
Azure hit by 15 Tbps DDoS attack using 500k IP addresses

dang

Related. Others?

Cloudflare scrubs Aisuru botnet from top domains list - https://news.ycombinator.com/item?id=45857836 - Nov 2025 (34 comments)

Aisuru botnet shifts from DDoS to residential proxies - https://news.ycombinator.com/item?id=45741357 - Oct 2025 (59 comments)

DDoS Botnet Aisuru Blankets US ISPs in Record DDoS - https://news.ycombinator.com/item?id=45574393 - Oct 2025 (142 comments)

shoddydoordesk

> it suddenly ballooned in size in April 2025 after its operators breached a TotoLink router firmware update server and infected approximately 100,000 devices

This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?

I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?

nine_k

Why, OpenWRT firmware and packages are both signed, of course. You can manually and independently check the image signature before flashing an update.

The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.

This is why bit-perfect reproducible builds are so important. OpenWRT in particular has that: https://openwrt.org/docs/guide-developer/security#reproducib...

whatshisface

As always, hundreds watch the open repositories, maybe one watches a company's build servers, if they're lucky. :-)

TylerE

Hundreds watch, but how closely?

Plenty of stories of fairly major projects having evil commits snuck in that remain for months.

sam_lowry_

This is exactly why OpenWRT has no unattended updates by default )

shoddydoordesk

You are dismissing the seriousness of this. Their package manager is widely used. One would only need to compromise their build servers to wreak havoc.

Didn't they have a vulnerability in their firmware download tool like a minute ago?

The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded on to residential devices and forgotten about, it doesn't have professional sysadmins babysitting it 24/7.

Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.

jacobgkau

I'm confused why you're so honed in on OpenWRT as a third-party open-source project here when the vulnerability you quoted (TotoLink) was the official firmware update server of a brand of devices.

Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.

tempest_

I don't follow.

> run an army of security people

Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.

Botnets comprised of compromised routers are common, and commercial/consumer routers are a far juicier target than OpenWRT.

immibis

Digital signing wouldn't defend you from a compromised build server.

mbilker

What in that act says OpenWrt would be made illegal? If anything, OpenWrt would roll out automated security updates for a supported branched release to comply with these regulations.

Also, if you actually read it, there are exceptions for open source software!

majorchord

OP claims almost daily that some benign thing is actually illegal but practically never provides any useful proof when asked.

(please prove me wrong, Alex)

averageRoyalty

> This attack lasted only 40 seconds but was roughly equivalent to streaming one million 4K videos simultaneously.

Who is this for? Is there anyone reading the article that can't grasp what a terabit is but can somehow conceptualise one million 4K videos streaming simultaneously? I don't think anyone sits in that Venn diagram.

perfmode

A DDoS attack is often used to distract a company's security team. While the security staff is scrambling to get the website back online, the attackers use the chaos to conduct a more serious, stealthy attack.

mihaaly

It was interesting to read that the record breaking attack caused no glitch whatsoever in the service MS provides. Which is so slow normally that I start to wonder if that is a strategy, having headroom for these kind of situations, no-one realizes slowdown when it is already slow. ;)

This is just a crazy thought, tangential to what are happening during an attack.

supportengineer

I will never understand why there isn’t an international law enforcement agency with teeth, which can get rid of the bad actors.

Y_Y

The international organisation for stopping wars, human trafficking, money laundering, drug distribution etc. however capable they might be, haven't managed to stamp out any of those things.

I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.

halapro

> have something better than this wild west lawlessness.

Careful what you wish for. Before you know it you can't have an IP without your ID.

immibis

This is already the case in Germany and many other countries. Same for phone numbers. On the other hand, I get no spam calls, and I can't access the sites on https://cuiiliste.de/domains - censorship is amazing.

c0balt

> putative UN NetWatch

But who will suppress attempts to go beyond the blackwall then?

dingnuts


Aurornis

International DDoS busts and arrests do happen all the time.

Law enforcement takes time. The perpetrators of these attacks aren't hanging out in the open with their full names shielded only by the hope that their country won't extradite for political favor.

By the time the perpetrators are identified and a case is built, getting them charged isn't bottlenecked on the lack of an international agency. Any international law enforcement agency would be beholden to each country's own political wills and ideals, meaning any "teeth" they had would be no more effective than what we currently have for extraditing people or cooperating with foreign police organizations.

Thaxll

Because it's not technically possible. I mean, we're on HN, we all know how the internet works.

dijit

You should talk to a network engineer before making claims like this. There are mechanisms to curtail DDOS attacks at origin.

For a few reasons (political, economical) there's little will to enact them. These attacks are so few and far between, and you can pay your way out of them in most cases, so the incentives aren't there for ISPs (who are a commodity judged primarily on price and bandwidth).

m00x

How exactly would you keep the origin from sending a command to a botnet?

SirMaster

I heard it's a series of tubes.

sva_

Since this is a distributed attack, I'm not really sure what that enforcement would look like. Am I missing something? Are all these bots/zombies easily selectable and blockable?

toast0

Investigative powers should be able to at least find and seize the command and control servers, and hopefully track down people operating the command and control servers.

Some sort of international clearing house for ISPs to help identify and sequester compromised customers might be nice, too; but that doesn't need law enforcement powers; and maybe it already exists?

zipy124

Because countries benefit from conducting cyber warfare, the most publicised of which are North Korea and Russia, which have large state-sponsored hacking groups.

kachapopopow

The real reason why these are a problem in the first place is because of CGNAT and transit providers not implementing flowspec.

But these bad actors are not possible to track down in the first place, since the internet is unfortunately decentralized and things as simple as transactions submitted to the Bitcoin or Ethereum blockchain can be used as C&C.

poszlem

Perhaps because, in many cases, the very governments responsible for enforcing it include the bad actors themselves.

m00x

How would you even enforce this if the offending country doesn't agree?

dijit

Limit their upstream connection to the rest of the internet via allied countries.

Literally the same as economic sanctions. The internet is a network of peers “trading” bits and bytes after all.

m00x

This won't do anything. The attacks are not from the offending countries they're from botnets of compromised devices.

North Korea doesn't care if you limit their internet they already allow people to go outside their own.

immibis

America already limits its upstream to China and Russia through private companies such as Cloudflare and Spamhaus. It's often the case that for Chinese users seeking to escape censorship, once they've worked their way through the Chinese Great Firewall, they find themselves in front of the American one.

alpb

Funny enough, I just got an error trying to reach the blog:

        Proxy Error
        The proxy server received an invalid response from an upstream server.
        The proxy server could not handle the request
        Reason: Error reading from remote server

bluedino

IoT is just wave after wave of insecure devices. There's gotta be a better way.

rdtsc

The "S" in IoT stands for "security".

Razengan

Internet of Thingsecurity?

kachapopopow

Fun fact: part of the reason this botnet exists is because Europe required the ability to install security updates unattended that you cannot disable, and they compromised one of the servers that had the capability to push these updates, compromising hundreds of thousands of routers.

cyberpunk

That's really impressive finger pointing.

If the vendor can't even secure their update server; how long do you think it would be until some RCE on these 100k un-patchable routers gets exploited?

The only people to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...
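Both nine_k's point above (OpenWRT images and packages are signed, and you can check the image signature yourself before flashing) and cyberpunk's point here (sign the firmware, and fetch the checksums from somewhere other than the file server) come down to one pre-flash procedure. The script below is an added example written for this thread, not OpenWrt project code. It assumes four files have already been downloaded into one directory: the image, the release `sha256sums` list, its `sha256sums.sig` usign signature, and the release public key `openwrt-release.pub`, which must come from a trusted source other than the download server (that is the whole point of the separation). The hash-list format assumed is the usual `<hex> *<filename>` line layout.

```shell
#!/bin/sh
# Added example: verify an OpenWrt image before flashing.
# Not project code; file names and the key location are assumptions.
#
# Trust chain demonstrated:
#   openwrt-release.pub (obtained out of band) --usign--> sha256sums
#   sha256sums --SHA-256--> the image file itself

# Print the SHA-256 hex digest of a file (coreutils or macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Step 1: check the usign signature over the hash list.
# usign -V verifies; -p public key, -m message file, -x detached signature.
verify_hashlist_signature() {
    dir=$1
    usign -V -p "$dir/openwrt-release.pub" \
             -m "$dir/sha256sums" \
             -x "$dir/sha256sums.sig"
}

# Step 2: check the image's digest against its entry in the hash list.
# Returns 0 on match, 1 if there is no entry or the digest differs.
verify_image_hash() {
    dir=$1
    image=$2
    # Entries look like "<hex> *<filename>"; strip the binary-mode marker.
    expected=$(awk -v f="$image" \
        '{ name = $2; sub(/^\*/, "", name); if (name == f) print $1 }' \
        "$dir/sha256sums")
    if [ -z "$expected" ]; then
        echo "no entry for $image in sha256sums" >&2
        return 1
    fi
    actual=$(sha256_of "$dir/$image")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $image" >&2
        return 1
    fi
    return 0
}

# Both checks must pass before the image is handed to sysupgrade.
verify_image() {
    dir=$1
    image=$2
    verify_hashlist_signature "$dir" || return 1
    verify_image_hash "$dir" "$image"
}

# Usage: verify_image /path/to/downloads openwrt-<target>-sysupgrade.bin
# then, only on success: sysupgrade /path/to/downloads/<image>
```

A tampered hash list fails step 1 even if the attacker regenerated every digest in it, because the key it is checked against never came from the compromised server. A tampered image with an untouched hash list fails step 2. Neither step helps against the case nine_k describes, where the artifact is altered before signing; that is what reproducible builds are for.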

Razengan

Wait when was this?? Did it fly under the news??

heresie-dabord

> There's gotta be a better way.

Until then... There's gonna be a bigger wave.

Y_Y

Cui bono?

There is a big (opportunity) cost to this kind of thing. How is this worthwhile for anyone? I assume that it's not just a competitor. Is it really worth <insert evil country>'s time to temporarily upset one of the three big cloud providers? Is there a ransom behind the scenes?

kachapopopow

nope, there's really no cost to it - they've been hitting with attacks double or even triple the size towards random minecraft hosts for months now.

imglorp

> it targeted a single endpoint in Australia.

It would really help to understand why attack one endpoint with "the largest DDoS attack ever observed in the cloud". If it was important, it would be redundant in its CDN. Who paid for this attack and what did they gain?

kachapopopow

We were getting hit with attacks like this daily at some point and were forced to use Cloudflare Magic Transit. It's pretty random, and you shouldn't read too deep into it, as nearly every anti-DDoS solution, host and ISP has been hit with this botnet by now.

estearum

but why? For fun?

toast0

I used to run servers for a very popular service. I'm 99% sure people DDoSed our www for lolz and also to kick the tires on DDoS as a service vendors. We would get DDoS on a pretty regular basis, for exactly 90 seconds, +/- a few nodes that had bad clock sync and were 2 seconds off; which was exactly what you get from a free trial at DDoS as a service. I feel like we got a ransom request like once; but I can't remember if it actually corresponded to an attack, if it did, I don't think it was consequential.

Thankfully, it was almost always targeted at our www servers, which were not important for our service. Very occasionally, we'd get hit on the machines that we actually ran our service on, but between the consistent DDoS on www, and our own self-inflicted DDoS from defects in the client code we wrote for our users, our service was well prepared... if the DDoS went over line rate for the server, our hosting provider would null route it [1], but otherwise, we could manage line rate of UDP reflection or TCP SYN floods and what have you. From what I could tell, most attackers didn't retarget to our other servers when one got null routed.

[1] They did try a DDoS scrubbing service, but having our servers behind the scrubber was way worse than just null routing. Maybe the scrubbing could have been tuned, but as it was, it was better for us to just have the attacked servers lose connectivity to the public network.

kachapopopow

yep, there's no consistency to their actions - basically hit a target and keep it down for as long as possible causing heavy business loss. to my knowledge none of the target servers have ever received a ransom request.

Razengan

Maybe someone insulted an AI?

sva_

I feel like posting the traffic output of the network might not be a great idea because they might do these attacks on purpose to market their network's capability.

kachapopopow

It's an open secret at that point, and attacks far larger than that are causing congestion world-wide from the time they wake up to the time they go to sleep.

null_deref

I don’t mean to cast any doubt, but are those short articles the standard, or why was there almost no data provided?
