The Aisuru/Kimwolf botnet launched the largest publicly disclosed distributed denial-of-service (DDoS) attack in history, peaking at an unprecedented 31.4 terabits per second (Tbps).
The massive attack, part of a campaign dubbed “The Night Before Christmas”, targeted Cloudflare’s infrastructure and customers with hyper-volumetric attacks beginning December 19, 2025, combining Layer 4 DDoS attacks at record bandwidth with application-layer HTTP floods exceeding 200 million requests per second (rps).
The “Night Before Christmas” attack marked a significant escalation in the DDoS threat landscape, surpassing the previous record of 29.7 Tbps set by the same Aisuru botnet in September 2025.
The campaign used compromised Android TV devices as attack sources, with threat actors exploiting millions of unofficial Android streaming boxes to generate unprecedented traffic volumes.
The 31.4 Tbps peak represents a scale that would have overwhelmed most DDoS mitigation providers: competing services such as Akamai Prolexic (20 Tbps capacity), Netscout Arbor Cloud (15 Tbps), and Imperva (13 Tbps) would have faced theoretical bandwidth utilization rates exceeding 150-240%.
31.4 Tbps DDoS Attack
Attack Distribution and Characteristics
The hyper-volumetric campaign consisted of thousands of individual attacks with distinct patterns that revealed sophisticated coordination by the botnet operators.
Analysis of the attack distribution showed that 90.3% of attacks peaked at 1-5 Tbps, 5.5% at 5-10 Tbps, and only 0.1% exceeded 30 Tbps. From a packet-rate perspective, 94.5% of attacks generated between 1 and 5 billion packets per second (Bpps), with 4% peaking between 5 and 10 Bpps and 1.5% reaching 10-15 Bpps.
Attack duration patterns showed a preference for short, intense bursts designed to overwhelm defenses before mitigation could respond. Only 9.7% of attacks lasted under 30 seconds, while 27.1% sustained for 30-60 seconds, and a majority of 57.2% persisted for 60-120 seconds.
Just 6% of attacks exceeded two minutes in duration, suggesting the botnet operators optimized for rapid-fire volleys rather than sustained campaigns.
The campaign showed clear strategic targeting of critical infrastructure and high-value sectors. Gaming companies bore the brunt of the attacks, accounting for 42.5% of hyper-volumetric attacks, followed by Information Technology and Services organizations at 15.3%.
Attacked industries
Telecommunications providers represented 2.2% of targets, while Internet service providers, gambling operations, and computer software companies made up the remaining top-tier targets.
Geographic distribution revealed concentrated attacks against major internet hubs and economic centers. The United States absorbed 30.8% of all hyper-volumetric network-layer attacks, making it the primary target, while China faced 7.7% and Hong Kong received 3.2%.
Attacks by region
Brazil (1.9%), the UK (1.8%), Germany (1.7%), Canada (0.7%), India (0.6%), Switzerland (0.6%), and Taiwan (0.2%) rounded out the top-10 most-targeted countries.
Aisuru/Kimwolf Botnet Evolution
The Aisuru botnet has evolved into one of the most formidable DDoS threats in modern internet history, with its Android-focused variant, Kimwolf, splintering off in August 2025. Security researchers at Synthient documented that Kimwolf infected over 2 million unofficial Android TV devices, exploiting residential proxy networks to establish a distributed command-and-control infrastructure.
The botnet gained widespread attention in October 2025 when it briefly claimed the top position in Cloudflare’s global domain rankings through massive traffic generation.
Lumen Technologies’ Black Lotus Labs has been actively disrupting the botnet’s operations since early October 2025, null-routing traffic to more than 550 command-and-control servers associated with both Aisuru and Kimwolf infrastructure.
Despite these mitigation efforts, the botnet demonstrated resilience by rapidly shifting C2 nodes to new infrastructure, notably leveraging Resi Rack LLC IP addresses and common autonomous system numbers (ASNs).
The record-breaking attack occurred against a backdrop of explosive growth in DDoS attacks throughout 2025. The total number of DDoS attacks more than doubled to 47.1 million in 2025, up 121% from 21.3 million in 2024 and 236% from 14 million in 2023. Cloudflare’s systems mitigated an average of 5,376 DDoS attacks every hour during 2025, comprising 3,925 network-layer attacks and 1,451 HTTP DDoS attacks.
Network-layer DDoS attacks drove the majority of this growth, more than tripling year-over-year from 11.4 million in 2024 to 34.4 million in 2025. The fourth quarter alone saw 8.5 million network-layer attacks, a 152% year-over-year increase and 43% quarter-over-quarter growth, with these attacks accounting for 78% of all DDoS activity in Q4 2025.
The threat landscape showed concerning trends in attack sophistication and scale. Network-layer attacks exceeding 100 million packets per second (Mpps) surged by 600%, while attacks exceeding 1 Tbps increased 65% quarter-over-quarter. Nearly one in 100 network-layer DDoS attacks exceeded 1 Mpps, indicating a shift toward higher-intensity attack patterns.
At the application layer, known DDoS botnets accounted for 71.5% of all HTTP DDoS attacks, with suspicious HTTP attributes accounting for 18.8%, fake or headless browsers for 5.8%, and generic floods for 1.8%.
Attack duration analysis revealed that 78.9% of HTTP DDoS attacks concluded within 10 minutes, demonstrating a preference for fast attack cycles.
Attack magnitude distribution showed that 69.4% of HTTP DDoS attacks remained below 50,000 requests per second, while 2.8% exceeded 1 million rps, meaning roughly three out of every 100 HTTP attacks qualified as hyper-volumetric.
Cloudflare’s new real-time botnet detection system successfully identified and mitigated over 50% of HTTP DDoS attacks automatically, without human intervention.
Attack Infrastructure Sources
The global attack source distribution revealed significant shifts in the geographic origins of malicious traffic during Q4 2025. Bangladesh emerged as the largest source of DDoS attacks, dethroning Indonesia, which had held the top position for the previous year and dropped to third place. Ecuador ranked second, while Argentina rose 20 places to become the fourth-largest source.
DDoS Attack Sources
Other significant attack sources included Hong Kong (fifth), Ukraine (sixth), Vietnam (seventh), Taiwan (eighth), Singapore (ninth), and Peru (tenth). Russia experienced a notable decline, dropping five ranks to tenth place, while the United States fell four positions to sixth.
Analysis of attack source networks revealed that threat actors primarily exploited cloud computing platforms and telecommunications infrastructure.
Cloud providers, including DigitalOcean (AS 14061), Microsoft (AS 8075), Tencent, Oracle, and Hetzner, dominated as attack sources, representing half of the top 10 source networks and demonstrating the exploitation of easily provisioned virtual machines for high-volume attacks.
Traditional telecommunications providers from the Asia-Pacific region, notably Vietnam, China, Malaysia, and Taiwan, made up the remaining top-tier sources.
Despite the unprecedented scale of the “Night Before Christmas” campaign, Cloudflare’s infrastructure demonstrated resilience with its 449 Tbps total mitigation capacity across 330 points of presence (PoPs).
The 31.4 Tbps attack consumed only 7% of Cloudflare’s available bandwidth, leaving 93% of capacity remaining. The automated detection and mitigation systems successfully neutralized the hyper-volumetric attacks without triggering internal alerts or requiring human intervention, highlighting the effectiveness of machine-learning-based defense mechanisms.
The campaign underscores the critical importance of massive-scale DDoS mitigation infrastructure as attack volumes continue their exponential growth trajectory.
Organizations relying on providers with limited capacity face existential risks, as the attack would theoretically have exceeded the total mitigation capacity of several competing services simultaneously.