Cloudflare disclosed on January 29, 2026, that it mitigated the largest DDoS attack ever publicly recorded: 31.4 Tbps and 200 million requests per second from the Aisuru botnet. The attack roughly tripled the previous public record of 10.5 Tbps and signals a step change in volumetric DDoS capability.
Attack overview
| Attribute | Value |
|---|---|
| Peak bandwidth | 31.4 Tbps |
| Peak request rate | 200 million rps |
| Previous record | 29.7 Tbps (Aisuru, September 2025) |
| Pre-2025 record | 10.5 Tbps |
| Attack date | December 19, 2025 |
| Targets | Telecom providers, IT organizations |
| Regions | Asia, Europe |
Putting 31.4 Tbps in perspective
| Comparison | Equivalence |
|---|---|
| Netflix 4K streams | 2.2 million simultaneous streams |
| Average home internet | ~625,000 connections saturated |
| Small country bandwidth | Could overwhelm national infrastructure |
| Previous record | 3x the 10.5 Tbps pre-2025 record |
The “Night Before Christmas” campaign
Cloudflare named the attack campaign “The Night Before Christmas” for its timing: it ran over the holiday period, when skeleton crews meant slower response times.
Campaign characteristics
| Attribute | Details |
|---|---|
| Campaign name | Night Before Christmas |
| Start date | December 19, 2025 |
| Targeting | Telecommunications and IT organizations |
| Strategy | Repeated short, intense bursts |
| Goal | Maximize impact during response delays |
Attack patterns
| Metric | Value |
|---|---|
| Attack type | Combined hyper-volumetric HTTP floods + Layer 4 |
| HTTP flood peak | 200+ million rps |
| Network layer peak | 31.4 Tbps |
| UDP technique | Carpet-bombing across 15,000 ports/second |
| Packet randomization | Randomized attributes to evade filtering |
| Sustained duration | Above 20 Tbps for 45+ minutes |
Duration distribution
| Duration | HTTP attacks | Network-layer attacks |
|---|---|---|
| Under 10 minutes | 71% | 89% |
The short duration was strategic: each burst was meant to finish inside the window before manual response could engage.
Botnet infrastructure
Aisuru/Kimwolf relationship
| Attribute | Details |
|---|---|
| Aisuru | Primary botnet identity |
| Kimwolf | Android-focused variant |
| Relationship | Same hacker group, shared infrastructure |
| Botnet size | 2-3.5 million compromised devices (claimed) |
| Device types | Android TV boxes, smart TVs, set-top boxes, tablets |
Security firm QiAnXin XLab has tracked Kimwolf since late 2025 and confirmed the two botnets “propagated through the same infection scripts between September and November, coexisting in the same batch of devices.”
Operator attribution
Underground sources claim the botnets are controlled by operators known as “Dort” and “Snow”, who allegedly command 3.5 million infected devices across the combined Aisuru/Kimwolf infrastructure.
Kimwolf infection chain
| Phase | Method |
|---|---|
| 1. Scanning | Large-scale scanning for open ADB ports |
| 2. Proxy evasion | Routes through residential proxy networks (IPIDEA) |
| 3. NAT bypass | DNS manipulation to resolve to internal addresses |
| 4. Payload delivery | Netcat or telnet piping shell scripts |
| 5. Persistence | Embedded in device firmware |
Targeted ports
| Port | Service |
|---|---|
| 5555 | Android Debug Bridge (default) |
| 5858 | ADB alternate |
| 12108 | Custom ADB |
| 3222 | Custom ADB |
DNS NAT bypass technique
Kimwolf operators discovered they could bypass RFC 1918 controls by manipulating DNS records to resolve to internal addresses:
| Address | Effect |
|---|---|
| 192.168.0.1 | Local network access |
| 0.0.0.0 | Bind to all interfaces |
This enables access to devices behind NAT firewalls that would otherwise be unreachable.
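As an added defensive example (not code from Cloudflare, XLab or this page), the following resolver-side check flags DNS answers that map an external name onto RFC 1918, loopback, link-local or 0.0.0.0 space, which is the pattern the NAT bypass above relies on. The log format, the names and the allowlist of internal suffixes are constructed assumptions.

```python
import ipaddress
import re

# Constructed resolver-log lines (format is an assumption): name queried, answer returned.
SAMPLE_LOG = """\
2025-12-19T03:14:07Z query=update.example-cdn.net answer=203.0.113.10
2025-12-19T03:14:08Z query=c.example-loader.top answer=192.168.0.1
2025-12-19T03:14:09Z query=c.example-loader.top answer=0.0.0.0
2025-12-19T03:14:10Z query=router.home.arpa answer=192.168.1.1
"""

LINE_RE = re.compile(r"query=(?P<name>\S+) answer=(?P<addr>\S+)")

# Address space an external name should never resolve to: the RFC 1918 private
# ranges plus the "this network" (0.0.0.0/8), loopback and link-local blocks.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
)]

# Names that legitimately resolve to internal space (allowlist; an assumption).
INTERNAL_SUFFIXES = (".home.arpa", ".internal")


def is_rebind_answer(name, addr):
    """True when an external name resolves into blocked (internal) address space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an address literal; nothing to judge
    if name.endswith(INTERNAL_SUFFIXES):
        return False
    return any(ip in net for net in BLOCKED_NETS)


def find_rebind_attempts(log_text):
    """Return (name, address) pairs from the log that look like NAT-bypass answers."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_rebind_answer(m["name"], m["addr"]):
            hits.append((m["name"], m["addr"]))
    return hits


if __name__ == "__main__":
    for name, addr in find_rebind_attempts(SAMPLE_LOG):
        print(f"rebind candidate: {name} -> {addr}")
```

The check only sees queries that reach the local resolver; the indicators table below notes DoT on port 853 to public resolvers, which carries the same lookups past it.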
Geographic distribution
Infected devices span 222 countries:
| Country | Percentage |
|---|---|
| Brazil | 14.6% |
| India | 12.7% |
| United States | 9.6% |
| Argentina | 7.2% |
| Other | 55.9% |
Technical indicators
| Indicator | Value |
|---|---|
| C2 port | 40860 |
| C2 server | 85.234.91[.]247:1337 |
| Downloader server | 93.95.112[.]59 |
| APK signature SHA1 | 182256bca46a5c02def26550a154561ec5b2b983 |
| DNS evasion | DoT on port 853 (8.8.8.8, 1.1.1.1) |
| C2 persistence | ENS domains via “EtherHiding” technique |
A script on the downloader server directly links Kimwolf (mreo31.apk) and Aisuru (meow217) binaries, confirming shared infrastructure.
Botnet-for-hire model
Cloudflare warned that chunks of Aisuru are offered by distributors as botnets-for-hire:
“Anyone can potentially inflict chaos on entire nations… all at a cost of a few hundred to a few thousand U.S. dollars.”
2025 attack statistics
| Metric | Value |
|---|---|
| Total Aisuru attacks mitigated | 2,867 |
| Hyper-volumetric incidents (Q3) | 1,304 |
| Q3 vs Q2 increase | 54% |
| 2025 vs 2024 DDoS increase | 121% |
| Total 2025 DDoS incidents | 47.1 million |
Device vulnerability
Primary targets
| Device type | Vulnerability |
|---|---|
| Cheap Android TV boxes | ADB enabled by default on port 5555 |
| Unbranded “fully loaded” devices | Often pre-infected at factory |
| Smart TVs | ADB accessible |
| Set-top boxes | Minimal security |
Why these devices?
| Factor | Impact |
|---|---|
| No security updates | Permanent vulnerability |
| Always-on connection | Continuous availability |
| High bandwidth | Capable attack traffic |
| User unawareness | Never detected or removed |
| Factory compromise | Infected before sale |
Mitigation recommendations
For organizations
| Priority | Action |
|---|---|
| Critical | Review DDoS protection capacity (30+ Tbps) |
| High | Implement BCP38/BCP84 source address validation |
| High | Work with upstream providers on scrubbing capacity |
| Ongoing | Monitor for Aisuru attack patterns |
For consumers
| Priority | Action |
|---|---|
| High | Disable ADB Debugging in Developer Options |
| High | Avoid unbranded Android TV boxes |
| High | Only use Google Play Protect certified devices |
| If infected | “Wipe or destroy” per XLab researchers |
For enterprises
| Priority | Action |
|---|---|
| High | Audit Android TV and IoT devices on network |
| High | Block ports 5555, 5858, 12108, 3222 at perimeter |
| Medium | Implement IoT network segmentation |
| Ongoing | Monitor for botnet C2 traffic |
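One way to act on the port-blocking and C2-monitoring rows above, as an added example that is not Cloudflare's or XLab's tooling: a Python pass over flow records that flags inbound connections to the ADB ports and outbound contact with the indicator hosts and ports listed earlier. The flow-log format and the sample addresses are constructed; the ADB ports, C2 ports and indicator hosts come from this page's tables.

```python
import ipaddress
from collections import Counter

# Ports and hosts from the page's "Targeted ports" and "Technical indicators" tables
# (the IPs appear defanged there as 85.234.91[.]247 and 93.95.112[.]59; the page
# lists both 40860 and 1337 as C2 ports, so both are checked).
ADB_PORTS = {5555, 5858, 12108, 3222}
C2_PORTS = {40860, 1337}
INDICATOR_HOSTS = {"85.234.91.247", "93.95.112.59"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (format is an assumption): src sport dst dport proto.
SAMPLE_FLOWS = """\
10.0.5.23 51234 203.0.113.5 443 tcp
198.51.100.7 40001 10.0.5.23 5555 tcp
10.0.5.23 44010 85.234.91.247 1337 tcp
10.0.5.23 44011 93.95.112.59 80 tcp
10.0.5.41 53000 10.0.5.23 5555 tcp
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify_flow(src, dst, dport):
    """Label a flow by the Aisuru/Kimwolf pattern it matches, or None."""
    if dport in ADB_PORTS and is_internal(dst):
        # ADB reachable from outside is the botnet's entry point; internal-only
        # reachability still matters for lateral spread, so label it separately.
        return "adb-lateral" if is_internal(src) else "adb-exposed-to-internet"
    if dst in INDICATOR_HOSTS or (dport in C2_PORTS and not is_internal(dst)):
        return "c2-candidate"
    return None


def scan_flows(text):
    """Return (label, src, dst, dport) for every flow that matches a pattern."""
    findings = []
    for line in text.splitlines():
        src, _sport, dst, dport, _proto = line.split()
        label = classify_flow(src, dst, int(dport))
        if label:
            findings.append((label, src, dst, int(dport)))
    return findings


def summarize(findings):
    """Count findings per label, for a quick triage view."""
    return Counter(label for label, *_ in findings)


if __name__ == "__main__":
    results = scan_flows(SAMPLE_FLOWS)
    for finding in results:
        print(*finding)
    print(dict(summarize(results)))
```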
Defender capacity concerns
A 3x jump in peak DDoS bandwidth means many scrubbing services may be undersized:
| Consideration | Action |
|---|---|
| Current capacity | Verify provider can handle 30+ Tbps |
| Contract terms | Review burst capacity allowances |
| Failover | Ensure multi-provider redundancy |
| Response time | Test alerting and escalation |
Context
The continued growth of IoT botnets like Aisuru/Kimwolf demonstrates that the consumer electronics supply chain remains a significant security liability.
Root causes
| Issue | Impact |
|---|---|
| Insecure defaults | ADB enabled out of box |
| No update mechanism | Permanent vulnerability |
| Race-to-the-bottom pricing | Security not prioritized |
| Factory compromise | Pre-installed malware |
| Consumer awareness | Users don’t know devices are infected |
Until device manufacturers ship products with secure defaults (ADB disabled, authentication required, automatic updates enabled), the botnet arms race will continue to escalate. The attack that was record-breaking in 2025 will be baseline in 2027.
Cloudflare’s automated response
Despite the scale of these hyper-volumetric attacks, Cloudflare reports they were detected and mitigated automatically without triggering internal alerts. This suggests well-architected DDoS protection can handle even record-breaking attacks, but organizations without comparable infrastructure remain vulnerable.
Regional infection distribution (detailed)
| Country | Percentage | Estimated devices |
|---|---|---|
| Brazil | 14.6% | ~510,000 |
| India | 12.7% | ~445,000 |
| Vietnam | Significant | ~300,000+ |
| United States | 9.6% | ~336,000 |
| Argentina | 7.2% | ~252,000 |
| Saudi Arabia | Significant | ~200,000+ |
| Other (217 countries) | 55.9% | ~1.96 million |
The global distribution across 222 countries makes attribution and takedown efforts extremely challenging.
Supply chain responsibility
The Aisuru/Kimwolf situation highlights failures across the device supply chain:
| Actor | Failure |
|---|---|
| Manufacturers | Ship devices with ADB enabled by default |
| Retailers | Sell unbranded “fully loaded” devices |
| Consumers | Unaware of security implications |
| ISPs | Don’t detect or notify infected customers |
| Platform operators | Google can’t enforce security on non-certified devices |
Until multiple parties in this chain take responsibility, botnet recruitment from consumer IoT will continue to accelerate.