id": "5de19c6b-a466-4f9b-932c-610055e8400f",
	"created_at": "2026-04-06T00:11:56.53137Z",
	"updated_at": "2026-04-10T03:20:52.479996Z",
	"deleted_at": null,
	"sha1_hash": "2bcd3fd6f3c40f265109afc891a6783fff5505dc",
	"title": "Aisuru DDoS Campaign: Threat Intelligence Assessment",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 206333,
	"plain_text": "Aisuru DDoS Campaign: Threat Intelligence Assessment\r\nBy heavyscientist\r\nArchived: 2026-04-05 16:59:46 UTC\r\nExecutive Summary\r\nWhat's Happening:\r\nGaming platforms (Steam, Riot Games, PlayStation Network) experienced major disruptions October 6-7, 2025,\r\nsuspected but NOT confirmed as DDoS attacks\r\nThe widely-circulated 29.69 Tbps claim is UNCONFIRMED—appears only in social media, no mitigation vendor\r\nverification\r\nConfirmed: 22.2 Tbps attack on September 22, 2025 (Cloudflare), largest verified DDoS on record, suspected Aisuru\r\ninvolvement\r\nConfirmed: 11.5 Tbps attack early September 2025 (Cloudflare), definitively attributed to Aisuru botnet by XLab\r\nresearchers\r\nAisuru: ~300,000-node IoT botnet, capable of sustained multi-terabit attacks, operated by three-person group\r\nKey Findings:\r\nAttack durations: 35-65 seconds (too short for manual mitigation)\r\nDominant vectors: UDP floods (99%+), TCP carpet bombing across IP ranges, short hyper-volumetric bursts\r\nMitigation reality: At 20-30 Tbps, only always-on cloud scrubbing with global anycast has proven effective\r\nInfection vector breakthrough: April 2025 Totolink router firmware supply-chain compromise grew botnet from\r\n\u003c100k to 300k+ nodes\r\nGame publishers face unique challenge: Zero downtime tolerance vs. infrastructure protection trade-offs\r\nCritical Assessment: October 6-7 gaming disruptions are real but lack official DDoS confirmation from victims or\r\nmitigation providers. 
The 29.69 Tbps figure should be treated as unsubstantiated speculation until verified by tier-1 vendors.\r\nIncident Timeline: Last 10 Days\r\nDate (UTC) | Target | Peak Bandwidth | Peak Bpps | Duration | Vectors | Status | Source\r\nSept 22, 2025 | European network infrastructure company | 22.2 Tbps | 10.6 Bpps | 40 sec | UDP carpet bomb (31,000-47,000 ports/sec) | CONFIRMED | Cloudflare official\r\nEarly Sept 2025 | Undisclosed (Cloudflare customer) | 11.5 Tbps | 5.1 Bpps | 35 sec | UDP flood, multi-source (IoT + cloud) | CONFIRMED, Aisuru attributed | Cloudflare + XLab\r\nOct 6, ~00:00 UTC | Steam, Riot Games, PSN, Xbox, Epic, AWS | 29.69 Tbps (UNVERIFIED) | Unknown | Unknown | TCP carpet bomb (reported) | SUSPECTED, NO official confirmation | Social media only\r\nOct 6-7, 2025 | Riot Games (all platforms) | Unknown | Unknown | 36+ hours intermittent | Unknown | Disruption CONFIRMED, DDoS unconfirmed | Riot Games official statement\r\nOct 6-7, 2025 | Steam/Valve | Unknown | Unknown | Intermittent | Unknown | Disruption reported, NO official statement | DownDetector, community reports\r\nhttps://gist.github.com/heavyscientist/de6a7c14e68b5862734b94a3c10e574c\r\nPage 1 of 18\n\nKey Context (Just Prior):\r\nMay 2025: 7.3 Tbps attack (Cloudflare), 45 seconds, 37.4 TB delivered, 99.996% UDP floods\r\nMay 12, 2025: KrebsOnSecurity 6.3 Tbps attack, Google Shield mitigation, confirmed Aisuru by Google\r\nConfidence Assessment Table\r\nClaim | Bandwidth | Source | Attribution | Confidence Level | Evidence\r\n29.69 Tbps attack | 29.69 Tbps | Social media (X/Reddit) | Aisuru suspected | UNCONFIRMED | FastNetMon: \"figures remain unverified\"; NO vendor confirmation; Cybernews cites \"early reports from cybersecurity community\"\r\n22.2 Tbps attack | 22.2 Tbps | Cloudflare official (X/Twitter) | Aisuru suspected | CONFIRMED (attack), LIKELY (attribution) | Cloudflare: \"twice as large as anything seen\"; SecurityWeek: Cloudflare \"believes it may have been powered by Aisuru\"; XLab attribution analysis\r\n11.5 Tbps attack | 11.5 Tbps | Cloudflare official | Aisuru confirmed | CONFIRMED | Cloudflare announcement + XLab detailed technical report with C2 tracking; 404,000+ source IPs verified\r\nOct 6-7 gaming outages | Unknown | Riot Games, community | Unknown | CONFIRMED (outages), UNCONFIRMED (DDoS cause) | Riot Games: \"intermittent network issues\"; NO vendor confirmation of DDoS; NO official statements from Steam, PSN, Xbox\r\nBotnet size: 300k nodes | N/A | XLab CTIA + leaked panels | Aisuru | CONFIRMED | XLab telemetry data corroborated with anonymous insider + leaked panel screenshots showing 340k nodes\r\nTotolink supply-chain breach | N/A | XLab + anonymous insider | Aisuru operator \"Tom\" | CONFIRMED | XLab report with technical details; domain updatetoto[.]tw reached Tranco 672,588; malicious script t.sh verified\r\nCambium cnPilot 0-day | N/A | XLab report (June 2024) | Aisuru exploitation | CONFIRMED | XLab contacted vendor with no response; Snort detection rule provided; ongoing exploitation verified\r\nTechnical Analysis: Aisuru Botnet\r\nArchitecture \u0026 Composition\r\nMalware Base: Mirai-variant with sophisticated enhancements (Malpedia classification)\r\nVariants: AISURU (Aug 2024) → kitty (Oct 2024) → AIRASHI (Nov 2024-present)\r\nCurrent Scale: ~300,000 compromised devices (XLab 
