We have reached a point where #DDoS attacks are now affecting shared infrastructure — well beyond the intended targets.
Read on to learn about why networks need to address outbound DDoS traffic, and to build defenses as part of the network.
Nothing says "controlled chaos" like a live DDoS demo where the attacker literally has paperwork from the Ministry of Finance.
(And yes, this is in-line Layer 2 mitigation on a live network.)
Quick nod to the brilliant folks at @nicter_jp and @xlab_qax: their latest research shows #Eleven11bot is really the next #Rapperbot evolution, leveraging a brand‑new device family.
Teamwork in action 👉 https://blog.nicter.jp/2025/06/rapperbot_2025_2g/ | https://blog.xlab.qianxin.com/rapperbot-en/
@shadowserver @deepfield Thanks for the additional analysis, this is great.
This lines up pretty well with what we’re seeing for bot counts (the deviation on Taiwan may be related to a slightly different device signature, looking into that now). Current count is approx 41k bots seen in attacks so far.
We started scanning for IoT devices compromised by the Eleven11bot DDoS botnet, with ~86.4K discovered on 2025-03-03. IP data is shared daily in our Compromised IoT report https://www.shadowserver.org/what-we-do/network-reporting/compromised-iot-report/
Top affected: US (24.7K), UK (10.8K).
Dashboard map view: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-03-03&source=compromised_iot&tag=eleven11bot%2B&geo=all&data_set=count&scale=log
For background, please see Nokia Deepfield Emergency Response Team (ERT) @deepfield announcement: https://infosec.exchange/@deepfield/114086567369833954
Dashboard breakdown by US state:
We'd like to really thank the folks over at @greynoise and @censys for providing additional insights and context: https://www.greynoise.io/blog/new-ddos-botnet-discovered
Bots associated with this botnet can typically be recognized by distinctive hexadecimal banners featuring strings such as `head[...]1111` or `head[...]11111111`, predominantly appearing on TCP port 17000.
Since its initial detection, our ERT has closely monitored the activities and growth of #Eleven11bot. Early assessments indicate a large and geographically distributed botnet presence, spanning multiple countries such as the United States, Canada, Israel, Spain, the United Kingdom, Brazil, Taiwan, Romania, and Japan, among others.
On 26 February 2025, the Nokia Deepfield Emergency Response Team (ERT) identified a significant new DDoS botnet, now tracked under #Eleven11bot.
Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices. Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.
Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second (pps). Public forums report sustained attack campaigns causing service degradation lasting multiple days, some of which remain ongoing.