Enormous Botnet Emerges Instantly, Launching Unprecedented DDoS Attacks

A newly identified botnet, known as Eleven11bot, has reportedly amassed approximately 30,000 compromised webcams and video recorders, primarily concentrated in the United States. According to a security researcher from Nokia, this network is believed to be responsible for one of the largest distributed denial-of-service (DDoS) attacks in recorded history.

Eleven11bot first emerged in late February when analysts from Nokia’s Deepfield Emergency Response Team detected significant activity from multiple geographically diverse IP addresses engaged in what they termed “hyper-volumetric attacks.” These DDoS attacks overwhelm targeted services by saturating their available bandwidth, which distinguishes them from exhaustion attacks, which aim to deplete server computing resources. Hyper-volumetric attacks, in particular, deliver a vast amount of data, often measured in terabits per second.

The scale of Eleven11bot is noteworthy, with its 30,000 devices forming a formidable and expansive network, although the existence of even larger botnets has been documented. Researchers, including Nokia’s Jérôme Meyer, noted that many of the involved IP addresses had previously shown no activity related to DDoS attacks, highlighting the sudden emergence of this threat.

Notably, Eleven11bot has set a record for data volume in DDoS attacks. The most significant incident recorded occurred on February 27, with peak traffic reaching around 6.5 terabits per second, surpassing the previous record of 5.6 terabits per second reported earlier that year. Eleven11bot has targeted a diverse set of sectors, including communications service providers and gaming hosting infrastructure, and has employed a range of attack vectors. While some attacks aim to overwhelm networks with sheer volume, others focus on sending an excessive number of data packets, with rates ranging from several hundred thousand to hundreds of millions of packets per second.
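The two attack styles described above stress different limits, so a monitor has to track bits per second and packets per second separately. The sketch below is an added example, not code from the article or from Nokia: it buckets flow records per target, labels windows that approach either limit, and reports what share of sources has no prior DDoS history. The capacities, alert ratio, record layout, function name and sample flows are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed capacities for the protected edge; replace with measured values.
LINK_BPS = 10_000_000_000   # 10 Gbit/s of upstream bandwidth
DEVICE_PPS = 2_000_000      # packets/s the edge device can forward
ALERT_RATIO = 0.8           # alert at 80% of either capacity

def classify(flows, known_sources, window=10):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, packets, bytes).
    Returns {(dst_ip, window_start): details} for windows over a threshold."""
    buckets = defaultdict(lambda: {"bytes": 0, "packets": 0, "srcs": set()})
    for ts, src, dst, packets, nbytes in flows:
        b = buckets[(dst, ts - ts % window)]
        b["bytes"] += nbytes
        b["packets"] += packets
        b["srcs"].add(src)
    alerts = {}
    for key, b in buckets.items():
        bps = b["bytes"] * 8 / window
        pps = b["packets"] / window
        kinds = []
        if bps >= ALERT_RATIO * LINK_BPS:      # bandwidth saturation
            kinds.append("volumetric")
        if pps >= ALERT_RATIO * DEVICE_PPS:    # forwarding-rate saturation
            kinds.append("packet-rate")
        if kinds:
            new = b["srcs"] - known_sources    # sources with no DDoS history
            alerts[key] = {"kinds": kinds, "bps": bps, "pps": pps,
                           "sources": len(b["srcs"]),
                           "new_source_share": len(new) / len(b["srcs"])}
    return alerts

# Constructed sample data using documentation-reserved IP ranges.
SAMPLE_FLOWS = (
    [(100 + i, f"192.0.2.{i + 1}", "203.0.113.10", 2_000_000, 2_800_000_000) for i in range(4)]
    + [(200 + i, f"198.51.100.{i + 1}", "203.0.113.20", 5_000_000, 320_000_000) for i in range(4)]
    + [(300, "192.0.2.99", "203.0.113.30", 1_000, 1_000_000)]
)
KNOWN = {"192.0.2.1"}  # constructed list of previously seen DDoS sources

if __name__ == "__main__":
    for (dst, start), info in sorted(classify(SAMPLE_FLOWS, KNOWN).items()):
        print(dst, start, info)
```

A high `new_source_share` corresponds to the observation that many of the involved addresses had no previous DDoS-related activity, which is why blocklists built from past attacks would have offered little protection here.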

Some attacks have caused service degradation lasting multiple days, with instances still ongoing at the time of reporting. This prolonged impact poses a significant risk to businesses, underscoring the importance of robust cybersecurity measures.

From a technical perspective, the tactics employed by Eleven11bot may align with the MITRE ATT&CK framework. Initial access could have been achieved through the compromise of IoT devices like webcams, while persistence might be maintained through various means embedded within the devices. Privilege escalation could be a factor, as attackers often exploit vulnerabilities within these devices to gain greater control. Business owners should be aware of such tactics when assessing their cybersecurity posture, particularly concerning devices and networks that may be less secure.

In conclusion, the Eleven11bot botnet represents a serious emerging threat, and its significant scale and impact emphasize the urgent need for vigilance and preparedness in the face of evolving cyber risks. As attacks become more sophisticated, understanding the underlying tactics can help organizations better defend against potential breaches.