CTIA tracking + leaked panel verification)\r\nDevice Infrastructure:\r\nPrimary (90%+): Consumer routers (Totolink, D-Link, Linksys, Zyxel), IP cameras, DVRs/NVRs\r\nSecondary: Limited cloud instances (Google Cloud confirmed in 11.5 Tbps attack but \"not majority\")\r\nGeographic concentration: Brazil, Russia, Vietnam, Indonesia (compromised devices); China, USA, Germany, UK (attack targets)\r\nInfection Vectors\r\nPRIMARY: Supply-Chain Compromise (April 2025)\r\nTarget: Totolink router firmware update server\r\nMethod: Operator \"Tom\" compromised update URL, injected malicious script (t.sh)\r\nDomain: updatetoto[.]tw (reached Tranco rank 672,588 within one month)\r\nImpact: Any router performing automatic updates infected; botnet grew \u003c100k → 300k+ nodes\r\nStatus: Patched; operators posted \"RIP TOTOLINK 2025-2025\"\r\nSECONDARY: Exploitation\r\nZero-day: Cambium Networks cnPilot routers (exploited since June 2024, still active)\r\nN-days: 15+ CVEs spanning 2013-2024 including CVE-2023-28771 (Zyxel ATP), CVE-2023-50381 (Realtek SDK), CVE-2024-3721 (TBK DVR)\r\nCredential attacks: Telnet brute-force with 60+ default credential pairs\r\nCommand \u0026 Control\r\nC2 Method: DNS TXT record resolution with encrypted payloads\r\nEncryption: Base64 + XOR (key: ca fe ba be); earlier versions used Base64 + ChaCha20\r\nProtocol: HMAC-SHA256 + ChaCha20 encryption (AIRASHI variant); custom RC4 variant (key: PJbiNbbeasddDfsc)\r\nInfrastructure: 60+ C2 IPs across 19 countries, 10+ ASNs; GRE tunneling via 151.242.2.22-25\r\nExample C2 Domains (mocking security researchers):\r\nxlabresearch[.]ru, xlabsecurity[.]ru, foxthreatnointel[.]africa, ilovegaysex[.]su\r\nAttack Tactics \u0026 Capabilities\r\nDominant Vectors:\r\nUDP floods (99.996% of 7.3 Tbps attack)—primary weapon for record-breaking attacks\r\nTCP SYN floods (270.52 Mpps observed)\r\nDNS amplification (NTP, QOTD, 
Echo, RIPv1 reflection/amplification as secondary vectors)\r\nTCP carpet bombing (October 2025, new tactic reported by TCPShield)\r\n\"Carpet Bombing\" Technique:\r\nDistributes attack across wide IP ranges (/24, /20, /16 CIDR blocks) simultaneously\r\nEvades per-host detection thresholds (e.g., 10-50 Mbps per IP × 1000 IPs = 10-50 Gbps aggregate)\r\n7.3 Tbps attack: Average 21,925 destination ports/sec, peak 34,517 ports/sec\r\nPrevalence: 75% of all DDoS attacks in 2024 used carpet bombing (Vercara data)\r\nAttack Characteristics:\r\nDuration: 35-65 seconds (hyper-volumetric \"hit-and-run\" bursts)\r\nFrequency: Several hundred targets hit daily (XLab tracking)\r\nPacket rates: Up to 10.6 Bpps confirmed (22.2 Tbps attack)\r\nNo industry targeting: Indiscriminate across gaming, hosting, ISPs, financial services\r\nDemonstrated Capacity:\r\nStable operational: 1-3 Tbps (advertised on Telegram)\r\nRecord attacks: 11.5 Tbps confirmed; 22.2 Tbps suspected; 29.69 Tbps unverified\r\nOperator Profile\r\nGroup Structure (XLab anonymous insider):\r\nSnow: Botnet development, malware coding\r\nTom: Vulnerability research, exploitation (responsible for Totolink breach)\r\nForky: Business operations, DDoS-for-hire sales\r\nOperational Behavior:\r\n\"Flamboyant\" style with taunting messages embedded in malware\r\nMock security researchers with C2 domain names\r\nAttack ISPs \"for fun\" under ideological pretexts\r\nDDoS-as-a-Service pricing: $150/day, $600/week (Aug 2024 Telegram)\r\nNew revenue: Residential proxy service (high-bandwidth nodes identified via speed tests)\r\nEvasion \u0026 Persistence\r\nAnti-Analysis:\r\nDetects VMs (VMware, VirtualBox, KVM, QEMU), analysis tools (tcpdump, wireshark)—terminates if found\r\nWrites -1000 to /proc/self/oom_score_adj (evades Linux OOM Killer)\r\nRenames binary to libcow.so, process to system daemons (telnetd, dhclient, lighttpd)\r\nMaps 
shared libraries to resist rival botnet \"killer\" scripts\r\nPersistence:\r\nModifies /etc/rc.local for boot persistence\r\nDoes NOT delete binary after execution (unlike typical Mirai variants)\r\nPer-Region Patterns\r\nAttack Sources (7.3 Tbps attack):\r\n122,145 source IPs from 5,433 ASNs across 161 countries\r\nTop sources: Brazil (Telefonica Brazil, 10.5%), Vietnam (Viettel Group, 9.8%), China (China Unicom, 3.9%)\r\nNear 50% combined from Brazil and Vietnam\r\nAttack Targets:\r\nPrimary: China, USA, Germany, UK, Hong Kong\r\nAIRASHI variant: Poland, Russia also targeted heavily\r\nHyperscale Mitigation Playbook (≥20 Tbps, ≥5 Bpps)\r\nUpstream/CDN Layer\r\nWhat Works at 20-30 Tbps:\r\nAnycast Network Architecture ⭐ PROVEN\r\nCapacity requirement: 200-300+ Tbps total across 200+ PoPs (10x largest expected attack)\r\nDeployment: Already active if pre-deployed; 6-12 months + $10M+ for new infrastructure\r\nReal-world proof: Cloudflare 22.2 Tbps (40 sec), 7.3 Tbps (45 sec)—fully autonomous mitigation\r\nFirst 15 minutes (always-on): No action needed; monitor dashboards only\r\nTrade-offs: Cloud service $10K-500K/mo vs. self-built (6-12 months, $10M+ capex)\r\nScrubbing Center Design\r\nAlways-on cloud scrubbing: Detection \u003c1 sec, mitigation 0-3 sec ✅ MANDATORY for 20-30 Tbps\r\nOn-demand scrubbing: 2-5 min activation ❌ TOO SLOW (attacks last 40-65 sec)\r\nCapacity: 500 Gbps-1 Tbps per center; need 30-40+ centers for 20+ Tbps aggregate\r\nArchitecture: GRE tunnels or anycast symmetric routing\r\nFirst 15 minutes (on-demand): Initiate BGP route advertisement if not automated\r\nPitfall: Not testing BGP announcements before attack; incorrect GRE MTU causing fragmentation\r\nDynamic Routing \u0026 Traffic Engineering\r\nBGP route control: Anycast withdrawal, traffic concentration, /24-/26 route specificity\r\nAutomated vs. manual: \u003c10 sec automated vs. 
