Cloudflare Inc. revealed it thwarted the most massive distributed denial-of-service attack ever publicly documented, a 31.4 terabits-per-second barrage unleashed by the Aisuru/Kimwolf botnet on December 19, 2025. Dubbed “The Night Before Christmas” for its timing, the assault combined hyper-volumetric HTTP floods exceeding 200 million requests per second with Layer 4 attacks peaking at 31.4 Tbps, overwhelming targets in telecommunications and information technology services. “The campaign targeted Cloudflare customers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks exceeding rates of 200 million requests per second (rps) alongside Layer 4 DDoS attacks peaking at 31.4 Terabits per second, making it the largest attack ever disclosed publicly,” Cloudflare stated in its 2025 Q4 DDoS Threat Report.
This incident shattered the prior benchmark of 29.7 Tbps set by Aisuru earlier in 2025, underscoring the escalating potency of IoT-driven botnets. Ninety percent of the strikes in the campaign topped out between 1 and 5 Tbps, with 94% delivering 1 to 5 billion packets per second; over half endured just one to two minutes, yet packed enough punch to cripple unprepared networks. Cloudflare’s autonomous defenses absorbed the deluge without manual intervention or service disruptions, a testament to its global anycast network spanning more than 330 cities.
Botnet’s Explosive Growth and Hybrid Evolution
The Aisuru/Kimwolf network draws firepower from millions of hijacked Internet-of-Things devices, including routers, IP cameras, and, notably for this campaign, Android TV streaming boxes. Researchers at QiAnXin XLab identified Kimwolf as an Android-focused variant of Aisuru that has infected between 1.8 million and more than 2 million devices by reaching exposed Android Debug Bridge (ADB) ports through residential proxy networks. “Kimwolf is a botnet compiled using the NDK. In addition to typical DDoS attack capabilities, it integrates proxy forwarding, reverse shell, and file management functions,” XLab detailed in its analysis.
Synthient reported Kimwolf’s spread accelerated since August 2025, abusing proxy providers like IPIDEA to bypass NAT firewalls and scan local networks for vulnerable TV boxes on ports 5555, 5858, 12108, and 3222. By late 2025, the botnet issued 1.7 billion DDoS commands in three days, with C2 domains like 14emeliaterracewestroxburyma02132[.]su briefly topping Cloudflare’s global rankings ahead of Google. Krebs on Security highlighted operators’ infighting, with alleged controllers “Dort” and “Snow” claiming 3.5 million bots after rival takeovers.
Cloudflare mitigated 2,867 Aisuru attacks through 2025, including 1,304 hyper-volumetric ones in Q3 alone—a 54% quarter-over-quarter surge—per its Q3 report. Microsoft Azure fended off a 15.72 Tbps Aisuru strike from 500,000 IPs in October, calling it the largest cloud DDoS recorded, as reported by BleepingComputer.
Attack Mechanics and Evasion Tactics
The December peak employed UDP carpet-bombing across 15,000 ports per second, randomizing packet attributes to dodge filters—a hallmark refined from prior 22.2 Tbps and 14.1 billion packets-per-second assaults. Short bursts, with 71% of HTTP and 89% of network-layer attacks ending within 10 minutes, are over before a manual response can begin, while recovery is prolonged by the system validations that follow. “Chunks of Aisuru are offered by distributors as botnets-for-hire, so anyone can potentially inflict chaos on entire nations… all at a cost of a few hundred to a few thousand U.S. dollars,” Cloudflare warned.
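A defender's view of the carpet-bombing signal described above, written as an added example (not Cloudflare's code): it parses constructed flow records, counts distinct UDP destination ports per target per second, and reports only bursts that persist for a minimum number of consecutive seconds, so that the short-burst pattern is surfaced with its duration rather than lost among one-second blips. The flow-line format, the 1,000-port threshold and the two-second minimum are assumptions, and the sample traffic is constructed, not captured.

```python
"""Flag UDP carpet-bombing bursts in per-flow records.

Added example (not Cloudflare's code). Thresholds and the flow format are assumptions;
the sample traffic is constructed, not captured.
"""
from collections import defaultdict
import random

PORT_SPREAD_THRESHOLD = 1000  # distinct UDP dst ports per target per second (assumed)
MIN_BURST_SECONDS = 2         # drop one-second blips that would only cause alert noise


def parse_flow(line):
    """Parse a constructed flow line: '<epoch_sec> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto.upper()


def detect_carpet_bombs(lines, threshold=PORT_SPREAD_THRESHOLD, min_seconds=MIN_BURST_SECONDS):
    """Return bursts as dicts: target, start, end, duration_s, peak_ports, sources.

    A burst is a run of consecutive seconds in which one target received UDP on at
    least `threshold` distinct destination ports. Counting distinct ports rather than
    packets per port catches a flood that stays under any single-port rate threshold.
    """
    ports = defaultdict(set)    # (second, target) -> distinct dst ports
    sources = defaultdict(set)  # (second, target) -> distinct src addresses
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "UDP":
            continue
        ports[(ts, dst)].add(dport)
        sources[(ts, dst)].add(src)

    hot = defaultdict(list)     # target -> seconds over threshold
    for (ts, dst), pset in ports.items():
        if len(pset) >= threshold:
            hot[dst].append(ts)

    bursts = []
    for dst, seconds in hot.items():
        seconds.sort()
        run = [seconds[0]]
        for ts in seconds[1:] + [None]:  # None is a sentinel that flushes the final run
            if ts is not None and ts == run[-1] + 1:
                run.append(ts)
                continue
            if len(run) >= min_seconds:
                bursts.append({
                    "target": dst, "start": run[0], "end": run[-1],
                    "duration_s": len(run),
                    "peak_ports": max(len(ports[(s, dst)]) for s in run),
                    "sources": len(set().union(*(sources[(s, dst)] for s in run))),
                })
            if ts is not None:
                run = [ts]
    return sorted(bursts, key=lambda b: b["start"])


def build_sample_flows(seed=7):
    """Construct synthetic flows: background traffic, a 4-second carpet bomb, a 1-second blip."""
    rng = random.Random(seed)
    lines = []
    for ts in range(1000, 1020):                      # background: DNS/NTP/QUIC to another host
        for _ in range(5):
            lines.append(f"{ts} 192.0.2.{rng.randint(1, 50)} 198.51.100.20 {rng.choice([53, 123, 443])} UDP")

    def spoofed():                                    # random-looking (spoofed) source address
        return ".".join(str(rng.randint(1, 254)) for _ in range(4))

    for ts in range(1005, 1009):                      # burst: 1500 distinct ports/second
        for dport in rng.sample(range(1024, 65536), 1500):
            lines.append(f"{ts} {spoofed()} 198.51.100.10 {dport} UDP")
    for dport in rng.sample(range(1024, 65536), 1200):  # blip: over threshold, one second only
        lines.append(f"1015 {spoofed()} 198.51.100.10 {dport} UDP")
    return lines


if __name__ == "__main__":
    for burst in detect_carpet_bombs(build_sample_flows()):
        print(burst)
```

On the constructed sample the detector reports one burst against 198.51.100.10 lasting four seconds (1005 to 1008) with a peak of 1,500 distinct ports; the single-second blip at 1015 is suppressed unless `min_seconds` is lowered to 1. Real deployments would feed sampled NetFlow/IPFIX or edge-router telemetry into `parse_flow` and tune the threshold to the target's normal port spread.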
Operators exploit vulnerabilities in Realtek chipsets and in T-Mobile, Zyxel, D-Link, and Linksys routers, plus breached firmware servers like TotoLink’s, ballooning the herd to 1-4 million nodes. XLab observed Kimwolf co-infecting with Aisuru via shared scripts from September to November, blending IoT and Android payloads for hybrid resilience. Black Lotus Labs has null-routed over 550 C2 nodes since October 2025, tying Canadian SSH proxies to the infrastructure.
Geographically, Bangladesh led attack origins, trailed by Ecuador and Indonesia; targets clustered in China, Hong Kong, Germany, Brazil, and the U.S. Collateral spillover disrupted U.S. ISPs not directly aimed, per Krebs on Security and Cloudflare, foreshadowing risks to healthcare, emergency, and military systems.
2025 Surge: Volume, Velocity, and Vectors
Cloudflare’s Q4 report logged 47.1 million DDoS incidents in 2025—a 121% year-over-year leap, averaging 5,376 attacks hourly, up 31% quarter-over-quarter and 58% annually. Network-layer floods comprised 73%, HTTP-based 27%; hyper-volumetric events over 100 million packets per second spiked 600%, those above 1 Tbps rose 65% sequentially. “We’ve entered an era where DDoS attacks have rapidly grown in sophistication and size—beyond anything we could’ve imagined a few years ago,” Cloudflare noted.
UDP floods, amplified by Aisuru, jumped 231% in Q3, topping vectors ahead of DNS, SYN, and ICMP. Mirai variants lingered at 2% of network attacks. Sectors hammered included telecommunications, IT services, gambling, casinos, and gaming; AI firms saw 347% monthly spikes amid regulatory debates, per Cybersecurity Dive. Over 71.5% of HTTP DDoS traffic was traced to documented botnets.
Indonesia dominated sources for a year, its HTTP traffic surging 31,900% since 2021; Argentina climbed to fourth as Russia fell. Q3 alone saw 8.3 million blocks, 15% up quarterly and 40% yearly, with 36.2 million year-to-date exceeding 2024’s total by 170%.
Defensive Imperatives for Enterprises
Traditional scrubbing centers falter above 20 Tbps ingress; Cloudflare’s autonomous mitigation proved decisive, but unprotected backbones remain vulnerable. “Cybercriminals attack from all angles and are incredibly relentless… volume-powered DDoS campaigns are still evolving faster than the majority of organisations’ defences,” ESET advisor Jake Moore told HackRead. Proxy providers must bar local network access and high-risk ports, as Synthient urged following the IPIDEA restrictions.
Device makers face mandates for secure defaults; consumers should wipe infected Android boxes. Enterprises demand always-on, globally distributed scrubbing with AI-driven anomaly detection. As botnets commoditize via Telegram sales, proactive IoT hardening and traffic engineering grow essential against nation-scale disruptions for pennies.
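The egress rule Synthient urged on proxy providers (no access to the exit node's local network, no high-risk ports) is easy to state and easy to get wrong, because a proxy request usually names a host rather than an address. The added example below (not Synthient's or IPIDEA's code) shows one way a residential exit node could enforce the rule: it refuses non-public destination ranges, refuses the ports the article lists (5555, 5858, 12108, 3222), and, the part most often missed, checks every address a hostname resolves to rather than the name itself, so a name that resolves to a LAN address is blocked. The policy, the function names and the fake resolver are assumptions.

```python
"""Egress policy for a residential proxy exit node.

Added example, not code from any proxy provider. The port list comes from the
article; the blocked ranges and the request-check flow are assumptions.
"""
import ipaddress

# Ports the article reports Kimwolf scanning on TV boxes; 5555/tcp is ADB.
HIGH_RISK_PORTS = {5555, 5858, 12108, 3222}

# Destinations an exit node should never forward to: the host's own LAN and any
# other non-public space. Assumption: a residential exit only proxies to the
# public internet, so everything below is denied outright.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, common behind ISP CPE
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "0.0.0.0/8", "224.0.0.0/4",                        # "this" network, multicast
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def evaluate_egress(dst_ip, dst_port):
    """Return (allowed, reason) for a single literal destination address and port."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False, "unparseable destination"   # fail closed on anything we cannot check
    for net in LOCAL_NETWORKS:
        if addr.version == net.version and addr in net:
            return False, f"destination {addr} is in non-public range {net}"
    if dst_port in HIGH_RISK_PORTS:
        return False, f"port {dst_port} is on the high-risk list"
    return True, "ok"


def evaluate_request(host, port, resolve):
    """Check a proxy request whose destination may be a hostname.

    `resolve` is injected (callable: hostname -> list of IP strings) so the policy is
    applied to the addresses the exit would actually connect to. Every candidate must
    pass; one LAN address among the answers is enough to refuse the request.
    """
    try:
        ipaddress.ip_address(host)
        candidates = [host]
    except ValueError:
        candidates = resolve(host)
    if not candidates:
        return False, f"{host}: no resolution"
    for ip in candidates:
        allowed, reason = evaluate_egress(ip, port)
        if not allowed:
            return False, f"{host} -> {ip}: {reason}"
    return True, "ok"


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "update.example": ["198.51.100.40"],
    "rebind.example": ["198.51.100.41", "192.168.1.1"],   # one public, one LAN answer
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    for host, port in [("update.example", 443), ("rebind.example", 80),
                       ("192.168.1.10", 5555), ("198.51.100.40", 5555)]:
        print(host, port, evaluate_request(host, port, fake_resolve))
```

In production the injected resolver would be the exit's real resolver, and the connect step should reuse the checked addresses rather than resolving the name a second time, otherwise a short-TTL record can change between check and connect.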
The Aisuru/Kimwolf reign signals DDoS entering a hyper-scale epoch, where fleeting floods from household armies test the internet’s resilience core. Cloudflare’s reports and peers like The Hacker News affirm defenses must scale exponentially or yield to chaos.
WebProNews is an iEntry Publication