Azure hit by 15 Tbps DDoS attack using 500k IP addresses
Mood
heated
Sentiment
negative
Category
tech
Key topics
DDoS attack
Azure security
IoT botnet
Microsoft Azure was hit by a record-breaking 15 Tbps DDoS attack using 500k IP addresses, sparking discussions on cloud security, IoT vulnerabilities, and the motivations behind such attacks.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
50m
Peak period
157
Day 1
Avg / period
80
Based on 160 loaded comments
Key moments
- 01Story posted
11/17/2025, 5:39:15 PM
2d ago
Step 01 - 02First comment
11/17/2025, 6:29:39 PM
50m after posting
Step 02 - 03Peak activity
157 comments in Day 1
Hottest window of the conversation
Step 03 - 04Latest activity
11/19/2025, 2:10:07 AM
17h ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
The Microsoft article reads like a corporate press release. The original link contained additional pertinent information and research which is good for discussion.
The principles here are clear: we prefer the best third-party article to corporate press releases (https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...), but at the same time we don't want blogspam (i.e. ripoffs that don't add anything interesting).
You gotta draw the line in the sand somewhere, VPNs are already morally dubious, but if you ban the most shady of VPNs, residential proxies, then you can at least guarantee service providers the right to deny service to proxy users, while allowing proxy users to use the proxy everwhere they are welcome in.
The way it works is that these pwned IoT devices sell themselves to paying customers as proxies. So the pwners are not the ones actually running the DDoS service/Ransomware distribution/malicious activities. Rather it's an economy where each malicious actor offers their specific service.
In this case IoT device pwners pwn the device, install a VPN server and place their devices on a marketplace where they charge cents per hour using cryptocurrency. Then whoever needs an anonymous IP address pays for a couple of hours of 10k ip residential addresses, and sends their traffic wherever they need to.
So both are true: DDoSers (and malicious actors in general) use pwned devices, but they also use VPNs
At the moment, that's what Cloudflare is doing. They're just not obvious enough, leading to people on forums (and here) asking "why do I constantly need to fill out captchas to enter websites".
Until then... There's gonna be a bigger wave.
If the vendor can't even secure their update server; how long do you think it would be until some RCE on these 100k un-patchable routers gets exploited?
The only people to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...
relevant law here: EU Cyber Resilience Act (CRA).
Fine, but that is the real discussion to have. Not 'it has this risk and therefore is bad'.
> banning vendors that do not secure their devices
I think the goal is to encourage positive behavior, not try to monitor everyone and evaluate their updates.
> promotes them to include sloppy (insecure) implementations for pushing said updates just to do bare minimum to comply with the law
I imagine the law is more than just one clause ?
And the other option isn't that much better, because "don't do autoupdates because maybe the update server is compromised" leads to a bunch of unsecured devices everywhere.
The only "real" solution is also completely unrealistic: Every private person disables auto updates, then reads the change log, downloads updates manually, and checks them against some checksum.
The better solution would be to simply increase fines until morale improves.
The article makes it sound like the issue is largely compromised routers and cameras -- and presumably cameras are less likely to be publicly-accessible to get compromised in the first place.
ISPs are able to update firmware on the routers they own, so it's my guess that it's customer-owned routers that are the main issue here.
Only way is to secure your IoT devices/routers/cameras/etc.
It would be better to get the regulation set up before stronger gatekeepers are created
I'd rather these attacks continue, than they not exist at all, because the latter is only possible in a world without any freedom.
edit: grammar
That's the trick. A lot of countries bill calls to cell phones at 10 cents a minute; in the US, calling is near zero cost. The US makes a great market for scammers to target because of low operating costs, penetration of globally usable payment cards, minimal language diversity.
Of course, these scams are forbidden by law, but that doesn't change the economics. Very few scam shops get busted; especially when most of them run from outside the US. STIR/SHAKEN helps a bit, but not much... without a effective mechanism to report unwanted calls that leads to those callers being ejected from the network as well as ejecting providers that are unresponsive to reports, there's not really hope of progress.
Literally the same as economic sanctions. The internet is a network of peers “trading” bits and bytes after all.
North Korea doesn't care if you limit their internet they already allow people to go outside their own.
Just not enough economic or political incentive to pay for it.
For a few reasons (political, economical) there’s little will to enact them, these attacks are so few and far between and you can pay your way out of them in most cases, so the incentives aren’t there for ISPs (whom are a commodity judged primarily on price and bandwidth)
You detect the behaviour downstream and send a signal to the ISP that there is traffic that needs to he rate limited.