30-120 sec manual (manual IMPOSSIBLE at 40-sec attack duration)\r\nPrerequisites: Pre-defined policies triggered on attack signatures\r\nInter-Provider Signaling\r\nBGP communities: 65535:666 (RTBH blackhole RFC 7999), custom communities per provider\r\nFlowSpec: BGP SAFI 133 for granular filtering rules\r\nLimitations: Requires pre-established relationships; not all providers support customer-triggered RTBH\r\nNetwork Layer\r\nBGP FlowSpec ⭐ EFFECTIVE FOR UDP/TCP VOLUMETRIC\r\nCapabilities: 12 filter types (source/dest IP, protocol, ports, TCP flags, packet length, DSCP, fragments)\r\nWhen effective: ✅ UDP floods (DNS, NTP, QOTD), TCP SYN floods; ❌ L7 attacks, encrypted payload inspection\r\nDeployment: 1-3 weeks initial setup; \u003c60 sec rule activation if automated\r\nFirst 15 minutes: Deploy via FastNetMon, Arbor ATLAS, or custom automation\r\nVendor support: Cisco ASR/NCS, Juniper MX/PTX, Arista 7500R/7280R, Nokia SR-series\r\nExample rule (DNS amplification):\r\nmatch: dest 203.0.113.1/32, protocol UDP/17, dest-port 53\r\naction: drop (rate 0)\r\nCritical pitfall: Not validating BGP community filters → customers can blackhole entire networks\r\nRemotely Triggered Black Hole (RTBH)\r\nMechanism: Advertise /32 with BGP community, edge routers rewrite next-hop to null0\r\nWhen effective: ✅ Single-target volumetric overwhelming transit (buys time for scrubbing setup); ❌ Multi-service hosts (collateral damage), critical always-on services\r\nDeployment: 30-90 sec automated; 5-15 min manual\r\nFirst 15 minutes: Should auto-trigger via monitoring\r\nCritical limitation: \"Success = achieving attacker's goal\" (service offline); drops ALL traffic\r\nGame publisher vs. 
ISP: Publishers use as last resort only (unacceptable downtime); ISPs use commonly (protects infrastructure)\r\nUnicast Reverse Path Forwarding (uRPF)\r\nPurpose: Anti-spoofing, verify source IP legitimacy\r\nModes: Strict (source reachable via same interface), loose (source exists in routing table)\r\nWhen effective: ✅ Preventing reflection/amplification FROM your network; ❌ Not effective for attacks targeting you\r\nDeployment: 1-2 weeks (test asymmetric routing), 2-5% CPU increase\r\nBest practice: Loose mode at customer edges, strict mode at single-homed connections\r\nCarpet Bombing Defenses ⭐ CRITICAL FOR 2024-2025 THREAT LANDSCAPE\r\nDetection challenge: Traditional per-host thresholds (25-50 Mbps) don't trigger; 10 Mbps × 1000 IPs = 10 Gbps aggregate\r\nWhat works:\r\n✅ Context-based detection: Monitor individual IPs AND subnet aggregates simultaneously\r\n✅ Managed Object Misuse alerts: Detect total DDoS across network segment\r\n✅ Precise Protection Prefixes: Divert /25, /26, /27 (not entire /24) to scrubbing\r\n✅ Known Attacker Detection: Block IPs from threat intelligence feeds\r\nNETSCOUT/Arbor solution: Carpet bombing alert thresholds on total misuse, auto-redirect most-specific subnets\r\nFlowSpec approach: Can filter specific vectors (UDP/53 across subnet) but doesn't solve detection\r\nDeployment: 24 hours-30 days for baseline tuning; 5-10 min manual response if pre-tuned\r\nL4/L7 Application Layer\r\nSYN Cookies \u0026 TCP Hardening\r\nPerformance: Handles 1M+ SYN/sec\r\nWhen effective: ✅ SYN floods \u003c100K SYN/sec; ❌ Not effective for 20-30 Tbps volumetric (bandwidth exhaustion, not state table)\r\nDeployment: Linux net.ipv4.tcp_syncookies = 1 (default); should already be enabled\r\nFirst 15 minutes: Pre-configured, no action needed\r\nAdvanced (Cloudflare): Statistical analysis of connection patterns, automatic challenge-response\r\nUDP \u0026 QUIC Protocol Hardening\r\nChallenge: UDP stateless (no handshake), QUIC encrypted 
(limited inspection)\r\nDefenses:\r\nRate limiting per source: 100-1000 pps (general), 10K pps (game servers), 1K pps (DNS)\r\nConnection limiting: Max concurrent sessions per IP\r\nChallenge gates: Probe packet, require response before state allocation\r\nQUIC-specific: Validate connection IDs, rate-limit Initial packets, limit response size until handshake complete\r\nGame Protocol Rate Limiting \u0026 Challenge Gates\r\nMulti-layer defense:\r\nConnection establishment: 1-5 new connections per IP/minute, require challenge-response before gameplay, exponential backoff\r\nIn-game rate limiting: 10-100 commands/sec (game-dependent), packet size limits, state validation\r\nBurst handling: Allow 5-10 packet bursts, surge queues buffer 100-1000 packets\r\nFirst 15 minutes:\r\n1. Increase rate limits 20-50% (accommodate legitimate spikes)\r\n2. Enable aggressive filtering\r\n3. Activate standby servers\r\n4. 
