Aisuru Ascending: The Near-Record Attack on Krebs and What It Means for You

May 29, 2025

On May 12th, the cybersecurity community witnessed a significant escalation: a Distributed Denial-of-Service (DDoS) attack targeting KrebsOnSecurity.com. This assault, peaking at an astonishing 6.3 Terabits per second (Tbps) and 585 Million packets per second (Mpps), lasted for less than a minute but marked a critical moment for the current threat landscape. It stands as the second-largest attack ever observed, closely following a 6.5 Tbps attack on another platform in April.

The Incident: A High-Profile Target Under Fire

Brian Krebs, a highly respected cybersecurity blogger and former Washington Post writer, frequently breaks news on cybercriminal activities, making his platform a logical, albeit challenging, target. His site is protected by Google Shield, Google’s DDoS mitigation service.  Google Shield is frequently offered to news organizations, prominent independent journalists, human rights organizations, and other political targets. The scale of the May 12th attack was immense, and Google corroborated the reported traffic volume. Crucially, both Google security experts and Krebs independently attributed the attack to the Aisuru Botnet attack tool, which was also implicated in the record-setting 6.5 Tbps attack on another platform in April.

The brief, high-intensity nature of this assault is characteristic of a “test run” or demonstration of capability, a common tactic employed by botnet operators to showcase their firepower to potential clients.

Understanding the Aisuru Botnet: A Growing Threat

The Aisuru botnet is a relatively new but rapidly evolving threat, first identified in August 2024. It is composed predominantly of Internet of Things (IoT) devices, including vulnerable IP cameras, DVRs, and routers, which have been compromised and enlisted into its malicious network.

Let’s look at this formidable threat a little more closely.

Evolution and Capabilities

The rapid development cycle of Aisuru is a key characteristic. What began as a basic DDoS “stressor” tool quickly evolved through distinct variants, notably “kitty” and “AIRASHI.” This evolution signifies a strategic expansion of its malicious functionalities: 

  • DDoS-as-a-Service (DDoS-for-Hire): At its core, Aisuru operates as a commercial “Botnet-as-a-Service” (BaaS) platform. It provides DDoS capabilities for hire, typically capable of launching attacks in the 1 to 3 Tbps range. The recent 6.3 Tbps and 6.5 Tbps peaks underscore its potential for extreme volumetric assaults. 
  • Proxyware: Beyond DDoS, Aisuru has diversified to include “proxyware” functionality. This allows the botnet to covertly route internet traffic through compromised devices, effectively using them as proxies to hide the attacker’s true origin or to sell access to these compromised connections. 
  • Remote Code Execution (RCE) and Reverse Shell: The evolved variants of Aisuru are equipped with advanced capabilities such as Remote Code Execution (RCE) and reverse shell access. This means the botnet operators can execute arbitrary commands on compromised devices and establish persistent, interactive remote control over them, enabling deeper infiltration and potential for further malicious activities. 

How Aisuru Infiltrates Devices 

Aisuru employs an aggressive and multi-pronged approach to compromise IoT devices: 

  • Zero-Day Vulnerabilities: It actively exploits newly discovered, undisclosed flaws (known as “zero-day vulnerabilities”). A notable example is its exploitation of a zero-day in Cambium Networks cnPilot routers, allowing it to compromise devices before patches are available. 
  • N-Day Exploits: The botnet extensively leverages known, but unpatched, weaknesses in older devices. This includes numerous “N-day exploits” targeting equipment from manufacturers like AVTECH cameras, DrayTek, and Zyxel, among others. 
  • Default and Weak Credentials: A significant portion of its recruitment relies on the simplest attack vector: devices still using default or easily guessable passwords. This highlights a persistent and widespread security hygiene issue across the IoT landscape. 
  • Targeted Devices: Its primary targets are ubiquitous internet-connected gadgets: home routers, IP cameras, and digital video recorders (DVRs), devices often deployed with minimal security configurations and infrequent updates. 

Geographic Reach and Operational Model

The devices compromised by the Aisuru botnet are globally dispersed, indicating a broad and effective infection campaign. Significant concentrations of these infected devices have been observed in Brazil, Russia, Vietnam, and Indonesia.

The “DDoS-for-hire” model is a key aspect of Aisuru’s operation. Access to the power of the botnet is openly marketed via platforms like Telegram, with clear pricing structures. This commercialization significantly lowers the barrier for launching high-impact cyberattacks, making powerful tools accessible to a wider range of malicious actors.

A Persistent and Expanding Threat

The attack on KrebsOnSecurity.com serves as a stark reminder of the escalating capabilities of modern botnets like Aisuru—descendants of Mirai. The rapid evolution of Aisuru, sophisticated exploitation techniques (including zero-days), diverse attack capabilities (DDoS, proxyware, RCE), and a commercialized “as-a-service” model make it a significant and adaptable threat.

For individuals and organizations, the incident underscores the critical importance of robust cybersecurity practices: 

  • Patch Management: Promptly apply security updates to all internet-connected devices, especially routers, cameras, and DVRs. 
  • Strong Authentication: Replace all default passwords with strong, unique credentials for every device. 
  • Network Segmentation: Consider segmenting your network to isolate IoT devices from more sensitive systems. 
  • DDoS Mitigation: For critical online services, invest in an advanced DDoS protection solution that can adapt to evolving attack vectors and volumetric surges. 

The Aisuru BaaS (Botnet as a Service) trajectory highlights a concerning trend: the commoditization of advanced cyberattack capabilities. Staying informed and proactive in securing your digital footprint is more crucial than ever to mitigate the risks posed by such evolving threats. 

DigiCert Provides Trust in Availability and Performance for the Enterprise

The threat is real and growing, but enterprises can trust UltraDDoS Protect to preserve availability and performance while protecting against even the biggest or stealthiest DDoS attacks.  UltraDDoS Protect provides global coverage with 16 concentrated points of presence (PoPs) covering North America, South America, Europe, the Middle East, and AsiaPac with multiple, comprehensively-peered tier 1 service providers per PoP.  UltraDDoS Protect is a dedicated DDoS and application security platform engineered to handle attack traffic with greater than 15 Tbps of capacity shared with no other services.  UltraDDoS Protect leverages Machine Learning-assisted Threat Intelligence to provide flexible and automated DDoS protection for the most complex environments and most demanding customers.  The flexibility of the platform will wrap around the assets or sites of any organization without requiring client architecture changes.  The platform is cloud and service provider agnostic to act as a single point to manage and enforce security policy across a diverse customer footprint.  This is ideal for multicloud or hybrid on-premises and cloud architectures.  UltraDDoS Protect can be deployed on demand with automatically triggered mitigations or as Always On to meet the strictest customer requirements. 

UltraDDoS Protect is a proven service launched in 2011.  The service is managed by the DigiCert 24x7x365 SOC, whose engineers are always monitoring the mitigations and available to provide their extensive expertise as well as any consultative manual tuning.  UltraDDoS Protect is engineered to mitigate multiple multi-terabit attacks simultaneously and routinely mitigates attacks in the high hundreds of Gbps and even multi-terabit attacks, though smaller carpet bombs are the vector du jour due to their intended evasive nature.  UltraDDoS Protect also has the capacity to mitigate attacks of up to 80 billion packets per second (Bpps).

What Is DigiCert Doing to Address the Expanding Threats of the Continuing DDoS Arms Race?

Botnet as a Service (BaaS) platforms are getting smarter through leveraging Artificial Intelligence.  AI can be used for target selection based on discovered vulnerabilities, the importance of the target to an organization, or based on the defense posture.  AI can monitor the efficacy of an attack to gauge effectiveness and intelligently shift attack vectors during the course of the attack.  AI can even script specific attack payloads or sequences based on projected effectiveness.  AI can assist with the recruitment of new bots through obfuscation or deception, which leads to larger botnets and bots on better-connected networks or platforms, in turn leading to the ability to produce higher bits per second (bps) or packets per second (pps) attacks.  BaaS is a powerful tool capable of ever more attack vectors from DDoS to RCE to proxyware, and with the ability to adaptively shift between multiple vectors based on impact. 

DigiCert is continuously evolving its DDoS protection and application security services to stay ahead of the expanding BaaS threat.  The Krebs attack highlights the astounding scale and potential of the current BaaS threat environment. 

DigiCert UltraDDoS Protect improved DDoS capacity quality both for ingest and clean traffic return. UltraDDoS Protect bandwidth provider and location mix has been reevaluated and optimized for the broadest peering connectivity and capacity.  Enhanced traffic engineering capabilities have been harnessed to allow for easier management and tuning of traffic flows to avoid congestion and achieve the lowest latency for legitimate customer traffic.

DigiCert has made organic carpet bomb mitigation improvements. 2024 was the Year of the Carpet Bomb, and this attack method has been leveraged in up to 70% of attacks for any given month in 2024 and 2025.  Carpet bombing involves targeting many or all IP addresses in a /24 (256 contiguous IPs) or larger network block.  Carpet bombs typically leverage DNS amplification or floods, as well as secondary vectors like TCP SYN, RST, or ACK floods.  The goal with a carpet bomb is to evade both detection and mitigation thresholds by sending a lower per-host attack volume to fall below the thresholds while having a greater aggregate impact on the target asset availability or performance.  On many DDoS mitigation platforms, either too many alerts or mitigations are generated, or the attacks are not detected at all due to evasion.  UltraDDoS Protect has developed organic alert aggregation and mitigation strategies to optimize operational efficiency and minimize impact on our customers. Carpet bombs will no doubt continue to be employed extensively by threat actors, but UltraDDoS Protect is prepared to prevent impact on our customers and ensure availability as well as performance. 
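The evasion mechanism described above is easiest to see with numbers. The following is an added Python example, not DigiCert's or UltraDDoS Protect's code; it uses constructed per-destination traffic summaries and hypothetical thresholds (1 Gbps per host, 10 Gbps aggregate per /24, at least 16 distinct hosts) to show that a per-host threshold misses a carpet bomb spread across a /24 while a per-prefix aggregation raises exactly one alert for the whole block.

```python
"""Carpet-bomb detection by prefix aggregation.

Added example (not DigiCert/UltraDDoS Protect code). Per-host thresholds are the
detection model a carpet bomb is designed to evade; aggregating per /24 restores
visibility and produces one alert per affected block instead of zero or 256.
"""
from collections import defaultdict
from ipaddress import ip_network

# Hypothetical thresholds chosen for the example, not vendor defaults.
HOST_THRESHOLD_BPS = 1_000_000_000        # 1 Gbps per destination host
PREFIX_THRESHOLD_BPS = 10_000_000_000     # 10 Gbps aggregate per /24
MIN_HOSTS_FOR_CARPET_BOMB = 16            # spread across many hosts => carpet bomb


def build_sample_flows():
    """Constructed (dst_ip, bits_per_second) summaries for one detection interval."""
    flows = []
    # Classic single-target flood: visible to a per-host threshold.
    flows.append(("192.0.2.10", 5_000_000_000))
    # Carpet bomb: 40 hosts in 203.0.113.0/24, each well under the per-host threshold.
    for last_octet in range(1, 41):
        flows.append((f"203.0.113.{last_octet}", 500_000_000))
    # Benign background traffic in an unrelated prefix.
    for last_octet in (5, 6, 7):
        flows.append((f"198.51.100.{last_octet}", 100_000_000))
    return flows


def per_host_alerts(flows, threshold_bps=HOST_THRESHOLD_BPS):
    """Per-destination-host detection: returns hosts whose traffic exceeds the threshold."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(dst for dst, bps in totals.items() if bps > threshold_bps)


def per_prefix_alerts(flows, prefix_len=24, threshold_bps=PREFIX_THRESHOLD_BPS,
                      min_hosts=MIN_HOSTS_FOR_CARPET_BOMB):
    """Aggregate traffic per prefix; one alert per prefix whose total exceeds the
    threshold across at least min_hosts distinct destinations (the carpet-bomb shape)."""
    agg_bps = defaultdict(int)
    hosts = defaultdict(set)
    for dst, bps in flows:
        prefix = ip_network(f"{dst}/{prefix_len}", strict=False)
        agg_bps[prefix] += bps
        hosts[prefix].add(dst)
    alerts = {}
    for prefix, total in agg_bps.items():
        if total > threshold_bps and len(hosts[prefix]) >= min_hosts:
            alerts[str(prefix)] = {"aggregate_bps": total, "hosts": len(hosts[prefix])}
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    # Per-host view sees only the single-target flood; the 20 Gbps carpet bomb is invisible.
    print("per-host alerts:", per_host_alerts(flows))
    # Per-prefix view raises one aggregated alert for 203.0.113.0/24.
    print("per-prefix alerts:", per_prefix_alerts(flows))
```

The `min_hosts` condition is what distinguishes a carpet bomb from a single large flood that happens to live in the same /24, so the two detectors complement rather than duplicate each other; in production the thresholds would be set from the protected block's observed baseline rather than fixed constants.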

As many customers are moving to Always On DDoS protection, where traffic is always routed or proxied through the protection platform, DigiCert can offer additional protections to that customer traffic beyond volumetric DDoS protection. UltraDDoS Protect has made continuous improvements to the Cloud Firewall feature. Cloud Firewall offers the ability to enforce security policy at the network edge upstream from the customer assets and networks. Customers can define and drop non-volumetric malicious traffic, which would not trigger a DDoS mitigation.  Customers can filter non-legitimate or undesired nuisance traffic at network borders. Undesired traffic policies can be defined through the customer portal, or customer threat intelligence feeds can be uploaded to leverage current investments with Cloud Firewall. 

DigiCert provides trust in the availability and performance of customer assets and applications amid the explosion of Botnet as a Service (BaaS) capabilities. 

Published On: May 29, 2025
Last Updated: May 29, 2025
