Bill, I, too, lived in those days, and had similar NetFlow surveillance.
Alas, those days are over. You probably already know this, but in case others don’t, the problem with the AISURU is that home user’s infected devices don’t do scanning, so you can’t detect them. They simply send DDoS packets — which just look like normal traffic —against pre-defined targets communicated over the botnet C2 network. The botnet uses DNS-over-TLS (DoT) to hide C2 communication, preventing traditional network monitoring tools from seeing what the bots are doing. So the infected user’s outbound traffic is indistinguishable from, for example, ordinary web surfing. The DDoS filtering services are correlating attack traffic from the backbone to identify the target IPs, which they can then filter at the target’s border router. For a hefty fee, of course, using BGP redirect. But there’s nothing anybody can do on the source end without the customers’ intervention. That’s this problem in a nutshell. But there are many other DDoS attack modes, such as DNS amplification, UDP flood, SYN flood, etc. The sad truth is, if a DDoS hacker wants to put you out of business, you can’t really stop them without spending a ton of money. And it cost them nothing. That’s why fixing the vulnerable IOT devices is such a high priority. -mel via cell On Jan 17, 2026, at 9:10 PM, William Herrin via NANOG <[email protected]> wrote: On Fri, Jan 16, 2026 at 5:31 AM Corey Smith via NANOG <[email protected]> wrote: I would appreciate if any ISP Operators could help some of the smaller ISP like us in stopping the traffic from these new Malware infected customers that have devices with Aisiura/Kimwolf botnet, I don't know anything about the AISURU/Kimwolf botnet, but back in the day I'd point my default route at an IDS where I could monitor and log port scans sent from customers to unrouted IP address space. This worked because it was adjacent to a router with a full BGP table. This told me which customers had malware, and when contacted it let me say, "We recorded at least X hundred thousand unlawful network packets from your computers between date and date. If you're willing to turn things off one by one, we can help you identify which of your devices is at fault, but if you're unable to repair it yourself you'll have to seek assistance from a repair shop." And if it's equipment I sent the customers, I'd figure that out pretty quickly because it would have hit most of the customers I sent that equipment to. Regards, Bill Herrin -- For hire. https://bill.herrin.us/resume/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/6QXGVOHXDPYTBSSNHJPJHU2QOHEPRYLP/ _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/[email protected]/message/74MGY6WH62KS57SPFNJG3IF4TSE5DFI5/
