
Massive IoT Botnet Eleven11bot Emerges as Major Global Cybersecurity Threat


CyberSecureFox Editorial Team


A new sophisticated DDoS botnet named Eleven11bot has emerged as a significant cybersecurity threat, successfully compromising more than 86,400 IoT devices worldwide. This large-scale infection represents one of the most substantial botnet deployments observed in recent years, raising serious concerns among cybersecurity experts about the vulnerability of connected devices. The threat was documented by the Shadowserver Foundation and Nokia’s Deepfield Emergency Response Team.

Global Impact and Distribution Analysis

The Shadowserver Foundation’s comprehensive analysis reveals a concentrated distribution of infected devices across major Western nations. The United States leads with approximately 25,000 compromised devices, followed by the United Kingdom (10,000), Canada (4,000), and Australia (3,000). Initial detection by the Nokia Deepfield Emergency Response Team identified roughly 30,000 infected devices, highlighting the botnet’s rapid expansion capabilities.

Technical Infrastructure and Infection Mechanisms

Eleven11bot employs sophisticated infiltration techniques, primarily targeting surveillance cameras and Network Video Recorders (NVRs) with security vulnerabilities. The botnet’s infection strategy combines traditional brute-force attacks targeting weak passwords with aggressive network scanning for exposed SSH and Telnet ports. This multi-vector approach has proven particularly effective against inadequately secured IoT infrastructure.

Attack Capabilities and Impact Assessment

According to Nokia’s security expert Jerome Meyer, the botnet demonstrates remarkable attack capabilities, generating DDoS traffic volumes ranging from hundreds of thousands to hundreds of millions of packets per second. The attacks predominantly target gaming and communication sectors, with sustained campaigns lasting several days, causing significant operational disruptions to targeted organizations.

Strategic Context and Attribution Indicators

GreyNoise intelligence reports indicate that 61% of the attacking IP addresses originate from Iran, coinciding with renewed US economic sanctions against the country. While this temporal correlation is noteworthy, cybersecurity researchers emphasize that definitive attribution to specific threat actors remains unconfirmed, highlighting the complex nature of cyber attribution.

Who Is at Risk

Organizations and individuals most exposed to Eleven11bot include:

  • Operators of internet-connected security cameras and NVRs using default or weak credentials
  • Gaming companies, VoIP providers, and telecom operators — the botnet’s primary attack targets
  • Small businesses and home users running unpatched IoT devices directly exposed to the internet
  • Data centers hosting services without anti-DDoS scrubbing infrastructure

How to Protect Your IoT Devices

  • Change all default usernames and passwords on cameras, NVRs, and routers immediately — use unique, complex credentials per device
  • Disable Telnet and restrict SSH access; place IoT devices behind a firewall or on an isolated VLAN
  • Apply firmware updates promptly — check your device manufacturer’s support page regularly
  • Use network monitoring tools to detect unusual outbound traffic spikes that may indicate botnet activity
  • If you operate public-facing services, engage a DDoS mitigation provider capable of handling volumetric attacks at multi-Gbps scale
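As an illustration of the monitoring step above, the following added example (not code from Shadowserver, Nokia, or GreyNoise) flags devices on an IoT network segment that either contact many distinct hosts on SSH/Telnet within one minute or send far more packets than their own baseline. The flow-record format, IP addresses, and both thresholds are assumptions made for the example, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

SCAN_PORTS = {22, 23}   # SSH and Telnet, the ports the article says the botnet scans
FANOUT_LIMIT = 5        # assumed threshold: distinct SSH/Telnet peers per minute
SPIKE_FACTOR = 10       # assumed threshold: packets per minute vs. the host's median

def sample_flows():
    """Constructed records 'minute src dst dst_port packets' for two cameras."""
    lines = []
    for minute in range(6):  # both cameras stream to the NVR every minute
        lines.append(f"{minute} 10.0.20.5 10.0.10.2 554 1200")
        lines.append(f"{minute} 10.0.20.7 10.0.10.2 554 1100")
    for i in range(1, 41):   # minute 4: one camera contacts 40 hosts on Telnet
        lines.append(f"4 10.0.20.7 198.51.100.{i} 23 3")
    lines.append("5 10.0.20.7 203.0.113.9 80 250000")  # minute 5: outbound flood
    lines.append("truncated record")                   # malformed, must be skipped
    return "\n".join(lines)

def parse(text):
    """Yield (minute, src, dst, port, packets), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue

def analyze(text, fanout_limit=FANOUT_LIMIT, spike_factor=SPIKE_FACTOR):
    """Return sorted (src, minute, reason) alerts for IoT source addresses."""
    peers = defaultdict(set)                        # (src, minute) -> SSH/Telnet peers
    volume = defaultdict(lambda: defaultdict(int))  # src -> minute -> packets sent
    for minute, src, dst, port, packets in parse(text):
        volume[src][minute] += packets
        if port in SCAN_PORTS:
            peers[(src, minute)].add(dst)
    alerts = {(src, minute, "ssh-telnet-fanout")
              for (src, minute), dsts in peers.items() if len(dsts) > fanout_limit}
    for src, per_minute in volume.items():
        if len(per_minute) < 3:                     # too little history for a baseline
            continue
        baseline = max(median(per_minute.values()), 1)
        alerts |= {(src, minute, "outbound-spike")
                   for minute, packets in per_minute.items()
                   if packets > spike_factor * baseline}
    return sorted(alerts)

if __name__ == "__main__":
    for alert in analyze(sample_flows()):
        print(alert)
```

A camera or NVR normally talks to a handful of fixed peers, so either alert on such a device is a reason to isolate it and check its credentials and firmware.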

