The largest distributed denial-of-service attack ever recorded did not come from a data center, a nation-state’s cyber unit, or a warehouse full of purpose-built attack servers. It came from somewhere far more ordinary: the broadband routers, security cameras, and digital video recorders sitting in homes and small businesses around the world. Hundreds of thousands of them, possibly millions, acting in concert on command, pointed all at once at a single target.
The botnet behind it is called Aisuru, and at its peak it generated a flood of traffic measured at 29.7 terabits per second — roughly 14.1 billion packets every second — eclipsing the previous record of around 22 terabits per second set only months earlier. To put the figure in human terms: a single second of that attack moved more data than most home internet connections move in years. And it was assembled almost entirely out of devices that their owners had no idea were participating.
What a TurboMirai Botnet Is
Aisuru belongs to a class of malware that security researchers have started calling “TurboMirai.” The name acknowledges its lineage. The original Mirai botnet, which surfaced in 2016, was the first to demonstrate that the vast and growing population of insecure consumer IoT devices could be conscripted into a DDoS weapon of historic scale. Mirai scanned the internet for cameras and routers protected only by default passwords, logged in, installed itself, and waited for orders. At its height it knocked major chunks of the internet offline.
A decade later, the formula has not changed so much as it has been refined and industrialized. TurboMirai-class botnets like Aisuru use the same fundamental approach — compromise large numbers of poorly secured consumer devices, aggregate their modest individual bandwidth into an overwhelming collective flood — but they do it with better tooling, faster propagation, more sophisticated command-and-control, and a deliberate commercial model. The “turbo” reflects both the raw throughput these newer botnets achieve and the efficiency with which they recruit and weaponize devices.
The devices that make up Aisuru are, overwhelmingly, consumer-grade. Broadband access routers. CCTV cameras. DVR systems. Other gear running similar OEM firmware versions — the kind of white-label hardware that gets rebranded by dozens of vendors and shipped with identical, rarely updated software underneath. These are not powerful machines individually. A single compromised camera contributes a trivial amount of traffic. But Aisuru’s estimated population sits somewhere between one and four million devices, and at that scale, trivial individual contributions sum to a record-breaking total.
The Numbers Behind the Record
The scale of Aisuru’s operations is documented in detail because the attacks have repeatedly slammed into the infrastructure of large network providers, who measure and report what hits them.
The headline 29.7 Tbps peak, with its approximately 14.1 billion packets per second, set a new world record for attack volume — a substantial jump from the prior high near 22 Tbps recorded the previous quarter. But the single largest attack is only part of the picture. Across the period that Aisuru has been active, one major mitigation provider reported blocking 2,867 distinct Aisuru attacks. In a single recent quarter, hyper-volumetric DDoS events — the truly enormous floods — numbered 1,304, a 54% increase quarter over quarter, averaging roughly fourteen mega-attacks every single day.
The attack technique itself is built for maximum disruption. Aisuru favors UDP “carpet bombing”: rather than hammering a single port on a single server, it sprays traffic across roughly 15,000 destination ports per second with randomized packet attributes. This makes the flood far harder to filter, because there is no single signature, port, or pattern for defenders to block. The randomization defeats simplistic mitigation and forces defenders into far more expensive, infrastructure-level responses.
And the attacks are fast. The overwhelming majority end within ten minutes — short enough that, as one analysis put it, they are too fast for manual response or on-demand mitigation contracts to reliably catch. By the time a human notices and engages emergency mitigation, the attack is often already over, having done its damage. Speed is a weapon in its own right.
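An added example, not taken from the article or its sources: since a port-spraying flood offers no single port or signature to match and ends too quickly for manual triage, one automated defender-side check is to aggregate flow records per destination per second and flag UDP traffic that is spread evenly across many destination ports. The flow tuple layout, the documentation-range addresses, the function names and both thresholds are constructed assumptions to be tuned against a real baseline.

```python
import math
from collections import Counter, defaultdict

def build_sample_flows():
    """Constructed flow records: (second, src_ip, dst_ip, proto, dst_port, packets)."""
    flows = [(100, "192.0.2.7", "198.51.100.10", "udp", 53, 400),
             (100, "192.0.2.8", "198.51.100.10", "udp", 123, 20),
             # Busy host: many ports seen, but a single port dominates the volume.
             (100, "192.0.2.9", "198.51.100.20", "udp", 443, 100000)]
    flows += [(100, "192.0.2.9", "198.51.100.20", "udp", 20000 + i, 1)
              for i in range(1200)]
    # Port spray: 15,000 distinct ports in one second, a few packets on each.
    flows += [(100, f"192.0.2.{i % 250 + 1}", "203.0.113.5", "udp",
               1024 + (i * 7919) % 60000, 1 + i % 3) for i in range(15000)]
    return flows

def detect_port_spray(flows, min_ports=1000, min_entropy_ratio=0.9):
    """Flag (second, dst_ip) buckets whose UDP packets spread evenly over many ports.

    Both thresholds are illustrative assumptions, not values from the article.
    """
    buckets = defaultdict(Counter)
    for second, _src, dst_ip, proto, dst_port, packets in flows:
        if proto == "udp":
            buckets[(second, dst_ip)][dst_port] += packets
    alerts = []
    for (second, dst_ip), per_port in sorted(buckets.items()):
        distinct = len(per_port)
        if distinct < min_ports:
            continue  # too few ports to be a spray
        total = sum(per_port.values())
        entropy = -sum(c / total * math.log2(c / total) for c in per_port.values())
        ratio = entropy / math.log2(distinct)  # 1.0 means a perfectly even spread
        if ratio >= min_entropy_ratio:
            alerts.append({"second": second, "dst_ip": dst_ip,
                           "distinct_ports": distinct, "packets": total,
                           "entropy_ratio": round(ratio, 3),
                           # Largest share held by any one port: why per-port limits miss it.
                           "max_port_share": max(per_port.values()) / total})
    return alerts

if __name__ == "__main__":
    for alert in detect_port_spray(build_sample_flows()):
        print(alert)
```

The host with 1,201 ports but one dominant port is not flagged, because its normalized port entropy is low; only the evenly sprayed destination is reported.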
The targets have been telecommunications providers, online gaming platforms, hosting companies, and financial services firms. Gaming in particular has been a recurring victim — DDoS-for-hire services have long catered to players who want to knock rivals offline — but the industries most heavily hit have been IT and services, telecoms, and the gambling sector.
The Business Model: Your Router for Rent
Aisuru is not a hobby project or a one-off act of vandalism. It is a commercial enterprise. Portions of the botnet are openly available for rent, with reporting indicating prices ranging from the hundreds to the thousands of dollars for enough capacity to saturate the backbone links of serious infrastructure. The operators run it as cybercrime-as-a-service: they maintain the fleet of compromised devices, and they sell access to that fleet to anyone willing to pay for a DDoS campaign, sometimes pairing the attacks with extortion demands against the victims.
This commercial structure is what makes botnets like Aisuru so persistent. The operators have a direct financial incentive to keep their fleet large, healthy, and hidden. Every compromised router that stays infected and undetected is a revenue-generating asset. They have every reason to keep the malware quiet, to avoid behavior that would tip off the device owner, and to maintain infections for as long as possible. The router in your home, once recruited, becomes passive income for a criminal — and the entire incentive structure is designed to ensure you never find out.
The March 2026 Takedown — and Its Limits
Aisuru has not operated unchallenged. In March 2026, the U.S. Department of Justice, working with law enforcement partners in Canada and Germany and several major technology companies, ran a coordinated operation against the operators of Aisuru and three related botnets: Kimwolf, JackSkid, and Mossad. The FBI’s Anchorage Field Office played a central role.
Authorities seized domains, servers, and command-and-control infrastructure used by the four botnets — systems that, between them, had infected more than three million IoT devices worldwide, primarily cameras and routers that had been exploited to bypass firewall protections. The scale of the attack activity disrupted was staggering: Aisuru alone had issued over 200,000 attack commands. JackSkid had issued around 90,000, Kimwolf roughly 25,000, and Mossad over 1,000. Some of the attacks linked to this cluster had reached approximately 30 terabits per second.
Operations like this matter. Seizing command-and-control infrastructure disrupts the operators’ ability to direct their fleets and imposes real costs on the criminal enterprise. But there is a hard limit to what infrastructure takedowns can accomplish against an IoT botnet, and it is this: the takedown does not clean the infected devices. The millions of compromised routers and cameras remain compromised, sitting in homes, still running the malware, still vulnerable to being re-recruited the moment new command infrastructure comes online. The underlying weakness — devices shipped with weak credentials, exposed management interfaces, and no meaningful update mechanism — is untouched by any courtroom.
This is the recurring frustration of IoT botnet enforcement. You can arrest operators and seize servers, but the attack surface itself — the installed base of insecure consumer hardware — persists. As long as it persists, the next Aisuru is already being assembled.
How to Keep Your Devices Out of It
The uncomfortable truth about a botnet like Aisuru is that participation is silent. An infected router rarely shows obvious symptoms; the malware is designed to stay quiet so it can keep generating revenue. So the goal is not to detect infection after the fact — it is to make your devices harder to compromise than the next device in the attacker’s scan queue. Botnets like Aisuru are opportunistic; they take the easy targets, and there is an effectively endless supply of them.
Change every default credential. The original Mirai spread almost entirely through default passwords, and the technique still works because the devices still ship with them. Every router, camera, and DVR you own should have its administrative password changed to something unique and strong. This single step removes you from the largest category of trivially compromised devices.
Do not expose device management interfaces to the internet. Aisuru and its kin scan the public internet for devices with web interfaces, Telnet, SSH, or proprietary management ports reachable from outside. Your router’s remote administration feature should be off unless you have a specific, deliberate need for it. Camera and DVR interfaces should never be directly reachable from the internet — if you need remote access, route it through a VPN or the manufacturer’s properly secured cloud service rather than a port forward.
Keep firmware current. TurboMirai botnets exploit known vulnerabilities in addition to default credentials. Manufacturers patch many of these, but only if you install the updates. Enable automatic firmware updates where your devices support it, and check manually for the ones that do not.
Retire devices that no longer receive updates. A camera or router that the manufacturer has stopped supporting is a permanent liability. If there are no more security updates coming, the device’s vulnerabilities are forever — and forever is exactly the timeframe a botnet operator is working with. End-of-life hardware that touches the internet should be replaced.
Segment your IoT devices. Placing cameras, DVRs, and other connected gear on a separate network segment from your computers and phones limits what a compromised device can reach. It does not stop the device from joining a botnet, but it prevents an infected camera from being a stepping stone deeper into your network.
The record will not stand for long. The previous high was 22 Tbps; Aisuru pushed it to 29.7; the next botnet will push it further. Each new record is built from the same raw material — ordinary connected devices that their owners never secured and never think about. The single most useful thing you can do is make sure none of those devices are yours.
Sources
- CybersecurityNews: 29.7 Tbps DDoS Attack via Aisuru Botnet Breaks Internet With New World Record
- NETSCOUT ASERT: Aisuru and Related TurboMirai Botnet DDoS Attack Mitigation and Suppression
- SecurityWeek: TurboMirai-Class ‘Aisuru’ Botnet Blamed for 20+ Tbps DDoS Attacks
- Security Affairs: Global Law Enforcement Operation Targets Aisuru, Kimwolf, JackSkid Botnet Operators
- Security Affairs: Aisuru Botnet Is Behind Record 20Tb/sec DDoS Attacks