Hyper-volumetric IoT botnets rewrite enterprise resilience rules

Hyper-volumetric IoT botnets have become a primary operational risk and new rules are required to maintain enterprise resilience.

Cloudflare data from the third quarter of 2025 indicates that the weaponisation of compromised connected devices has reached unprecedented levels, rendering traditional manual intervention and on-premise mitigation hardware obsolete.

The threat landscape is no longer defined merely by the sophistication of an attack, but by its sheer brute force. The third quarter was dominated by the emergence of the Aisuru botnet, a network comprising an estimated 1-4 million infected hosts globally.

Aisuru – with its massive consolidation of compromised endpoints, likely composed of unsecured IoT devices and residential routers – routinely unleashed attacks exceeding 1 terabit per second (Tbps) and 1 billion packets per second (Bpps).

Attacks peaked at a record-breaking 29.7 Tbps and 14.1 Bpps. To contextualise this volume: this is not traffic that can be filtered by a standard data centre firewall.

The record-breaking incident was a UDP carpet-bombing attack that bombarded an average of 15,000 destination ports per second. While it lasted only 69 seconds, such bursts are capable of saturating upstream internet links to effectively silence an organisation’s digital presence before internal security teams receive an alert.

The industrial IoT and geopolitical nexus

The targets of these hyper-volumetric IoT botnets reveal a troubling convergence of geopolitical tension and industrial sabotage. It is no longer primarily gaming servers or financial institutions in the crosshairs.

Escalating EU-China trade tensions over rare earth minerals coincided with a sharp rise in attacks against the mining, minerals, and metals industry. Similar tensions over EV tariffs also coincided with a rise in attacks against the automotive sector during Q3.

In fact, the automotive industry saw the largest surge, leaping 62 spots in the rankings to become the sixth most attacked industry globally. The mining, minerals, and metals sector climbed 24 spots.

This correlation suggests that Distributed Denial of Service (DDoS) capabilities are being deployed as asymmetric levers in trade disputes. For businesses, this underscores the reality that enterprise cyber resilience is now intrinsically linked to geopolitical risk.

Beyond industrial targets, the AI sector faces mounting pressure. Attack traffic against AI companies surged by as much as 347 percent month-over-month in September 2025. This spike aligns with growing public and regulatory scrutiny; for instance, the UK Law Commission launched a review into AI use in government during the same period.

For enterprises integrating generative AI into their products, this volatility presents a reliability concern. If the API providers underpinning these services are subject to constant hyper-volumetric bombardment, downstream availability for enterprise applications becomes fragile.

Traffic sources often correlate with regions experiencing rapid digital adoption but uneven security governance. Indonesia, for example, has been identified as the largest source of DDoS attacks for a full year.

Since late 2021, the percentage of HTTP attack requests originating from Indonesia has increased by 31,900 percent. This gargantuan statistic highlights the dangers of unsecured digital infrastructure in emerging markets, where vast fleets of IoT devices can be co-opted into botnets like Aisuru without the device owners’ knowledge.

Hyper-volumetric botnets: Small IoT devices, large disruption

The velocity of modern attacks creates the primary operational resilience challenge for enterprise IT leaders. Cloudflare data indicates that 89 percent of network-layer attacks and 71 percent of HTTP attacks conclude in under 10 minutes. In many cases, the attack duration is shorter than the time required for a human analyst to log into a dashboard.

This “hit-and-run” methodology is particularly damaging. A short attack may only last a few seconds, but the disruption it causes can be severe, and recovery takes far longer. Operational teams are frequently left with a complex multi-step process to restore systems, verify data consistency across distributed databases, and reassure customers to minimise reputational damage.

Legacy mitigation strategies, such as on-demand scrubbing centres or manual route injection, are ill-suited for this environment. By the time traffic is diverted to a scrubbing facility, the attack may already be over, having successfully disrupted the session state or backend processing. As Cloudflare notes, “that’s too fast for any human or on-demand service to react.”

The barrier to entry for launching these attacks remains low. “Chunks” of the Aisuru botnet are offered by distributors as botnets-for-hire. This allows malicious actors to inflict chaos on backbone networks and saturate internet links for a cost of merely a few hundred to a few thousand U.S. dollars.

This creates a stark economic asymmetry: an attacker spends three figures to launch a campaign that can cost a victim millions in lost revenue, reputation damage, and mitigation fees. The Aisuru botnet alone was responsible for 1,304 hyper-volumetric attacks in the third quarter, a 54 percent increase from the previous quarter.

Operationalising modern enterprise resilience

For enterprise leaders, the takeaway from this data on hyper-volumetric IoT botnets is that resilience must move from reactive to autonomous. The sheer volume of the Aisuru attacks, which randomise packet attributes to evade static rules, demands algorithmic mitigation.

Organisations relying on on-premise mitigation appliances may benefit from reviewing their defence posture given the current threat landscape. The physical limitations of on-premise hardware mean it cannot absorb a 29 Tbps spike. The traffic must be mitigated at the network edge, closer to the source, before it converges on the target’s infrastructure.
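
An added example, not code from Cloudflare or from the original article: a minimal sketch of rate-based detection keyed on the destination, which still fires when source addresses and ports are randomised, beside a static attribute rule that does not. The thresholds, field names and packet records are constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed thresholds for this example; size them to the protected link.
MAX_PPS = 1000        # UDP packets per second toward one destination IP
MAX_DST_PORTS = 100   # distinct destination ports per second on that IP

def static_rule_matches(pkt, blocked_sports=frozenset({53, 123})):
    """Static rule: fires only on fixed attribute values (DNS/NTP source ports)."""
    return pkt["proto"] == "udp" and pkt["sport"] in blocked_sports

def detect_carpet_bombing(packets):
    """Flag one-second windows where a destination exceeds both thresholds.

    Keyed on (second, destination IP), so randomised sources do not matter.
    Returns {(second, dst): (packets_per_second, distinct_dst_ports)}.
    """
    count, ports = defaultdict(int), defaultdict(set)
    for p in packets:
        if p["proto"] != "udp":
            continue
        key = (int(p["ts"]), p["dst"])
        count[key] += 1
        ports[key].add(p["dport"])
    return {k: (count[k], len(ports[k])) for k in count
            if count[k] >= MAX_PPS and len(ports[k]) >= MAX_DST_PORTS}

def sample_traffic():
    """Constructed records: a 2-second flood with random attributes, plus a benign flow."""
    rng = random.Random(7)
    pkts = [{"ts": 10 + i / 2000, "proto": "udp",
             "src": f"198.51.100.{rng.randrange(1, 255)}",
             "sport": rng.randrange(1024, 65536),
             "dst": "203.0.113.10", "dport": rng.randrange(1, 65536)}
            for i in range(4000)]
    pkts += [{"ts": 10 + i / 25, "proto": "udp", "src": "192.0.2.5",
              "sport": 443, "dst": "203.0.113.20", "dport": 50000}
             for i in range(50)]
    return pkts

if __name__ == "__main__":
    traffic = sample_traffic()
    print("static rule hits:", sum(static_rule_matches(p) for p in traffic))
    for (sec, dst), (pps, nports) in sorted(detect_carpet_bombing(traffic).items()):
        print(f"t={sec}s dst={dst} pps={pps} distinct_ports={nports}")
```

The detector raises its first alert from a single one-second window, which is the timescale that matters when most attacks end in under 10 minutes.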

Nearly 70 percent of HTTP DDoS attacks originated from botnets already known to Cloudflare. This suggests that threat intelligence sharing and collective defence mechanisms are superior to isolated silos. When a botnet is identified attacking one node, that intelligence should propagate instantly to protect the entire network.

The geopolitical dimension also requires a closer alignment between physical security teams and cyber operations. When protests erupted in the Maldives regarding media freedom, the country saw the highest increase in attack traffic, leaping 125 spots in the global rankings.

Similarly, the “Block Everything” protests in France coincided with that nation jumping 65 spots to become the 18th most attacked country. Security leaders must now treat local civil unrest as a leading indicator for potential digital disruption.

With 8.3 million attacks mitigated in Q3 alone – an average of 3,780 per hour – DDoS is no longer an anomaly but a constant environmental condition. Enterprise resilience in 2026 and beyond requires automated defences capable of scaling instantly against hyper-volumetric IoT botnets that are weaponising the very fabric of the connected world.

Ryan Daws