Geo-block non-player regions\r\nCircuit Breakers \u0026 Surge Queues\r\nCircuit breaker pattern: Closed (normal) → Half-Open (testing recovery) → Open (reject new requests)\r\nSurge queue: 1000-10000 request capacity, 5-30 sec timeout, prioritize authenticated \u003e anonymous\r\nGame publisher specific: Match service circuit breaker, login queue during auth floods, asset servers via CDN mandatory\r\nOrganizational Preparedness\r\nPeering Strategy\r\nMulti-homing minimum: 3 upstreams (2 transit + 1 IXP); best: 5-10 upstreams including Tier 1; hyperscale: 50-100+ peering\r\nCapacity planning: Each link 50-75% of total traffic (N+1 redundancy); example: 100 Gbps normal → 4×50G links (200G capacity)\r\nFirst 15 minutes: Single link saturated: Emergency AS-prepending; multi-homed: Natural distribution (no action if capacity OK)\r\nMulti-CDN Architecture\r\nStrategy: Primary CDN 70-80% traffic, secondary 20-30% (hot standby), DNS failover 60-300 sec TTL\r\nGame publishers: Static content multi-CDN for patches; dynamic/game single provider (low latency critical); regional optimization\r\nOut-of-Path Scrubbing Model Comparison\r\nModel | Monthly Cost | Activation | Effectiveness at 20-30 Tbps\r\nAlways-On Cloud | $10K-500K | Instant | ✅ PROVEN (22.2 Tbps)\r\nOn-Demand | $5K-50K + fees | 2-5 min | ❌ Too slow (40-65 sec attacks)\r\nHybrid (on-prem + cloud) | $20K-100K | \u003c100Gbps instant, \u003e100Gbps 2-5min | ✅ Works if below threshold\r\nDIY Self-hosted | $50K-200K | N/A | ❌ Insufficient capacity\r\nRecommendation: Always-on cloud scrubbing is the ONLY viable option for 20-30 Tbps defense.\r\nIncident Runbooks \u0026 First 15 Minutes\r\nTime | Action | Owner\r\n0:00 | Alert triggered | Automated\r\n0:01 | Confirm attack | NOC Tier 1\r\n0:02 | Activate automated mitigation | NOC/Security\r\n0:03 | Notify Security lead | NOC\r\n0:05 | Assess effectiveness | Security team\r\n0:10 | Escalate to provider if needed | Security lead\r\n0:10 | Begin customer communication | Comms team\r\n0:15 | Document in incident log | NOC\r\nCommunication Templates:\r\nInternal: \"DDoS attack detected, traffic X% above baseline\"\r\nCustomer/Players: \"Connectivity issues due to external attack, teams working to resolve\"\r\nUpstream providers: \"Under attack, requesting RTBH for [IPs]\"\r\nQuarterly Drills:\r\nTabletop exercise (decision tree walkthrough)\r\nTechnical drill (test BGP announcements with test prefixes)\r\nCommunication drill (customer/stakeholder messaging)\r\nGame Publisher vs. ISP/CDN Response Differences\r\nAspect | Game Publisher | ISP/CDN Provider\r\nDowntime tolerance | 0 seconds (players quit immediately) | Minutes acceptable if infrastructure protected\r\nRTBH usage | Last resort only | Commonly used\r\nMitigation priority | Precision (don't block legitimate players) | Speed (protect infrastructure)\r\nTypical capacity | 10-100 Gbps | 1-20+ Tbps\r\nLatency requirements | \u003c50ms critical | \u003c200ms acceptable\r\nBest approach | Always-on cloud mandatory | Multiple options viable\r\nPriority Implementation Roadmap\r\nImmediate (24 Hours):\r\nSign up for cloud DDoS protection (Cloudflare/Akamai/AWS Shield)\r\nEnable SYN cookies and kernel hardening (net.ipv4.tcp_syncookies = 1)\r\nConfigure NetFlow/sFlow exports to monitoring platform\r\nWeek 1:\r\nEstablish traffic baselines (Mbps per host, per subnet, total ingress)\r\nConfigure initial FlowSpec rules (test with dry-run mode)\r\nTest BGP announcements using test prefixes (DO NOT test with production IPs)\r\nCreate communication templates (internal, customer, upstream)\r\nMonth 1:\r\nDeploy always-on scrubbing OR configure on-demand triggers with automation\r\nImplement automated alerting (per-host 25-100 Mbps, per-subnet 1-5 Gbps, total ingress 75%+ link)\r\nConduct first DDoS drill (tabletop exercise)\r\nDocument procedures in incident 
runbook\r\nQuarter 1:\r\nExpand to multi-CDN architecture (static content distribution)\r\nDeploy advanced monitoring (carpet bombing detection, subnet aggregates)\r\nConduct technical drill (test BGP failover with non-production prefixes)\r\nEstablish upstream DDoS contacts (get direct phone numbers, escalation paths)\r\nWhat FAILS at 20-30 Tbps\r\n❌ Manual intervention: Attack duration (40-65 sec) \u003c human reaction time → Solution: Autonomous detection/mitigation only\r\n❌ Single-location scrubbing: Transit saturates before reaching scrubber → Solution: Distributed anycast scrubbing\r\n❌ On-premises appliances: Typical capacity 10-100 Gbps → Solution: Cloud scrubbing or hybrid with overflow\r\n❌ Static defenses: Modern attacks shift vectors every 10-30 seconds → Solution: Dynamic fingerprinting, adaptive rules\r\n❌ Reactive scaling: Auto-scaling takes 3-10 minutes (attack over) → Solution: Always-on over-provisioned capacity\r\nKey Operational Pitfalls\r\n1. Not testing BGP failover → Manual errors under pressure\r\n2. Insufficient NetFlow sampling → Missed/late detection\r\n3. No baseline traffic profiles → False positive overload\r\n4. Forgetting to document blackholes → Services stay offline\r\n5. Provider doesn't support FlowSpec → Discovered during attack\r\n6. GRE tunnel MTU issues → Fragmentation degrades performance\r\n7. No pre-established provider contacts → Wasting time escalating\r\n8. Assuming long attacks → Missing 60-second attacks\r\n9. Rate limits too aggressive → Blocking legitimate users\r\n10. 
