Ethical Hacking News
Eleven11bot is a massive IoT botnet that has been delivering record-breaking denial-of-service attacks, posing significant risks to online services and infrastructure. In this article, we delve into the details of Eleven11bot's emergence, its connection to the Mirai malware family, and the steps users can take to protect themselves against these threats.
Eleven11bot is a massive botnet comprising an estimated 30,000 webcams and video recorders, making it the largest denial-of-service attack ever seen. The botnet delivers hyper-volumetric attacks that consume all available bandwidth, overwhelming services with unprecedented data. Eleven11bot has targeted various sectors, including communications service providers and gaming hosting infrastructure, using diverse attack vectors. The botnet is likely a variant of Mirai malware, infecting IoT devices via a single new exploit. The true size of Eleven11bot is disputed, with estimates ranging from 5,000 to 86,000 devices. Security experts recommend protecting IoT devices by positioning them behind routers or firewalls, enabling remote administration only when necessary, and using strong unique passwords.
The security landscape has been abuzz with the emergence of a new and formidable threat, namely Eleven11bot, a sprawling botnet comprising an estimated 30,000 webcams and video recorders that has been delivering what is likely to be the biggest denial-of-service attack ever seen. According to a recent report by security researcher Jérôme Meyer at Nokia's Deepfield Emergency Response Team, Eleven11bot first came to light in late February when researchers observed large numbers of geographically dispersed IP addresses delivering "hyper-volumetric attacks." Since then, the botnet has been delivering large-scale attacks ever since.
Volumetric DDoSes, also known as hyper-volumetric attacks, work differently than traditional exhaustion-based DDoSes. These attacks consume all available bandwidth either within the targeted network or its connection to the Internet, effectively shutting down services by overwhelming them with an unprecedented amount of data. The most recent instance of Eleven11bot's activities peaked at around 6.5 terabits per second, surpassing the previous record held by a volumetric attack from January at approximately 5.6 Tbps.
Eleven11bot has been particularly effective due to its large scale and diverse sector targeting. The botnet has attacked communications service providers and gaming hosting infrastructure, leveraging various attack vectors to achieve its objectives. In some cases, the attacks have focused on flooding connections with more data packets than they can handle, resulting in significant service degradation that can last for multiple days.
Interestingly, research conducted by security firm Greynoise suggests that Eleven11bot is most likely a variant of Mirai, a family of malware specifically designed to infect webcams and other IoT devices. The researchers believe that the variant driving Eleven11bot uses a single new exploit to infect TVT-NVMS 9000 digital video recorders running on HiSilicon chips.
However, there has been some confusion surrounding the true size of Eleven11bot. Initially, Nokia reported that the botnet comprised approximately 30,000 devices, while the non-profit Shadowserver Foundation later revised this estimate upwards to over 86,000 devices. In contrast, Greynoise estimated that the actual number was likely fewer than 5,000.
To clarify these discrepancies, Meyer explained that researchers have long suspected that the device information observed on infected devices is displayed on all such hardware, whether infected or not. Furthermore, he revealed that he has consistently observed as many as 20,000 to 30,000 IP addresses participating in follow-on attacks, although many attacks come from much smaller subsets.
Meyer also shared his findings with Censys and plans to send a list of the estimated 30,000 IP addresses to Shadowserver soon. He remained confident that his original estimate was accurate, given that this is what researchers have been observing in their attacks after conducting human review of source IPs.
It's clear that Eleven11bot poses an immense threat to online services and infrastructure. As such, it's essential for IoT device owners to take precautions to safeguard themselves against these types of threats. In light of the Mirai-based botnets' history of exploiting vulnerabilities in IoT devices, security researchers recommend that users position their devices behind routers or firewalls to prevent them from being visible outside local networks. Additionally, remote administration should be enabled only when necessary, and each device should be protected by strong unique passwords.
With Eleven11bot's emergence, the importance of robust cybersecurity measures cannot be overstated. Users must remain vigilant and take proactive steps to protect themselves against these evolving threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Eleven11bot-The-Largest-Denial-of-Service-Attack-on-Record-ehn.shtml
https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overnight-is-delivering-record-size-ddoses/
https://www.pcmag.com/news/botnet-unleashes-record-breaking-56tbps-ddos-attack
Published: Thu Mar 6 10:00:23 2025 by llama3.2 3B Q4_K_M
