A surge of traffic unprecedented to the public internet occurred in November 2025 for thirty five seconds. The acceleration was immediate and absolute, peaking at 31.4 terabits per second before dissipating nearly as quickly as it formed. As the result of the AISURU botnet, also known as Kimwolf, the event demonstrated the use of distributed infrastructure to achieve extreme bandwidth saturation over a short period of time.
Cloudflare has released findings indicating that the incident was the largest distributed denial of service attack disclosed to date as well as contributing to an overall rise in hyper volumetric HTTP DDoS activity observed during the year 2025. In contrast to being an isolated outlier, the November spike is associated with a sustained upward trend in both the scale and operational speed of large-scale DDoS campaigns.
Throughout the year, Cloudflare's telemetry indicated significant increases in attack frequency and intensity, culminating in a sharp increase in hypervolumetric incidents during the fourth quarter. There has been an increase in observed attack sizes by more than 700 percent since late 2024, reflecting a significant change in bandwidth resources and orchestration techniques available to contemporary botnet operators as compared to late 2024.
31.4 Tbps burst was attributed to AISURU Kimwolf infrastructure, which researchers have linked with multiple coordinated campaigns in 2025.
Automated traffic analysis and inline filtering systems helped spot and mitigate the November event, proving how relying on them is becoming more important to combat high speed volumetric floods.
This botnet was also involved in the operation that began on December 19, which has been referred to as The Night Before Christmas.
At the peak of that campaign, attack volumes were measured at approximately 3 billion packets per second, 4 Tbps of throughput, and 54 million HTTP requests per second.
The peak rates were 9 billion packets a second, 24 Tbps, and 205 million requests a second, which shows simultaneous exploitation of application and network layer vectors. These year-end metrics help you understand the operational environment that inspired these campaigns.
According to Cloudflare, DDoS activity increased by 121 percent during 2025, with defensive systems mitigating an average of 5,376 attacks per hour. The number of aggregated attacks exceeded 47.1 million, more than doubling that of the previous year.
It is estimated that 34.4 million network layer attacks took place in the fourth quarter, an increase from 11.4 million in 2024.
These attacks accounted for 78 percent of all DDoS activity. During the last quarter, DDoS incidents increased 31 percent, while year over year, they increased by 58 percent, suggesting a sustained expansion instead of episodic surges.
A distinctive component of that growth curve was hyper volumetric attacks. In the fourth quarter alone, 1,824 such incidents were recorded, as compared to 1,304 recorded in the previous quarter and 717 during the first quarter. As a result, attack volumes increased severalfold within a single annual cycle, and not only the frequency of attacks has increased, but the amplitude has also increased notably.
Combined, the data indicates that the threat landscape has been enhanced by compressed attack windows, increased packet rates, and unprecedented throughput levels, which reinforces concerns that record-breaking DDoS capacity is becoming an iterative benchmark rather than an exceptional event.
It was a calculated extension of the same operational doctrine in the December campaign, known as The Night Before Christmas.
As of December 19, 2025, Cloudflare's infrastructure and downstream customers have been subjected to sustained hypervolumetric traffic directed by the botnet, which blends record scale Layer 4 floods with HTTP surges exceeding 200 million requests per second at the application layer.
In September 2025, this operation exceeded the botnet's own previous benchmark of 29.7 Tbps, which marked a significant increase in bandwidth deployment and request augmentation.
Upon examining the campaign, investigators determined that millions of unofficial streaming boxes were conscripted into the campaign, which generated packets and requests rarely seen at such a high rate.
At its apex, 31.4 Tbps, the attack reached a magnitude that would have exceeded several major providers' publicly disclosed mitigation ceilings.
In purely theoretical terms, Akamai Prolexic's capacity of 20 Tbps, Netscout Arbor Cloud's capacity of 15 Tbps, and Imperva's capacity of 13 Tbps would have reached bandwidth utilization levels exceeding 150 to 240 percent under equivalent load based on stated capacities.
However, this comparison highlights the structural stress such volumes impose on conventional scrubbing architectures when comparing distributed absorption and traffic engineering strategies with real world resilience.
In contrast to a single monolithic flood, telemetry from this campaign revealed a pattern of distributed, highly coordinated bursts.
Thousands of discrete attack waves exhibited consistent scaling characteristics, each exhibiting a similar pattern. Ninety-three percent of events reached peak rates between one and five Tbps, while 5.5 percent reached peak rates between five and ten Tbps. There was only a fractional 0.1 percent of events exceeding 30 Tbps, demonstrating that the headline-breaking spike was not only rare, but deliberate from a statistical perspective.
According to packet rate analysis, 94.5 percent of attacks generated packets between one and five billion per second, while 4 percent peaked at five to ten billion, and 1.5 percent reached ten to fifteen billion packets per second. A number of attack waves were engineered as concentrated bursts rather than prolonged sieges, highlighting the tactical refinement of the operation.
There were 9.7 percent of attacks lasting less than 30 seconds, 27.1% lasting between 30 and 60 seconds, and 57.2% lasting 60 to 120 seconds. Only 6% exceeded the two-minute mark, suggesting a focus on high intensity volleys designed to strain defensive thresholds before adaptive mitigation can fully adjust.
In hyper volumetric incidents, 42.5 percent of incidents were targeted against gaming organizations, while 15.3 percent were targeting IT and services organizations. This distribution indicates that it is aimed at industries with high latency sensitives and infrastructure-dependent infrastructures where even brief disruptions can have a substantial impact on operational and financial performance.