No carpet bombing playbook → Treating as multiple small attacks\r\nGaps \u0026 Unknowns: What to Watch\r\nCritical Information Gaps\r\nOctober 6-7, 2025 Gaming Incidents:\r\nNo official DDoS confirmation from any affected company (Steam, Riot, PSN, Xbox, Epic, AWS)\r\nNo mitigation vendor data published by Cloudflare, Akamai, Radware, NETSCOUT\r\n29.69 Tbps figure appears nowhere in official channels—likely exaggerated, aggregated across targets, or fabricated\r\nRoot cause unknown: Could be infrastructure issues, routing problems, or smaller-scale DDoS handled internally\r\nRiot Games statement: Acknowledged \"intermittent network issues\" and \"challenges to network stability\" but did NOT confirm DDoS\r\nAttribution Uncertainties:\r\n22.2 Tbps attack: Cloudflare \"believes it may have been\" Aisuru but \"yet to determine\" definitively\r\nOctober 6-7 incidents: Aisuru attribution based purely on speculation and timing, no technical fingerprinting published\r\nTechnical Unknowns:\r\nExact Cambium cnPilot 0-day details: XLab withheld to prevent further abuse\r\nFull extent of cloud infrastructure usage: Google Cloud confirmed but proportion unclear\r\nTCP carpet bombing by Aisuru: October 2025 tactic new, technical details limited (reported by TCPShield only)\r\nBotnet command structure: Relationship between operators Snow/Tom/Forky and attack customer selection unknown\r\nWhat to Monitor Next\r\nShort-Term (Days-Weeks):\r\nVendor disclosures: Watch for delayed incident reports from Cloudflare, Akamai, AWS Shield Q4 2025 reports (expected Oct-Nov)\r\nVictim statements: Monitor Valve/Steam, Sony, Microsoft investor relations for security incident disclosures\r\nXLab updates: Aisuru attribution analysis for October incidents\r\nBotnet size: Track if Aisuru growth continues post-Totolink patch\r\nMedium-Term (Months):\r\nQ3 2025 DDoS reports: Cloudflare, Akamai, 
NETSCOUT quarterly threat intelligence (October-November release)\r\nNew infection vectors: Watch for additional supply-chain compromises or 0-day exploitation\r\nAttack evolution: Monitor for sustained attacks (\u003e5 minutes) vs. continued short-burst strategy\r\nOperator activity: Telegram DDoS-for-hire channels for Aisuru pricing/capability updates\r\nLikely Next Targets:\r\nISPs and hosting providers: Aisuru operators stated they attack ISPs \"for fun\"\r\nFinancial services: Emerging target sector in Q2 2025 per Cloudflare\r\nTelecommunications: Most-attacked industry in Q2 2025\r\nGaming platforms: If October incidents were Aisuru, expect continued targeting\r\nIndicators to Watch:\r\nBotnet growth signals: Tranco rank spikes for suspicious domains (like updatetoto[.]tw jump to 672,588)\r\nIoC emergence: New C2 domains matching xlabresearch[.]ru pattern (mocking security researchers)\r\nVendor firmware compromises: Similar supply-chain attacks on other router manufacturers\r\nAttack size escalation: 22.2 Tbps is 4x larger than 2024 record (5.6 Tbps)—trend suggests 30+ Tbps attacks feasible\r\nDetection Recommendations\r\nNetwork-Level Monitoring:\r\nDNS TXT record queries with Base64 content + XOR key ca fe ba be\r\nGRE tunnel establishment to specific C2 IPs (151.242.2.22-25)\r\nShort-duration, high-intensity traffic bursts (30-65 seconds)\r\nUDP flood patterns with port-based carpet bombing (20K-35K ports/sec)\r\nHost-Based Detection (IoT/Router):\r\nOOM score adjustments to -1000 (/proc/self/oom_score_adj)\r\nProcess renames to system daemons (telnetd, dhclient, lighttpd) with binary libcow.so\r\nSpeedtest API queries from IoT devices (identifying high-bandwidth nodes for proxy assignment)\r\nSuspicious network connections to known C2 infrastructure\r\nThreat Intelligence Feeds:\r\nAISURU IoC tracking: C2 domains, sample hashes, source IP ranges\r\nCarpet 
bombing signatures: Subnet-level traffic distribution patterns\r\nBotnet size tracking: Monitor for growth beyond 300k nodes\r\nReferences\r\nPrimary Authoritative Sources\r\nCloudflare (DDoS Mitigation Vendor):\r\nCloudflare Q2 2025 DDoS Trends Report—7.3 Tbps attack technical details, Q2 statistics\r\nCloudflare X/Twitter Official: 22.2 Tbps attack announcement (September 22, 2025)\r\nCloudflare Q1 2025 Report: 6.5 Tbps attack, 4.8 Bpps campaign data\r\nXLab/Qianxin (Threat Research):\r\nXLab Blog: \"The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet AISURU\"—Comprehensive technical analysis, C2 infrastructure, operator profiles\r\nXLab Blog: \"Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI\"—AIRASHI variant analysis, Cambium 0-day, encryption protocols\r\nSecurity Vendors \u0026 Threat Intelligence:\r\nSecurityWeek (Eduard Kovacs, Ionut Arghire): Cloudflare statements on 22.2 Tbps, Aisuru attribution\r\nKrebsOnSecurity: 6.3 Tbps attack on site, Google Shield mitigation details\r\nVercara/DigiCert: \"Aisuru Ascending: The Near-Record Attack on Krebs\"—Geographic distribution analysis\r\nNETSCOUT ASERT: Carpet bombing technique analysis (2016-present)\r\nMalpedia (Fraunhofer FKIE): Aisuru malware family classification\r\nAffected Platforms \u0026 Victims:\r\nRiot Games Official Status Pages: October 6-7 network issues confirmation\r\nPC Gamer: Riot Games spokesperson Joe Hixson statement (\"challenges to network stability\")\r\nDownDetector: October 6 outage spike data for Steam, PSN, Xbox, Epic\r\nTechnical Documentation \u0026 Standards:\r\nRFC 5635: Remotely Triggered Black Hole (RTBH) Filtering\r\nRFC 8955: BGP FlowSpec Dissemination of Flow Specification Rules\r\nRFC 7999: BLACKHOLE BGP Community for Blackholing\r\nMANRS (Mutually Agreed Norms for Routing Security): Anti-spoofing best practices\r\nDDoS Mitigation Platforms:\r\nAkamai 
