
A newly discovered botnet, Eleven11bot, has infected over 30,000 internet-connected devices and is being actively used in DDoS attacks against telecom providers and gaming platforms, causing prolonged disruptions.
Identified by Nokia Deepfield’s Emergency Response Team (ERT), the botnet's attack activity has been traced primarily to Iran, although the compromised devices are distributed worldwide.
A growing global threat
First uncovered by Deepfield, Eleven11bot primarily compromises security cameras and network video recorders (NVRs) to fuel large-scale cyberattacks. Security researcher Jérôme Meyer has labeled it as one of the most significant DDoS botnets observed since early 2022. Attacks linked to Eleven11bot have lasted multiple days, overwhelming targeted services with sustained traffic.
Additional research from GreyNoise, which analyzed data from Censys — a cybersecurity search engine that maps internet-connected devices — has confirmed 1,042 active IPs associated with the botnet over a 30-day period spanning the end of January and the entirety of February. Notably, 61% of these IPs — 636 addresses — originate from Iran, with 96% classified as non-spoofable, meaning they stem from real, identifiable devices. GreyNoise has categorized 305 of these IPs as actively malicious.
Expansion through IoT vulnerabilities
Eleven11bot spreads by exploiting common security flaws in Internet-of-Things (IoT) devices, particularly security cameras. Key infection methods include:
- Brute-force attacks targeting login credentials.
- Exploiting weak and default passwords on IoT hardware.
- Targeting specific brands, such as VStarcam, using hardcoded credentials.
- Scanning networks for exposed Telnet and SSH ports left unprotected.
These tactics allow Eleven11bot to continuously expand its reach, integrating new compromised devices into its infrastructure and strengthening its attack capabilities.
Defensive measures against Eleven11bot
Organizations and individuals are encouraged to take immediate action to mitigate the risk posed by Eleven11bot. Recommended steps include:
- Blocking traffic from malicious IPs: GreyNoise provides real-time tracking and blacklists to identify botnet-related activity.
- Monitoring network logs: Unusual login attempts may indicate brute-force attack efforts.
- Securing IoT devices: Changing default passwords, updating firmware, and disabling unnecessary remote access are critical defenses.
- Implementing DDoS protection: Rate-limiting and filtering mechanisms help mitigate attack impact.
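The brute-force tactic listed under the infection methods above and the "monitor network logs" and "block malicious IPs" recommendations in this list can be tied together in a small detector. The following Python script is an added example, not code from Nokia Deepfield, GreyNoise or the article: it parses sshd-style authentication log lines from an IoT device, flags source addresses that rack up repeated failed logins inside a sliding time window, and merges them with an external feed of known botnet addresses into a block list. The log lines, the IP addresses (taken from the RFC 5737 documentation ranges) and the feed contents are all constructed for the example; the threshold and window values are assumptions to tune per environment.

```python
"""Brute-force login detection over device auth logs (added example, not the
botnet researchers' code).  Sample log lines and IP addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the usual sshd auth-log format.  203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
Feb 12 10:00:01 cam01 sshd[1201]: Failed password for root from 203.0.113.10 port 41002 ssh2
Feb 12 10:00:03 cam01 sshd[1202]: Failed password for admin from 203.0.113.10 port 41003 ssh2
Feb 12 10:00:04 cam01 sshd[1203]: Failed password for admin from 203.0.113.10 port 41004 ssh2
Feb 12 10:00:06 cam01 sshd[1204]: Failed password for invalid user support from 203.0.113.10 port 41005 ssh2
Feb 12 10:00:07 cam01 sshd[1205]: Failed password for admin from 203.0.113.10 port 41006 ssh2
Feb 12 10:15:00 cam01 sshd[1300]: Failed password for operator from 198.51.100.7 port 50001 ssh2
Feb 12 10:15:30 cam01 sshd[1301]: Accepted password for operator from 198.51.100.7 port 50002 ssh2
Feb 12 11:00:00 cam01 sshd[1400]: Failed password for admin from 198.51.100.9 port 50100 ssh2
Feb 12 11:40:00 cam01 sshd[1401]: Failed password for admin from 198.51.100.9 port 50101 ssh2
"""

# Placeholder stand-in for an external feed of known botnet IPs (for instance an
# export from a GreyNoise blocklist); the address is constructed, not a real indicator.
FEED_BLOCKLIST = {"203.0.113.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line, year=2025):
    """Return {ts, result, user, ip} for an sshd password event, else None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(events, threshold=5, window_seconds=300):
    """Flag source IPs with >= threshold failed logins inside any sliding window
    of window_seconds.  Returns {ip: peak_failures_in_one_window}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # slide the window start forward until it spans at most window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def build_block_list(offenders, feed_ips):
    """Union of locally detected brute-forcers and the external feed, sorted."""
    return sorted(set(offenders) | set(feed_ips))


def analyse(log_text=SAMPLE_LOG, feed_ips=FEED_BLOCKLIST):
    """Run the whole pipeline over one log blob and return a summary dict."""
    events = [e for e in map(parse_auth_line, log_text.splitlines()) if e]
    offenders = detect_bruteforce(events)
    return {
        "events": len(events),
        "offenders": offenders,
        "block": build_block_list(offenders, feed_ips),
    }


if __name__ == "__main__":
    result = analyse()
    for ip, n in result["offenders"].items():
        print(f"brute-force suspected from {ip}: {n} failures within 5 minutes")
    print("block list:", ", ".join(result["block"]))
```

On the constructed sample the burst of five failures from 203.0.113.10 in six seconds trips the detector, while the single failure followed by a success from 198.51.100.7 and the two failures forty minutes apart from 198.51.100.9 do not, which is the distinction a sliding window buys over a plain per-IP count. In a real deployment the block list would feed a firewall or router ACL rather than stdout, and the feed set would be refreshed from the provider's export on a schedule.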