Deepfield

Deepfield, part of Nokia since 2017, delivers advanced network analytics and real-time DDoS protection to secure global networks.

2025-06-30

Quick nod to the brilliant folks at @nicter_jp and @xlab_qax: their latest research shows #Eleven11bot is really the next #Rapperbot evolution, leveraging a brand‑new device family.

Teamwork in action 👉 blog.nicter.jp/2025/06/rapperb | blog.xlab.qianxin.com/rapperbo

Deepfield boosted:
Ars Technica (arstechnica)
2025-03-06

Massive botnet that appeared overnight is delivering record-size DDoSes
Eleven11bot infects video recorders, with the largest concentration of them in the US.
arstechnica.com/security/2025/

Deepfield boosted:
2025-03-04

@shadowserver @deepfield Thanks for the additional analysis, this is great.

This lines up pretty well with what we’re seeing for bot counts (the deviation on Taiwan may be related to a slightly different device signature, looking into that now). Current count is approx 41k bots seen in attacks so far.

Deepfield boosted:
The Shadowserver Foundation (shadowserver@infosec.exchange)
2025-03-04

We started scanning for IoT devices compromised by the Eleven11bot DDoS botnet, with ~86.4K discovered on 2025-03-03. IP data is shared daily in our Compromised IoT report shadowserver.org/what-we-do/ne

Top affected: US (24.7K), UK (10.8K).

Dashboard map view: dashboard.shadowserver.org/sta

For background, please see Nokia Deepfield Emergency Response Team (ERT) @deepfield announcement: infosec.exchange/@deepfield/11

Dashboard breakdown by US state:

dashboard.shadowserver.org/sta

2025-03-01

We'd like to really thank the folks over at @greynoise and @censys for providing additional insights and context: greynoise.io/blog/new-ddos-bot

#threatintel #Eleven11bot

2025-03-01

In scenarios involving maximum bot activation, #Eleven11bot is capable of launching volumetric DDoS attacks exceeding several hundred million packets per second across certain vectors. Most observed attacks, however, involve fewer devices—typically between 3,000 and 5,000 bots—but still represent a substantial threat to network reliability and service continuity.

2025-03-01

Bots associated with this botnet can typically be recognized by distinctive hexadecimal banners featuring strings such as `head[...]1111` or `head[...]11111111`, predominantly appearing on TCP port 17000.

Since its initial detection, our ERT has closely monitored the activities and growth of #Eleven11bot. Early assessments indicate a large and geographically distributed botnet presence, spanning multiple countries such as the United States, Canada, Israel, Spain, the United Kingdom, Brazil, Taiwan, Romania, and Japan, among others.

2025-03-01

On 26 February 2025, the Nokia Deepfield Emergency Response Team (ERT) identified a significant new DDoS botnet, now tracked under #Eleven11bot.

Primarily composed of compromised webcams and Network Video Recorders (NVRs), this botnet has rapidly grown to exceed 30,000 devices. Its size is exceptional among non-state actor botnets, making it one of the largest known DDoS botnet campaigns observed since the invasion of Ukraine in February 2022.

Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors. Attack intensity has varied widely, ranging from a few hundred thousand to several hundred million packets per second (pps). Public forums report sustained attack campaigns causing service degradation lasting multiple days, some of which remain ongoing.