Prolexic: 20+ Tbps scrubbing capacity documentation\r\nAWS Shield Advanced: Hyperscale DDoS protection technical guides\r\nFastNetMon: Open-source DDoS detection, October 6 unverified 29.69 Tbps note\r\nNETSCOUT/Arbor ATLAS: Global DDoS threat intelligence, carpet bombing detection\r\nResearch \u0026 Analysis:\r\nUSENIX Security 2022: \"Anycast Agility\" research on BGP routing for DDoS mitigation\r\nNANOG (Network Operators Group): Presentations on hyperscale DDoS defense\r\nCybernews, BleepingComputer, The Hacker News, Dark Reading: Secondary reporting on confirmed attacks\r\nOutage Tracking \u0026 Community\r\nDownDetector: Real-time outage reports and user-submitted data\r\nTCPShield: TCP carpet bomb attack reports (October 6)\r\nGaming community forums and subreddits: Symptom reports (login failures, disconnections)\r\nFinal Assessment\r\nConfirmed Facts:\r\nAisuru is a 300,000-node IoT botnet capable of 11.5+ Tbps attacks (verified)\r\n22.2 Tbps attack on September 22, 2025 is largest on record (Cloudflare official)\r\nAttack durations 35-65 seconds require autonomous mitigation (manual impossible)\r\nAlways-on cloud scrubbing with global anycast is the ONLY proven defense at 20-30 Tbps\r\nHigh-Confidence Assessments:\r\nOctober 6-7 gaming disruptions are real but DDoS cause unconfirmed\r\n29.69 Tbps claim is unsubstantiated speculation until vendor verification\r\nAisuru likely involved in 22.2 Tbps attack based on fingerprints but not definitively attributed\r\nCarpet bombing is dominant tactic (75% of 2024 attacks) requiring subnet-level detection\r\nRecommendations:\r\nImmediate: Deploy always-on cloud DDoS protection if not already active\r\nShort-term: Tune carpet bombing detection (subnet aggregates, not just per-host)\r\nOngoing: Monitor vendor Q4 reports for October incident disclosures, track XLab Aisuru updates\r\nStrategic: Accept that 30+ Tbps attacks are feasible and plan capacity 
accordingly\r\nhttps://gist.github.com/heavyscientist/de6a7c14e68b5862734b94a3c10e574c\r\nPage 13 of 18\n\nComplete Citation List\r\nPrimary Sources - Cloudflare (Mitigation Vendor)\r\n1. Cloudflare. (2025, September 22). \"Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack.\" Cloudflare\r\nBlog. https://blog.cloudflare.com/\r\n2. Cloudflare. (2025, July). \"Defending the Internet: How Cloudflare blocked a monumental 7.3 Tbps DDoS attack.\"\r\nCloudflare Blog. https://blog.cloudflare.com/defending-the-internet-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos/\r\n3. Cloudflare. (2025, July). \"Hyper-volumetric DDoS attacks skyrocket: Cloudflare's 2025 Q2 DDoS threat report.\"\r\nCloudflare Blog. https://blog.cloudflare.com/ddos-threat-report-for-2025-q2/\r\n4. Cloudflare. (2025). \"DDoS threat report for 2025 Q2.\" Cloudflare Radar. https://radar.cloudflare.com/reports/ddos-2025-q2\r\n5. Cloudflare. (2024). \"How Cloudflare auto-mitigated a world record 3.8 Tbps DDoS attack.\" Cloudflare Blog.\r\nhttps://blog.cloudflare.com/how-cloudflare-auto-mitigated-world-record-3-8-tbps-ddos-attack/\r\n6. Cloudflare. (2025). \"Famous DDoS attacks | Biggest DDoS attacks.\" Cloudflare Learning Center.\r\nhttps://www.cloudflare.com/learning/ddos/famous-ddos-attacks/\r\n7. Cloudflare. (2025). \"What is a distributed denial-of-service (DDoS) attack?\" Cloudflare Learning Center.\r\nhttps://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/\r\nPrimary Sources - XLab/Qianxin (Threat Research)\r\n8. XLab Threat Intelligence Center. (2025). \"The Most Powerful Ever? Inside the 11.5Tbps-Scale Mega Botnet\r\nAISURU.\" Qianxin XLab Blog. https://blog.xlab.qianxin.com/super-large-scale-botnet-aisuru-en/\r\n9. XLab Threat Intelligence Center. (2025). \"Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI.\"\r\nQianxin XLab Blog. https://blog.xlab.qianxin.com/large-scale-botnet-airashi-en/\r\n10. APNIC Blog. (2025, March 13). 
\"Botnets never die.\" Asia-Pacific Network Information Centre. https://blog.apnic.net/2025/03/13/botnets-never-die/\r\nSecurity News \u0026 Analysis - Tier 1\r\n11. Kovacs, E. (2025, September). \"Record-Breaking DDoS Attack Peaks at 22 Tbps and 10 Bpps.\" SecurityWeek. https://www.securityweek.com/record-breaking-ddos-attack-peaks-at-22-tbps-and-10-bpps/\r\n12. Arghire, I. (2025, September). \"Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack.\" BleepingComputer. https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/\r\n13. BleepingComputer. (2025, September). \"Cloudflare blocks largest recorded DDoS attack peaking at 11.5 Tbps.\" https://www.bleepingcomputer.com/news/security/cloudflare-blocks-record-breaking-115-tbps-ddos-attack/\r\n14. Krebs, B. (2025, May 12). \"KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS.\" Krebs on Security. https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/\r\n15. The Hacker News. (2025, September). \"Tech Overtakes Gaming as Top DDoS Attack Target, New Gcore Radar Report Finds.\" https://thehackernews.com/2025/09/tech-overtakes-gaming-as-top-ddos.html\r\nSecurity News \u0026 Analysis - Tier 2\r\n16. CyberSecureFox. (2025, September). \"Cloudflare Thwarts Record 22.2 Tbps DDoS As Botnet Firepower Surges.\" https://cybersecurefox.com/en/cloudflare-thwarts-record-22-2-tbps-ddos-aisuru-botnet/\r\n17. CyberInsider. (2025, September). \"Cloudflare Mitigated Record-Breaking 22.2 Tbps DDoS Attack.\" https://cyberinsider.com/cloudflare-mitigated-record-breaking-22-2-tbps-ddos-attack/\r\n18. Cyber Security News. (2025, September). \"22.2 Tbps DDoS Attack Breaks Internet With New World Record.\" https://cybersecuritynews.com/ddos-attack-world-record/\r\n19. Cyber Security News. (2025, September). 