One mechanism for this is called RTBH (Remote Triggered BlackHole) which relies on community tagged prefixes of addresses exceeding rate limited to be blackholed from forwarding traffic further in to the internet.
There’s also things like flowspec but a lot of things rely on proper trust between ASNs.
But as the sibling mentioned, even with spoofing, you can still follow the packet trail from your border routers upstream. I think the main thing we are lacking is just responsibility on the ISP side, if someone reaches out complaining that half of your customers are sending ddos attacks, maybe you need to do something about it. Most of these huge attacks are compromised routers or IoT devices (remember Mirai Botnet?).
When I was running servers that would routinely attract DDoSed at ~ 10 Gbps, I ended up always running a low sample rate packet capture. Anytime I noticed a DDoS, I could go and look at the packets. If you've got connectivity to sink and measure 15 Tbps of DDoS, you can probably influence your providers to take some sampled packet captures and look at them too.
Even without clear information from packet captures, 15 Tbps is going to make an impact on traffic graphs, and you can figure out sources from those, although it might be a bit tricky because the attack duration was reported at only 40 seconds, so if someone only has hourly stats, it might be too small to be noticed; but once a minute stats are pretty common.
There's layer upon layer of relays now, and meshed C2C networks.
Lots of DNS fastflux too
I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Careful what you wish for. Before you know it you can't have an IP without your ID.
But who will suppress attempts to go beyond the blackwall then?
They've never been expected to "stamp out" those things, any more than a city police department is expected to stamp out all crime and doctors are expected to stamp out all illness. Their mission is to reduce those things:
For warfare, they have been extremely successful relative to human history. War has actually become taboo and illegal, and very few happen. Look at history before the UN - it's a miracle. Think of the vision and confidence of people who, looking at 10,000 years of human history, immediately after two world wars, thought it was even possible, came up with effective strategy, did the hard work, and accomplished it.
I don't know the details of the other fields.
> I'd say a putative UN NetWatch would suffer from the same issues of funding and corruption and politics, but still we might have something better than this wild west lawlessness.
Politics and funding, and corruption, come with every human institution over a certain size, and especially with governments which can't exclude undesireable people: Democratic governments are the least corrupt, but if the people elect a corrupt representative or executive, then nobody can kick them out (unless they commit prosecutable crimes). And now imagine an association or confederation of governments, which is what the UN is.
So yes, the goal is to make something better. Otherwise, we might as well quit on everything.
Some sort of international clearing house for ISPs to help identify and sequester compromised customers might be nice, too; but that doesn't need law enforcement powers; and maybe it already exists?
They have a fundamentally different government and social model, basically a one person dictatorship that feels the need to micromanage and control their populace.
They absolutely love seeing democracy and businesses associated with it fail because it reinforces their perspective of the CCP model being superior and thus strengthens their perceived legitimacy of CCP control over China.
It is China's national interests to see a stable America that can continue to maintain the post WWII world order that benefited China so much for so long. Without the US, who is going to maintain peace in the middle east, Africa and other places? without such peace, how could China export its goods and services?
"West" != America.
Your claim also implies that China and Russia are operating on the same level. That is laughable at best - Russia is a failed rogue state with the economic size comparable only to a Chinese province, it is left behind in ALL modern techs and its military hardware are aging fast. It is the complete opposite of the path took by China.
But here we are in 2025 still running IPv4 with CGNAT, so we can't.
CGNATs reuse IPs so any IP block rule fairly quickly becomes somebody else's IP that you shouldn't be blocking.
If, however, you use IPv6, you don't need CGNAT and, while addresses may change, a blocked address won't suddenly get recycled to an unsuspecting user. In addition, if the allocation is static, you can block the whole network range and the problematic devices can't change their allocation sufficiently to escape the IP block.
Companies don't seem to have a tough time managing the blocks for all the various ranges of all the VPS providers to prevent you from using VPNs to access their services. Somehow, I don't think blocking 500,000 IPs is a technical problem.
I also suspect that once you start getting effective IP blocking, that 500,000 number will drop quite rapidly as it simply won't be so profitable to commandeer a device.
> What I'd love to see is a service where websites could report abuse to ISPs, who would then take the misbehaving customers offline, until their system or behavior is fixed.
