{"id":8217,"date":"2025-11-06T03:04:35","date_gmt":"2025-11-06T03:04:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/06\/cloudflare-scrubs-aisuru-botnet-from-top-domains-list\/"},"modified":"2025-11-06T03:04:35","modified_gmt":"2025-11-06T03:04:35","slug":"cloudflare-scrubs-aisuru-botnet-from-top-domains-list","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/06\/cloudflare-scrubs-aisuru-botnet-from-top-domains-list\/","title":{"rendered":"Cloudflare Scrubs Aisuru Botnet from Top Domains List"},"content":{"rendered":"<div>\n<p>For the past week, domains associated with the massive <strong>Aisuru<\/strong> botnet have repeatedly usurped <strong>Amazon<\/strong>, <strong>Apple<\/strong>, <strong>Google<\/strong> and <strong>Microsoft<\/strong> in Cloudflare\u2019s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. 
The chief executive at Cloudflare says Aisuru\u2019s overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the company\u2019s domain name system (DNS) service.<\/p>\n<div id=\"attachment_72541\" style=\"width: 757px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-72541\" decoding=\"async\" class=\" wp-image-72541\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/CFRadar-Aisuru-redacted.png?resize=747%2C529&#038;ssl=1\" alt=\"\" width=\"747\" height=\"529\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/CFRadar-Aisuru-redacted.png 1140w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/CFRadar-Aisuru-redacted-768x544.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/CFRadar-Aisuru-redacted-782x554.png 782w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/CFRadar-Aisuru-redacted-100x70.png 100w\" sizes=\"(max-width: 747px) 100vw, 747px\"><\/p>\n<p id=\"caption-attachment-72541\" class=\"wp-caption-text\">The #1 and #3 positions in this chart are Aisuru botnet controllers with their full domain names redacted. Source: radar.cloudflare.com.<\/p>\n<\/div>\n<p>Aisuru is a rapidly growing botnet comprising hundreds of thousands of hacked Internet of Things (IoT) devices, such as poorly secured Internet routers and security cameras. 
The botnet has <a href=\"https:\/\/krebsonsecurity.com\/2025\/10\/aisuru-botnet-shifts-from-ddos-to-residential-proxies\/\" target=\"_blank\" rel=\"noopener\">increased in size and firepower significantly since its debut in 2024<\/a>, demonstrating the ability <a href=\"https:\/\/krebsonsecurity.com\/2025\/10\/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos\/\" target=\"_blank\" rel=\"noopener\">to launch record distributed denial-of-service (DDoS) attacks<\/a> nearing 30 terabits of data per second.<\/p>\n<p>Until recently, Aisuru\u2019s malicious code instructed all infected systems to use DNS servers from Google \u2014 specifically, the servers at 8.8.8.8. But in early October, Aisuru switched to invoking Cloudflare\u2019s main DNS server \u2014 1.1.1.1 \u2014 and over the past week domains used by Aisuru to control infected systems started populating Cloudflare\u2019s top domain rankings.<\/p>\n<p>As screenshots of Aisuru domains claiming two of the Top 10 positions ping-ponged across social media, many feared this was yet another sign that an already untamable botnet was running completely amok. One Aisuru botnet domain that sat prominently for days at #1 on the list was someone\u2019s street address in Massachusetts followed by \u201c.com\u201d. 
Other Aisuru domains mimicked those belonging to major cloud providers.<\/p>\n<p>Cloudflare tried to address these security, brand confusion and privacy concerns by partially redacting the malicious domains, and adding a warning at the top of its rankings:<\/p>\n<p>\u201cNote that the top 100 domains and trending domains lists include domains with organic activity as well as domains with emerging malicious behavior.\u201d<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-72551\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/cfradar-warning.png?resize=675%2C466&#038;ssl=1\" alt=\"\" width=\"675\" height=\"466\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/cfradar-warning.png 613w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/11\/cfradar-warning-100x70.png 100w\" sizes=\"(max-width: 675px) 100vw, 675px\"><\/p>\n<p>Cloudflare CEO <strong>Matthew Prince<\/strong> told KrebsOnSecurity the company\u2019s domain ranking system is fairly simplistic, and that it merely measures the volume of DNS queries to 1.1.1.1.<\/p>\n<p>\u201cThe attacker is just generating a ton of requests, maybe to influence the ranking but also to attack our DNS service,\u201d Prince said, adding that Cloudflare has heard reports of other large public DNS services seeing similar uptick in attacks. \u201cWe\u2019re fixing the ranking to make it smarter. 
And, in the meantime, redacting any sites we classify as malware.\u201d<span id=\"more-72528\"><\/span><\/p>\n<p><strong>Renee Burton<\/strong>, vice president of threat intel at the DNS security firm <strong>Infoblox<\/strong>, said many people erroneously assumed that the skewed Cloudflare domain rankings meant there were more bot-infected devices than there were regular devices querying sites like Google and Apple and Microsoft.<\/p>\n<p>\u201cCloudflare\u2019s documentation is clear \u2014 they know that when it comes to ranking domains you have to make choices on how to normalize things,\u201d Burton <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7391657470152228864\/\" target=\"_blank\" rel=\"noopener\">wrote<\/a> on <strong>LinkedIn<\/strong>. \u201cThere are many aspects that are simply out of your control. Why is it hard? Because reasons. TTL values, caching, prefetching, architecture, load balancing. Things that have shared control between the domain owner and everything in between.\u201d<\/p>\n<p><strong>Alex Greenland<\/strong> is CEO of the anti-phishing and security firm <strong>Epi<\/strong>. Greenland said he understands the technical reason why Aisuru botnet domains are showing up in Cloudflare\u2019s rankings (those rankings are based on DNS query volume, not actual web visits). 