\"AISURU Botnet With 300,000 Hijacked Routers Behind The Recent Massive 11.5 Tbps DDoS Attack.\" https://cybersecuritynews.com/aisuru-botnet-with-300000-hijacked-routers/\r\n20. GBHackers. (2025, September). \"AISURU Botnet Fuels Record-Breaking 11.5 Tbps DDoS Attack With 300,000 Hijacked Routers.\" https://gbhackers.com/aisuru-botnet/\r\n21. GBHackers. (2025, September). \"Massive 22.2 Tbps DDoS Attack Sets New World Record.\" https://gbhackers.com/massive-22-2-tbps-ddos-attack/\r\n22. Security Affairs. (2025, September). \"Cloudflare mitigates largest-ever DDoS attack at 22.2 Tbps.\" https://securityaffairs.com/182521/security/cloudflare-mitigates-largest-ever-ddos-attack-at-22-2-tbps.html\r\n23. Security Online. (2025). \"AISURU Botnet: From Record-Breaking DDoS to Residential Proxy Empire.\" https://securityonline.info/aisuru-botnet-from-record-breaking-ddos-to-residential-proxy-empire/\r\n24. Cyber Press. (2025). \"AISURU's 300,000 compromised routers unleashed an 11.5 Tbps global DDoS storm.\" https://cyberpress.org/aisuru-ddos-attack/\r\n25. NPAV Security Blogs. (2025). \"Unveiling AISURU: The 11.5 Tbps Mega Botnet Behind Record-Breaking DDoS Attacks and Totolink Router Compromise.\" https://blogs.npav.net/blogs/post/unveiling-aisuru-the-115-tbps-mega-botnet-behind-record-breaking-ddos-attacks-and-totolink-router-co\r\nGaming Industry \u0026 Affected Platforms\r\n26. Marshall, C. (2025, October 7). \"Today's Steam outage may have been part of a massive DDoS attack targeting Xbox, PlayStation, Riot, and other game companies.\" PC Gamer. https://www.pcgamer.com/games/todays-steam-outage-may-have-been-part-of-a-massive-ddos-attack-targeting-xbox-playstation-riot-and-other-game-companies/\r\n27. Cybernews. (2025, October 6). \"Major gaming platforms hit by disruptions: unprecedented DDoS suspected.\" https://cybernews.com/security/steam-riot-gaming-services-hit-by-disruptions-ddos-suspected/\r\n28. GosuGamers. (2025, October 6). 
\"Steam, PlayStation, Xbox, Riot Games and Epic outage sparks concerns of coordinated DDoS attack.\" https://www.gosugamers.net/entertainment/news/77434-steam-playstation-xbox-riot-games-and-epic-outage-sparks-concerns-of-coordinated-ddos-attack\r\n29. FastNetMon. (2025, October 8). \"Another record-breaking DDoS? Aisuru botnet suspected behind 29.69 Tbps gaming outages.\" https://fastnetmon.com/2025/10/08/another-record-breaking-ddos-aisuru-botnet-suspected-behind-29-69-tbps-gaming-outages/\r\n30. PlayStation LifeStyle. (2025, September 4). \"PSN Partially Down for Some Users.\" https://www.playstationlifestyle.net/2025/09/04/psn-outage-september-4-2025/\r\nDDoS Mitigation Vendors \u0026 Technical Analysis\r\n31. Vercara/DigiCert. (2025, May). \"Aisuru Ascending: The Near-Record Attack on Krebs and What It Means for You.\" https://vercara.digicert.com/resources/aisuru-ascending-the-near-record-attack-on-krebs-and-what-it-means-for-you\r\n32. Vercara/DigiCert. (2024). \"2024: Year of the Carpet Bomb in DDoS.\" https://vercara.digicert.com/resources/2024-year-of-the-carpet-bomb-in-ddos\r\n33. NETSCOUT ASERT. (2024). \"Carpet-Bombing.\" NETSCOUT Blog. https://www.netscout.com/blog/asert/carpet-bombing\r\n34. NETSCOUT. (2024). \"Carpet Bombing DDoS Protection.\" NETSCOUT Solutions. https://www.netscout.com/solutions/carpet-bombing-protection\r\n35. NSFOCUS Global. (2024). \"A Deep Dive into DDoS Carpet-Bombing Attacks.\" https://nsfocusglobal.com/a-deep-dive-into-ddos-carpet-bombing-attacks/\r\n36. Tata Communications. (2024). \"Rise of Carpet Bombing Attacks: DDoS Threats and Defense.\" https://www.tatacommunications.com/knowledge-base/ddos/rise-of-carpet-bombing-attacks\r\n37. Akamai. (2025). \"What Is Blackhole (RTBH) Routing? 
| How Does Blackholing Work?\" Akamai Glossary. https://www.akamai.com/glossary/what-is-blackhole-routing\r\nBGP FlowSpec \u0026 Network Mitigation\r\n38. Kentik. (2025). \"What Is Adaptive Flowspec and Does It Solve the DDoS Problem?\" Kentik Blog. https://www.kentik.com/blog/what-is-adaptive-flowspec-and-does-it-solve-the-ddos-problem/\r\n39. FastNetMon. (2025, February 10). \"BGP Flow Spec for DDoS Mitigation.\" https://fastnetmon.com/2025/02/10/bgp-flow-spec-for-ddos-mitigation/\r\n40. FastNetMon. (2024, December 7). \"BGP Blackhole Automation for DDoS mitigation.\" https://fastnetmon.com/2024/12/07/bgp-blackhole-automation-for-ddos-mitigation/\r\n41. FastNetMon. (2025). \"FlowSpec DDoS Mitigation with FastNetMon.\" https://fastnetmon.com/flowspec-ddos-mitigation/\r\n42. Equinix. (2025). \"Offload DDoS mitigation to your provider's high-capacity network with BGP Flowspec.\" https://deploy.equinix.com/blog/how-to-use-bgp-flowspec-to-filter-and-mitigate-ddos-attacks/\r\n43. Noction. (2025). \"DDoS Mitigation and BGP Flowspec.\" https://www.noction.com/blog/ddos-mitigation\r\n44. Cisco Blogs. (2025). \"DDoS Mitigation for Modern Peering.\" https://blogs.cisco.com/sp/ddos-mitigation-for-modern-peering\r\n45. NANOG. (2014). \"DDoS Mitigation Using BGP Flowspec.\" Presentation Archive. https://archive.nanog.org/sites/default/files/tuesday_general_ddos_ryburn_63.16.pdf\r\n46. Kentik. (2025). \"How to Configure Remotely Triggered Black-Hole Routing with Kentik Detect.\" Kentik Blog. https://www.kentik.com/blog/how-to-rtbh-with-kentik-detect/\r\n47. A10 Networks. (2025). \"Remotely Triggered Black Hole Routing.\" https://www.a10networks.com/resources/videos/remotely-triggered-black-hole-routing/\r\n48. SENKI. (2025). 
