World’s Largest DDoS Attack Recorded: 31.4 Tbps Aisuru/Kimwolf Botnet Strikes

The cybersecurity landscape reached a historic milestone in December 2025 when the Aisuru/Kimwolf botnet launched the largest publicly disclosed distributed denial-of-service (DDoS) attack ever recorded. The attack peaked at an unprecedented 31.4 terabits per second (Tbps), setting a new global record for attack bandwidth.

The campaign, known as “The Night Before Christmas,” began on December 19, 2025, targeting Cloudflare’s infrastructure and its customers. It combined massive network-layer (Layer 4) floods with application-layer HTTP attacks, generating more than 200 million requests per second (RPS).

This event surpassed the previous record of 29.7 Tbps, which was also attributed to the Aisuru botnet earlier in 2025, highlighting the rapid escalation in both scale and sophistication of modern DDoS attacks.

Attack Infrastructure and Technique

The attack leveraged millions of compromised unofficial Android TV streaming devices, commonly low-cost Android boxes used worldwide. These infected devices were controlled through a distributed command-and-control (C2) infrastructure, enabling highly coordinated and synchronized attack waves.

At its peak, the 31.4 Tbps attack volume would have overwhelmed most DDoS mitigation providers. Several well-known mitigation platforms have publicly estimated capacities far below this level, meaning the attack could have exceeded their defenses by more than 200%.

Attack Patterns and Duration

Analysis of the campaign revealed that the attackers favored short, high-intensity bursts rather than prolonged attacks:

• Over 90% of attacks peaked between 1 and 5 Tbps

• Only a small fraction exceeded 30 Tbps

• Most attacks lasted between 60 and 120 seconds

This approach was likely designed to overwhelm defenses quickly before manual intervention could take place.

Targeted Industries and Regions

The campaign primarily targeted high-traffic and latency-sensitive industries:

• Gaming companies accounted for over 40% of the attacks

• IT and cloud service providers followed closely

• Telecommunications, ISPs, and online gambling platforms were also targeted

Geographically, the United States was the most affected country, followed by China, Hong Kong, Brazil, the United Kingdom, Germany, and India.

Aisuru/Kimwolf Botnet Evolution

The Kimwolf variant of the Aisuru botnet emerged in August 2025, focusing heavily on Android-based devices. Security researchers estimate that more than 2 million Android TV devices were infected, forming one of the most powerful DDoS botnets ever observed.

Despite ongoing disruption efforts by security organizations, including null-routing hundreds of C2 servers, the botnet has shown strong resilience by rapidly shifting its infrastructure across new networks and IP ranges.

Cloudflare’s Defense and Industry Impact

Cloudflare successfully mitigated the attack using its global infrastructure, which provides approximately 449 Tbps of total mitigation capacity across 330 points of presence worldwide. The record-breaking attack consumed only a small percentage of Cloudflare’s available capacity and was mitigated automatically without human intervention.

Conclusion

The “Night Before Christmas” DDoS campaign marks a critical turning point in the global threat landscape. As attack sizes continue to grow exponentially, organizations must rely on large-scale, automated, and globally distributed DDoS protection.

For businesses using providers with limited mitigation capacity, attacks of this magnitude pose serious operational and availability risks. The event serves as a clear warning that DDoS attacks are no longer theoretical threats but real-world, internet-scale weapons.