Azure hit by 15 Tbps DDoS attack using 500k IP addresses

2025-11-17 17:39 · 483 points · 302 comments · techcommunity.microsoft.com

On October 24, 2025, Azure DDoS Protection automatically detected and mitigated a multi-vector DDoS attack measuring 15.72 Tbps and nearly 3.64 billion packets per second (pps). This was the largest DDoS attack ever observed in the cloud, and it targeted a single endpoint in Australia.

Azure's globally distributed DDoS Protection infrastructure and continuous detection initiated mitigation without operator intervention: the malicious traffic was filtered and redirected, and customer workloads stayed available throughout.

The attack originated from the Aisuru botnet, a Turbo Mirai-class IoT botnet that has been behind a series of record-breaking DDoS attacks. It is built from compromised home routers and cameras, mostly on residential ISPs in the United States and other countries.

The attack consisted of extremely high-rate UDP floods aimed at a single public IP address, launched from over 500,000 source IPs across many regions. The UDP bursts showed minimal source spoofing and used random source ports. Because the source addresses were largely real rather than forged, traceback to the originating networks was straightforward and providers could act against the offending devices.
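The traffic profile described above, as an added example that is not part of the original article and is not Azure's detection logic: a small flow-record analyser that extracts the features the article reports (one target IP, a very high packet rate, a large number of distinct sources, random source ports, little spoofing) and turns them into a verdict. The flow records, the thresholds and the abbreviated bogon list used as a spoofing heuristic are constructed assumptions for the example.

```python
# Added example, not from the article or from Azure: characterising a UDP
# flood from flow records using the features the article reports.  Flow
# records, thresholds and the bogon list are constructed assumptions.
import ipaddress
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                 # minimal NetFlow/IPFIX-style record
    src: str
    dst: str
    proto: int              # 17 = UDP, 6 = TCP
    sport: int
    dport: int
    packets: int

# Address space that cannot legitimately reach a public endpoint: a source in
# here is spoofed (or the record is broken).  Abbreviated list, an assumption.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def looks_spoofed(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)

def entropy_bits(counter):
    """Shannon entropy of a distribution; 16 bits would be a uniform 16-bit port."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())

def profile_target(flows, window_s):
    """Aggregate per destination and return the profile of the busiest one."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f.dst].append(f)
    dst, fl = max(per_dst.items(), key=lambda kv: sum(f.packets for f in kv[1]))
    pkts = sum(f.packets for f in fl)
    udp = [f for f in fl if f.proto == 17]
    srcs = {f.src for f in udp}
    return {
        "dst": dst,
        "pps": pkts / window_s,
        "udp_share": sum(f.packets for f in udp) / pkts,
        "unique_sources": len(srcs),
        "sport_entropy_bits": entropy_bits(Counter(f.sport for f in udp)) if udp else 0.0,
        "spoofed_share": sum(looks_spoofed(s) for s in srcs) / max(len(srcs), 1),
    }

def classify(p, pps_threshold=1_000_000, min_sources=10_000):
    """Thresholds are assumptions for the example, not Azure's."""
    if p["pps"] < pps_threshold or p["udp_share"] < 0.9:
        return "no UDP flood"
    kind = "distributed" if p["unique_sources"] >= min_sources else "concentrated"
    ports = ("random source ports" if p["sport_entropy_bits"] > 12
             else "fixed source ports (reflection/amplification?)")
    spoof = ("mostly unspoofed, traceback and ISP enforcement feasible"
             if p["spoofed_share"] < 0.05 else "heavily spoofed")
    return f"{kind} UDP flood on {p['dst']}: {ports}, {spoof}"

def constructed_flows(n_sources=20_000, spoofed=False, seed=1):
    """One second of synthetic traffic: n_sources bots, random sport, UDP to one IP,
    plus a little legitimate TCP.  Addresses are made up, not observed attackers."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_sources):
        if spoofed:                                   # uniform over all of IPv4
            src = str(ipaddress.ip_address(rng.getrandbits(32)))
        else:                                         # residential-looking unicast
            src = "%d.%d.%d.%d" % (rng.choice([24, 47, 66, 73, 98]),
                                   rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        flows.append(Flow(src, "203.0.113.10", 17, rng.randrange(1024, 65536), 443,
                          rng.randrange(2_000, 4_000)))
    for i in range(200):
        flows.append(Flow("198.51.100.%d" % (i % 250 + 1), "203.0.113.10", 6, 443, 50_000 + i, 20))
    return flows

if __name__ == "__main__":
    for spoofed in (False, True):
        prof = profile_target(constructed_flows(spoofed=spoofed), window_s=1.0)
        print(f"{prof['pps'] / 1e6:.1f} Mpps, {prof['unique_sources']} sources, "
              f"sport entropy {prof['sport_entropy_bits']:.1f} bits, "
              f"spoofed {prof['spoofed_share']:.1%} -> {classify(prof)}")
```

At provider scale this would run over sampled flow telemetry rather than full records, but the features are the ones a SOC checks by hand: low source-port entropy with sources clustered on a few service ports points to reflection rather than a direct botnet flood, and a large share of sources in unroutable space means traceback to ISPs is pointless, while the near-zero spoofing reported here is exactly what makes provider enforcement possible.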

Attackers are scaling with the internet itself. As fiber-to-the-home speeds rise and IoT devices get more powerful, the baseline for attack size keeps climbing.

With the holiday season approaching, confirm that every internet-facing application and workload is adequately protected against DDoS attacks. Do not wait for a real attack to find out whether your defences and operational runbooks work: run regular simulations so that gaps are found and fixed in advance.

Learn more about Azure DDoS Protection at Azure DDoS Protection Overview | Microsoft Learn


Comments

  • By haunter, 2025-11-17 22:00 (26 replies)

    This is what I don't get

    >The Aisuru DDoS botnet operates as a DDoS-for-hire service with restricted clientele; operators have reportedly implemented preventive measures to avoid attacking governmental, law enforcement, military, and other national security properties. Most observed Aisuru attacks to date appear to be related to online gaming.

    https://www.netscout.com/blog/asert/asert-threat-summary-ais...

    So why? Like why would someone pay to take a game down? I see this all over reddit with different games but I just don't get the point. What's the benefit of taking down an online game for a couple of hours.

    • By denkmoon, 2025-11-17 22:08 (7 replies)

      Mad salt. Imagine a fully grown man having a toddler tantrum. "If I can't play/win/get my way, nobody can" type mentality. It's also a method of coercion. Give me mod status or I'll DDOS your server and destroy your community.

      The other half comes from server operators DDoSing their competition. There is a lot of money to be made from paid cosmetics, ranks, moderator (demi-tyrant) status, etc on custom servers.

      • By redwall_hp, 2025-11-18 1:17 (1 reply)

        "Game servers" also doesn't just mean Timmy's Minecraft server. It's big commercial games.

        Final Fantasy XIV keeps getting hammered, likely Aisuru, off and on since at least September.

        https://na.finalfantasyxiv.com/lodestone/news/detail/6b56814...

      • By alickz, 2025-11-18 0:53 (3 replies)

        >There is a lot of money to be made from paid cosmetics, ranks, moderator (demi-tyrant) status, etc on custom servers.

        Anyone have any idea how much a 15 Tbps DDoS attack would cost?

        Thousands of dollars? Tens of thousands?

        • By hansvm, 2025-11-18 1:06 (1 reply)

          Ballpark math says you could sustain it for half an hour on Hetzner for $5k-$6k (only from 1500 IPs though), at least if your account didn't get banned first and you're halfway decent at network programming. I have no idea what a proper botnet like this costs though or how large the profit margins are.

          • By anamexis, 2025-11-18 2:01 (2 replies)

            Isn't the idea behind botnets that no one is paying for the bandwidth, besides the unsuspecting random people who have fallen victim to malware?

            I'd imagine the pricing is quite disconnected from the price of "legitimate" bandwidth. But I don't know in what direction.

            • By ocdtrekkie, 2025-11-18 2:32

              Yeah I assume there's the initial startup cost of successfully managing to infect a large network of devices, and then the cost for any given use is likely "what customers will pay for it". If they are selecting out big money targets and focusing on gaming, I'm guessing the price isn't that high, but they also presumably know interesting a state actor in taking them down either by changing targets or bringing in enough money is bad for business.

            • By lukan, 2025-11-18 8:16 (1 reply)

              The idea is, the botnets are in control of someone else. Who "owns" them. And some of those will rent "their property" for money, like they would legitimately own them.

              • By anamexis, 2025-11-18 13:00 (2 replies)

                Ok, but that doesn’t change the fact that the price of renting them is completely disconnected from the price of bandwidth.

                • By lukan, 2025-11-18 13:15 (1 reply)

                  Depends. The more the owners use their bots, or let others use their botnets, the more attention there is to them and the less useful the botnet is (either blacklisted IPs or owners noticing).

                  And a little bit of malicious bandwidth is easy to hide, a lot not. So there is a price to bandwidth for the criminal owner.

                  • By anamexis, 2025-11-18 14:11

                    Sure, but there’s still no link between what the botnet operator charges and what ISPs charge for bandwidth, that’s the point I’m trying to make.

                    Because the botnet operator is not paying for the bandwidth, directly or indirectly.

                • By pixel_popping, 2025-11-18 13:35

                  It's not, exactly; it depends on the provider. Some services seem to display a cap on bandwidth usage.

        • By weq, 2025-11-18 5:21 (1 reply)

          back in '98 i got a 100mb per download limit for $100 on my cable connection. i recall getting DoS'd by someone cause i was a lpb bastard in quake tf. They were kind though, only DoS'd me 90mb as a warning.... Years later, TF2 is getting DoS'd into oblivion, and extorted by DDoS for hire. Some things change, some things stay the same.

          • By SJC_Hacker, 2025-11-18 15:58 (1 reply)

            I'm old enough to remember this site called kuro5hin, and how it folded a bit after it got DoS'd to death around 2000

            • By fsckboy, 2025-11-22 5:32

              for those not old enough to remember, that's pronounced "corrosion"

        • By asciii, 2025-11-18 0:58

          I'm wagering something cheap for individual with a lot of bitcoin or crypto laying around

      • By brunoarueira, 2025-11-18 9:51

        In my childhood I had a colleague who, when he lost a match against me or my brother, got mad and threw the joystick on the ground.

      • By baxtr, 2025-11-18 2:02

        Games continue beyond the Games themselves...

      • By duxup, 2025-11-19 0:44

        When I moderated a busy gaming forum long ago my most horrifying discovery was how many users I thought were children ... were very much "adults" by age.

      • By sabatonfan, 2025-11-18 0:58 (1 reply)

        What you are saying fits perfectly well in minecraft communities.

        Are you mentioning the minecraft community by your message, or any other gaming communities too?

      • By JTbane, 2025-11-18 16:07

        Also just peacocking, being that skid on the forums that took down PlayStation on Christmas will get you cred.

    • By Onawa, 2025-11-17 22:12

      It depends on the game, but for those with some kind of marketplace or transferable currency, I'm guessing market manipulation is one possible reason.

      For other games, maybe trying to interrupt some time limited event or tournament. Going all the way down the rabbit hole, if you're not already familiar take a look at how crazy things get in a game like EVE: Online.

      Then of course there are the bored trolls and/or people who feel wronged by the game's developers or other players.

    • By arkh, 2025-11-18 8:27 (2 replies)

      > What's the benefit of taking down an online game for a couple of hours.

      Competitive MMO. Imagine some event is setup to start at some time and your guild or alliance knows they're gonna lose it and the resource it gives: DDOS the server so it's down during the event so it does not run. Enjoy the fact you kept the asset linked to said event and sell the resources you get for real money.

      If you've never played those kind of games you cannot fathom how cutthroat they can become. I'm part of a guild which has a specific intelligence branch with spies embedded in many other guilds and that's playing nice because we're not selling anything.

      • By razakel, 2025-11-18 9:15 (1 reply)

        EVE Online had to put their foot down when people were talking about what could easily be considered terrorism.

        • By littlestymaar, 2025-11-18 10:27 (1 reply)

          Please tell us more, I need to hear the story!

          • By razakel, 2025-11-18 11:58

            The story goes that they were talking about figuring out where someone lived and cutting the power to their house so their ship would be defenceless.

            You might be taking a game a bit too seriously if the FBI show up to have a chat.

      • By Shocka1, 2025-11-19 17:10

        My online gaming days are basically non-existent the last decade, but seeing stuff like this makes me want to make my comeback. The funny and bizarre stories I have from WoW...

    • By manquer, 2025-11-17 22:09

      Probably it has to do with all the gambling sites associated with gaming not the games itself.

      Taking a competitor offline for a few hours is a lot of money in a market business I expect.

      there seems to be a lot of weird stuff going on with gaming casinos, the recent CoffeeZilla episode comes to mind, so I wouldn't be surprised if botnets are used

    • By iknowstuff, 2025-11-17 22:10 (1 reply)

      They get banned for trolling, griefing, cheating, breaking rules etc. and want revenge. Every game operator has to deal with idiots like this

    • By bstsb, 2025-11-17 22:12 (1 reply)

      the ddos market has been somewhat centered around gaming for a while now, mainly to take down game server competition, or as an attempt to sell big players on "ddos protection" services.

      well, gaming and Krebs's blog: https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with...

    • By c420, 2025-11-17 23:28

      I'm surprised no one has mentioned duping. Selling items and currency for real world money is big bucks and IME, server crashes reliably enable duping exploits.

      Not saying that's the case in this particular incident though.

    • By wnevets, 2025-11-18 4:23

      > So why? Like why would someone pay to take a game down?

      esports gambling and winning tournaments is big business.

      > During the Fortnite Championship Series finals, a pair of pro players may have utilized denial of service attacks to disadvantage contesters [1]

      [1] https://fortnitetracker.com/article/1087/ddos-scandal-from-c...

    • By Levitating, 2025-11-17 23:23

      The results are very public, it's the same way IRC is often targeted. They're easy targets, thousands of users are affected and the results are immediately noticeable.

    • By ZeWaka, 2025-11-17 23:43

      A game I work with got hit by ~10Tbps earlier this year. It's likely because someone got mad they were banned.

    • By neilv, 2025-11-18 0:22 (1 reply)

      A satisfying theory for a lot of DDoS would be extortion or protection rackets. Pay up or we will DDoS you, or pay up or 'someone else' will DDoS you.

      That's enough to explain it. But if you wanted to go more full shadowy conspiracy theory, someone arranged for a protection service that just so happens to work by giving some entity cleartext surveillance over much of the internet. Perhaps as a response to HTTPS everywhere being annoying.

      I'm not suggesting that's the situation, but that it's the kind of possibility to keep in mind, intellectually, and it would be consistent with history.

      • By DANmode, 2025-11-19 5:45

        I like the “some entity” bit.

    • By ddtaylor, 2025-11-17 22:52

      > So why? Like why would someone pay to take a game down? I see this all over reddit with different games but I just don't get the point. What's the benefit of taking down an online game for a couple of hours.

      Most of the time crime groups are running extortion campaigns, amplification campaigns, etc. For example, if a competitor can benefit from them being down you may be able to sell that. Eventually we will probably see the invention of crowd-funded ransomware, where everyone must submit one verification can of crypto to unlock the hacked game servers.

    • By Hnrobert42, 2025-11-17 23:01 (1 reply)

      Extortion. You got a nice little game server there. Would be a shame if anything happened to it.

      • By diath, 2025-11-18 4:55

        I'm not sure why you're being downvoted, this is literally what keeps happening to me. I run a couple private MMO servers, I regularly get hit with DDoS attacks and clowns like this guy DMing me to demand money to stop attacking my servers:

        https://abyss.diath.net/img/20251118055501688.png

    • By andrecarini, 2025-11-18 20:06

      You have a Minecraft server. You generate money from it (selling VIP packages, et cetera). You could generate more money if you had more players. You can have more players if you consistently DDoS other more popular servers; the experience for these players will be horrible and they might give your server a chance.

    • By vl, 2025-11-17 23:30 (4 replies)

      What is even more interesting why attack Azure? It's not possible to extort anything from Microsoft, so what's the rationale?

      • By baby_souffle, 2025-11-17 23:38

        Misdirection. If I knock _you_ offline, it's not going to be that difficult for you to put together a probable suspects list with me on it.

        If it's going to cost me about the same in terms of resources to target you and a bunch of other people colocated with you, it's a bit less obvious who launched it and why.

      • By RajT88, 2025-11-18 1:00

        > targeting a specific public IP address

        They weren't targeting Azure itself, per se, but some service which was hosted on Azure.

        The IP address in question wasn't mentioned, so we're left to speculate what this was about.

        • By adventured, 2025-11-18 4:23 (1 reply)

          It's the exact opposite of extortion. They're thrilled to spend money to buy political favor whenever possible. It's not even a drop in the bucket.

          "Boeing, Microsoft and Amazon among big donors to Biden’s inauguration"

          https://www.seattletimes.com/seattle-news/politics/boeing-mi...

          • By SJC_Hacker, 2025-11-18 16:10

            > They're thrilled to spend money to buy political favor whenever possible.

            "Pay up or you'll have problems with the FCC/DOJ/etc."

            Not saying its unique to this admin

      • By fortran77, 2025-11-18 1:16

        Microsoft has succumbed to extortion recently.

    • By vintermann, 2025-11-18 13:28

      It may be for market manipulation. It may be extortion against the owning company. It may even be to take down a rival online game for a while.

      I don't expect the big publisher games like PUBG to attack each other with DDoS attacks, but casino games? Or even sleazy Minecraft servers? I can totally see it.

    • By giancarlostoro, 2025-11-17 23:18

      Uh I used to get DDoSed by “booter” services whenever I would login to one of my Skype accounts. The script kiddie scene is that petty. In the private server scene one guy would DDoS competing servers that way everyone would funnel to his own.

      It's just toxic behavior.

    • By dahcryn, 2025-11-18 9:59

      Speculation online as to the why in this case: it's pure advertisement of their capabilities.

    • By hobs, 2025-11-17 22:18

      Most of the time it's just blackmail/extortion - pay us or we do the thing.

    • By wnevets, 2025-11-18 4:21

      > So why? Like why would someone pay to take a game down?

      esports gambling is big business

    • By jay_kyburz, 2025-11-17 23:34

      I've always imagined somebody will get pissed-off at me one day for banning them for bad behavior, or because I said something wrong online.

    • By Andrex, 2025-11-18 1:23

      Gamers, am I right?

    • By mattwad, 2025-11-18 1:52

      competitors might want to drive users to move away if they think a platform is broken

    • By zaphirplane, 2025-11-17 22:17

      Depends on How much does it cost to hire it

    • By begueradj, 2025-11-18 19:12

      You are questioning the human nature.

  • By dang, 2025-11-17 18:45

    Related. Others?

    Cloudflare scrubs Aisuru botnet from top domains list - https://news.ycombinator.com/item?id=45857836 - Nov 2025 (34 comments)

    Aisuru botnet shifts from DDoS to residential proxies - https://news.ycombinator.com/item?id=45741357 - Oct 2025 (59 comments)

    DDoS Botnet Aisuru Blankets US ISPs in Record DDoS - https://news.ycombinator.com/item?id=45574393 - Oct 2025 (142 comments)

  • By shoddydoordesk, 2025-11-17 19:23 (7 replies)

    > it suddenly ballooned in size in April 2025 after its operators breached a TotoLink router firmware update server and infected approximately 100,000 devices

    This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?

    I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?

    • By nine_k, 2025-11-17 19:52 (3 replies)

      Why, OpenWRT firmware and packages are both signed, of course. You can manually and independently check the image signature before flashing an update.

      The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.

      This is why bit-perfect reproducible builds are so important. OpenWRT in particular have that: https://openwrt.org/docs/guide-developer/security#reproducib...
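Since the thread turns on checking the image signature before flashing, here is an added example (the editor's own code, not OpenWrt's and not from any commenter) of the check that `usign -V -m sha256sums -p <key>` or `signify -V -p <key> -m sha256sums` performs on a release: the detached signify/usign signature over the sha256sums file is verified against the trusted public key (matching the 8-byte key id first), and only then is the image's SHA-256 compared with its line in that file. Ed25519 is reimplemented in the textbook reference form so the block runs stand-alone; in practice you would use usign or signify, not this code. The keys, the key id, the image bytes and the file name are constructed.

```python
# Added example, not code from the thread or from OpenWrt: checks a
# signify/usign-style detached signature on sha256sums, then the image hash.
# Keys, keynum and image bytes are constructed; Ed25519 is the textbook reference form.
import base64
import hashlib

Q = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point
D = -121665 * pow(121666, Q - 2, Q) % Q               # curve constant d
I = pow(2, (Q - 1) // 4, Q)                           # sqrt(-1) mod Q

def _inv(x): return pow(x, Q - 2, Q)
def _hint(m): return int.from_bytes(hashlib.sha512(m).digest(), "little")
def _clamp(h): return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254)
def _enc(p): return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _xrecover(y):                                     # even x with x^2 = (y^2-1)/(d*y^2+1)
    xx = (y * y - 1) * _inv(D * y * y + 1) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return Q - x if x & 1 else x

def _dec(s):                                          # decode a point, rejecting off-curve input
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != s[31] >> 7:
        x = Q - x
    if (y * y - x * x - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return x, y

def _add(p, r):                                       # twisted Edwards addition
    (x1, y1), (x2, y2) = p, r
    t = D * x1 * x2 * y1 * y2 % Q
    return ((x1 * y2 + x2 * y1) * _inv(1 + t) % Q, (y1 * y2 + x1 * x2) * _inv(1 - t) % Q)

def _mul(p, e):                                       # double-and-add scalar multiplication
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p, e = _add(p, p), e >> 1
    return r

_B = (_xrecover(4 * _inv(5) % Q), 4 * _inv(5) % Q)    # base point

def ed25519_public(seed): return _enc(_mul(_B, _clamp(hashlib.sha512(seed).digest())))

def ed25519_sign(seed, m):
    h, pk = hashlib.sha512(seed).digest(), ed25519_public(seed)
    r = _hint(h[32:] + m)
    R = _enc(_mul(_B, r))
    return R + ((r + _hint(R + pk + m) * _clamp(h)) % L).to_bytes(32, "little")

def ed25519_verify(sig, m, pk):
    s = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or len(pk) != 32 or s >= L:
        return False
    try:
        R, A = _dec(sig[:32]), _dec(pk)
    except ValueError:
        return False
    return _mul(_B, s) == _add(R, _mul(A, _hint(sig[:32] + pk + m)))

# signify/usign files: one "untrusted comment:" line, then base64("Ed" + 8-byte keynum + payload)
def signify_parse(text):
    raw = base64.b64decode(text.splitlines()[-1])
    if raw[:2] != b"Ed":
        raise ValueError("unsupported algorithm tag")
    return raw[2:10], raw[10:]

def signify_sign(seed, keynum, message):              # what `usign -S` / `signify -S` produce
    pk, sig = ed25519_public(seed), ed25519_sign(seed, message)
    pub = "untrusted comment: constructed example key\n%s\n" % base64.b64encode(b"Ed" + keynum + pk).decode()
    sg = "untrusted comment: signed by key %s\n%s\n" % (keynum.hex(), base64.b64encode(b"Ed" + keynum + sig).decode())
    return pub, sg

def signify_verify(pub_text, sig_text, message):      # what `usign -V -m sha256sums -p key` checks
    knum, pk = signify_parse(pub_text)
    snum, sig = signify_parse(sig_text)
    if knum != snum:
        raise ValueError("signature was made with a key other than the trusted one")
    return ed25519_verify(sig, message, pk)

def verify_firmware(pub_text, sig_text, sums_text, image_name, image):
    """Accept the image only if sha256sums is authentic and lists this image's digest."""
    if not signify_verify(pub_text, sig_text, sums_text.encode()):
        return False
    for line in sums_text.splitlines():
        digest, name = line.split(None, 1)
        if name.lstrip("*") == image_name:
            return hashlib.sha256(image).hexdigest() == digest.lower()
    return False

# constructed release: one image plus its sha256sums line in sha256sum's "digest *file" form
IMAGE = b"\x27\x05\x19\x56constructed firmware image, not a real build"
IMAGE_NAME = "openwrt-example-sysupgrade.bin"
SHA256SUMS = "%s *%s\n" % (hashlib.sha256(IMAGE).hexdigest(), IMAGE_NAME)
KEYNUM = bytes.fromhex("0011223344556677")            # arbitrary 8-byte key id, not OpenWrt's
```

Two things the sequence makes explicit. The hash alone proves nothing, because whoever can replace the image on a mirror can replace sha256sums too, so the signature over sha256sums has to pass before the digest is even looked at. And the key id check is only a lookup aid: the trust lives in the public key you obtained out of band (on an OpenWrt device, the keys under /etc/opkg/keys), not in the comment line or the key id embedded in the files you just downloaded.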

      • By contravariant, 2025-11-17 23:55 (2 replies)

        This exchange is somewhat hilarious. Oh how on earth do we keep things safe and secure if everyone can see the code and verify what it does! Who would keep us safe if we turn our backs to unverifiable, unvetted, unprofitable security fixes, by for-profit companies!

        • By teitoklien, 2025-11-18 12:19

          The biggest joke is most of the proprietary routers both consumer and enterprise grade often are running some old outdated version of custom tuned openwrt lol, this goes for tp-link, and everyone else almost.

        • By fc417fc802, 2025-11-18 0:35 (3 replies)

          > how on earth do we keep things safe and secure if everyone can see the code and verify what it does!

          That's not always the silver bullet you seem to think it is. Have you ever tried to build something like Chromium, Firefox, or LLVM yourself? It's not realistic to do that on a mid tier let alone low end device.

          Even when you go to the trouble of getting a local build set up, more often than not the build system immediately attempts to download opaque binary blobs of uncertain provenance. Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.

          If projects actually took this stuff seriously then you'd be able to bootstrap from a sectorlisp and pure human readable source code without any binary blobs or network access involved. Instead we have the abomination that is npm.

          • By pabs3, 2025-11-18 2:07

            Debian manages to build Chromium, Firefox, and LLVM on servers of multiple architectures, including quite slow riscv64 machines, without any network access to the builds for any architecture.

            https://buildd.debian.org/status/package.php?p=firefox-esr

            See Bootstrappable Builds for starting from almost nothing, so far only GNU Guix and StageX have worked out how to start from the BB work to get a full distro. Should be fairly trivial for other distros too if they cared.

            https://bootstrappable.org/ https://guix.gnu.org/blog/2023/the-full-source-bootstrap-bui... https://stagex.tools/

          • By Etheryte, 2025-11-18 8:07

            For context, I once found a bug in Chromium and fixed it, the initial build took a few days on and off on my development laptop that was pretty beefy for the time. I say on and off because I had to interrupt the build if I wanted to do anything else computationally taxing. They have incremental builds and caches all properly set up so you can just continue where you left off after the fact. After the initial build it's pretty fast, 5 minutes or so per build for me. On a low end device you're easily looking at a build time of a week or more if you're starting from scratch.

          • By Karliss, 2025-11-18 15:40

            LLVM isn't so bad compared to the browsers. Relatively standard CMake build with a mostly self-contained C++ codebase and few third-party dependencies. You don't need a crazy Threadripper workstation to do a build in reasonable time. A somewhat modern 8-16 core desktop CPU should be able to do it in 10-20 minutes or faster. Based on compilation benchmarks I have seen, even some 15-year-old 4-core CPUs or 5-year-old mid/low tier mobile CPUs do it in under an hour.

            Most importantly you need to pay attention to RAM usage, if necessary reducing parallelism so that it doesn't need to swap.

      • By elAhmo, 2025-11-18 11:57 (2 replies)

        > You can manually and independently check the image signature before flashing an update.

        Of course you can. You can also read the ToS before clicking accept, but who does that?

        • By baobun, 2025-11-18 12:20 (1 reply)

          I'm sure there are dozens of us.

          • By DANmode, 2025-11-19 5:50

            Ever since that one game with the soul-surrendering clause in the EULA, I read it all now, heh.

        • By antonvs, 2025-11-18 13:56

          People who don't want to find themselves inadvertently participating in a botnet.

      • By tetha, 2025-11-17 21:40 (5 replies)

        Bit-Reproducible infrastructure could also result in some of the wildest build distribution architectures if you think about it. You could publish sources and have people register like in APT mirrors to provide builds, and at the end of the day, the build from the largest bit-equal group is published.

        I do see the Tor-Issue - a botnet or a well-supplied malicious actor could just flood it. And if you flip it - if you'd need agreement about the build output, it could also be poisoned with enough nodes to prevent releases for a critical security issue. I agree, I don't solve all supply chain issues in one comment :)

        But that in turn could be helped with reputation. Maybe a node needs to supply 6 months of perfect builds - for testing as well - to become eligible. Which would be defeated by patience, but what isn't? It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.

        This combination of reproducible, deterministic builds, tests across a number of probably-trustworthy sources is quite interesting, as it allows very heavy decentralization. I could just run an old laptop or two here to support. And then come compromise hundreds of these all across the world.

        • By smt88, 2025-11-17 22:29 (1 reply)

          The distribution system you're describing exists and has been in use for decades. You just distribute the build using bittorrent.

          • By cluckindan, 2025-11-17 23:18 (1 reply)

            And if someone invests in having >90% of the peers offer a malicious file and serve DHTs matching that file?

            • By smt88, 2025-11-18 1:16 (1 reply)

              Torrent files are hashed, so it's exactly the same risk profile as the comment I was referring to. But generally hashing algorithms are collision-proof enough that what you're describing is basically impossible (requiring many years of compute time).

              • By pabs3, 2025-11-18 2:09 (1 reply)

                IIRC BitTorrent still uses SHA-1, which is becoming more problematic.

                • By vhcr, 2025-11-18 10:00

                  BitTorrent v2 uses SHA-256, but in any case SHA-1 is still second-preimage resistant. And the BitTorrent piece hashes are included in the .torrent file, so you would need to find a double collision.

        • By HumanOstrich, 2025-11-17 23:43

          Sounds overly complex and completely unnecessary, like some kind of blockchain/defi scheme shoehorned onto distributed builds.

        • By pabs3, 2025-11-18 2:09

          Reproducible isn't quite enough, you also need bootstrap from almost-zero binaries.

          https://bootstrappable.org/

        • By charcircuit, 2025-11-17 22:37

          >It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.

          It really wouldn't. You don't even need a powerful build server since you can mirror whatever someone else built. You can also buy / hack nodes of existing trusted people.

        • By nunez, 2025-11-18 1:56

          > Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.

          I have yet to experience a straight shot install or build of anything in an air gapped environment. Always need to hack things to make it work.

    • By tempest_, 2025-11-17 19:45 (2 replies)

      I don't follow.

      > run an army of security people

      Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.

      Botnets comprised of compromised routers are common, and commercial/consumer routers are a far juicier target than openwrt.

      • By bigiain, 2025-11-17 23:38

        > They pay as little as humanly possible to cover their ass.

        They probably spend more on the team who ends up writing the "We take your security very seriously" breach notification message than they do on "security people". At least until they get forced into brand-name external Cyber Security Consultants to "investigate" their breach and work out who they can plausibly blame it on that's not part of the C suite.

      • By Aeolun, 2025-11-17 23:59

        > They pay as little as humanly possible to cover their ass.

        It’s probably helpful that open source teams aren’t hampered by standards and 20 year outdated audit processes either.

    • By sam_lowry_, 2025-11-17 19:29 (1 reply)

      This is exactly why OpenWRT has no unattended updates by default )

      • By shoddydoordesk, 2025-11-17 19:35 (1 reply)

        You are dismissing the seriousness of this. Their package manager is widely used. One would only need to compromise their build servers to wreak havoc.

        Didn't they have a vulnerability in their firmware download tool like a minute ago?

        The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded on to residential devices and forgotten about, it doesn't have professional sysadmins babysitting it 24/7.

        Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.

        • By jacobgkau, 2025-11-17 19:41 (1 reply)

          I'm confused why you're so homed in on OpenWRT as a third-party open-source project here when the vulnerability you quoted (TotoLink) was the official firmware update server of a brand of devices.

          Is it "scary" to think about OpenWRT potentially getting hacked? If you get scared by theoretical possibilities in software, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.

          • By danudey, 2025-11-17 21:45 (1 reply)

            What's scary is that OpenWRT is a project created by people who wanted a better solution than what was out there, and are therefore largely driven by a desire to create a good product.

            Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.

            Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware, the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designate it as obsolete and unsupported as fast as possible to force more updates.

            • By AnthonyMouse, 2025-11-18 0:40

              The disappointing thing is that the companies don't just ship the open source firmware on their devices from the factory. They rarely if ever have any marketable features the open source firmware doesn't -- it's more often the other way around -- and then you don't have a zillion unpatched devices when they decide to stop caring because the community continues to maintain the code.

    • By sidewndr46, 2025-11-17 23:00

      The post is nothing more than "but what about security" meant to deflect away from the discussion at hand and towards OpenWRT

    • By whatshisface, 2025-11-17 19:32 (1 reply)

      As always, hundreds watch the open repositories, maybe one watches a company's build servers, if they're lucky. :-)

    • By Quothling, 2025-11-18 6:13

      I recently had some issues getting one of our embedded devices to connect through passive FTP. Because the exact same device worked at a different site I knew it wasn't the device or its settings. Long story short, it turned out the problematic site hadn't been updating its routers, which meant they couldn't VPN passive FTP traffic. Anyway, we have literally thousands of those routers maintained by hundreds of different companies, who are mainly there to maintain the actual mechanical equipment and not the network. Turned out the sites where the technicians updated things weren't in the majority.

      I'm in the process of getting the business to implement better security, and it's going better than you might expect. If it wasn't because having a plan for how to update your OT security is required to meet EU compliance, however, I doubt we would've done anything beyond making sure we could do passive FTP when it was needed.

      As an example, there are still no plans to deal with the OT which we know has built-in hardware backdoors from the manufacturers. Which is around 70% of our dataloggers, but the EU has no compliance rules on that...

    • By immibis, 2025-11-17 19:43 (2 replies)

      Digital signing wouldn't defend you from a compromised build server.

      • By mbilker, 2025-11-17 20:09 (1 reply)

        What in that act says OpenWrt would be made illegal? If anything, OpenWrt would roll out automated security updates for a supported branched release to comply with these regulations.

        Also, if you actually read it, there are exceptions for open source software!

        • By majorchord, 2025-11-17 20:37

          OP claims almost daily that some benign thing is actually illegal but practically never provides any useful proof when asked.

          (please prove me wrong, Alex)

      • By pabs3, 2025-11-18 2:11

        Reproducible Builds and multiple distributed builders would though.

        https://reproducible-builds.org/

HackerNews