Azure hit by 15 Tbps DDoS attack using 500k IP addresses

Article/source discussion

  • Some objected to using Microsoft’s own blog, viewing it as a corporate press release with little technical detail; preference expressed for independent reporting that adds research and context.
  • Others note the article is very short and light on data (no traffic samples, limited attack breakdown), which fuels skepticism about “record” framing and marketing motives.

Residential proxies, VPNs, and abuse

  • One line of discussion argues for banning commercial “residential proxy” businesses designed to evade blocks, while not outlawing personal VPN/home access.
  • Many push back hard: such bans are seen as unworkable, bad for privacy, and easily conflated with cracking down on legitimate VPN usage in an increasingly authoritarian world.
  • Clarification from some: many “residential proxy” services are actually built atop IoT/router botnets selling compromised devices as exit nodes.

IoT insecurity and auto-updates

  • Broad agreement that IoT (routers, cameras) is a major DDoS substrate; “wave after wave” of insecure devices.
  • A specific claim: compromise of a router vendor’s forced-update infrastructure (partly driven by EU “timely updates” requirements) added ~100k devices to Aisuru, showing the risk of centralized, mandatory update channels.
  • Debate whether such laws reduce overall risk (by forcing patching and penalizing vendors) or just centralize failure and incentivize sloppy remote-update mechanisms.

Responsibility: users, vendors, ISPs

  • Personal “secure your devices” is viewed as non-scalable; many argue manufacturers/distributors should be legally responsible for shipping and maintaining secure firmware.
  • Some want ISPs to quarantine infected customers, notify them, and/or block traffic. Others note ISPs have little economic incentive and would incur support costs and customer churn.
  • Examples are given of ISPs already quarantining compromised routers in some countries, but questions are raised about usability and fairness.

Mitigation mechanisms and network design

  • Network engineers in the thread reference RTBH (remotely triggered black hole routing), BGP Flowspec, and anti-spoofing (ingress filtering) as existing but underused tools to squelch attacks near origin; political/economic will is seen as the bottleneck.
  • Source spoofing is discussed: Microsoft’s blog claims “minimal spoofing,” and some note modern anti-spoofing is widespread but still incomplete.
  • IPv4 + CGNAT complicates IP-based blocking and attribution. Advocates argue widespread IPv6 would allow more precise, persistent blocking of individual endpoints or prefixes; critics note managing hundreds of thousands of block entries and dynamic assignments remains challenging.
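The following is an added example, not code from the thread, the article, or Microsoft, illustrating two of the mechanisms argued over above on constructed data: a BCP 38 style ingress (anti-spoofing) check at a hypothetical ISP edge, and a count of how many filter entries a blocklist would need at different granularities (per IPv4 host, per IPv4 /24, per IPv6 host, per IPv6 /64). The customer-port delegations, the packets, and the attack source list are all constructed; the assumption that one IPv6 /64 corresponds to one subscriber is the usual deployment convention, not something the thread establishes.

```python
"""Added example (not from the discussion or from Microsoft's blog): two defensive
building blocks the thread mentions, run on constructed data.

1. BCP 38 style ingress filtering: an ISP edge accepts a packet from a customer
   port only if its source address lies inside the prefixes delegated to that port.
2. Blocklist sizing: how many filter entries (ACL / RTBH / Flowspec rules) a flood
   needs at each blocking granularity, which is the IPv4-vs-IPv6 trade-off above.
"""
import ipaddress

# Constructed delegations for a hypothetical ISP edge (documentation ranges only).
# IPv4 customers share a pool behind CGNAT; IPv6 customers get their own /48 here.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("2001:db8:1::/48")],
    "port-2": [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("2001:db8:2::/48")],
}


def bcp38_allows(port, src):
    """uRPF-like check: True if src belongs to the prefixes delegated to `port`.
    Anything else is spoofed (or misconfigured) and is dropped at the edge."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def filter_spoofed(packets):
    """packets: iterable of (ingress_port, source_ip). Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for port, src in packets:
        (accepted if bcp38_allows(port, src) else dropped).append((port, src))
    return accepted, dropped


def constructed_packets():
    """Constructed sample traffic: three legitimate sources, two spoofed ones."""
    return [
        ("port-1", "203.0.113.10"),        # legitimate, inside port-1's IPv4 block
        ("port-1", "2001:db8:1:5::42"),    # legitimate, inside port-1's IPv6 /48
        ("port-1", "198.51.100.7"),        # spoofed: address belongs to port-2
        ("port-2", "192.0.2.99"),          # spoofed: not delegated to any port
        ("port-2", "2001:db8:2::1"),       # legitimate
    ]


def distinct_prefixes(sources, bits_v4, bits_v6):
    """Map each attacking address to the prefix it would be blocked under."""
    out = set()
    for s in sources:
        a = ipaddress.ip_address(s)
        bits = bits_v4 if a.version == 4 else bits_v6
        out.add(ipaddress.ip_network(f"{a}/{bits}", strict=False))
    return out


def blocklist_sizes(sources):
    """Filter entries needed per granularity. Assumption (labelled): one IPv6 /64
    is one subscriber, so /64 blocking is precise; an IPv4 /24 behind CGNAT is not."""
    hosts = distinct_prefixes(sources, 32, 128)
    coarse = distinct_prefixes(sources, 24, 64)
    return {
        "v4_hosts": sum(1 for n in hosts if n.version == 4),
        "v4_slash24": sum(1 for n in coarse if n.version == 4),
        "v6_hosts": sum(1 for n in hosts if n.version == 6),
        "v6_slash64": sum(1 for n in coarse if n.version == 6),
    }


def constructed_attack_sources():
    """Constructed flood: 120 scattered IPv4 hosts from two documentation /24s and
    500 IPv6 hosts clustered in ten customer /64s (hypothetical, not real data)."""
    v4 = [f"203.0.113.{3 * i + 1}" for i in range(60)] + \
         [f"198.51.100.{3 * i + 2}" for i in range(60)]
    v6 = [f"2001:db8:1:{k}::{h:x}" for k in range(10) for h in range(1, 51)]
    return v4 + v6


if __name__ == "__main__":
    accepted, dropped = filter_spoofed(constructed_packets())
    print(f"ingress filter: accepted {len(accepted)}, dropped {len(dropped)} spoofed")
    for granularity, entries in blocklist_sizes(constructed_attack_sources()).items():
        print(f"{granularity:>11}: {entries} entries")
```

With the constructed flood, blocking IPv4 per host needs one entry per attacker while blocking per /24 collapses to two entries but also hits every other subscriber behind the same CGNAT pool; on the IPv6 side the 500 hosts fold into ten /64 entries with no collateral under the one-subscriber-per-/64 assumption. That is the trade-off the thread describes: per-prefix persistence versus the size and fairness of the block table.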

Open-source firmware and supply chain security

  • Concern is raised that open-source router firmware projects (e.g., OpenWrt) also have attractive update/build infrastructure that could be compromised.
  • Others counter that vendor servers are already being compromised, and open projects at least use signed firmware, reproducible builds, and more community scrutiny.
  • Discussion extends into build reproducibility, bootstrappable toolchains, and the difficulty of truly offline, verifiable builds even in open source.

Aisuru botnet, Azure impact, and Cloudflare

  • Aisuru is described as a Mirai-family IoT botnet, now also renting itself as “residential proxies.” The Azure attack used ~500k IPs, ~15 Tbps, and lasted ~40 seconds, targeting one Australian endpoint.
  • Some suspect the short, high-volume burst is essentially an advertisement: “look what our botnet can do” to future DDoS-for-hire customers.
  • Reported impact on Azure was negligible; some commenters joke that Azure is slow enough normally that extra load is unnoticed.
  • Multiple people note ironic contemporaneous outages at Cloudflare and difficulty reaching the article itself, reigniting concerns about Internet centralization around a few large DDoS “scrubbing” providers.

Motives and economics of DDoS

  • A large subthread explores why DDoS exists at all:
    • Extortion/protection rackets (“pay or we keep you down”).
    • Gaming-related pettiness and coercion (revenge for bans, sabotaging tournaments, forcing players from competitor servers).
    • Market manipulation: gaming economies, gambling/e-sports betting, private MMO servers, and paid cosmetics economies.
    • “Free trial” or marketing runs for DDoS-for-hire services (short, fixed-duration blasts).
  • Some note that massive, random attacks against cloud endpoints may serve to obscure more targeted operations by hiding signal in noise.

Law enforcement and global governance

  • Several ask why there isn’t an effective international cyber law-enforcement body that can “remove bad actors.”
  • Responses emphasize:
    • Jurisdictional limits and sovereignty: states won’t accept foreign agents arresting their citizens.
    • Political incentives: some states benefit from offensive cyber activity and won’t cooperate.
    • Analogy to existing bodies (UN, anti-trafficking, etc.): they mitigate but don’t eliminate crime and are constrained by funding, corruption, and politics.
  • Some fear any strong global cyber police would drift toward identity-linked IPs and censorship; others argue some coordinated mechanism to pressure ISPs and vendors is still better than today’s “wild west.”