But he said they\u2019re still not meant to be there.<\/p>\n<p>\u201cIt\u2019s a failure on Cloudflare\u2019s part, and reveals a compromise of the trust and integrity of their rankings,\u201d he said.<\/p>\n<p>Greenland said Cloudflare planned for its Domain Rankings to list the most popular domains as used by human users, and it was never meant to be a raw calculation of query frequency or traffic volume going through their 1.1.1.1 DNS resolver.<\/p>\n<p>\u201cThey spelled out how their popularity algorithm is designed to reflect real human use and exclude automated traffic (they said they\u2019re good at this),\u201d Greenland <a href=\"https:\/\/www.linkedin.com\/posts\/activity-7390787635759173632-pycT?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAAAliaMB3BQO-WOS-eUh-XU4HAd5h8pTzkI\" target=\"_blank\" rel=\"noopener\">wrote<\/a> on LinkedIn. \u201cSo something has evidently gone wrong internally. We should have two rankings: one representing trust and real human use, and another derived from raw DNS volume.\u201d<\/p>\n<p>Why might it be a good idea to wholly separate malicious domains from the list? Greenland notes that Cloudflare Domain Rankings see widespread use for trust and safety determination, by browsers, DNS resolvers, safe browsing APIs and things like <a href=\"https:\/\/tranco-list.eu\/\" target=\"_blank\" rel=\"noopener\">TRANCO<\/a>.<\/p>\n<p>\u201cTRANCO is a respected open source list of the top million domains, and Cloudflare Radar is one of their five data providers,\u201d he continued. \u201cSo there can be serious knock-on effects when a malicious domain features in Cloudflare\u2019s top 10\/100\/1000\/million. 
To many people and systems, the top 10 and 100 are naively considered safe and trusted, even though algorithmically-defined top-N lists will always be somewhat crude.\u201d<\/p>\n<p>Over this past week, Cloudflare started redacting portions of the malicious Aisuru domains from its Top Domains list, leaving only their domain suffix visible. Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list. However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.<\/p>\n<p>According to Cloudflare\u2019s website, the majority of DNS queries to the top Aisuru domains \u2014 nearly 52 percent \u2014 originated from the United States. This tracks with <a href=\"https:\/\/krebsonsecurity.com\/2025\/10\/ddos-botnet-aisuru-blankets-us-isps-in-record-ddos\/\" target=\"_blank\" rel=\"noopener\">my reporting from early October<\/a>, which found Aisuru was drawing most of its firepower from IoT devices hosted on U.S. Internet providers like <strong>AT&amp;T<\/strong>, <strong>Comcast<\/strong> and <strong>Verizon<\/strong>.<\/p>\n<p>Experts tracking Aisuru say the botnet relies on well more than a hundred control servers, and that for the moment at least most of those domains are registered in the .su top-level domain (TLD). 
Dot-su is the TLD assigned to the former Soviet Union (.su\u2019s <a href=\"https:\/\/en.wikipedia.org\/wiki\/.su\" target=\"_blank\" rel=\"noopener\">Wikipedia page<\/a> says the TLD was created just 15 months before the fall of the Berlin wall).<\/p>\n<p>A <a href=\"https:\/\/blog.cloudflare.com\/introducing-tld-insights-on-cloudflare-radar\/\" target=\"_blank\" rel=\"noopener\">Cloudflare blog post from October 27<\/a> found that .su had the highest \u201cDNS magnitude\u201d of any TLD, referring to a metric estimating the popularity of a TLD based on the number of unique networks querying Cloudflare\u2019s 1.1.1.1 resolver. The report concluded that the top .su hostnames were associated with a popular online world-building game, and that more than half of the queries for that TLD came from the United States, Brazil and Germany [it\u2019s worth noting that servers for the world-building game <strong>Minecraft<\/strong>\u00a0were <a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/10\/tcpshield-aisuru.png\" target=\"_blank\" rel=\"noopener\">some of Aisuru\u2019s most frequent targets<\/a>].<\/p>\n<p>A simple and crude way to detect Aisuru bot activity on a network may be to set an alert on any systems attempting to contact domains ending in .su. 
This TLD is frequently abused for cybercrime and by cybercrime forums and services, and blocking access to it entirely is unlikely to raise any legitimate complaints.<\/p>\n<\/div>\n<p>Brian Krebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/11\/cloudflare-scrubs-aisuru-botnet-from-top-domains-list\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloudflare Scrubs Aisuru Botnet from Top Domains List For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflare\u2019s public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,1900,2009,352,146,2010,230,2011,975,1419,1292,55,2012,158,1423,370],"tags":[72],"class_list":["post-8217","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-aisuru","category-alex-greenland","category-amazon","category-cloudflare","category-cloudflare-radar","category-ddos-for-hire","category-epi","category-google-apple","category-infoblox","category-internet-of-things-iot","category-krebsonsecurity","category-matthew-prince","category-microsoft","category-renee-burton","category-web-fraud-2-0","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8217"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php
\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8217"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8217\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}