In the wake of the December offensive, a botnet has gradually evolved into one of the most significant distributed denial of service threats observed over the past few years. Through the compromise of consumer grade devices, the Aisuru operation, which split into an Android-focused Kimwolf variant in August 2025, expanded aggressively.
According to Synthient, Kimwolf infected more than two million unofficial Android TVs, making them into a global attack grid. They built layered command and control architectures using residential proxy networks to make origin infrastructure look bad and make takedown harder.
Botnet activity captured the attention of the public after it briefly pushed its own domain activity to the top of Cloudflare's global rankings, an outcome achieved as a consequence of artificial traffic amplification rather than organic traffic. Disruption efforts are ongoing.
Black Lotus Labs, a division of Lumen Technologies, began counter-operations in early October 2025, disrupting traffic to more than 550 command and control servers connected to Kimwolf and Aisuru.
Although the network displayed adaptive resilience, the endpoints were rapidly migrating to newly provisioned hosts, frequently using IP address space associated with Resi Rack LLC and recurring autonomous system numbers to reconstitute its control plane, and reconfiguring its control plane in a timely manner. This infrastructure rotation illustrates a trend in botnet engineering which emphasizes redundancy and rapid redeployment as part of operational design rather than as a contingency measure.
An accelerating level of DDoS activity was evident across the entire internet as the record-setting events unfolded. There will be 47.1 million DDoS incidents in the year 2025, which represents a 121 percent increase over 2024 and a 236 percent increase over 2023. In the past year, automated mitigation systems processed approximately 5,376 attacks per hour, which included approximately 3,925 network level events and 1,451 HTTP layer floods.
Most of the expansion has occurred at the network layer, with network layer attacks doubling from 11.4 million incidents to 34.4 million incidents year over year. In the fourth quarter alone, 8.5 million such attacks took place, reflecting 152 percent year-over-year growth and 43 percent quarter-over-quarter increase, with network layer vectors accounting for 78 percent of all DDoS activity in that quarter.
Indicators of scale and sophistication reveal an intensifying threat model. There was a 600 percent increase in network layer attacks exceeding 100 million packets per second over the previous quarter, while those surpassing 1 Tbps increased by 65 percent. Nearly 1 percent of network layer attacks exceeded the 1 million packet per second threshold, emphasizing the increasing use of high intensity traffic bursts designed to stress routing and filtering systems.
Most HTTP DDoS activity was caused by known botnets, accounting for 71.5 percent, anomalous HTTP attributes accounted for 18.8 percent, fake or headless browser signatures accounted for 5.8 percent, and generic flood techniques accounted for 1.8%. As indicated by the duration analysis, 78.9 percent of HTTP floods ended within ten minutes, suggesting a tactical preference for high impact, compressed attack cycles.
It has been estimated that roughly three out of each hundred HTTP events qualified as hyper volumetric at the application layer while 69.4 percent of HTTP events remain below 50,000 requests per second, whereas 2.8% exceed 1 million requests per second. More than half of HTTP DDoS attempts were automatically neutralized without human intervention through Cloudflare's real-time botnet detection systems, reflecting an increased reliance on machine learning-driven mitigation frameworks.
DDoS traffic observed in the fourth quarter exhibited notable changes in source distribution. Bangladesh emerged as the largest origin, replacing Indonesia, which fell to third place. In second place, Ecuador was ranked, while Argentina rose by twenty places to become the fourth largest source. Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru also contributed significantly.
Analyzing data from autonomous systems indicates that adversaries disproportionately exploit cloud computing platforms and telecommunications infrastructure to gain an edge over their adversaries. In this report, Russia has lost five positions in the rankings, while the United States has lost four positions.
There were six cloud providers collectively represented in the top ten source networks, including DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, reflecting the misuse of rapidly deployable virtual machines to generate traffic. The remaining high volume infrastructure has been mainly provided by telecommunications carriers in Asia Pacific, primarily in Vietnam, China, Malaysia, and Taiwan.
With Cloudflare's globally distributed architecture, despite the extraordinary magnitude of the Night Before Christmas campaign, the load was contained within operational limits owing to Cloudflare's global distribution. The spike of 31.4 Tbps consumed approximately 7 percent of available bandwidth across 330 points of presence, leaving considerable residual bandwidth available for the next few months.
In this case, the attack was detected and contained autonomously, without triggering any emergency escalation protocols. This episode highlights the gap between the capabilities of adversarial traffic generators and those of smaller providers in terms of their defensive capabilities.
With volumetric ceilings on the rise and botnets adopting increasingly modular command frameworks, the sustainability of internet-facing services will depend on the availability of hyperscale mitigation infrastructure that can handle not only record-setting spikes in DDoS activity but also an accelerated baseline of global DDoS activity as it continues to grow. These events indicate a trajectory that has clear implications for enterprises, service providers, and infrastructure operators.
In a world where volumetric thresholds continue to grow and botnets continue to industrialize device compromises at scale, incremental upgrades and reactive control cannot be relied upon to maintain a defensive edge. Mitigation partners must be evaluated based on their demonstrated absorption capacity, architectural distribution, maturity in automated response, and transparency in telemetry.
Edge assets, IoT ecosystems, and cloud workloads must also be hardened in order to prevent them from becoming targets and unwitting launch platforms, as they are increasingly exploited.
In addition to indicating a structural shift in adversarial capability, the November and December campaigns serve not only as record setting anomalies. Defining resilience in this environment is less about preventing every attack and more about engineering networks that are capable of sustaining, absorbing, and recovering from traffic volumes that were once considered unimaginable.
