Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
31.4 terabits per second, sustained for 35 seconds, aimed at telecom companies last November. The campaign was called “Night Before Christmas.” It peaked at 200 million requests per second and was nearly six times larger than the largest DDoS attack recorded in all of 2024. That number comes from Cloudflare’s Cloudforce One 2026 annual threat report.
Four botnets sat at the center of it: Aisuru, Kimwolf, JackSkid, and Mossad. Together they controlled roughly 3 million compromised devices. The DoJ disrupted all four this week, working with international partners. Their lineage traces back to Mirai, the 2016 botnet that college students built to knock Minecraft servers offline. But calling them Mirai descendants undersells the evolution. These are professional DDoS-for-hire operations. That’s a different thing entirely.
The attacks were designed to outrun defenders, not overwhelm them. Most lasted under 10 minutes, which is faster than any human-led mitigation team can respond. Cloudforce One tracked 230 billion daily threats during the report period.
But the DDoS record isn’t the most important finding.
Buried in the same report: attackers have largely moved on from stealing passwords. They’ve found something better. When you log into a service, the system issues a session token, a small piece of data that proves you’re already authenticated. Steal that token and you don’t need the password. You don’t need to defeat MFA. You just are the user, as far as the system is concerned. 94% of bot-driven login attempts in the report bypassed MFA by reusing stolen session tokens. Not through attacking MFA infrastructure. Through simple token replay.
The catch: session tokens survive password resets. They survive MFA re-enrollment. If a user gets hit and you force a password change, an attacker holding a valid session token can keep walking around your environment until that specific token expires or gets explicitly revoked. Most organizations don’t have processes built around token revocation.
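To make the gap concrete, here is an added example (mine, not the report’s or the author’s): a toy in-memory session store in which a password reset alone leaves an already-issued token valid, while a per-user “sessions not before” timestamp set at reset time revokes every outstanding session at once. All usernames, passwords and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    # Sessions issued before this timestamp are rejected. Bumping it on a
    # password reset (or MFA re-enrollment) kills every outstanding token at once.
    sessions_not_before: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SessionStore:
    """Constructed example: users plus opaque bearer session tokens."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, tuple[str, float]] = {}  # token -> (username, issued_at)
        self.revoked: set[str] = set()  # explicitly revoked tokens

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash(password, salt))

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)  # whoever presents this token "is" the user
        self.sessions[token] = (username, now)
        return token

    def whoami(self, token: str, now: float, ttl: float = 86_400) -> Optional[str]:
        """Resolve a presented token to a username, or None if it is not (or no longer) valid."""
        if token in self.revoked or token not in self.sessions:
            return None
        username, issued_at = self.sessions[token]
        if now - issued_at > ttl or issued_at < self.users[username].sessions_not_before:
            return None
        return username

    def reset_password(self, username: str, new_password: str, revoke_sessions: bool, now: float) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash(new_password, user.salt)
        if revoke_sessions:
            user.sessions_not_before = now  # the step most reset flows omit

    def revoke(self, token: str) -> None:
        self.revoked.add(token)
```

Run with `revoke_sessions=False` and a token captured before the reset keeps resolving to the user; with `revoke_sessions=True` the same token is rejected on its next use.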
The four botnets the DoJ disrupted are gone. The infrastructure model isn’t. And the session token economy running underneath all of this continues regardless of botnet takedowns.
See what else Cloudflare’s 2026 threat report reveals about the shifting attack landscape