New Botnet Delivers Record-Size DDoS Attacks

- Newly discovered botnet Eleven11bot delivers record-size DDoS attacks
- Comprises an estimated 30,000 webcams and video recorders
- Largest concentration of IP addresses located in the US
- Targets diverse sectors, including communications and gaming infrastructure
- Leverages various attack vectors, including volume and packet-based attacks
- Likely a variant of Mirai malware

Introduction to Eleven11bot

A newly discovered network botnet, comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.
The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team observed large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.

How Volumetric DDoSes Work

Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or on its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoSes that deliver staggering amounts of data, typically measured in terabits per second.

Record-Size Attacks

The largest attack Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second (Tbps). The previous record for a volumetric attack was reported in January at 5.6 Tbps.

Targets and Attack Vectors

Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than it can handle, with numbers ranging from a “few hundred thousand to several hundred million packets per second.”
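
To make the difference between bandwidth-based and packet-rate floods concrete from a defender's side, the following added example (not from the original article or from Nokia) aggregates flow records per destination and labels each kind. The link capacity, packet-rate limit, 80 percent alert threshold and all flow records are constructed assumptions.

```python
from collections import defaultdict

# Assumed values for illustration (not from the article).
INTERVAL_S = 10                 # length of each flow-export interval
LINK_BPS = 10_000_000_000       # 10 Gbps uplink
PPS_LIMIT = 2_000_000           # packet rate the edge device can forward
SATURATION = 0.8                # alert at 80% of link capacity

# Constructed flow records: (interval_start, src_ip, dst_ip, bytes, packets)
FLOWS = (
    # Large packets (1400 B) from three sources: fills the link.
    [(0, f"198.51.100.{i}", "192.0.2.10", 4_200_000_000, 3_000_000) for i in range(1, 4)]
    # Small packets (64 B) from three sources: little bandwidth, huge packet count.
    + [(0, f"203.0.113.{i}", "192.0.2.20", 640_000_000, 10_000_000) for i in range(1, 4)]
    # Ordinary traffic that should not be flagged.
    + [(0, "198.51.100.9", "192.0.2.30", 50_000_000, 40_000)]
)

def classify(flows, interval_s=INTERVAL_S, link_bps=LINK_BPS, pps_limit=PPS_LIMIT):
    """Aggregate per (interval, destination) and label the flood type, if any."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for ts, src, dst, nbytes, npkts in flows:
        bucket = agg[(ts, dst)]
        bucket["bytes"] += nbytes
        bucket["packets"] += npkts
        bucket["sources"].add(src)
    findings = []
    for ts, dst in sorted(agg):
        b = agg[(ts, dst)]
        bps = b["bytes"] * 8 / interval_s
        pps = b["packets"] / interval_s
        kinds = []
        if bps >= SATURATION * link_bps:
            kinds.append("volumetric")      # bandwidth exhausted
        if pps >= pps_limit:
            kinds.append("packet-rate")     # forwarding capacity exhausted
        if kinds:
            findings.append({"dst": dst, "kinds": kinds, "bps": bps, "pps": pps,
                             "sources": len(b["sources"]),
                             "avg_pkt_bytes": b["bytes"] // max(b["packets"], 1)})
    return findings

if __name__ == "__main__":
    for finding in classify(FLOWS):
        print(finding)
```

The second destination never approaches link capacity, so a bandwidth-only alert would miss it; tracking packets per second alongside bits per second catches both cases.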

Location of IP Addresses

A breakdown showed that the largest concentration of IP addresses, at 24.4 percent, was located in the US. Taiwan was next at 17.7 percent, and the UK at 6.5 percent.

Mirai-Based Botnet

According to a post updated on Wednesday from security firm GreyNoise, Eleven11bot is most likely a variant of Mirai, a family of malware for infecting webcams and other Internet of Things devices. Mirai debuted in 2016, when tens of thousands of IoT devices infected by it delivered what at the time were record-setting DDoSes of about 1 Tbps and took down security news site KrebsOnSecurity for almost a week.