Home
Trilogy AI CoE

The 15.7 Tbps DDoS That Should Scare AI Teams More Than Model Benchmarks
Botnets, bandwidth, and the illusion of AI reliability: what the Aisuru attack on Azure should change in how AI teams think about infrastructure.
The Attack Nobody Noticed
On October 24, Microsoft quietly absorbed a 15.7 Tbps DDoS attack against an Azure customer. Over 500,000 hijacked IoT devices tried to crush a single endpoint in Australia. Azure mitigated it automatically; most people never noticed.
The story ran as a security headline: Massive DDoS hits Microsoft's Azure, traced to Aisuru botnet.
But if you're building AI systems, this isn't just a security story. It's a reminder that your entire AI strategy is still downstream of very old, very boring infrastructure: routers, ISPs, cloud networking, and the control planes you don't control.
We talk about AI as if it lives in a clean, abstract layer of "intelligence." In reality, it's just another workload competing for bandwidth on someone else's pipes.
The Stack We Pretend Doesn't Exist
When teams talk about "AI reliability," they usually mean:
  • Model quality and evals
  • Latency and throughput
  • Cost per 1M tokens
  • Prompt / agent robustness
All of that is important. But it's not where your AI actually lives.
A more honest dependency stack for a typical AI application looks like this:
01
Consumer devices & IoT
Home routers, cameras, random boxes with default passwords. These are the raw material for botnets like Aisuru, which powered the 15.7 Tbps attack.
02
ISPs and backbone networks
The pipes that carry both your AI traffic and the attacker's traffic. They don't care which packets are "AI"; they just see congestion.
03
Cloud networking & DDoS protection
Azure, AWS, GCP edge and regional networking, load balancers, and scrubbing centers. This is where Microsoft filtered and redirected the Aisuru traffic.
04
Cloud control planes and regional services
The internal APIs and control surfaces that provision your VMs, containers, and managed services. If these get saturated or degraded, your AI stack doesn't even start.
05
Your AI workloads
Model endpoints, vector stores, orchestration layers, MCP-style tool routers, agents, UI. All of this assumes the lower layers are healthy and invisible.
The Aisuru attack never "hit AI" directly. It didn't need to. If Azure's mitigation had failed, a single endpoint in Australia could have been the domino that took down real workloads—some of them almost certainly AI-powered.

The lesson: AI reliability is a property of the whole stack, not just the model.
The Illusion of AI Reliability
Most AI roadmaps I see treat infrastructure as a solved problem:
  • "We'll use Azure OpenAI / Anthropic / [model X] in region Y."
  • "We'll put a gateway in front of it."
  • "We'll monitor latency and error rates."
Implicit assumption: the network is fine, the cloud is fine, and DDoS is someone else's problem.
The Aisuru numbers break that illusion:
15.7
Tbps of traffic
500K+
Devices participating
22
Tbps previous peaks
It used to be rare for DDoS attacks to exceed 1 Tbps. Now we're casually talking about 20+ Tbps as a demo.
Meanwhile, AI teams are debating which model has a slightly better MMLU score.
If your AI strategy doesn't include:
  • A clear understanding of which cloud regions and endpoints you depend on
  • A plan for what happens when they're degraded or unavailable
  • A way to degrade gracefully instead of just failing hard
…then you don't have an AI reliability strategy. You have a slide deck.
What an AI Reliability Standard Should Actually Include
If you run an AI Center of Excellence or anything like it, you probably have documents about:
  • Model selection
  • Prompting patterns
  • Evaluation and monitoring
  • Data governance and privacy
You probably don't have a section titled: "What happens when a 15 Tbps DDoS hits our cloud provider?"
You don't need to become a DDoS expert, but you do need to encode some basic infrastructure awareness into your AI standards.
Here are concrete elements that belong in an AI reliability standard.
1
AI Dependency Maps
For every critical AI system, document:
  • Which cloud provider(s) it depends on
  • Which regions / zones it runs in
  • Which managed services are in the critical path (API gateways, load balancers, DNS, vector DBs, model endpoints)
  • Which business processes break if those services degrade
This doesn't need to be pretty. A text diagram is enough. The point is to make the invisible dependencies visible.
2
Multi-Region or Multi-Zone by Default (for Critical Workloads)
Not every experiment needs this. But anything that touches:
  • Customer-facing experiences
  • Revenue-critical operations
  • Compliance-sensitive workflows
…should be designed to survive a regional incident.
That doesn't mean "we'll fail over manually if something happens." It means you've actually:
  • Deployed in multiple zones or regions
  • Tested failover paths
  • Verified that your DNS, routing, and configuration don't assume a single healthy region
Aisuru targeted a single endpoint in Australia. If that endpoint had been your only path to a critical AI service, your "AI strategy" would have been a single point of failure.
3
AI Brownout Modes
Most AI systems are built with a binary mindset:
  • The model is available → full experience
  • The model is down → error message
Reality is messier. Under heavy load or partial outages, you get:
  • Increased latency
  • Higher error rates
  • Throttling and timeouts
  • Partial failures in tool calls or vector lookups
Design brownout modes explicitly:
  • What does your application do if the AI call times out?
  • Can it fall back to cached answers or simpler heuristics?
  • Can it switch to a smaller, cheaper, or local model with degraded quality but higher availability?
  • Can it reduce features (e.g., summarize less, skip non-critical calls) instead of failing entirely?
Brownout modes turn infrastructure problems into graceful degradation instead of total failure.
4
Tabletop Exercises That Include Infrastructure Failure
Most AI risk exercises I see focus on:
  • Hallucinations
  • Jailbreaks and prompt injection
  • Data leakage
Those are real risks. But add at least one scenario like:
"A large DDoS attack is saturating our cloud provider's edge in one region. Latency is spiking, error rates are up, and some services are intermittently unavailable. What happens to our AI systems in the next 60 minutes?"
Then ask:
  • Who notices first?
  • What dashboards do they look at?
  • Do they know which AI systems are affected?
  • Is there a playbook, or do they improvise in Slack?
You don't need perfect answers. You need to discover the blind spots before a real botnet does it for you.
AI Strategy as Systems Strategy
The Aisuru botnet isn't "AI-powered" in any meaningful sense. It's a traditional botnet built from compromised routers and cameras.
That's precisely why this story matters for AI.
It shows that:
Attackers don't need AI to hurt AI.
They just need bandwidth.
AI systems are not special.
They're just another class of workloads running on shared infrastructure.
Reliability is holistic.
If your AI strategy ignores the lower layers of the stack, it's fragile by design.
We're entering a phase where organizations are comfortable saying:
"We're going all-in on AI."
If you're going all-in on AI, you're also going all-in on:
  • Your cloud provider's DDoS posture
  • Your network architecture
  • Your ability to operate under partial failure

You don't need to panic about every botnet headline. But you do need to stop pretending that AI lives in a clean, separate layer above the messy internet.
Your AI strategy still runs on someone else's router. The sooner you design for that reality, the less surprising the next 15 Tbps headline will be.