\"Remote Triggered Black Hole (RTBH) Filtering.\" https://www.senki.org/operators-security-toolkit/remote-triggered-black-hole-rtbh-filtering/\r\nTechnical Standards \u0026 RFCs\r\n49. IETF. (2009). \"RFC 5635 - Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF).\" https://datatracker.ietf.org/doc/html/rfc5635\r\n50. IETF. (2010). \"RFC 8955 - Dissemination of Flow Specification Rules.\" https://datatracker.ietf.org/doc/html/rfc8955\r\n51. IETF. (2016). \"RFC 7999 - BLACKHOLE BGP Community for Blackholing.\" https://datatracker.ietf.org/doc/html/rfc7999\r\nMalware Analysis \u0026 Threat Intelligence\r\n52. Malpedia (Fraunhofer FKIE). (2025). \"Aisuru (Malware Family).\" https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru\r\n53. Wikipedia. (2025). \"Mirai (malware).\" https://en.wikipedia.org/wiki/Mirai_(malware)\r\n54. Owlysec. (2024). \"Hackers Leverage Undisclosed Zero-Day Flaw in cnPilot Routers to Propagate AIRASHI DDoS Botnet.\" https://owlysec.com/vulnerabilities/hackers-leverage-undisclosed-zero-day-flaw-in-cnpilot-routers-to-propagate-airashi-ddos-botnet\r\n55. FastNetMon. (2025, January 24). \"Cybercriminals Leverage Zero-Day Vulnerability to Launch AIRASHI DDoS Botnet.\" https://fastnetmon.com/2025/01/24/cybercriminals-leverage-zero-day-vulnerability-to-launch-airashi-ddos-botnet/\r\n56. Hackread. (2025, May). \"KrebsOnSecurity Hit with 6.3 Tbps DDoS Attack via Aisuru Botnet.\" https://hackread.com/krebsonsecurity-6-3-tbps-ddos-attack-aisuru-botnet/\r\nCloud Provider \u0026 CDN Services\r\n57. Global Secure Layer. (2025). \"DDoS Protection.\" https://globalsecurelayer.com/ddos-protection\r\n58. Medium (Tillu, J.). (2024). \"How AWS Shield Protects You From DDoS?\" https://jaytillu.medium.com/how-aws-shield-protects-you-from-ddos-94bd3d933d6d\r\nAdditional Industry Sources\r\n59. Tom's Hardware. (2025, September). 
\"Cloudflare blocks record-setting 11.5Tbps DDoS attack two months after the previous record-setting DDoS attack.\" https://www.tomshardware.com/tech-industry/cyber-security/cloudflare-blocks-record-setting-11-5tbps-ddos-attack-two-months-after-the-previous-record-setting-ddos-attack\r\n60. TechRadar. (2025, September). \"Cloudflare blocked massive 22.2Tbps DDoS attack, surpassing 11.5Tbps record set just weeks earlier.\" https://www.techradar.com/pro/security/cloudflare-says-it-has-once-again-blocked-the-largest-ever-ddos-attack-in-history\r\n61. PC Gamer. (2025, September). \"Cloudflare mitigates yet another record-breaking DDoS attack—which, at 22.2 Tbps, makes it nearly twice as big as the last hyper-volumetric attack.\" https://www.pcgamer.com/hardware/cloudflare-mitigates-yet-another-record-breaking-ddos-attack-which-at-22-2-tbps-is-nearly-twice-as-big-as-the-last-hyper-volumetric-attack/\r\n62. HotHardware. (2025, September). \"Cloudflare Blocks Massive 22.2 Tbps DDoS Attack Twice As Big As Anything Seen Before.\" https://hothardware.com/news/cloudflare-blocks-massive-222-tbps-ddos-attack\r\n63. Slashdot. (2025, May). \"KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS.\" https://tech.slashdot.org/story/25/05/20/2215258/krebsonsecurity-hit-with-near-record-63-tbps-ddos\r\n64. Fullerton College Cybersecurity Center. (2025, May 20). \"KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS.\" https://cybersecurity.fullcoll.edu/2025/05/20/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/\r\n65. 0xzx. (2025, May). 
\"IoT Botnet Aisuru Exploits Recent Records to Launch DDoS Attack on Krebsonsecurity Website.\" https://0xzx.com/en/2025052200145523402.html\r\nReport Compiled: October 9, 2025\r\nIntelligence Assessment Level: MEDIUM-HIGH CONFIDENCE (Confirmed attacks, unconfirmed attributions)\r\nNext Review: October 15, 2025 (Post-vendor Q3 report releases)\r\nSource: https://gist.github.com/heavyscientist/de6a7c14e68b5862734b94a3c10e574c\r\nIoC emergence: New C2 domains matching xlabresearch[.]ru (mocking security researchers)\r\nVendor firmware compromises: Similar supply-chain pattern attacks on other router manufacturers\r\nAttack size escalation: 22.2 Tbps is 4x larger than 2024 record (5.6 Tbps); trend suggests 30+ Tbps attacks feasible",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gist.github.com/heavyscientist/de6a7c14e68b5862734b94a3c10e574c"
	],
	"report_names": [
		"de6a7c14e68b5862734b94a3c10e574c"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bcd3fd6f3c40f265109afc891a6783fff5505dc.pdf",
		"text": "https://archive.orkl.eu/2bcd3fd6f3c40f265109afc891a6783fff5505dc.txt",
		"img": "https://archive.orkl.eu/2bcd3fd6f3c40f265109afc891a6783fff5505dc.jpg"
	}
}