A new botnet called Eleven11bot launched a record 6.5 terabit-per-second DDoS attack in February, but security experts can’t agree on its actual size.
Nokia’s research team first spotted the botnet in late February, counting about 30,000 infected devices. Shadowserver Foundation later claimed 86,400 compromised devices. Security firm GreyNoise then drastically lowered the estimate to fewer than 5,000.
“Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns,” said Nokia researcher Jérôme Meyer. He compared it only to a 60,000-device botnet seen after Russia’s 2022 Ukraine invasion.
The discrepancy in numbers stems from different detection methods. Meyer believes Shadowserver’s high count results from a critical misidentification: the “unique device information” it used as an infection marker appears on all such hardware, infected or not.
GreyNoise says that some researchers mistook normal security camera traffic for malware signals. Representatives from GreyNoise haven’t explained how they arrived at a much lower estimate.
Despite disagreement about its size, experts agree that Eleven11bot is likely a new version of the Mirai malware from 2016. The new variant exploits a vulnerability in TVT-NVMS9000 software running on HiSilicon-based devices.
The attacks have targeted telecommunication providers and gaming platforms with unprecedented force. Meyer noted attack strength “varied widely,” sometimes reaching “several hundred million packets per second” and causing multi-day disruptions.
Location data adds further questions. Shadowserver puts most infected devices in the US (24.4%), while GreyNoise traces 61% of malicious IP addresses to Iran.
The timing raised eyebrows when GreyNoise noted the surge in botnet activity occurred just two days after the Trump administration renewed “maximum pressure” sanctions against Iran.
Security experts recommend organizations protect against the threat by placing IoT devices behind firewalls, changing default passwords, updating firmware, and monitoring for suspicious login attempts. GreyNoise has published a list of botnet-linked IP addresses that defenders can add to blocklists.
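As an added illustration of the blocklist and login-monitoring advice above (not code from Nokia, GreyNoise, or Shadowserver), this Python example checks login records against a blocklist and flags sources with repeated failures. The log format, the addresses (documentation ranges), and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist entries (documentation ranges), standing in for a
# published list of botnet-linked addresses; single IPs and CIDRs both work.
BLOCKLIST = ["203.0.113.7", "198.51.100.0/28"]

# Constructed log lines in a hypothetical "<time> <result> user=<u> src=<ip>" format.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z LOGIN_FAIL user=admin src=203.0.113.7
2025-03-01T10:00:02Z LOGIN_FAIL user=admin src=192.0.2.50
2025-03-01T10:00:03Z LOGIN_FAIL user=root src=192.0.2.50
2025-03-01T10:00:04Z LOGIN_FAIL user=admin src=192.0.2.50
2025-03-01T10:00:05Z LOGIN_OK user=operator src=192.0.2.10
2025-03-01T10:00:06Z LOGIN_FAIL user=guest src=198.51.100.9
not a log line
"""

LINE_RE = re.compile(r"^\S+ (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def load_blocklist(entries):
    """Parse IPs/CIDRs into network objects; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def triage(log_text, blocklist, fail_threshold=3):
    """Return (blocklisted sources seen, sources at or over the failure threshold)."""
    nets = load_blocklist(blocklist)
    fails, listed = Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        result, _user, src = m.groups()
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # src field was not a valid address
        if any(ip in n for n in nets):  # an IPv4/IPv6 mismatch is simply False
            listed.add(str(ip))
        if result == "LOGIN_FAIL":
            fails[str(ip)] += 1  # counted over the whole input, no time window
    noisy = {ip for ip, n in fails.items() if n >= fail_threshold}
    return sorted(listed), sorted(noisy)

if __name__ == "__main__":
    listed, noisy = triage(SAMPLE_LOG, BLOCKLIST)
    print("blocklisted sources:", listed)
    print("repeated failures:", noisy)
```

A source that appears only in the second list is worth reviewing even though no blocklist names it; the two checks cover different gaps.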
Eleven11bot’s assault surpassed the previous record set just weeks earlier. In January, Cloudflare blocked a 5.6 Tbps attack launched by a separate Mirai-variant botnet using 13,000 compromised devices. Cloudflare also documented an alarming 53% increase in overall DDoS attacks last year, with its systems mitigating 21.3 million attacks.
The size debate shows how difficult it is to measure and counter new cyber threats effectively. Regardless of exact numbers, Eleven11bot’s record-breaking attack power confirms that it poses a serious threat to unprepared networks.