Record-Breaking DDoS Attack at 31.4 Tbps
The recent distributed denial-of-service (DDoS) attack, attributed to the AISURU/Kimwolf botnet, has made headlines with its unprecedented peak of 31.4 terabits per second (Tbps). This aggressive assault lasted a mere 35 seconds but left an indelible mark on the cybersecurity landscape. Cloudflare, the web infrastructure company that successfully detected and mitigated this attack, reports that it is part of a troubling trend involving hyper-volumetric DDoS attacks, particularly prevalent in late 2025.
Growing Threats from AISURU/Kimwolf
In addition to its record-setting attack, AISURU/Kimwolf was linked to another significant operation known as “The Night Before Christmas,” which began on December 19, 2025. Throughout this campaign, attacks averaged an alarming 3 billion packets per second (Bpps), 4 Tbps in data volume, and 54 million requests per second (Mrps). The peak rates during this barrage climbed to astonishing figures: 9 Bpps, 24 Tbps, and 205 Mrps.
Dramatic Increase in DDoS Attacks in 2025
Cloudflare’s data reveals a staggering 121% increase in DDoS attacks in 2025, averaging 5,376 attacks mitigated every hour during the year. The total number of DDoS incidents surged to an astounding 47.1 million, more than doubling from previous years. Notably, Cloudflare mitigated 34.4 million network-layer DDoS attacks in 2025, a significant rise from 11.4 million in 2024. By the fourth quarter, network-layer DDoS attacks constituted 78% of all attacks recorded.
The final quarter of 2025 also saw a 40% increase in hyper-volumetric attacks, showcasing a stark rise from 1,304 in the previous quarter to 1,824 incidents. Year-over-year, these attacks grew by over 700% when compared to late 2024, marking a sharp increase in both frequency and intensity.
The Role of Compromised Devices in DDoS Campaigns
A significant factor behind the AISURU/Kimwolf botnet is the compromise of over 2 million Android devices, primarily off-brand televisions. These devices are often hijacked via residential proxy networks, such as IPIDEA. Recently, Google took action against this network, disrupting its operations and initiating legal proceedings to shut down numerous domains used to control and commoditize these compromised devices.
The collaboration between Google and Cloudflare has also targeted IPIDEA’s domain resolution, effectively hampering the botnet’s ability to command infected devices and control proxy traffic. IPIDEA has reportedly utilized at least 600 trojanized Android apps embedded with different proxy software development kits (SDKs). Over 3,000 trojanized Windows binaries posing as updates have also been identified as part of this ecosystem.
What’s concerning is that IPIDEA has been marketing various VPN and proxy applications that covertly convert users’ devices into exit nodes without their explicit consent. The operators manage multiple proxy businesses that, despite appearing legitimate, are ultimately connected to a centralized infrastructure under IPIDEA’s control.
Industry and Geographic Trends in DDoS Attacks
In its latest report, Cloudflare highlighted several critical trends observed during the last quarter of 2025:
– The telecommunications sector emerged as the most commonly targeted industry, closely followed by IT services, gaming, and software development.
– Countries such as China, Germany, and the United States were frequently attacked, with Bangladesh overtaking Indonesia as the largest source of DDoS incidents.
– Other notable sources of DDoS attacks included Ecuador, Argentina, and Ukraine, indicating a diverse geographic footprint of these malicious activities.
Cloudflare emphasized the increasing sophistication and scale of DDoS attacks, presenting a significant challenge to organizations trying to keep pace. As organizations reevaluate their cybersecurity strategies, those relying on traditional defenses like on-premise mitigation appliances may need to rethink their approach in light of these evolving threats.


