New botnet unleashes record-breaking DDoS attacks

Eleven11bot’s sudden appearance and the massive scale of its attacks have caused alarm

A new botnet dubbed "Eleven11bot" has emerged, delivering what security researchers believe are the largest distributed denial-of-service (DDoS) attacks ever recorded.

The botnet, primarily composed of compromised webcams and video recorders, has triggered widespread service disruptions and ignited a debate within the cybersecurity community about its true size.

Nokia's Deepfield Emergency Response Team first detected the botnet in late February, observing a surge of "hyper-volumetric attacks" originating from a geographically dispersed network of IP addresses.

Security researcher Jérôme Meyer from Nokia revealed that Eleven11bot has been consistently launching large-scale attacks, disrupting communications service providers and gaming hosting infrastructures.

The attacks, characterised by their sheer volume of data, have shattered previous records.

On 27th February 2025, Eleven11bot peaked at 6.5 terabits per second (Tbps), surpassing the previous record of 5.6 Tbps set in January 2025. These volumetric DDoS attacks flood targeted networks with data, consuming all available bandwidth.

In addition to the massive data volume, the botnet also launches packet flood attacks, sending hundreds of thousands to hundreds of millions of packets per second, further overwhelming targeted systems.

The botnet's sudden appearance and the massive scale of its attacks have caused alarm. Meyer noted, "This botnet is much larger than what we're used to seeing in DDoS attacks." He also pointed out that the vast majority of the participating IP addresses were previously uninvolved in DDoS activity, primarily belonging to security cameras.

However, the exact size of Eleven11bot remains a point of debate. Nokia initially estimated the botnet comprised approximately 30,000 devices, with a significant concentration in the United States (24.4%), followed by Taiwan (17.7%) and the UK (6.5%).

The Shadowserver Foundation revised this estimate to more than 86,000 devices.

But security firm GreyNoise, using data from Censys, countered, suggesting that the true number is likely fewer than 5,000.

The discrepancy stems from differing interpretations of device information. Meyer believes that information displayed on infected devices is replicated across all similar hardware, whether infected or not, which likely led to the inflated estimates.

GreyNoise and Censys have yet to fully explain their significantly lower estimate. Meyer, however, maintains confidence in his 20,000-30,000 device range, based on consistent observations during attacks and a thorough review of source IPs. He has shared his list of IP addresses with Censys and plans to do so with Shadowserver to reach a consensus.

GreyNoise said it observed 1,042 IPs actively hitting its sensors in the past month, of which 61% were traced to Iran.

GreyNoise has identified Eleven11bot as a variant of the notorious Mirai malware, known for targeting Internet of Things (IoT) devices. This variant exploits a vulnerability in TVT-NVMS 9000 digital video recorders running on HiSilicon chips.

Mirai's open-source nature, with code released by its developers in 2016, has facilitated the proliferation of similar botnets.

To defend against Eleven11bot and similar cyber threats, GreyNoise recommends:
