< ciso brief />

All news with #ddos tag

122 articles · page 5 of 7

CISA, FBI Warn: Protect Critical Infrastructure Now

🚨 CISA, the FBI, NSA, DOE, EPA, DOD’s DC3, and international partners issued a joint advisory alerting operators that pro‑Russia hacktivist groups are conducting opportunistic, low‑sophistication attacks against U.S. and global critical infrastructure. These actors exploit internet‑facing OT components (notably VNC and SCADA) and sometimes combine intrusions with DDoS. The advisory urges immediate mitigations: reduce OT exposure, improve asset management, and enforce robust authentication.

Weekly Cyber Recap: React2Shell, AI IDE Flaws, DDoS

🛡️ This week's bulletin spotlights a critical React Server Components flaw, CVE-2025-55182 (React2Shell), that was widely exploited within hours of disclosure, triggering emergency mitigations. Researchers also disclosed 30+ vulnerabilities in AI-integrated IDEs (IDEsaster), while Cloudflare mitigated a record 29.7 Tbps DDoS attributed to the AISURU botnet. Additional activity includes espionage backdoors (BRICKSTORM), fake banking apps distributing Android RATs in Southeast Asia, USB-based miner campaigns, and new stealers and packer services. Defenders are urged to prioritize patching, monitor telemetry, and accelerate threat intelligence sharing.

Cloudflare Mitigates Record 29.7 Tbps DDoS by AISURU

🚨 Cloudflare reported it detected and mitigated a record 29.7 Tbps distributed denial-of-service attack attributed to the AISURU botnet. The UDP "carpet-bombing" assault, which randomized packet attributes and targeted an average of 15,000 destination ports per second, lasted 69 seconds. Cloudflare also mitigated a 14.1 Bpps event and said AISURU may comprise 1–4 million infected hosts, while blocking thousands of related hyper-volumetric attacks and noting significant quarterly increases in DDoS activity.

Aisuru botnet behind record 29.7 Tbps DDoS attack impact

⚠️ In three months the Aisuru botnet has been linked to more than 1,300 DDoS attacks, including a record peak of 29.7 Tbps in Q3 2025 that Cloudflare mitigated. The botnet, offered as a rental service, leverages an estimated 1–4 million compromised routers and IoT devices exploited via known vulnerabilities and weak credentials. The record incident lasted 69 seconds and used UDP carpet‑bombing across roughly 15,000 destination ports per second; Cloudflare reports a sharp rise in hyper‑volumetric attacks that can disrupt ISPs and critical services.

Cloudflare Q3 2025 DDoS Threat Report: Aisuru Peaks

📈 The 23rd edition of Cloudflare’s Quarterly DDoS Threat Report reviews Q3 2025 data and spotlights the unprecedented Aisuru botnet, estimated at 1–4 million infected hosts. Aisuru launched routine hyper-volumetric attacks exceeding 1 Tbps and 1 Bpps, peaking at 29.7 Tbps and 14.1 Bpps, while Cloudflare mitigated 8.3 million DDoS events in the quarter. Network-layer attacks dominated the mix, and the report warns that short, high-volume strikes often outpace manual defenses, underscoring the need for global, automated mitigation.

ShadowV2 Mirai Botnet Tested During AWS Outage Activity

⚠️ Fortinet’s FortiGuard Labs identified a Mirai-based botnet called ShadowV2 that exploited known vulnerabilities in routers and other IoT devices from D-Link, TP-Link, DD-WRT and others during a major AWS outage. The botnet appeared active only for the outage window, which suggests a test run. The malware is delivered via a downloader (binary.sh) that fetches payloads from 81[.]88[.]18[.]108 and uses an XOR-encoded configuration and Mirai-style strings. ShadowV2 supports UDP, TCP and HTTP DDoS floods and receives commands from a C2 at 198[.]199[.]72[.]27. Fortinet published IoCs and emphasizes keeping firmware updated, noting that many affected models are end-of-life and will not be patched.

ShadowV2 IoT Botnet Exploits Multiple Device Flaws

⚠️ FortiGuard Labs observed a Mirai-derived botnet named ShadowV2 actively exploiting multiple known IoT firmware vulnerabilities to deliver a downloader and ELF payloads that enable remote takeover and DDoS operations. The activity, detected during a late‑October global AWS connectivity disruption, targeted a wide range of devices including D-Link, TP‑Link, DD‑WRT variants and DVR systems. ShadowV2 decodes an XOR-encoded configuration (key 0x22), contacts a hardcoded C2 (silverpath.shadowstresser.info / 81.88.18.108), and supports UDP, TCP and HTTP flood methods. Fortinet provides AV detections and IPS signatures for the exploited CVEs, and recommends firmware updates, network hardening, and continuous monitoring.

Azure Mitigates Record 15.72 Tbps DDoS from IoT Botnet

🛡️ Microsoft Azure said it blocked a record 15.72 Tbps DDoS attack tied to the Aisuru IoT botnet that surged to roughly 3.64 billion packets per second and targeted a single cloud endpoint in Australia. The attacker launched extremely high-rate UDP floods from over 500,000 source IPs with minimal spoofing and random source ports. Azure DDoS Protection automatically detected and mitigated the traffic without disrupting customer workloads, and Microsoft urged organizations to validate internet-facing protections ahead of peak periods, noting systemic IoT security gaps.

Microsoft Mitigates 15.72 Tbps IoT-Driven DDoS Attack

🛡 Microsoft automatically detected and mitigated a massive DDoS attack that peaked at 15.72 Tbps and roughly 3.64 billion packets per second against a single Australian endpoint. The traffic was attributed to a TurboMirai-class IoT botnet called AISURU, sourced from hundreds of thousands of compromised routers, cameras, and DVRs and launched from over 500,000 source IPs across multiple regions. Attackers used high-rate UDP floods with minimal source spoofing and random source ports, factors Microsoft said helped simplify traceback and provider enforcement. The incident underscores rising DDoS baselines as broadband speeds increase and IoT devices become more capable.

AWS offers flat-rate CloudFront plans with built-in security

🔒 AWS is introducing flat-rate pricing plans for CloudFront that bundle global CDN delivery with built-in security (WAF, DDoS protection), Route 53 DNS, CloudWatch Logs ingestion, serverless edge compute, and monthly S3 storage credits. Plans eliminate overage charges so traffic spikes or attacks won’t trigger surprise fees. Tiers include Free, Pro ($15), Business ($200) and Premium ($1,000), and pay-as-you-go remains an option.

Aisuru Botnet Fires 15.72 Tbps DDoS at Microsoft Azure

⚠️ Microsoft reported that the Aisuru botnet launched a massive DDoS attack against a public Azure IP in Australia, peaking at 15.72 Tbps and nearly 3.64 billion packets per second. The traffic originated from over 500,000 IP addresses and consisted of extremely high-rate UDP floods with minimal source spoofing. Microsoft noted the bursts used random source ports, which aided traceback and provider enforcement. Azure's mitigations absorbed the attack without a reported widespread outage.

Hacktivist DDoS Drives Majority of Public Sector Attacks

🛡️ ENISA's study of 586 public administration incidents found DDoS attacks made up roughly 60% of events, with 63% attributed to hacktivist groups. Central government incidents accounted for 69% of the total, while data breaches (17%) and ransomware (10%) caused disproportionate disruption. ENISA warns the sector's low maturity and recent inclusion in NIS2 increase risk and recommends CDNs/WAFs for DDoS mitigation, MFA/PAM/DLP for data protection, and EDR, segmentation and backups to combat ransomware.

Go clients, HTTP/2 PING floods, and ENHANCE_YOUR_CALM

🔍 This post investigates why Cloudflare returned ENHANCE_YOUR_CALM for internal HTTP/2 traffic and traces the issue to an easy-to-make mistake in Go clients. Closing a response body without first reading it to EOF caused the Go HTTP/2 client to emit RST_STREAM and PING frames in quick succession, tripping the server's PING-flood mitigation. The fix: always drain the response body (for example, io.Copy(io.Discard, resp.Body)) before calling Close().
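The drain-before-close pattern above, as an added illustration that is not code from the Cloudflare post: a helper that reads the remaining body (with a size cap, my own addition) before closing it, used from a status-only request against a local httptest server. The server is started with EnableHTTP2 so the client negotiates h2 when the toolchain supports it; the helper names, the 1 MiB cap and the sample body are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// drainLimit caps how much of an unwanted body we are willing to read before
// closing. The value is an assumption for this example, not a Go or Cloudflare
// default; past it, resetting the stream is the lesser evil.
const drainLimit = 1 << 20

// drainAndClose reads whatever is left of resp.Body (up to drainLimit) and
// then closes it, so the transport sees a normally completed stream instead
// of an abandoned one. Closing an unread body on HTTP/2 makes the Go client
// send RST_STREAM for the stream, which is the behaviour the post traced the
// PING-flood mitigation back to. Returns the number of bytes drained.
func drainAndClose(resp *http.Response) (int64, error) {
	defer resp.Body.Close()
	return io.Copy(io.Discard, io.LimitReader(resp.Body, drainLimit))
}

// statusOnly is the kind of call that invites the bug: the caller only wants
// the status code, so it is tempting to resp.Body.Close() immediately.
// It returns the status code, the protocol negotiated, and the bytes drained.
func statusOnly(client *http.Client, url string) (code int, proto string, drained int64, err error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, "", 0, err
	}
	drained, err = drainAndClose(resp)
	return resp.StatusCode, resp.Proto, drained, err
}

// sampleBody is constructed test data served by the local server below.
var sampleBody = []byte("constructed response body that the caller never wanted to read")

// newServer starts a TLS test server with HTTP/2 enabled; srv.Client() is
// pre-configured to trust its certificate and to attempt h2.
func newServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.Write(sampleBody)
	}))
	srv.EnableHTTP2 = true
	srv.StartTLS()
	return srv
}

func main() {
	srv := newServer()
	defer srv.Close()
	code, proto, drained, err := statusOnly(srv.Client(), srv.URL)
	fmt.Printf("status=%d proto=%s drained=%d err=%v\n", code, proto, drained, err)
}
```

The same helper is the right shape for a client that inspects only headers or only the first few bytes of a large body: drain up to the cap, then close, rather than closing immediately on every path.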

Hezi Rash: Kurdish Hacktivist DDoS Campaigns Rising

🛡️ Hezi Rash is a Kurdish nationalist hacktivist collective formed in 2023 that has escalated to coordinated DDoS campaigns targeting entities perceived as hostile to Kurdish or Muslim communities. Their public rhetoric mixes nationalism, religion, and activism, and they have claimed attacks in response to symbolic provocations such as an anime scene depicting a burning Kurdish flag. Targets reported include anime platforms, media outlets, NGOs, and government services, causing intermittent service disruptions and demonstrating growing technical sophistication.

Defending QUIC Against Acknowledgement-Based DDoS Attacks

🔒 Cloudflare patched two QUIC ACK-handling vulnerabilities (CVE-2025-4820, CVE-2025-4821) affecting its open-source quiche library and services built on it. The flaws, missing ACK range validation and susceptibility to an Optimistic ACK attack, could let a malicious peer acknowledge packets it never received and so inflate the server's send rate, driving up CPU use and turning the server into a traffic amplifier. Cloudflare added ACK range enforcement and a dynamic, CWND-aware packet-number skip frequency; quiche versions prior to 0.24.4 were affected.
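The two checks named above, as an added illustration that is neither quiche's code nor its exact policy: a sender that records which packet numbers it really transmitted, periodically burns a packet number as a trap (the skip interval here is a made-up function of the congestion window in packets, purely to show the "CWND-aware" idea), and rejects ACKs that cover a number above anything sent (range validation) or a skipped number (Optimistic ACK). Real QUIC ACK frames encode a largest-acknowledged value plus gap/length pairs (RFC 9000 section 19.3); this example uses explicit inclusive ranges for readability, and all type and function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrMalformedRange = errors.New("ack range with lo > hi")
	ErrNeverSent      = errors.New("ack covers a packet number above the largest sent")
	ErrOptimisticAck  = errors.New("ack covers a deliberately skipped packet number")
)

// ackRange is an inclusive [Lo, Hi] block of acknowledged packet numbers.
type ackRange struct{ Lo, Hi uint64 }

// sender is the server side of a single QUIC packet-number space.
type sender struct {
	next      uint64          // next packet number to assign
	sent      map[uint64]bool // numbers actually transmitted
	skipped   map[uint64]bool // numbers burned as Optimistic-ACK traps
	sinceSkip int             // packets sent since the last trap
	cwndPkts  int             // congestion window, in packets
}

func newSender(cwndPkts int) *sender {
	return &sender{sent: map[uint64]bool{}, skipped: map[uint64]bool{}, cwndPkts: cwndPkts}
}

// skipInterval is an illustrative CWND-aware policy (an assumption, not
// quiche's): skip a number every cwnd/4 packets, clamped to [4, 256]. A
// larger window means a faster sender and more reward for lying, so the
// traps get denser relative to the window growth.
func skipInterval(cwndPkts int) int {
	n := cwndPkts / 4
	if n < 4 {
		return 4
	}
	if n > 256 {
		return 256
	}
	return n
}

// send assigns packet numbers to n packets, burning a trap number whenever
// the skip interval has elapsed. Returns the numbers actually transmitted.
func (s *sender) send(n int) []uint64 {
	out := make([]uint64, 0, n)
	for i := 0; i < n; i++ {
		if s.sinceSkip >= skipInterval(s.cwndPkts) {
			s.skipped[s.next] = true // never transmitted; only a liar can ack it
			s.next++
			s.sinceSkip = 0
		}
		s.sent[s.next] = true
		out = append(out, s.next)
		s.next++
		s.sinceSkip++
	}
	return out
}

// validateAck applies both checks before any packet is treated as delivered
// and before congestion control is allowed to grow: ranges must be well
// formed, must not reach beyond what was ever sent, and must not include a
// trap. Returns the count of genuinely sent packets the ACK covers.
func (s *sender) validateAck(ranges []ackRange) (int, error) {
	acked := 0
	for _, r := range ranges {
		if r.Lo > r.Hi {
			return 0, ErrMalformedRange
		}
		if r.Hi >= s.next { // ACK range validation
			return 0, ErrNeverSent
		}
		for pn := r.Lo; pn <= r.Hi; pn++ {
			if s.skipped[pn] { // Optimistic ACK detection
				return 0, ErrOptimisticAck
			}
			if s.sent[pn] {
				acked++
			}
		}
	}
	return acked, nil
}

func main() {
	s := newSender(20) // skipInterval(20) == 5
	fmt.Println("sent:", s.send(12)) // 0-4, trap at 5, 6-10, trap at 11, 12-13
	fmt.Println(s.validateAck([]ackRange{{0, 4}, {6, 10}, {12, 13}})) // honest peer
	fmt.Println(s.validateAck([]ackRange{{0, 13}}))                   // optimistic
	fmt.Println(s.validateAck([]ackRange{{0, 40}}))                   // never sent
}
```

In a real implementation the reaction to ErrOptimisticAck is to close the connection, since a peer that acknowledges an unsent packet number is provably not reporting what it received.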

Protecting Moldova’s 2025 Parliamentary Election Online

🛡️ Cloudflare assisted the Moldovan Central Election Commission (CEC) during the September 28, 2025 parliamentary vote, rapidly onboarding election sites and deploying mitigations under the Athenian Project. On election day Cloudflare mitigated over 898 million malicious requests across multiple DDoS waves, including a peak of 324,333 rps, keeping official result reporting and civic sites online. Automated defenses and coordination with STISC ensured no interruptions to public access and authoritative information.

Aisuru Botnet Evolves from DDoS to Residential Proxies

🛡️ Aisuru, first identified in August 2024, has been retooled from launching record DDoS assaults to renting hundreds of thousands of compromised IoT devices as residential proxies. Researchers warn the change powers a massive proxy market that is being used to anonymize large-scale content scraping for AI training and other abuses. The botnet — roughly 700,000 devices strong — previously produced multi‑terabit attacks that disrupted ISPs and damaged router hardware. Industry and law enforcement are sharing blocklists and probing proxy reseller ecosystems tied to the infections.

Q3 2025 Internet Disruptions: Causes and Observations

🌐 In Q3 2025 Cloudflare observed a wide range of Internet disruptions affecting governments, carriers, and infrastructure worldwide. Incidents included government-directed shutdowns in Sudan, Syria, Iraq, Venezuela, and Afghanistan; submarine and terrestrial cable cuts; power outages; a major earthquake; a targeted cyberattack; and technical failures such as Great Firewall anomalies and Starlink outages. The post synthesizes observed traffic losses using Cloudflare Radar metrics.

AWS Global Accelerator Now Supports Two Asia Pacific Regions

🚀 AWS Global Accelerator now supports application endpoints in two additional AWS Regions — Asia Pacific (Thailand) and Asia Pacific (Taipei) — bringing total coverage to thirty-three Regions. The service offers static IP addresses, congestion-free AWS network routing, edge DDoS protections, and continuous health monitoring to enable deterministic multi-region failover without DNS dependencies. To use the new Regions, configure endpoints such as Application Load Balancers, Network Load Balancers, Amazon EC2 instances, or Elastic IPs and review the Global Accelerator documentation.

Pro‑Russian DDoS Disrupts German Federal Procurement Portal

🛡️ The German federal procurement portal was rendered inaccessible for almost a week by a sustained DDoS campaign; the service was restored Tuesday afternoon. Security analysts attribute the disruption to the pro‑Russian hacker group NoName057(16), which has previously targeted critical infrastructure, authorities and companies in Western countries. The attacks, confirmed as DDoS by observers, overwhelmed servers with a flood of requests. The Federal Office for Information Security (BSI) said it was informed of the incident. The portal, dtvp.de, is a central nationwide platform for electronic Q&A and bid submissions in public tenders.