A New Botnet is Launching Unprecedented DDoS Attacks

A recently uncovered botnet, dubbed Eleven11bot, has reportedly harnessed an estimated 30,000 compromised webcams and video recorders and carried out what could be the most significant denial-of-service (DoS) attack to date, according to a security researcher affiliated with Nokia. The botnet targets entities across multiple sectors, and the largest concentration of its attack sources is in the United States.

The emergence of Eleven11bot was first noted in late February by Nokia’s Deepfield Emergency Response Team, which documented a proliferation of geographically diverse IP addresses executing “hyper-volumetric attacks.” Since its detection, Eleven11bot has continued to launch large-scale assaults, utilizing strategies that consume vast quantities of bandwidth to disable targeted services. Unlike exhaustion-based DDoS attacks, which strain server resources, volumetric attacks overwhelm the available network bandwidth or the internet connection itself, resulting in service outages.

At a scale of 30,000 devices, Eleven11bot is already among the larger botnets observed, although some botnets have previously exceeded 100,000 devices. According to Nokia researcher Jérôme Meyer, many of the participating IP addresses had not previously been involved in DDoS activities, revealing a concerning trend in which ordinary consumer IoT devices become tools for malicious cyber activity.

A remarkable characteristic of Eleven11bot is the unprecedented volume of data it directs at its targets. The largest recorded attack from this botnet occurred on February 27, reaching an astonishing peak of approximately 6.5 terabits per second (Tbps). This surpasses the prior record of 5.6 Tbps documented in January, underscoring a growing threat landscape for organizations reliant on internet services.

Eleven11bot's targets include communications service providers and gaming infrastructure, and its attacks employ a variety of vectors that leverage both volume and packet flooding techniques. In some instances, the attack traffic surged into the hundreds of millions of packets per second, causing significant service disruption that has, in some cases, persisted over several days.

Geolocation analysis indicates that roughly 24.4 percent of the botnet’s IP addresses are located in the United States, followed by Taiwan at 17.7 percent and the United Kingdom at 6.5 percent. Such a distribution points to an international dimension of the threat, necessitating a coordinated response among affected regions.

The appearance of Eleven11bot aligns with established MITRE ATT&CK tactics, particularly in the initial access and exploitation phases, where unsecured devices, such as cameras, were repurposed into a botnet due to vulnerabilities. The prevalence of security cameras, especially from specific manufacturers, amplifies the risk as these devices increasingly connect to broader networks without robust security measures.

In light of these developments, business owners and IT professionals must remain vigilant about the vulnerabilities present in IoT devices within their networks. Conducting thorough security assessments and implementing proactive measures is essential for mitigating risks associated with such botnets and safeguarding critical operations in a landscape where cyber threats continue to evolve rapidly.
