
Massive IoT botnets have become a major operational risk, necessitating new rules to maintain enterprise resilience.
Cloudflare’s Q3 2025 data shows that the weaponization of compromised connected devices has reached unprecedented levels. This renders traditional human intervention and on-premises mitigation hardware obsolete.
The sheer power of attacks now shapes the threat landscape more than their sophistication. The Aisuru botnet dominated Q3, estimated to contain between 1 million and 4 million infected hosts globally.
Aisuru frequently launches attacks exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps). It does this by massively consolidating compromised endpoints, likely consisting of insecure IoT devices and home routers.
Peak attack volumes reached records of 29.7 Tbps and 14.1 Bpps, respectively. To put that scale in perspective: this is traffic that standard data center firewalls cannot filter.
This record-breaking incident was a UDP carpet bombing attack. It averaged 15,000 target ports per second. Although the attack lasted only 69 seconds, this sudden burst was enough to saturate upstream internet links. It effectively crippled an organization’s digital activities before internal security teams received alerts.
The Connection Between Industrial IoT and Geopolitics
The targets of these massive IoT botnets reveal a worrying intersection between geopolitical tensions and industrial disruption. Gaming servers or financial institutions are no longer primary targets.
The escalating trade tensions between the EU and China over rare earth minerals coincided with a sharp rise in attacks targeting the mining, minerals, and metals industries. In addition, similar tensions over electric vehicle tariffs coincided with a surge in attacks targeting the automotive industry in the third quarter.
In fact, the automotive industry saw the largest increase, jumping 62 places to become the sixth most attacked industry globally. The mining, minerals, and metals industry also rose 24 places.
This correlation suggests that actors are using distributed denial-of-service (DDoS) attack capabilities as an asymmetric tool in trade disputes. For businesses, this reality highlights how geopolitical risks now directly link to cybersecurity resilience.
Beyond the industrial sector, the artificial intelligence (AI) industry is also facing increasing pressure. In September 2025, attack traffic targeting AI companies surged by a staggering 347% month-over-month. This surge coincides with increasingly stringent scrutiny from the public and regulators. For example, the UK Law Commission launched a review of AI usage in government departments during the same period.
For companies integrating generative AI into their products, this volatility raises reliability concerns. If the API providers underpinning these services continue to suffer high-volume attacks, the downstream availability of enterprise applications will become extremely vulnerable.
Regions with rapid digitalization but inadequate security governance often generate these traffic sources. For example, researchers have identified Indonesia as the largest source of DDoS attacks. This designation has persisted throughout the year.
Since the end of 2021, the proportion of HTTP attack requests originating from Indonesia has increased by 31,900%. This alarming data highlights the dangers of security vulnerabilities in digital infrastructure in emerging markets. In these regions, attackers can incorporate vast numbers of IoT devices into botnets like Aisuru without the owners’ knowledge.
Massive Botnets: Small IoT Devices, Big Damage
The sheer speed of modern attacks presents a major challenge to enterprise IT leaders in terms of operational resilience. Cloudflare data shows that 89% of network layer attacks and 71% of HTTP attacks end within 10 minutes. In many cases, the attack lasts less than the time it takes a human analyst to log into their control panel.
This “hit-and-run” attack style is particularly destructive. A brief attack may last only a few seconds, but the damage it causes can be devastating. Recovery takes much longer. Operations teams typically need to perform complex, multi-step processes to restore systems. They must verify data consistency in distributed databases and reassure customers to minimize reputational damage.
Traditional mitigation strategies, such as on-demand scrubbing centers or manual route injection, are not suitable for this environment. By the time organizations redirect traffic to a scrubbing facility, the attack may have already ended. It may have successfully compromised session state or backend processing. As Cloudflare notes, “This speed is too fast for any human or on-demand service to react to.”
The barrier to launching such attacks remains low. Distributors offer fragments of the Aisuru botnet in the form of “botnet rentals.” This allows malicious actors to disrupt backbone networks and saturate internet links at a cost of only a few hundred to a few thousand dollars.
This creates a significant economic asymmetry. An attack campaign costing attackers thousands of dollars can result in millions of dollars in lost revenue, reputational damage, and mitigation costs for victims. The Aisuru botnet alone launched 1,304 hyperscale attacks in the third quarter. This marks a 54% increase from the previous quarter.
Achieving Modern Enterprise Resilience
For enterprise leaders, the conclusion drawn from this hyperscale IoT botnet data is that resilience must shift from reactive response to proactive defense. The sheer volume of Aisuru attacks, coupled with their ability to circumvent static rules by randomizing packet attributes, necessitates algorithmic mitigation measures.
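The following Python example is added here for illustration and is not from Cloudflare's report or the original article. It contrasts a static signature (fixed source port and packet length) with an attribute-independent metric, distinct destination ports per second toward one target, on constructed flow records; the addresses, the record layout and the 1,000-port threshold are assumptions.

```python
from collections import defaultdict

TARGET = "203.0.113.10"  # documentation address, constructed for this example


def build_sample_flows():
    """Constructed records: (second, src_ip, src_port, dst_ip, dst_port, length)."""
    flows = []
    for sec in (99, 100, 101):  # steady benign traffic to two services
        for i in range(300):
            flows.append((sec, f"192.0.2.{i % 200 + 1}", 40000 + i,
                          TARGET, (53, 443)[i % 2], 120))
    for i in range(2000):  # one-second burst in which every attribute varies
        flows.append((100, f"198.51.100.{i % 250 + 1}",
                      1024 + (i * 104729) % 60000,  # source port
                      TARGET,
                      1024 + (i * 7919) % 60000,    # destination port
                      64 + (i * 37) % 1400))        # packet length
    return flows


def static_rule_hits(flows, src_port, length):
    """Static signature: count records with one fixed source port and length."""
    return sum(1 for f in flows if f[2] == src_port and f[5] == length)


def port_fanout_alerts(flows, max_ports_per_second):
    """Flag (second, dst_ip) pairs whose distinct destination-port count
    exceeds the limit, regardless of per-packet attributes."""
    ports = defaultdict(set)
    for sec, _src, _sport, dst, dport, _length in flows:
        ports[(sec, dst)].add(dport)
    return sorted((sec, dst, len(p)) for (sec, dst), p in ports.items()
                  if len(p) > max_ports_per_second)


if __name__ == "__main__":
    flows = build_sample_flows()
    burst = [f for f in flows if f[0] == 100 and f[4] >= 1024]
    first = burst[0]  # a rule written from the first burst record seen
    print("static rule hits:",
          static_rule_hits(burst, first[2], first[5]), "of", len(burst))
    print("fan-out alerts:", port_fanout_alerts(flows, 1000))
```

The signature derived from the first burst record matches only that record, while the port fan-out count isolates the burst second and leaves the benign seconds unflagged.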
Given the current threat landscape, organizations relying on locally deployed mitigation equipment may need to reassess their defense posture. The physical limitations of local hardware mean they cannot handle peak traffic of 29 Tbps. Organizations must mitigate traffic at the network edge, closer to the source, to prevent it from converging on the target infrastructure.
Nearly 70% of HTTP DDoS attacks originate from botnets known to Cloudflare. This demonstrates that threat intelligence sharing and collective defense mechanisms are superior to isolated defense systems. Once systems detect a botnet attack on a node, they should immediately disseminate the intelligence to protect the entire network.
Geopolitical factors also necessitate closer collaboration between physical security teams and cybersecurity operations teams. The Maldives experienced the largest increase in attack traffic following protests against media freedom. It jumped 125 places in the global rankings.
Similarly, France’s “shut everything” protests coincided with a jump of 65 places in the global rankings of cyberattack victims. This made it the 18th largest attacker nation. Security leaders must now view localized social unrest as a leading indicator of potential digital disruptions.
With 8.3 million attacks mitigated in the third quarter alone — an average of 3,780 attacks per hour — DDoS attacks are no longer an anomaly but a persistent environmental factor. Enterprise resilience in 2026 and beyond requires automated defense systems that can scale instantly. This is necessary to counter these massive IoT botnets that are weaponizing the structure of the interconnected world.


