Security researchers have spotted one of the largest Distributed Denial of Service (DDoS) botnets in recent years. The new botnet, named Eleven11bot, was first detected by Nokia’s Deepfield Emergency Response Team, which observed hyper-volumetric DDoS attacks carried out by the botnet’s operators.
In February, Nokia reported that Eleven11bot had already compromised approximately 30,000 devices, mainly targeting security cameras and network video recorder (NVR) devices. However, a subsequent report from the non-profit cybersecurity organization Shadowserver Foundation revealed that its own scanning identified 86,400 Internet of Things (IoT) devices compromised by the botnet.
The affected devices are scattered across the globe, with the largest number in the United States, where 25,000 devices have been infected. Other impacted countries include the United Kingdom (10,000), Canada (4,000), and Australia (3,000).
“Its size is exceptional among non-state actor botnets, making it one of the largest DDoS botnet campaigns observed since the invasion of Ukraine in February 2022,” said Jerome Meyer, a security researcher at Nokia.
Eleven11bot has been linked to a series of highly disruptive DDoS attacks across several sectors, including gaming and communications. Some of these attacks have lasted for days, crippling online services and networks. According to Meyer, the intensity of the attacks has fluctuated widely, ranging from several hundred thousand to several hundred million packets per second (pps), often overwhelming targeted systems.
In addition to Nokia, other cybersecurity firms are now tracking Eleven11bot closely. Attack surface management company Censys has identified over 1,400 IP addresses linked to the botnet, based on endpoint device configurations and banners. Threat intelligence firm GreyNoise has detected more than 1,000 IP addresses targeting its honeypots.
Notably, GreyNoise has reported that 61% of the IPs it observed appear to originate from Iran. While the company has refrained from making definitive statements regarding attribution, it did note the timing of the increased botnet activity, which began just two days after the U.S. government imposed new economic sanctions on Iran as part of its "maximum pressure" campaign.
Eleven11bot spreads mainly by scanning the internet for devices with exposed SSH and Telnet ports and then brute-forcing weak or default IoT credentials.
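The password-guessing behaviour described above leaves a recognisable trace in a device's SSH authentication log: a burst of failed logins from one source, usually cycling through factory default usernames, sometimes followed by a success from the same source. The following detector is an added example written for this page; it is not code from Nokia, Shadowserver, GreyNoise or the botnet's operators. The log lines are constructed in standard OpenSSH syslog format, the default-username list is an illustrative assumption, and the threshold and window are tunables, not values reported for Eleven11bot.

```python
"""Flag SSH brute-force sources in OpenSSH auth-log lines.

Added example for this article (not from the original page or any vendor).
The log lines below are constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd's "Failed password" line as written via syslog. The traditional syslog
# timestamp carries no year, so the caller supplies one when parsing.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Assumed, illustrative list of usernames commonly shipped as defaults on
# cameras and NVRs; a real deployment would use its own inventory.
DEFAULT_USERS = {"root", "admin", "user", "guest", "support", "default"}

# Constructed sample: one source hammers root/admin/support within seconds and
# then gets in; another source makes three slow, widely spaced attempts.
SAMPLE_LOG = """\
Mar  5 10:00:01 cam01 sshd[1201]: Failed password for root from 203.0.113.7 port 40412 ssh2
Mar  5 10:00:02 cam01 sshd[1202]: Failed password for root from 203.0.113.7 port 40413 ssh2
Mar  5 10:00:02 cam01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40414 ssh2
Mar  5 10:00:03 cam01 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 40415 ssh2
Mar  5 10:00:04 cam01 sshd[1205]: Failed password for invalid user support from 203.0.113.7 port 40416 ssh2
Mar  5 10:00:05 cam01 sshd[1206]: Failed password for root from 203.0.113.7 port 40417 ssh2
Mar  5 10:00:09 cam01 sshd[1207]: Accepted password for root from 203.0.113.7 port 40418 ssh2
Mar  5 10:03:00 cam01 sshd[1208]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  5 10:09:00 cam01 sshd[1209]: Failed password for alice from 198.51.100.20 port 51001 ssh2
Mar  5 10:15:00 cam01 sshd[1210]: Failed password for alice from 198.51.100.20 port 51002 ssh2
"""


def _parse_ts(ts: str, year: int) -> datetime:
    # strptime treats whitespace in the format as "one or more", so "Mar  5" parses.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_events(log_text: str, year: int = 2025):
    """Return a time-sorted list of (timestamp, kind, user, ip); other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m, kind = FAILED_RE.match(line), "failed"
        if not m:
            m, kind = ACCEPTED_RE.match(line), "accepted"
        if not m:
            continue
        events.append((_parse_ts(m["ts"], year), kind, m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60, year: int = 2025):
    """Return {ip: summary} for sources with >= threshold failures inside any window."""
    failures = defaultdict(list)   # ip -> sorted failure timestamps
    users = defaultdict(set)       # ip -> usernames tried
    accepted = defaultdict(list)   # ip -> timestamps of successful logins
    for ts, kind, user, ip in parse_events(log_text, year):
        if kind == "failed":
            failures[ip].append(ts)
            users[ip].add(user)
        else:
            accepted[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, times in failures.items():
        # Sliding window over sorted timestamps: size of the densest burst.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_failure = times[-1]
        findings[ip] = {
            "max_attempts_in_window": best,
            "total_failures": len(times),
            "users_tried": sorted(users[ip]),
            "default_users_tried": sorted(users[ip] & DEFAULT_USERS),
            # A success from the same source after the burst means the guessing
            # worked; treat the device as compromised, not merely attacked.
            "login_succeeded_after": any(t > last_failure for t in accepted[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

Only the fast source is flagged at the default settings; the slow, spaced-out attempts from 198.51.100.20 fall below the threshold unless the window is widened, which is the trade-off between catching low-and-slow guessing and false-positiving on a user mistyping a password. This covers SSH only: Telnet logging varies by device firmware and many consumer cameras and NVRs log nothing at all, which is why the firms cited in the article rely on network-side evidence (honeypots, banner scans) rather than on device logs.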