Largest DDoS Attack in History Stopped by Cloudflare
- Feb 7
Key Findings
The AISURU/Kimwolf botnet was linked to a record-breaking DDoS attack that peaked at 31.4 Tbps and lasted just 35 seconds in November 2025.
Cloudflare automatically detected and blocked the attack as part of a surge in hyper-volumetric HTTP DDoS attacks observed in late 2025.
The number and size of DDoS attacks increased significantly in 2025, with a 40% rise in hyper-volumetric attacks in Q4 2025 compared to the previous quarter.
The largest attacks targeted Cloudflare customers in the Telecommunications, Service Providers, and Carriers sector, as well as Gaming and Generative AI services.
China, the United States, Germany, and Brazil remained among the most targeted countries, while Hong Kong and the United Kingdom saw sharp increases in attacks.
Bangladesh became the top source of DDoS traffic, overtaking Indonesia, with notable rises also seen from Ecuador and Argentina.
Most DDoS attacks in Q4 2025 originated from IPs linked to major cloud platforms like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, as well as telcos in Asia-Pacific.
Background
The AISURU/Kimwolf botnet was linked to the record-breaking DDoS attack that peaked at 31.4 Tbps and lasted just 35 seconds in November 2025. Cloudflare, a leading cloud-based security and content delivery network provider, reported that the incident was part of a surge in hyper-volumetric HTTP DDoS attacks observed in late 2025, all of which were automatically detected and mitigated by the company.
Attack Details
Throughout 2025, Cloudflare observed a continuous increase in hyper-volumetric DDoS attacks. In Q4 2025, these attacks increased by 40% compared to the previous quarter, and the size of the attacks grew by over 700% compared to the large attacks seen in late 2024, with one reaching a staggering 31.4 Tbps.
The AISURU/Kimwolf botnet, acting as a DDoS-for-hire service, primarily targeted broadband providers, causing serious disruptions with attacks exceeding 1.5 Tb/sec from infected customer devices. The botnet incorporates additional dedicated DDoS attack capabilities and multi-use functions, enabling operators to carry out other illicit activities, such as credential stuffing, AI-driven web scraping, spamming, and phishing.
The attacks utilized a combination of UDP, TCP, and GRE floods with medium-sized packets and randomized ports/flags, overwhelming the targeted networks and causing router line card failures.
Botnet Analysis
The Kimwolf Android botnet, linked to the Aisuru botnet, has infected over 1.8 million devices and issued more than 1.7 billion DDoS attack commands, according to security researchers. The botnet primarily targets TV boxes. It is compiled with the NDK and includes DDoS, proxy forwarding, reverse shell, and file management functions. It employs encryption, DNS over TLS, and elliptic curve digital signatures to evade detection and resist takedowns.
Targeted Sectors and Regions
In Q4 2025, the largest DDoS attacks mainly targeted Cloudflare customers in the Telecommunications, Service Providers, and Carriers sector, followed by Gaming and Generative AI services. Cloudflare's own infrastructure was also attacked using HTTP floods, DNS attacks, and UDP floods.
Globally, China, the United States, Germany, and Brazil remained among the most targeted countries, while Hong Kong and the United Kingdom saw sharp increases in attacks. Regarding attack origins, Bangladesh became the top source of DDoS traffic, overtaking Indonesia, with notable rises also seen from Ecuador and Argentina.
Mitigation and Recommendations
Cloudflare offers a free DDoS Botnet Threat Feed, with 800+ networks collaborating to identify and shut down abusive IPs. However, the report concludes that DDoS attacks are rapidly growing in sophistication and size, surpassing previous norms and making it difficult for many organizations to keep pace.
The report suggests that organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy to better protect against these evolving threats.

