Aisuru Botnet Overpowers Cloudflare’s Domain Rankings

Cloudflare recently saw its public ranking of the most frequently requested websites overtaken by domains associated with the massive Aisuru botnet. Cloudflare’s chief executive, Matthew Prince, stated that Aisuru’s overlords are using the botnet to boost malicious domain rankings while simultaneously attacking Cloudflare’s DNS service.

Aisuru is a rapidly growing botnet made up of hundreds of thousands of hacked IoT devices, such as security cameras and routers. The botnet has grown significantly since its debut in 2024 and can launch record DDoS attacks nearing 30 terabits of data per second.

Cloudflare responded by partially redacting Aisuru domain names from its top websites list and adding a warning at the top of its rankings. However, some experts believe that this approach may not be enough to address security concerns.

Renée Burton, vice president of threat intel at Infoblox, explained that Cloudflare’s ranking system is simplistic and measures the volume of DNS queries to 1.1.1.1. The attack is likely generating a ton of requests to influence rankings while also targeting the company’s DNS service.

Experts also noted that Aisuru’s domains are showing up in Cloudflare’s rankings because they are using Cloudflare’s main DNS server. This may be attributed to the popularity algorithm reflecting raw DNS volume rather than real human use. The CEO of Epi, Alex Greenland, suggested that Cloudflare should separate malicious domains from the list to avoid widespread misuse.

In response to the attacks, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list and hiding them entirely from the web version of the list. However, experts suggest running tests with honeypot servers to understand what the botnet is doing and how it can be countered.

The use of honeypot servers may seem counterintuitive, but it could provide valuable insights into Aisuru’s tactics, techniques, and procedures (TTPs). Mapping real-time changes in these TTPs would help improve defense strategies against the botnet.

Source: https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-top-domains-list