Eleven11bot infects thousands of IoT devices for DDoS attacks

A new malware called “Eleven11bot” has been identified as infecting over 86,000 IoT devices, mainly security cameras or network video recorders (NVRs), for use in DDoS attacks.
Security researchers from the Emergency Response Team (ERT) at Nokia Deepfield recently disclosed a new botnet with over 30,000 infected devices. Named Eleven11bot, this botnet is primarily built from IoT devices like security cameras and network video recorders.
According to the report, Eleven11bot is used in distributed denial of service (DDoS) attacks that target telecommunications providers and gaming platforms, with attacks lasting several days and causing large-scale disruptions. According to Shadowserver statistics, the number of devices infected by Eleven11bot has now reached over 86,000 worldwide.

Figure 1: Number of devices infected by Eleven11bot worldwide - Source: The Shadowserver Foundation
Following Nokia Deepfield's report, GreyNoise also published and analyzed a list of IPs linked to Eleven11bot. Specifically, GreyNoise researchers concluded:
96% of the provided IPs are non-spoofable, meaning these IPs come from genuine and accessible devices.
61% of the provided IPs originate from Iran.
305 out of the total 1,042 IPs are classified as highly malicious.

Figure 2: Malicious IPs linked to Eleven11bot - Source: GreyNoise
The data collected by GreyNoise not only reveals the malicious activities of Eleven11bot but also shows how this botnet can expand. Specifically:
Brute-force attacks: The botnet conducts brute-force attacks on IoT devices with weak security, where administrators use simple or common passwords for access and management.
Targeted attacks: It focuses on exploiting security cameras with hard-coded login credentials, such as VStarcam.
Scanning Telnet and SSH ports: IoT devices often lack strong security measures on these ports, making them easy targets for hackers.
Recommendations
To combat the risk of Eleven11bot infection on IoT devices, GreyNoise provides several recommendations to help users protect themselves from this botnet and similar cybersecurity threats, including:
Block access to malicious IP addresses: Prevent traffic to IP addresses identified as highly malicious.
Monitor network logs to detect unusual access: Monitoring logs can reveal attempts to log in via SSH (port 22) or Telnet (port 23).
Secure IoT devices: Enhance security for IoT devices. Change the device's default password, apply security patches, and disable remote access if not necessary.
Limit access rates and enable DDoS protection: Because botnet attacks depend on high-intensity traffic, users can limit the rate of access a device can perform within a certain time frame. Additionally, DDoS protection should be enabled to prevent and mitigate the impact of DDoS attacks.
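The blocklist and log-monitoring recommendations above can be combined in one pass over connection logs. The following is an added example, not code from GreyNoise or the sources cited here; the iptables-style log layout, the documentation-range IP addresses, the threshold of 5 attempts in 60 seconds, and the name find_suspects are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PORTS = {22: "ssh", 23: "telnet"}  # the two ports named in the recommendations
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\S+) .*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b"
)

def find_suspects(lines, blocklist=frozenset(), threshold=5,
                  window=timedelta(seconds=60)):
    """Return {src_ip: reasons} for sources hitting SSH/Telnet.

    A source is reported when it is on the blocklist, or when it makes
    `threshold` or more attempts on one watched port inside `window`.
    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)   # (src, port) -> timestamps still inside the window
    suspects = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a TCP connection record
        port = int(m["dpt"])
        if port not in WATCHED_PORTS:
            continue
        src, ts = m["src"], datetime.fromisoformat(m["ts"])
        if src in blocklist:
            suspects[src].add("blocklisted")
        q = recent[(src, port)]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            suspects[src].add("burst:" + WATCHED_PORTS[port])
    return dict(suspects)

def _line(ts, src, dpt):
    # Constructed sample record in an iptables LOG-like layout (assumption).
    return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT=40000 DPT={dpt} SYN")

SAMPLE_LOG = sorted(
    [_line(f"2025-03-03T10:00:{s:02d}", "203.0.113.7", 23) for s in range(0, 12, 2)]     # 6 Telnet tries in 10 s
    + [_line(f"2025-03-03T10:{m:02d}:00", "198.51.100.77", 22) for m in range(0, 50, 10)]  # 5 SSH tries over 40 min
    + [_line("2025-03-03T10:05:00", "198.51.100.20", 22)]                                  # one hit, blocklisted source
    + [_line(f"2025-03-03T10:06:{s:02d}", "203.0.113.9", 443) for s in range(10)]          # HTTPS, not watched
)

if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_LOG, blocklist={"198.51.100.20"}).items():
        print(ip, sorted(reasons))
```

The slow SSH source is not flagged because its attempts never fall inside one window; tune threshold and window to the device's normal management traffic.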
References
GreyNoise blog: https://www.greynoise.io/blog/new-ddos-botnet-discovered
The Shadowserver Dashboard: https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-03-03&source=compromised_iot&tag=eleven11bot%2B&geo=all&data_set=count&scale=log
Bleeping Computer: https://www.bleepingcomputer.com/news/security/new-eleven11bot-botnet-infects-86-000-devices-for-ddos-attacks/






