Anti-DDoS Protection

We absorb the attack. You stay online.

Every ESAGAMES service is filtered through our own multi-Tbps scrubbing network in Frankfurt and a custom in-house XDP mitigation layer — engineered to swallow modern IoT botnets like AISURU before a single malicious packet reaches your machine.

5 Tbps+ filtered
Own AS214918
Always-on, automatic
5 Tbps+ filtered capacity
L3–L7 mitigation layers
<10s auto-detection
24/7 in-house NOC

Mitigation, visualised

This is what an absorbed attack looks like

A simulated view of our edge: terabit-scale attack traffic slams the network (red) while only clean, legitimate traffic is delivered to your server (green). Always-on, no action from you.

The 2025–2026 threat landscape

Botnets like AISURU changed the game

DDoS attacks aren't what they were five years ago. A new generation of IoT botnets can flood your IP with terabit-scale traffic in seconds — and gaming is the #1 target.

Threat dossier — AISURU

Active botnet
  • Peak attack scale: Terabit
  • Infected IoT devices: 100k+
  • Multi-vector: L3 / L4 / L7
  • Code lineage: Mirai

AISURU (also tracked as Airashi) is one of the most active and powerful botnets observed across 2025–2026. Built on a Mirai-style codebase, it spreads across compromised IoT devices — routers, cameras, DVRs and other poorly-secured hardware — and turns them into a distributed weapon capable of launching multi-hundred-Gbps to terabit-scale volumetric floods on demand.

What makes AISURU dangerous for game and hosting providers is its scale, speed and targeting: attacks ramp to full power in seconds, mix several vectors at once (UDP/TCP floods, reflection/amplification, application-layer requests) and specifically hammer game servers, voice servers and the panels around them — exactly the workloads our customers run.

If your provider can't absorb and filter that volume before it reaches your machine, your service goes down. That's the entire reason ESAGAMES built its own protection stack instead of relying on a single upstream.

Instant, terabit-scale

Modern botnets reach full power in seconds. Mitigation has to be always-on and automatic — there's no time to "switch it on" mid-attack.

Multi-vector

L3/L4 volumetric floods are combined with L7 application attacks and reflection/amplification to slip past single-layer filters.

Gaming-focused

Game servers, TeamSpeak and FiveM/Minecraft communities are prime targets — a single attack can knock an entire community offline.

What AISURU can actually do

  • Terabit-scale volumetric floods — UDP, TCP and ICMP traffic measured in hundreds of Gbps up to multiple Tbps, enough to saturate an unprotected uplink instantly.
  • Reflection & amplification — abuses open DNS, NTP, SSDP, CLDAP and Memcached servers to multiply attack volume tens of thousands of times.
  • Protocol exhaustion — SYN/ACK and fragmented-packet floods that fill connection tables and exhaust firewalls and load balancers rather than bandwidth.
  • Layer-7 application attacks — HTTP/S floods and game-query floods (Source A2S, Minecraft ping) aimed at panels, websites and the game protocol itself.
  • Adaptive switching — it rotates between vectors mid-attack to slip past any single-layer filter that only watches one thing.

How it grows & why it matters to you

AISURU spreads by scanning the internet for poorly-secured IoT devices — home routers, IP cameras, DVRs and NAS boxes still running default passwords or unpatched firmware. Each infected device becomes a small "bot"; together, tens of thousands of them form a weapon that can be rented and pointed at any IP in seconds.

For a game or hosting customer this means an attack no longer needs a skilled adversary — anyone with a few dollars can rent botnet time and aim it at your server out of rivalry, revenge, extortion, or just to grief a community. The only durable defence is filtering capacity and detection that sits in front of your machine, always on. That is exactly what the ESAGAMES network provides.

Pre-2016

Classic DDoS: a few hundred Mbps, single-vector. A decent firewall could cope.

2016

Mirai turns IoT devices into botnets and breaks the 1 Tbps barrier for the first time — the blueprint AISURU is built on.

2024

Mirai-derived botnets (Airashi / AISURU lineage) industrialise: rentable, multi-vector, adaptive, targeting gaming above all else.

2025–2026

AISURU is among the most active botnets in the world — terabit-class, 100k+ devices, hammering game and voice servers daily. Mitigation has to be measured in Tbps.

Global threat, one shield

Attacks come from everywhere — they end in Frankfurt

Botnet traffic originates from tens of thousands of hijacked devices worldwide. It all converges on our filtering core, where it's scrubbed before it ever reaches you.

How ESAGAMES protection works

Clean traffic in, attacks absorbed out

Your traffic rides our own autonomous network (AS214918) and passes through multiple filtering stages before it ever reaches your server.

STAGE 01

Routed via AS214918

All traffic enters through our own ASN, peered and upstreamed through Voxility & Dataforest in Frankfurt.

STAGE 02

Detection

Flows are analysed continuously; anomalies and attack signatures are detected automatically within seconds.

STAGE 03

Scrubbing + XDP

Malicious packets are dropped at the edge and at kernel line-rate by our in-house XDP filters.

STAGE 04

Clean delivery

Only legitimate traffic reaches your server — low latency, no downtime, no action needed from you.

3 Tbps+ (Dataforest) + 2 Tbps+ (Voxility) = 5 Tbps+ (ESAGAMES filtered network)

The filter stack

Every attack vector, dropped at the edge

A real attack is never just one thing. Our stack inspects and drops dozens of distinct vectors — volumetric, protocol, reflection/amplification and application-layer — before they ever cost you a packet.

Dirty traffic in: 940 Gbps
Clean traffic out (after the filter stack): <2 Gbps

  • SYN / ACK floods (TCP state-exhaustion): DROPPED
  • UDP floods (raw volumetric): DROPPED
  • ICMP / ping floods (L3 volumetric): DROPPED
  • Fragment / teardrop (malformed packets): DROPPED
  • DNS amplification (reflection): DROPPED
  • NTP amplification (reflection): DROPPED
  • SSDP reflection (UPnP abuse): DROPPED
  • Memcached reflection (50,000× amp): DROPPED
  • CLDAP reflection (LDAP abuse): DROPPED
  • GRE floods (tunnel abuse): DROPPED
  • HTTP/S floods (L7 GET / POST): DROPPED
  • Slowloris / slow-read (L7 connection abuse): DROPPED
  • Source A2S floods (game query abuse): DROPPED
  • Minecraft ping floods (game query abuse): DROPPED
  • DNS query floods (resolver abuse): DROPPED
  • Mirai / AISURU sigs (botnet fingerprints): DROPPED

Custom in-house XDP

Mitigation built by us, at kernel speed

Instead of relying only on generic upstream filtering, ESAGAMES runs its own XDP-based mitigation — tuned specifically for game and hosting traffic.

What is XDP and why it matters

XDP (eXpress Data Path) is a high-performance packet-processing technology in the Linux kernel. It lets us inspect and drop malicious packets the instant they hit the network card — before they consume CPU, memory or bandwidth on your server. That means filtering at line rate, with minimal added latency.

Because our XDP rules are written and tuned in-house, we can react to new attack patterns (like the multi-vector floods AISURU throws) far faster than a one-size-fits-all appliance — and we can shape protection around real game protocols instead of treating all traffic the same.

Line-rate filtering

Packets are dropped at the kernel/NIC level, so floods never reach your application or eat your resources.

Low latency

Filtering adds almost no overhead — your players keep a stable, low ping even while an attack is being mitigated.

Tuned for games

Rules are shaped around real game, voice and panel protocols, reducing false positives that generic filters cause.

Defense in depth

Protection across every layer

Attacks hit different layers of the stack — so we defend all of them, from raw volume to application logic.

L3 / L4

Volumetric & protocol floods

UDP/TCP floods, SYN floods and reflection/amplification are absorbed by our multi-Tbps scrubbing and dropped at the edge — the bulk of botnet traffic never gets close to you.

L7

Application-layer attacks

HTTP floods and application abuse against panels and websites are filtered with Layer 7 mitigation, included by default on web hosting and available across our services.

XDP

Kernel-level edge filtering

Our custom in-house XDP layer drops malicious packets at line rate on the host itself — a fast, surgical last line of defense tuned for game traffic.

Live mitigation log

The edge never sleeps

A simulated stream of the kind of events our filtering edge handles around the clock — every line is an attack that was detected and dropped before it touched a customer.

Included everywhere

What our protection covers

Anti-DDoS isn't an add-on you have to remember — it's part of the platform, on every service we host in Frankfurt.

Game servers

Minecraft, CS2, CS 1.6, Rust, FiveM, ARK and more — Layer 4 protection on every plan.

Web hosting

DirectAdmin hosting with Layer 4 + Layer 7 protection and free SSL.

VDS & Dedicated

Protected virtual and bare-metal servers with full root.

TeamSpeak 3

Protected, low-ping voice hosting for your community.

Anti-DDoS VPN

Hide your real IP behind our shield — attacks hit us, not you.

Networking & transit

Protected IP transit, GRE tunnels and extra IPs on our own ASN.

Attack encyclopedia

Types of DDoS attacks — and what each one does

"DDoS" is an umbrella term for very different techniques. Knowing which category you're facing is the first step to stopping it. These are the families we filter every day.

Volumetric floods

The brute-force category: UDP, ICMP and raw-packet floods that try to saturate your bandwidth. Measured in Gbps/Tbps — if the pipe fills, everything behind it drops: game, web and voice all at once.

Protocol / state attacks

SYN, ACK and fragmented-packet floods that exhaust connection tables on firewalls, load balancers and the OS — not the bandwidth. A "small" attack in Gbps can still take a box fully offline.

Reflection & amplification

The attacker spoofs your IP and queries open DNS/NTP/SSDP/Memcached/CLDAP servers, which all reply to you — multiplying volume 10×–50,000×. Massive bandwidth from a tiny botnet.

Application-layer (L7)

HTTP/S floods, slowloris and bot traffic that look like real users and exhaust your app, CPU or database rather than the network. Invisible without dedicated Layer-7 filtering.

Game-query floods

Source A2S, Minecraft ping and FiveM query floods that abuse the game protocol itself — spiking your server's query handler and causing lag spikes, rubber-banding or full crashes.

Multi-vector (blended)

The modern norm: several of the above at once, rotating mid-attack to defeat any single-layer filter that only watches one thing. This is how AISURU-class botnets operate.

What an attack actually does to you: dropped players and rubber-banding, login/panel timeouts, voice cut-outs, websites returning 502/timeouts — and in unprotected setups a full nullroute of your IP by the upstream until the attack stops. The entire point of edge filtering is to make all of that a non-event.

Threat timing

When should you expect to get attacked?

DDoS attacks are rarely random. If any of these apply to you, treat strong Anti-DDoS as mandatory, not optional.

Launch & growth

A new server that suddenly gets popular draws attention — and competitors who'd rather you didn't grow.

Rivalry & competition

Competing communities, clans and networks attacking each other to steal players is the #1 motive in gaming.

Events & tournaments

Match days, wipes, drops and tournaments are prime time — knock you offline at the worst possible moment.

Angry users & ex-staff

A banned player or a former staff member with a grudge is a very common — and very predictable — trigger.

Extortion

"Pay us or we keep you offline." Ransom DDoS targets anything that loses money or members while it's down.

Going viral

A popular video, post or streamer shout-out brings real traffic — and paints a target on your IP for the wrong people.

Threat landscape

Which services get attacked the most?

Some workloads are hit far more often than others. Across our network, these are the heaviest-targeted — and why.

#1

Game servers

Minecraft, CS2 / CS 1.6, Rust, FiveM, ARK, SA-MP and similar — by far the most attacked workloads online. Competition, grudges and the ease of renting a botnet make them a daily target.

#2

Voice servers (TeamSpeak / Discord bots)

Communities live in voice. Taking it down disrupts an entire group at once, so it's a favourite target during raids and rivalries.

#3

Websites, panels & APIs

Store fronts, game panels and login APIs are hit with Layer-7 floods to break sales, logins and management exactly when you need them most.

#4

VDS, dedicated & host nodes

Resellers and host nodes are attacked to hit many customers at once — which is exactly why our protection sits at the network edge, not on each individual box.

Worst case

What if an attack gets past our protection?

No honest provider promises "100% unbreakable". Here's exactly what we do — and what you'll experience — in the rare event something slips through or exceeds normal limits.

What happens on our side

  • Automatic tightening — filters detect the leak and apply stricter rules and rate-limits for the targeted IP within seconds.
  • NOC escalation — sustained or unusual attacks are escalated to our 24/7 team, who tune mitigation by hand for your specific traffic.
  • Upstream coordination — for genuinely extreme floods we work with Voxility & Dataforest to scrub further upstream.
  • Last-resort isolation — in a true worst case a single IP may be briefly isolated to protect everyone else on the node, then restored once the flood subsides.

What you should do

If you notice downtime, lag or packet loss you think is an attack, don't reinstall or change everything in a panic. The fastest path to a fix is giving us the data to actually see the attack.

Open a ticket to our Anti-DDoS department with the diagnostics below. With a packet capture and a route trace we can usually identify the vector and tighten filtering quickly — often while the attack is still running.

Your playbook

Under attack? Capture this before you open a ticket

Two pieces of data let our team diagnose almost any attack: a packet capture (tcpdump) from the server, and a route trace (WinMTR / MTR) from an affected client. Here's exactly how to get both.

On a Linux server — tcpdump

Run this on the attacked machine while it's happening. It saves ~2000 packets to a file you can attach to the ticket:

root@server ~
# capture to a file (replace eth0 with your interface)
tcpdump -i eth0 -n -c 2000 -w /root/attack.pcap

# quick live look at what's hitting you
tcpdump -i eth0 -n -c 200

Attach /root/attack.pcap to the ticket. On Windows Server, capture with Wireshark and export a .pcap the same way.
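
To show what a capture like /root/attack.pcap reveals, the following added example (not ESAGAMES tooling and not code from this page) reads a classic pcap file and counts packets per attack family named above. The function names, the source-port table and the constructed sample capture (documentation addresses, game port 27015) are assumptions; only microsecond-format Ethernet/IPv4 captures are handled.

```python
import struct
from collections import Counter

# UDP source ports of the reflector types this page lists; replies arrive FROM these.
REFLECTORS = {53: "dns", 123: "ntp", 1900: "ssdp", 389: "cldap", 11211: "memcached"}

def classify(frame):
    """Label one Ethernet frame with a coarse vector name."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ipv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:   # MF flag set or offset != 0
        return "fragment"
    proto, l4 = ip[9], ip[ihl:]
    if proto == 1:
        return "icmp"
    if proto == 17 and len(l4) >= 8:
        sport = struct.unpack("!H", l4[:2])[0]
        return "reflection-" + REFLECTORS[sport] if sport in REFLECTORS else "udp-other"
    if proto == 6 and len(l4) >= 14:
        return "tcp-syn" if (l4[13] & 0x3F) == 0x02 else "tcp-other"
    return "other"

def summarize(pcap):
    """Count vectors in a classic libpcap file such as tcpdump -w produces."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        if off + 16 + incl > len(pcap):            # truncated last record
            break
        counts[classify(pcap[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    return counts

def build_frame(proto, l4, frag=0):
    """Constructed Ethernet+IPv4 frame, 198.51.100.7 -> 203.0.113.10 (sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto, 0,
                     bytes([198, 51, 100, 7]), bytes([203, 0, 113, 10]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def sample_pcap():
    """Constructed capture: 3 NTP replies, 2 bare SYNs, 1 fragment, 1 other UDP."""
    udp = lambda sp, dp: struct.pack("!HHHH", sp, dp, 8, 0)
    syn = struct.pack("!HHIIBBHHH", 40000, 27015, 0, 0, 0x50, 0x02, 1024, 0, 0)
    frames = [build_frame(17, udp(123, 27015))] * 3 + [build_frame(6, syn)] * 2
    frames += [build_frame(17, udp(5000, 27015), frag=0x2000),
               build_frame(17, udp(50000, 27015))]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for vector, n in summarize(sample_pcap()).most_common():
        print(f"{vector:18} {n}")
```

On a real capture, call summarize(open("/root/attack.pcap", "rb").read()); a count dominated by one reflection-* label or by tcp-syn is the kind of vector hint worth quoting in the ticket.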

From an affected player — WinMTR

A route trace shows where packets are lost between the player and your server. Have an affected user run it for 2–3 minutes against your server IP:

WinMTR · Windows
1. Download WinMTR (free).
2. Host: your-server-ip  →  Start.
3. Let it run 2–3 min during the issue.
4. Copy to text  →  attach to ticket.

On Linux/macOS use mtr -rwzbc 100 your-server-ip and paste the output. Include the player's rough country / ISP too — it helps us correlate the attack path.

Capture DURING the attack. A tcpdump or WinMTR taken after everything is back to normal shows clean traffic and tells us nothing. The 2–3 minutes while it's actually broken are the ones we need.

Getting help fast

How to open a ticket that gets solved fast

The more of this you include up front, the faster we can act. A good Anti-DDoS ticket has all of it in the very first message.

1

Pick the right department

Open the ticket under Anti-DDoS so it reaches the mitigation team directly instead of bouncing between queues.

2

Identify the service & IP

Give the exact server IP and port(s) affected and which service it is — e.g. "CS2 server on 1.2.3.4:27015". One IP per ticket is ideal.

3

Describe the symptom & timing

Lag, or fully offline? Since when, constant or in bursts? Note the exact times (with timezone) — we cross-check them against our edge logs.

4

Attach the evidence

Add the tcpdump .pcap from the server and the WinMTR / MTR output from an affected client. This is what turns a guess into a fix.

5

Say what you've already tried

Restarted? Changed port? Tested from another network? Tell us — it saves a round-trip and lets us skip what you've already ruled out.

FAQ

Anti-DDoS, answered

Is Anti-DDoS protection included or extra?

It's included by default on our game, web, VDS, dedicated and TeamSpeak services — filtered through our own Frankfurt network. Higher application-layer (L7) and dedicated VPN protection are also available.

How big of an attack can you absorb?

Our filtered network provides 5 Tbps+ of capacity (Voxility + Dataforest) combined with custom in-house XDP filtering, which covers the vast majority of real-world attacks, including modern botnets like AISURU.

Do I need to enable anything during an attack?

No. Mitigation is always-on and automatic. Detection and scrubbing happen at the network edge within seconds — you don't have to do anything.

Will protection increase my ping?

Our XDP filtering runs at kernel line rate and our scrubbing sits in Frankfurt, one of Europe's best-connected hubs, so added latency is minimal — important for competitive gaming.

What vectors do you filter?

Volumetric floods (UDP/TCP/ICMP), protocol attacks (SYN/ACK, fragmentation), reflection/amplification (DNS, NTP, SSDP, Memcached, CLDAP), GRE floods, Layer 7 HTTP/S floods, slowloris, and game-specific query floods (Source A2S, Minecraft) — plus Mirai/AISURU botnet signatures.

Can you protect a server hosted elsewhere?

Yes — with our Anti-DDoS Protected VPN or GRE tunnel routing we can bring our shield in front of a box or network hosted somewhere else.

What should I do if my server is being attacked?

Don't panic-reinstall. Capture a tcpdump (tcpdump -i eth0 -n -c 2000 -w /root/attack.pcap) on the server and a WinMTR from an affected player, both during the attack, then open a ticket to our Anti-DDoS department with those files attached. With that data we can identify the vector and tighten filtering fast.

Which services get attacked the most?

Game servers (Minecraft, CS2/CS 1.6, Rust, FiveM, ARK) are by far the most targeted, followed by voice servers (TeamSpeak), then websites, panels and login APIs. Rivalry, grudges and the low cost of renting a botnet make gaming the #1 DDoS target.

What happens if an attack gets past your protection?

Our filters auto-tighten for the targeted IP within seconds, the attack is escalated to our 24/7 NOC for manual tuning, and for extreme floods we scrub further upstream with Voxility & Dataforest. In a true worst case a single IP may be briefly isolated to protect the rest of the node, then restored once the flood ends.

What information should I put in a DDoS ticket?

The exact server IP and port, which service it is, the symptom (lag vs fully offline) and exact times with timezone, plus the tcpdump .pcap and WinMTR/MTR output. The more you include in the first message, the faster we resolve it.

Stay online, whatever hits you

Deploy a protected service in Frankfurt, or let our team route your existing infrastructure behind our shield.
