31 Tbps in 35 seconds: DDoS assault that turned millions of domestic devices into botnet weapons


In November 2025, a digital assault was detected that once again exposed the destructive capacity of large botnets: a DDoS attack driven by the swarm known as AISURU or Kimwolf reached a traffic peak of more than 31 Tbps and, although it was short - just 35 seconds - it was enough to break records and force automated mitigation systems into action.

It was not an isolated pulse but part of a series of increasingly volumetric and sophisticated campaigns. According to Cloudflare's public report on activity in the fourth quarter of 2025, these types of incidents are part of a pattern: floods of HTTP requests and packets whose size and frequency have climbed rapidly over the last year. Cloudflare's own analysis documents attacks with average rates in some campaigns on the order of several billion packets per second and peaks of tens of terabits per second, figures that were previously seen as almost unimaginable. More information and data from the report are available on the Cloudflare blog: DDoS Threat Report Q4 2025.


The engine behind much of that brute force is not sophisticated data centers but everyday devices that have been hijacked: AISURU / Kimwolf has been able to incorporate more than two million mobile and Android-based devices into its network, with a particular impact on Android TV boxes from budget brands. Many of these devices acted as "residential nodes" that sent malicious traffic from domestic IP addresses, which complicates detection and makes it easier for attacks to appear to come from legitimate users.

The threat was amplified by an opaque commercial ecosystem. Research related to this phenomenon has pointed to residential proxy networks and companies that market exit services ("residential proxies") as facilitators: their SDKs and stranded applications allowed devices to be enrolled on a large scale without the consent of their owners. In response, giants like Google intervened to disable parts of that infrastructure and to collaborate in technical and legal actions aimed at cutting communication between the controllers and the infected devices.

To understand the magnitude of the problem, it is necessary to look at the aggregate numbers: 2025 was a year in which DDoS activity soared. Cloudflare counted tens of millions of attacks mitigated throughout the year, with annual growth that more than doubled the count over the previous year, and with a significant concentration of incidents in the last quarter. The report also shows that most of the attacks originated at the network level - so-called network layer attacks - and that sectors such as telecommunications, service providers and software were among the hardest hit. The analysis of trends and figures is available on Cloudflare Radar and in the full report.

In parallel, specialized media have been telling concrete stories about how small household appliances become pieces of gigantic botnets. A review of the risk posed by Android TVs and streaming boxes can be read in a research piece published on KrebsOnSecurity, which documents how cheap and poorly managed devices are transformed into malicious traffic multipliers: Is your Android TV streaming box part of a botnet?.

What can and should organisations and users do? For companies and operators that depend on continuous availability, the lesson is clear: traditional defenses based on on-premises appliances or on-demand scrubbing centres may not be sufficient against hypervolumetric attacks measured in terabits and billions of packets per second. Cloud-based solutions and globally distributed networks with automatic absorption and mitigation capacity have become a critical piece of the defensive puzzle. At the same time, at the end-user level, basic digital hygiene - avoiding unverified application installations, updating firmware, and opting for hardware with reputable support - reduces the attack surface and the likelihood that a device will end up in a botnet.


In addition, operators and manufacturers must take proactive measures: apply verification mechanisms in software supply chains, restrict app privileges, provide simple updates and force security patches on equipment with network functions. Service providers that manage mass traffic should review their agreements, scaling capabilities and coordination with security partners to respond to sudden traffic peaks.

The 2025 picture shows that DDoS attacks are no longer mere nuisances and have become instruments that can affect the digital economy on a large scale. The combination of insecure devices, markets that monetize residential proxies and automated tools to generate malicious traffic has raised the threshold of what organisations should anticipate. The response involves modernising defenses, public-private collaboration and improving the robustness of the connected equipment in our homes.

If you want to dig deeper into the figures, mitigation techniques and specific recommendations for different types of organizations, the Cloudflare report is a good starting point, and the KrebsOnSecurity article helps you understand how domestic devices feed these threats: Cloudflare Q4 2025 DDoS report and KrebsOnSecurity on Android TV and botnets.
