Benjamin,

It sounds like you recognize that this botnet exploits compromised devices on 
your customers’ networks, which are generating massive volumes of outbound DDoS 
traffic from your network. It’s thus your responsibility to address egress 
hygiene as a core operational standard and monitor and suppress malicious 
traffic leaving your network.


One way to do this is via DDoS filtering services like Lumen’s Lotus Defender. 
These have been effective at disrupting the botnet's infrastructure by 
filtering the low-volume inbound control channel. Yes, such services are not 
free, but the problem on your network is due to your customers, not anybody 
else’s. It is your customers’ Android IoT devices that are compromised.


You could ask your complaining customers to shut off their Android devices and 
see if their Internet improves, thus demonstrating the problem is with their 
IoT gear.


As for mainstream media coverage, “big” ISPs can’t make them publish anything. 
But you can point your customers to this well-written piece by Krebs On 
Security that clearly identifies consumers as the problem before it goes into 
the technical details:

<https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/>

 -mel beckman

On Jan 16, 2026, at 7:16 AM, Benjamin Hatton via NANOG <[email protected]> 
wrote:

As a smaller ISP, I think the biggest thing that would help us would be a
'mainstream' media outlet covering some of it so we have something to show
customers who call in about their internet being bad, us telling them it is
their Android streaming box that is taking up their entire connection
moving TBs of data a day, and them responding with "but I bought it from
Walmart/Amazon" or "you are just trying to get me to sign up for your
cable" and refusing to do anything about it because 'free TV'.

Cybersecurity blogs are not on our typical customers' reading list.

On Fri, Jan 16, 2026 at 9:03 AM Josh Luthman via NANOG <
[email protected]> wrote:

How?

On Fri, Jan 16, 2026 at 8:34 AM Corey Smith via NANOG <
[email protected]>
wrote:

I would appreciate if any ISP Operators could help some of the smaller
ISPs like us in stopping the traffic from these new Malware infected customers
that have devices with Aisuru/Kimwolf botnet.

These are Residential Proxies for the most part, but hard to stop.

Any help would be greatly appreciated.
_______________________________________________
NANOG mailing list


https://lists.nanog.org/archives/list/[email protected]/message/SAWGTYD5FM22MEKO5WIQP2YTSASVV4P7/
