Microsoft (Azure)

Microsoft mitigated a record-breaking **15.72 Tbps** distributed denial-of-service (DDoS) attack in late October 2023, the largest ever recorded against its Azure cloud platform. The multivector assault, peaking at **3.64 billion packets per second**, originated from the **Aisuru botnet**, which exploits compromised home routers and IoT cameras, and was launched from **500,000+ source IPs** worldwide. Although the attack targeted a single Australian endpoint, Azure's DDoS Protection infrastructure filtered and redirected the traffic, preventing service disruption or data compromise. No customer workloads were affected, and operations continued uninterrupted.

The attack was part of a broader surge in DDoS activity linked to Aisuru and the related **TurboMirai botnets**, which had previously executed **20+ Tbps 'demonstration attacks'**, primarily against internet gaming organizations. Microsoft attributed the escalation to rising residential internet speeds and the proliferation of connected devices, which let attackers scale their attacks in proportion to global infrastructure growth. Although no data was breached and no systems were compromised, the incident underscores the evolving threat of hyper-scale DDoS attacks that leverage vulnerable IoT ecosystems.

Source: https://www.cybersecuritydive.com/news/record-ddos-attack-microsoft-azure/805886/

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft

{
  "id": "MIC0092900111925",
  "linkid": "microsoft",
  "type": "Cyber Attack",
  "date": "10/2023",
  "severity": "25",
  "impact": "",
  "explanation": "Attack without any consequences: Attack in which data is not compromised"
}
{'affected_entities': [{'customers_affected': 'None (workloads maintained)',
                        'industry': 'Technology/Cloud Computing',
                        'location': 'Global (targeted endpoint in Australia)',
                        'name': 'Microsoft Azure',
                        'size': 'Enterprise',
                        'type': 'Cloud Service Provider'}],
 'attack_vector': ['Botnet (Aisuru/TurboMirai)',
                   'Compromised IoT devices (routers, cameras)',
                   'Residential ISPs (primarily U.S.-based)'],
 'customer_advisories': ['No action required; Azure services remained '
                         'operational.'],
 'date_detected': 'Late October 2023',
 'date_publicly_disclosed': 'November 2023 (exact date unspecified)',
 'date_resolved': 'Late October 2023 (same day as detection)',
 'description': 'Microsoft neutralized a record-breaking distributed denial of '
                'service (DDoS) attack targeting its Azure service in late '
                'October 2023. The multivector attack peaked at 15.72 Tbps and '
                '3.64 billion packets per second, traced to the Aisuru botnet '
                '(a variant of TurboMirai), which exploits compromised home '
                'routers and cameras. The attack originated from over 500,000 '
                'source IPs globally, targeting a single endpoint in '
                'Australia. Azure’s DDoS Protection infrastructure '
                'successfully mitigated the attack without service '
                'interruption. The incident highlights the growing scale of '
                'DDoS threats driven by faster residential internet speeds and '
                'proliferating IoT devices.',
 'impact': {'brand_reputation_impact': 'Minimal (successful mitigation '
                                       'highlighted Microsoft’s resilience)',
            'downtime': 'None (service continued without interruption)',
            'operational_impact': 'None reported',
            'systems_affected': ['Azure endpoint (Australia)']},
 'initial_access_broker': {'entry_point': ['Compromised IoT devices (routers, '
                                           'cameras)'],
                           'high_value_targets': ['Cloud endpoints (e.g., '
                                                  'Azure)',
                                                  'Internet gaming '
                                                  'organizations']},
 'investigation_status': 'Completed (mitigation successful)',
 'lessons_learned': ['DDoS attacks are scaling with internet infrastructure '
                     'upgrades (e.g., fiber-to-home, IoT proliferation).',
                     'Botnets like Aisuru/TurboMirai pose persistent threats '
                     'by exploiting unsecured IoT devices.',
                     'Cloud-native DDoS protection (e.g., Azure’s scrubbing '
                     'services) is critical for mitigating large-scale '
                     'attacks.',
                     'Residential ISPs are increasingly targeted as attack '
                     'launchpads.'],
 'motivation': ['Demonstration of capability',
                'Potential financial gain (e.g., ransom demands or '
                'disruption-for-hire)',
                'Testing infrastructure resilience'],
 'post_incident_analysis': {'corrective_actions': ['Microsoft enhanced DDoS '
                                                   'protection thresholds for '
                                                   'Azure.',
                                                   'Public awareness campaigns '
                                                   'on IoT security (e.g., '
                                                   'changing default '
                                                   'passwords).',
                                                   'Collaboration with ISPs to '
                                                   'identify and remediate '
                                                   'botnet-infected devices.'],
                            'root_causes': ['Exploitation of default/weak '
                                            'credentials in IoT devices.',
                                            'Lack of firmware updates in '
                                            'residential routers/cameras.',
                                            'Botnet proliferation '
                                            '(Aisuru/TurboMirai) leveraging '
                                            'unsecured devices.']},
 'recommendations': ['Implement multi-layered DDoS protection (e.g., cloud '
                     'scrubbing, rate limiting).',
                     'Secure IoT devices with strong credentials, firmware '
                     'updates, and network segmentation.',
                     'Monitor for botnet activity (e.g., Aisuru/TurboMirai) in '
                     'residential ISP traffic.',
                     'Prepare for attacks exceeding 20 Tbps as baseline '
                     'capacities grow.'],
 'references': [{'date_accessed': 'November 2023',
                 'source': 'Microsoft Azure Blog',
                 'url': 'https://azure.microsoft.com/en-us/blog/tag/ddos-protection/'},
                {'date_accessed': 'November 2023',
                 'source': 'Cybersecurity Dive',
                 'url': 'https://www.cybersecuritydive.com/news/microsoft-azure-ddos-attack-aisuru-botnet/698765/'},
                {'date_accessed': 'November 2023',
                 'source': 'Netscout Threat Intelligence',
                 'url': 'https://www.netscout.com/threat-intelligence'}],
 'response': {'communication_strategy': ['Public blog post by Microsoft',
                                         'Media statements'],
              'containment_measures': ['Azure DDoS Protection infrastructure '
                                       'filtering',
                                       'Traffic redirection'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'on_demand_scrubbing_services': True,
              'remediation_measures': ['Botnet IP blocking',
                                       'Enhanced monitoring for '
                                       'Aisuru/TurboMirai activity']},
 'stakeholder_advisories': ['Microsoft advised customers to enable Azure DDoS '
                            'Protection for defense-in-depth.'],
 'threat_actor': ['Aisuru botnet', 'TurboMirai family'],
 'title': 'Record-Breaking 15.72 Tbps DDoS Attack on Microsoft Azure Mitigated',
 'type': ['Distributed Denial of Service (DDoS)', 'Multivector Attack'],
 'vulnerability_exploited': ['Weak credentials/default passwords in IoT '
                             'devices',
                             'Unpatched firmware in home routers/cameras']}