Summary
Botnets have transformed everyday IoT devices — cameras, routers, DVRs — into distributed attack infrastructure, and the threat has evolved significantly since Mirai set the template in 2016. The dominant botnet today is Aisuru/Kimwolf, estimated at one to four million compromised devices as of Q4 2025, with peak attack sizes up 262% year over year. Traditional signature-based defenses can’t keep pace — sub-second inline mitigation and behavioral detection are the only architectures fast enough to prevent damage.
How Botnets Turned the World’s IoT Devices Into DDoS Weapons
Your security camera is probably fine. Your neighbor’s might be attacking a bank right now.
That’s the nature of a botnet DDoS attack. The devices doing the damage don’t belong to the attacker. They belong to you, your employees, your vendors, and the millions of people who bought a $30 IoT device, plugged it in, and never changed the default password. Those devices are infrastructure now. Not yours, but the attacker’s.
Understanding how botnets power DDoS attacks isn’t academic. It’s operational. It changes what you monitor, what you patch, and what you build your defenses around.
How Botnets Are Used in DDoS Attacks
A botnet is a network of compromised devices controlled by a threat actor through a command-and-control server, commonly called a C2. The individual devices, known as bots or zombies, receive instructions without their owners ever knowing. Those instructions can be anything: send spam, mine cryptocurrency, probe networks for vulnerabilities, or flood a target with traffic until it goes offline.
In a botnet DDoS attack, the C2 issues a fire command to thousands or millions of bots simultaneously. Each device sends a stream of traffic toward the target. Individually, no single device does meaningful damage. Combined, they generate terabits per second of junk traffic, enough to saturate any unprotected network in seconds. That’s what makes botnet-driven DDoS so hard to stop: the attack is genuinely distributed. It doesn’t come from one place. It comes from everywhere at once.
The target can’t just block the bots by IP address. There are too many of them, spread across too many countries, and many are real consumer devices generating traffic that looks legitimate. That’s the point. The volume is the weapon, and the distribution is the camouflage.
The Mirai Moment and Why It Changed Everything
Before 2016, botnets were built mostly from infected PCs and servers. The pool was limited, and taking down individual nodes was manageable. Then Mirai changed the math.
In September 2016, a botnet hit the security blog of journalist Brian Krebs with over 620 Gbps of traffic, one of the largest recorded DDoS attacks at that time. The same month, the same botnet hit French web host OVH, peaking close to 1 Tbps using roughly 145,000 compromised devices. The attack wasn’t coming from infected laptops. It was coming from IP cameras, home routers, and DVRs.
In October of that year, Mirai took down Dyn, a major DNS provider, cutting off access to Twitter, Netflix, PayPal, Reddit, Amazon, and GitHub for hours across North America and Europe. Over 14,000 internet platforms stopped using Dyn after the attack. That’s 8% of their customer base, gone.
Here’s what made Mirai so significant beyond its immediate impact: the source code was published publicly a week after the Krebs attack. Anyone with a target and a grudge could now spin up their own variant. And they did. The FBI’s investigation eventually resulted in convictions for the three college students who built Mirai, but by then the code was out in the world. The criminal infrastructure they created outlasted their prosecution by years.
We’ve covered Mirai’s mechanics and how it operates as an attack type in more depth here: What is the Mirai botnet? and Understanding the Mirai botnet attack type. This blog picks up where those leave off: what happened after Mirai, and what’s running now.
What Is an IoT Botnet and Why Is It So Hard to Stop
Mirai’s attack mechanism was embarrassingly simple. It scanned the internet for IoT devices, tried 62 common default username and password combinations, and if it got in, it owned the device. No zero-day. No sophisticated exploit chain. Just unchallenged defaults on millions of devices that nobody ever secured.
IoT devices are the perfect botnet raw material. Most run stripped-down Linux variants, which Mirai and its successors can operate on easily. They’re always on. They have decent uptime and bandwidth. And critically, their owners rarely monitor them, patch them, or notice when they’ve been compromised. The device still works. It just has a second job now.
CISA flagged the vulnerability explicitly during the 2016 wave: the affected devices were primarily home routers, network-enabled cameras, and digital video recorders. Those same device categories now number in the billions worldwide. Nothing structurally changed. The attack surface got bigger.
The infection model that made Mirai effective is still the dominant model today. Default credentials. Unpatched firmware. No monitoring. Devices that owners forget they even have. As long as the security economics of IoT devices remain what they are, botnets will keep finding raw material.
From Mirai to Aisuru: How Botnets Evolved
Mirai was a turning point, not an endpoint. What happened next was a decade of iteration, each generation learning from the last.
Mozi compromised MikroTik routers at scale. Meris weaponized those devices for high-packet-rate HTTP floods. Log4Shell opened a new infection vector targeting cloud infrastructure and software supply chains. Mozi, Meris, and dozens of Mirai variants proliferated precisely because the source code was public. Every attacker who wanted to improve on it could, and many did.
Our 2026 Threat Intelligence Report covers the next chapter. The dominant botnet our SOC is tracking now is Aisuru/Kimwolf, estimated at one to four million compromised devices as of Q4 2025. Month-over-month growth averaged 12 to 18%. By Q4, peak attack sizes ran 40 to 50% above the first-half average of the year.
What separates Aisuru from Mirai isn’t just scale. It’s capability. Aisuru runs bandwidth-heavy and packet-rate attacks simultaneously, TCP and UDP at the same time, and it’s growing through zero-day vulnerabilities that haven’t been publicly identified or patched. Mirai variants are still active and still a real threat. But Aisuru has overtaken them in population and observed attack size. It’s the difference between a militia and a standing army.
"With the naked eye it's almost impossible to tell which botnet is in play. The differences in traffic are subtle; it takes time and expertise to be able to decipher. The same compromised device which once belonged to a Mirai variant can be re-compromised by Aisuru. Essentially, it's not relevant which botnet, just whether the vector can be mitigated."
Teressa Carlin, Threat Research Team Manager at Corero Network Security
That last line is the most operationally important thing about modern botnet defense. Attributing the specific botnet is less valuable than stopping the traffic. The detection and mitigation challenge is the same regardless of which C2 server issued the fire command.
What Our SOC Data Shows About Botnet DDoS Attacks Today
Our 2025 SOC data makes the botnet evolution concrete.
Peak attack sizes jumped 262% year over year. Every month in 2025 outpaced its 2024 counterpart. The average number of DDoS attacks per customer per day hit 12.3 in 2025, up 25% from where it sat in 2021. That’s not a spike. That’s a new floor.
The attacks aren’t just bigger. They’re more complex. The August 2025 campaign our SOC tracked deployed over 50 unique vector combinations simultaneously: TCP SYN/ACK reflection, UDP floods, and protocol exploits all running in parallel within a single attack. The Aisuru botnet drove the largest events, but multi-vector campaigns became the norm across the board, not the exception.
The pulse attack pattern added another layer of difficulty. Botnet attacks arriving in bursts as short as six seconds at terabit volumes saturate a 10 Gbps link multiple times over before most mitigation architectures have detected the traffic, let alone rerouted it. The mitigation window collapsed from minutes to seconds. For architectures that depend on rerouting to a scrubbing center, that math doesn’t work anymore.
A February 2026 TCP SYN event peaked at 1.3 billion packets per second. That’s not a volumetric outlier. That’s where the baseline is heading.
How to Detect and Block Botnet Traffic
Botnet detection has to happen before damage is done, not after the link is saturated. What that requires is a different detection model than most organizations are running.
Traditional signature-based detection doesn’t hold up against modern botnet traffic. Botnets generate traffic that deliberately mimics legitimate patterns because it often comes from legitimate devices. Traffic arrives from thousands of IPs across dozens of countries, with packet sizes and distribution designed to evade pattern matching. By the time a signature is written for a specific variant, that variant has already evolved.
Behavioral detection is what actually works. SmartWall ONE™ identifies attack characteristics in real time. Not by matching signatures. Not by requiring a learned traffic baseline. Behavioral anomalies and access intelligence feeds identify attack traffic regardless of what the traffic environment looks like. That distinction matters because botnet attacks often begin before historical baselines exist to compare against.
Source intelligence is another layer. Known botnet C2 infrastructure and compromised IP ranges can be flagged proactively, blocking attack nodes before traffic patterns alone trigger a response. Our DDoS Intelligence predictive protection feed provides this out of the box.
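To make the two layers above concrete (baseline-free behavioral detection, plus a proactive source-intelligence list), here is an added Python example written for this page; it is not Corero's or SmartWall ONE's code. It scores one-second windows of constructed flow records on absolute indicators (packet rate, source spread, mean packet size) with no learned baseline, drops sources in a hypothetical intel range before any verdict, and then filters on the shape of the attack traffic rather than on source IPs, which is the point the text makes about IP blocking not scaling. The flow record format, the thresholds, the address ranges and the intel list are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, namedtuple

# Flow: one aggregated record in a one-second bucket (constructed format).
Flow = namedtuple("Flow", "second src country proto packets octets")


def build_sample_flows():
    """Constructed sample traffic, not captured data: second 0 is ordinary web
    traffic from 20 clients in 3 countries; second 1 adds 400 hypothetical bots in
    8 countries, each sending small UDP packets, the shape of a botnet UDP flood."""
    flows = []
    for i in range(20):  # legitimate clients (documentation address range)
        for sec in (0, 1):
            flows.append(Flow(sec, f"198.51.100.{i + 1}", ["US", "DE", "FR"][i % 3], "TCP", 50, 50 * 900))
    bot_countries = ["BR", "CN", "US", "VN", "RU", "IN", "KR", "TR"]
    for i in range(400):  # bots, also placed in documentation address ranges
        bot = f"203.0.113.{i + 1}" if i < 250 else f"192.0.2.{i - 249}"
        flows.append(Flow(1, bot, bot_countries[i % 8], "UDP", 250, 250 * 60))
    return flows


# Hypothetical source-intelligence feed: one range treated as known-compromised.
INTEL_RANGES = [ipaddress.ip_network("192.0.2.0/25")]

# Assumed thresholds for this toy edge; real values depend on link capacity.
PPS_THRESHOLD = 50_000      # packets per second this edge cannot absorb
SOURCE_THRESHOLD = 200      # distinct sources in one second
COUNTRY_THRESHOLD = 5       # distinct source countries in one second
SMALL_PACKET_BYTES = 100    # mean packet size typical of floods, not of web traffic


def in_intel(src, ranges=INTEL_RANGES):
    return any(ipaddress.ip_address(src) in net for net in ranges)


def window_metrics(flows):
    """Absolute, baseline-free measurements of a one-second window."""
    packets = sum(f.packets for f in flows)
    return {
        "pps": packets,
        "unique_sources": len({f.src for f in flows}),
        "countries": len({f.country for f in flows}),
        "mean_bytes_per_packet": sum(f.octets for f in flows) / packets if packets else 0.0,
    }


def classify_window(metrics):
    """Return (is_attack, indicators); two or more indicators mark an attack."""
    indicators = []
    if metrics["pps"] >= PPS_THRESHOLD:
        indicators.append("rate")
    if metrics["unique_sources"] >= SOURCE_THRESHOLD and metrics["countries"] >= COUNTRY_THRESHOLD:
        indicators.append("distribution")
    if metrics["mean_bytes_per_packet"] < SMALL_PACKET_BYTES:
        indicators.append("packet_shape")
    return len(indicators) >= 2, indicators


def size_class(flow):
    return "small" if flow.octets < SMALL_PACKET_BYTES * flow.packets else "large"


def derive_filter(flows):
    """The (protocol, size class) carrying the most packets: a filter on traffic
    shape rather than on source IPs, which survives the spread across many devices."""
    by_class = Counter()
    for f in flows:
        by_class[(f.proto, size_class(f))] += f.packets
    return by_class.most_common(1)[0][0]


def apply_mitigation(flows, filt, ranges=INTEL_RANGES):
    """Drop intel-listed sources first, then flows matching the behavioral filter.
    Returns (kept_flows, intel_dropped_packets, behavioral_dropped_packets)."""
    kept, intel_dropped, behav_dropped = [], 0, 0
    for f in flows:
        if in_intel(f.src, ranges):
            intel_dropped += f.packets
        elif (f.proto, size_class(f)) == filt:
            behav_dropped += f.packets
        else:
            kept.append(f)
    return kept, intel_dropped, behav_dropped


def run_demo():
    """Push each second through detection and mitigation; returns residual pps per second."""
    flows = build_sample_flows()
    residual = {}
    for sec in (0, 1):
        window = [f for f in flows if f.second == sec]
        metrics = window_metrics(window)
        is_attack, indicators = classify_window(metrics)
        residual[sec] = metrics["pps"]
        if is_attack:
            filt = derive_filter(window)
            kept, intel_dropped, behav_dropped = apply_mitigation(window, filt)
            residual[sec] = sum(f.packets for f in kept)
            print(f"second {sec}: attack {indicators}, filter {filt}, intel dropped "
                  f"{intel_dropped} pps, behavioral dropped {behav_dropped} pps")
        print(f"second {sec}: {metrics['pps']} pps in, {residual[sec]} pps residual")
    return residual


if __name__ == "__main__":
    run_demo()
```

Running it leaves second 0 untouched and flags second 1 on all three indicators: the intel-listed /25 is dropped before the behavioral verdict, the UDP small-packet class is filtered, and only the 1,000 pps of client traffic remains. The accuracy comes from matching the attack's shape, not from enumerating 420 source addresses, which is why the same logic holds when the source count is in the millions.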
For the volumetric end of botnet attacks, specifically the kind Aisuru is now generating at 2.7 Tbps, architecture matters as much as detection logic. Cloud scrubbing can serve as a secondary layer for truly hyper-volumetric events, but the math is unforgiving: at 2.5 Tbps, you need 99.96% mitigation accuracy just to keep a 1 Gbps customer link clear. At that scale, half a percent of residual traffic is a 12.5 Gbps flood. That’s a complete outage for most access links.
Sub-second, inline mitigation is the architecture that keeps pace. Detecting and blocking attack traffic in milliseconds rather than minutes is the only approach that closes the window before damage accumulates.
FAQ
How are botnets used in DDoS attacks?
A botnet controller issues a command to thousands or millions of compromised devices simultaneously, each sending traffic toward the target. The combined volume overwhelms the target’s network capacity. Because the traffic originates from distributed real-world devices across many geographies, IP-based blocking alone can’t stop it. The attack pattern has to be identified and filtered directly.
An IoT botnet is a botnet built from compromised Internet of Things devices: home routers, cameras, DVRs, smart appliances, industrial sensors. These devices typically run minimal software, have limited security controls, and are rarely monitored by their owners, making them easy to compromise at scale. Mirai pioneered IoT botnets in 2016 by exploiting default credentials on millions of devices. Aisuru/Kimwolf has expanded the model further, reaching an estimated one to four million devices as of late 2025.
Effective botnet detection requires behavioral analysis rather than signature matching. The goal is identifying attack characteristics (rate anomalies, traffic distribution patterns, packet behavior) in real time, without relying on historical baselines. Source intelligence feeds add a proactive layer by flagging known botnet infrastructure before traffic patterns trigger a response. For blocking, inline mitigation with sub-second response times is the architecture that keeps pace with how fast modern botnet attacks move, especially pulse attacks that arrive and end in under 10 seconds.