IPv4 CGNAT is part of that problem, too. Because of CGNAT, the offending IPs get "tumbled" and are more difficult to identify from outside the ISP. Consequently, it makes it difficult to punish the ISPs. Without IPv4 CGNAT, those IPs are more stable over time and can be identified outside the ISP boundary. If ISPs start losing customers because everybody in the universe has blocked various ranges, the ISPs will start blocking devices at origin.
I was under the impression that these botnets still rely on vulnerable computers, which have a human that will be calling support asking for the issue to be resolved.
Then it needs an ISP to figure out the issue and ask the client to sort out their compromised computer, but unlikely the ISP will stop a paying customer from internet access especially if it's not clear why their original assigned IPv6 is blocked.
You'd also need to have every country not actively involved in these types of schemes yet we know some governments are directly benefiting from the scams/theft their citizens are perpetrating.
You'd also need to have every country think the things you want to police against are wrong. Again, we know that's just not true.
Your administration then made copyright law changes a central goal of many agreements - essentially a non-negotiable requirement for say a trade agreement to proceed.
Borders currently get in the way but we needn't have law enforcement on foreign soil to solve that. Exchanging information and reliably acting upon it could be all these agencies need to do in their respective countries. When this proves effective aside from crime states that have no interest in upholding even their own laws (since dual illegality would probably be a prerequisite for any of this), they may eventually find themselves increasingly cut off and distrusted until they, too, cooperate or self-isolate like NK
for at least 6 months
https://www.bbc.com/news/articles/c785n9pexjpo
https://www.justice.gov/archives/opa/pr/new-york-resident-pl...
Law enforcement takes time. The perpetrators of these attacks aren't hanging out in the open with their full names shielded only by the hope that their country won't extradite for political favor.
By the time the perpetrators are identified and a case is built, getting them charged isn't bottlenecked on the lack of an international agency. Any international law enforcement agency would be beholden to each country's own political wills and ideals, meaning any "teeth" they had would be no more effective than what we currenly have for extraditing people or cooperating with foreign police organizations.
You mean Team America, World Police?
Besides the fact that not much happens in the international public sector, law enforcement is more about deterrence than prevention. Criminals aren't deterred by law enforcement, so the bad actors never stop. Human nature's a bitch.
If they did focus on prevention instead, most of this could be... prevented. Create a treaty that mandates how critical infrastructure technology is created/sold. Consumer routers will stop being shit at security, and home devices are slowed-down in upstream spamming. That's a good chunk of the denial-of-service market gone, with no need to police the world.
...but the criminals are smart and intentionally avoid attacking the powerful, so nobody cares. Same reason organized crime still exists. It's poor people caught up in gang violence and crime, not rich people, so it persists.
but these bad actors are not possible to track down in the first place since internet is unfortunately decentralized and things as simple as transactions submitted to bitcoin or etherium blockchain can be used as c&c
Tangential: once I was targeted by a pretty primitive scam. More than 10 years ago (after someone I love was naive and inexperienced, having a medium amount stolen in a sensitive and stressful time of this person's life). I recognised fast and having time and will I sarted to play along, pretending I bite the bait. Collecting info while acting. In parallel trying to connect local and international authorities to report an ongoing scam effort. I believe I tried 4 organizations in 3 different countries apparently involved, I believe one was dedicated to online scams, also trying to warn Western Union, they are about to be used for scam. I even went personally to a police station locally to get some advice on how to assist catching the criminals. Since all I encountered insisted to report my damages, so they could start an investigation on an actual loss happened, I furiously gave up and decided whenever I will be having financial trouble I will invest my efforts in scamming others. No-one cares catching those in act! So the thugs can be incredibly bold and dumb, like the one I encountered, it is no effort doing better.
This is scary. Everyone lauds open source projects like OpenWRT but... who is watching their servers?
I imagine you can't run an army of security people on donations and a shoestring budget. Does OpenWRT use digital signing to mitigate this?
Didn't they have a vulnerability in their firmware download tool like a minute ago?
The difference between OpenWRT and Linux distros is the amount of testing and visibility. OpenWRT is loaded on to residential devices and forgotten about, it doesn't have professional sysadmins babysitting it 24/7.
Remember the xz backdoor was only discovered because some autist at Microsoft noticed a microsecond difference in performance testing.
Is it "scary?" If you get scared easily, sure. Is it relevant? Not exactly. Are companies' official servers more secure than an open-source project's servers? In this case, apparently not.
