Researchers have uncovered a new botnet dubbed “Eleven11bot,” which has successfully commandeered over 86,000 vulnerable IP cameras to orchestrate one of the largest multi-vector DDoS attacks seen in 2025.
Security analysts report that the botnet leverages a sophisticated blend of volumetric and application-layer vectors, allowing attackers to overwhelm not only target servers but also the underlying network infrastructure that supports essential digital services.
Botnet Surge Escalates Threat
Throughout Q1 2025, security operations centers noticed a marked intensification in carpet bombing attacks, a DDoS technique wherein attackers distribute malicious traffic across large swathes of IP ranges, deliberately keeping the volume per IP low enough to evade traditional detection thresholds.

The Eleven11bot exploited this very method, launching floods via UDP, TCP, and HTTP protocols to maximize disruption while remaining under the radar of legacy mitigation tools.
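The detection gap described above can be shown with a short added example (not from the report): it scores one interval of flow records both per destination IP and per /24 prefix. The thresholds, function names and sample traffic are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# All thresholds are assumed values for illustration, not figures from the report.
PER_IP_BPS = 50_000_000       # legacy per-destination alert threshold
PER_PREFIX_BPS = 500_000_000  # aggregate threshold for one prefix
MIN_TARGETS = 64              # distinct destinations that must be hit in the prefix
PREFIX_LEN = 24

def detect(flows, interval_s):
    """flows: iterable of (dst_ip, bytes) observed in one interval.
    Returns (per_ip_alerts, carpet_alerts) as sorted lists of strings."""
    per_ip = defaultdict(int)
    for dst, nbytes in flows:
        per_ip[dst] += nbytes
    # prefix -> [total bytes, number of distinct destinations]
    per_prefix = defaultdict(lambda: [0, 0])
    for dst, nbytes in per_ip.items():
        net = ipaddress.ip_network(f"{dst}/{PREFIX_LEN}", strict=False)
        per_prefix[net][0] += nbytes
        per_prefix[net][1] += 1

    def bps(nbytes):
        return nbytes * 8 / interval_s

    per_ip_alerts = sorted(d for d, b in per_ip.items() if bps(b) >= PER_IP_BPS)
    carpet_alerts = sorted(
        str(net) for net, (b, count) in per_prefix.items()
        if bps(b) >= PER_PREFIX_BPS and count >= MIN_TARGETS
    )
    return per_ip_alerts, carpet_alerts

def sample_flows():
    """Constructed 10-second sample using documentation address ranges."""
    flows = []
    # Carpet bombing: 200 hosts in one /24, about 4 Mbps each (800 Mbps total).
    flows += [(f"203.0.113.{h}", 5_000_000) for h in range(1, 201)]
    # Single-target flood: one host at 80 Mbps, caught by the per-IP rule.
    flows.append(("198.51.100.7", 100_000_000))
    # Background traffic well under both thresholds.
    flows += [(f"192.0.2.{h}", 200_000) for h in range(1, 6)]
    return flows

if __name__ == "__main__":
    ip_alerts, carpet = detect(sample_flows(), interval_s=10)
    print("per-IP alerts:", ip_alerts)
    print("prefix-level (carpet bombing) alerts:", carpet)
```

The per-IP rule fires only for the single-target flood, while the /24 receiving 800 Mbps in total is flagged only by the prefix-level aggregate.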
The scale and efficacy of the attacks are attributed to the botnet’s rapid propagation through exposed IP cameras, devices often left unpatched or configured with default credentials.
Once compromised, these endpoints serve as amplification nodes, distributing attack traffic globally and making source tracing exceedingly difficult.
The deployment of Eleven11bot underscores a larger trend: internet of things (IoT) devices are increasingly the vector of choice for cybercriminals, given their abundance and chronic lack of effective security hardening.
Evolving Tactics Challenge Traditional DDoS Defenses
Recent data from regional scrubbing centers indicate that carpet bombing campaigns in APAC grew by 96% year-on-year, with multi-destination DDoS attacks now accounting for nearly a third of all incidents.
Notably, the telecommunications and government sectors have become the preferred targets, suffering sustained assaults that at times peaked above 2.3 Tbps, with attack durations stretching up to 11 consecutive days.
Meanwhile, industries reliant on low-latency connectivity, such as gaming, streaming, and transport, have experienced service outages and latency spikes, highlighting the broader societal impact of such attacks.
In addition to volumetric floods, Eleven11bot has demonstrated the ability to orchestrate Layer 7 (L7) and API-level attacks, a tactic that surged by 74% this quarter.
According to the StormWall report, these application-targeted vectors mimic legitimate user traffic and exhaust backend resources by exploiting resource-intensive endpoints, including authentication and search APIs.
Security experts note that such attacks are particularly insidious, as they bypass conventional IP-blocking and rate-limiting solutions, forcing defenders to adopt advanced behavioral analysis and deep packet inspection capabilities.
A key concern outlined by investigators is the apparent gap in security posture among organizations operating critical infrastructure.
Analysts warn that the legacy “one-size-fits-all” approach to DDoS mitigation is no longer viable.
Instead, a robust, multi-layered defense strategy incorporating both network- and application-layer protections, frequent patching of IoT endpoints, and AI-driven anomaly detection is now essential to repel modern botnets like Eleven11bot.
The emergence of this mega-botnet has also prompted warnings of elevated risk for future attacks, particularly as geopolitical tensions continue to rise in the APAC region.
With attackers refining their tactics and targeting new verticals, stakeholders are urged to reassess their exposure and reinforce incident response protocols.
The battle for digital resilience, experts conclude, will increasingly be won or lost on the ability to adapt and respond to the evolving botnet ecosystem.