Aisuru botnet drives record surge in DDoS attacks worldwide
Distributed Denial-of-Service (DDoS) attacks reached new highs in the third quarter of 2025, with the emergence of the Aisuru botnet fundamentally altering the scale and frequency of disruptive attacks.
Cloudflare's latest industry report details the impact of Aisuru and identifies shifting targets in the DDoS landscape, reflecting both technological vulnerabilities and broader geopolitical events.
Aisuru escalation
The Aisuru botnet has been pinpointed as the primary driver of recent, record-breaking hyper-volumetric DDoS assaults. With an estimated 1 to 4 million infected hosts, Aisuru routinely delivered attacks in excess of 1 terabit per second (Tbps) and 1 billion packets per second (Bpps).
During the quarter, Aisuru-related attacks rose by 54% compared to the previous quarter, with Cloudflare mitigating 1,304 such incidents, including a record-setting 29.7 Tbps attack and a 14.1 Bpps attack. Several sectors, including telecommunications, gaming, hosting, and financial services, were directly targeted.
The attacks were intense enough that unintentional Internet disruption was reported in the United States, even though the attacks were aimed at targets elsewhere. The Aisuru botnet is available through botnet-for-hire services, enabling actors with limited resources to disrupt backbone networks and critical services by renting segments for hundreds or thousands of US dollars.
Attack statistics
Across the third quarter, Cloudflare automatically detected and mitigated 8.3 million DDoS attacks, averaging 3,780 per hour. This marked a 15% increase quarter-on-quarter and a 40% jump year-on-year. Network-layer DDoS attacks made up 71% of incidents, doubling over the last twelve months, while HTTP layer attacks decreased by 17% year-on-year.
Of note, DDoS attacks at the network layer exceeding 100 million packets per second rose by 189% in the quarter. Similarly, the frequency of assaults surpassing 1 Tbps climbed by 227%. While most attacks are short-lived, with a majority ending in under 10 minutes, the after-effects on operational and engineering teams can last significantly longer.
Changing targets
Some of the sharpest increases in attack volume have been observed against artificial intelligence (AI) companies. In September 2025, HTTP DDoS attacks targeting generative AI service providers spiked by 347% month-on-month. The period coincided with heightened public and regulatory scrutiny of AI amid high-profile UK reviews and public polling indicating economic concerns over AI deployment.
Other industries heavily targeted included Mining, Minerals & Metals, and Automotive. Escalating European Union-China trade tensions over rare earth elements and electric vehicle tariffs corresponded with surges in DDoS attempts. The Automotive sector, in particular, rose 62 positions to become the sixth most attacked industry. Cybersecurity companies also faced increased activity, moving up 17 places in the global rankings for attack frequency.
Geopolitical drivers
Patterns of DDoS attacks tracked events such as the Maldivian protests and French demonstrations against austerity policies. The Maldives became the world's 38th most attacked country after a 125-place jump, while France moved up 65 places, ranking 18th. Belgium also saw a notable increase during pro-Gaza demonstrations, reflecting a clear link between physical protests and cyber disruption.
China remained the most attacked country overall, followed by Turkey and Germany. The United States and the Philippines also saw significant movements within the top 10.
Source geographies
Indonesia has emerged as the dominant source of DDoS attacks for the fifth consecutive quarter. Attack requests originating from Indonesia have risen by 31,900% in the past five years. Seven of the top ten source countries for DDoS attacks are located in Asia, underscoring the region's role in global cyberattack activity.
Attack methods
UDP-based DDoS attacks, which were partially fuelled by Aisuru, grew by 231% in the quarter, making them the most common network-layer attack type. DNS, SYN, and ICMP flood attacks collectively accounted for more than half of all network-layer DDoS activity. While Mirai botnet variants still accounted for a small but persistent minority of attacks, the sophistication and speed at which new botnets can disrupt services have expanded considerably.
Defensive challenges
Short-burst attacks, most ending in less than ten minutes, present unique challenges for response teams, often leaving longer-term operational disruption in their wake. The report notes the insufficiency of legacy on-premise DDoS defenses to cope with the current threat environment, particularly when attacks can disrupt core services in seconds.
"Chunks" of Aisuru are offered by distributors as botnets-for-hire, so anyone can potentially inflict chaos on entire nations by crippling backbone networks and saturating Internet links, disrupting millions of users and impairing access to essential services, all at a cost of a few hundred to a few thousand U.S. dollars, the research finds.