Meanwhile, corporations are driven entirely by profit motive, so as long as it's more expensive to be vigilant about security than it is to be lax about it they will never improve.
Until companies which produce (and do not update) vulnerable equipment are penalized (e.g. charged with criminal negligence) for DDoS attacks using their hardware then the open-source projects are going to continue to be far more trustworthy and less vulnerable than corporations which mass-produce the cheapest hardware they can and then designating it as obsolete and unsupported as fast as possible to force more updates.
Plenty of stories of fairly major projects having evil commits snuck in that remain for months.
https://medium.com/@aleksamajkic/fake-sms-how-deep-does-the-...
https://blog.linuxmint.com/?p=2994
https://www.bleepingcomputer.com/news/linux/malicious-packag...
https://www.cnx-software.com/2021/04/22/phd-students-willful...
I could go on but I trust this is a sufficient number of examples.
Also, if you actually read it, there are exceptions for open source software!
(please prove me wrong, Alex)
> run an army of security people
Do you think these private companies do this? They don't. They pay as little as humanly possible to cover their ass.
Botnets comprised of compromised routers is common and commercial/consumer routers are a far juicer target than openwrt.
They probably spend more on the team who ends up writing the "We take your security very seriously" breach notification message than they do on "security people". At least until then get forced into brand-name external Cyber Security Consultants to "investigate" their breach and work out who they can plausibly blame it on that's not part of the C suite.
It’s probably helpful that open source teams aren’t hampered by standards and 20 year outdated audit processes either.
The build infrastructure is, of course, a juicy target: infect the artifact after building but before signing, and pwn millions of boxes before this is detected.
This is why bit-perfect reproducible builds are so important. OpenWRT in particular have that: https://openwrt.org/docs/guide-developer/security#reproducib...
I do see the Tor-Issue - a botnet or a well-supplied malicious actor could just flood it. And if you flip it - if you'd need agreement about the build output, it could also be poisoned with enough nodes to prevent releases for a critical security issue. I agree, I don't solve all supply chain issues in one comment :)
But that in turn could be helped with reputation. Maybe a node needs to supply 6 months of perfect builds - for testing as well - to become eligible. Which would be defeated by patience, but what isn't? It'd just have to be more annoying to breach the distributed build infrastructure than to plant a malicious developer.
This combination of reproducible, deterministic builds, tests across a number of probably-trustworthy sources is quite interesting, as it allows very heavy decentralization. I could just run an old laptop or two here to support. And then come compromise hundreds of these all across the world.
It really wouldn't. You don't even need a powerful build server since you can mirror whatever someone else built. You can also buy / hack nodes of existing trusted people.
I have yet to experience a straight shot install or build of anything in an air gapped environment. Always need to hack things to make it work.
That's not always the silver bullet you seem to think it is. Have you ever tried to build something like Chromium, Firefox, or LLVM yourself? It's not realistic to do that on a mid tier let alone low end device.
Even when you go to the trouble of getting a local build set up, more often than not the build system immediately attempts to download opaque binary blobs of uncertain provenance. Try building some common pieces of software in a network isolated environment and you will likely be surprised at how poorly it goes.
If projects actually took this stuff seriously then you'd be able to bootstrap from a sectorlisp and pure human readable source code without any binary blobs or network access involved. Instead we have the abomination that is npm.
Most importantly you need to pay attention to RAM usage, if necessary reducing parallelism so that it doesn't need to swap.
https://buildd.debian.org/status/package.php?p=firefox-esr
See Bootstrappable Builds for starting from almost nothing, so far only GNU Guix and StageX have worked out how to start from the BB work to get a full distro. Should be fairly trivial for other distros too if they cared.
https://bootstrappable.org/ https://guix.gnu.org/blog/2023/the-full-source-bootstrap-bui... https://stagex.tools/
Of course you can. You can also read the ToS before clicking accept, but who does that?
Cloudflare scrubs Aisuru botnet from top domains list - https://news.ycombinator.com/item?id=45857836 - Nov 2025 (34 comments)
Aisuru botnet shifts from DDoS to residential proxies - https://news.ycombinator.com/item?id=45741357 - Oct 2025 (59 comments)
DDoS Botnet Aisuru Blankets US ISPs in Record DDoS - https://news.ycombinator.com/item?id=45574393 - Oct 2025 (142 comments)
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server137 more comments available on Hacker News
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.