this post was submitted on 06 Mar 2025
279 points (98.9% liked)

Technology

65819 readers
5194 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
279
Massive botnet that appeared overnight is delivering record-size DDoSes (arstechnica.com)
submitted 4 days ago by arotrios@lemmy.world to c/technology@lemmy.world
33 comments fedilink hide all child comments
 

A newly discovered network botnet comprising an estimated 30,000 webcams and video recorders—with the largest concentration in the US—has been delivering what is likely to be the biggest denial-of-service attack ever seen, a security researcher inside Nokia said.

The botnet, tracked under the name Eleven11bot, first came to light in late February when researchers inside Nokia’s Deepfield Emergency Response Team observed large numbers of geographically dispersed IP addresses delivering “hyper-volumetric attacks.” Eleven11bot has been delivering large-scale attacks ever since.

Volumetric DDoSes shut down services by consuming all available bandwidth either inside the targeted network or its connection to the Internet. This approach works differently than exhaustion DDoSes, which over-exert the computing resources of a server. Hypervolumetric attacks are volumetric DDoses that deliver staggering amounts of data, typically measured in the terabits per second. Johnny-come-lately botnet sets a new record

At 30,000 devices, the Eleven11bot was already exceptionally large (although some botnets exceed well over 100,000 devices). Most of the IP addresses participating, Nokia researcher Jérôme Meyer told me, had never been seen engaging in DDoS attacks.

Besides a 30,000-node botnet seeming to appear overnight, another salient feature of Eleven11bot is the record-size volume of data it sends its targets. The largest one Nokia has seen from Eleven11bot so far occurred on February 27 and peaked at about 6.5 terabits per second. The previous record for a volumetric attack was reported in January at 5.6 Tbps.

"Eleven11bot has targeted diverse sectors, including communications service providers and gaming hosting infrastructure, leveraging a variety of attack vectors," Meyer wrote. While in some cases the attacks are based on the volume of data, others focus on flooding a connection with more data packets than a connection can handle, with numbers ranging from a "few hundred thousand to several hundred million packets per second." Service degradation caused in some attacks has lasted multiple days, with some remaining ongoing as of the time this post went live.

all 35 comments
sorted by: hot top controversial new old
[–] sundrei@lemmy.sdf.org 72 points 4 days ago (1 children)

"Exclusive: Hegseth orders Cyber Command to stand down on Russia planning." 🤔

[–] SlopppyEngineer@lemmy.world 29 points 4 days ago

It reads like the cyberpunk 2077 source material of the first corporate war, but with different names.

[–] Flagstaff@programming.dev 43 points 4 days ago (2 children)

Gosh, I hope these things don't start targeting Lemmy instances.

[–] arotrios@lemmy.world 58 points 4 days ago (1 children)

Looks like it was a practice run. It's relatively easy to take out webservers with a standard DDOS attack. This is considerably more sophisticated, and I think they were testing it on gaming networks in prep for a larger attack on financial and/or government IT infrastructure.

[–] Flagstaff@programming.dev 17 points 4 days ago (1 children)

I just hope that FOSS doesn't become a regular training ground for immoral capitalists to assault.

[–] cabbage@piefed.social 36 points 4 days ago (2 children)

We don't have money, so ransom attacks are unlikely.

If it's state actors and cyber warfare, which I think is fair to suspect, we're probably way under the radar. We're not quite critical infrastructure just yet. :)

For the lols attacks could happen anywhere, but this is not that.

[–] Flagstaff@programming.dev 3 points 4 days ago

Whew, good to know!

[–] Angelusz@lemmy.world 2 points 3 days ago (1 children)

But we do have information, and knowledge is power. Money is an intermediary.

[–] cabbage@piefed.social 1 points 3 days ago

Information here is public.

That said, there has been problems of people scraping random fediverse servers and causing a lot of traffic, in turn sending a huge bill to the owner of the instance.

[–] Vent@lemm.ee 22 points 4 days ago (3 children)

Lol, and what would the ransom be for taking down someone's money-burning hobby project?

[–] Flagstaff@programming.dev 17 points 4 days ago

Well, there was an article I read elsewhere on Lemmy that said that FOSS is an enemy of capitalism by being a cheaper competitor, so capitalist dogs may try to attack FOSS developers' resources and willpower to keep going so they can funnel all of us users over to their paid products.

[–] modifier@lemmy.ca 12 points 4 days ago (1 children)

No ransom. This might be someone's hobby project but it is dangerous, or will be, to the handful of dweeby, fake-ripped broligarchs that want to control ALL of our conversations.

[–] balder1991@lemmy.world 4 points 4 days ago* (last edited 4 days ago)

For example, some conspiracy theories say that FOSS maintainers being trash talked and having their families threatened online might be state actors trying to get them to give up the project so that someone else can continue it and insert vulnerabilities (especially if it’s a dependency of many other projects).

[–] catloaf@lemm.ee 4 points 4 days ago

The lulz

[–] triptrapper@lemmy.world 12 points 4 days ago (2 children)

I'm naive. What's the motive for an attack like this?

[–] Maggoty@lemmy.world 35 points 4 days ago (2 children)

Best case? Some grey hat found a hole in security for Internet connected cameras and is just having fun. Worst case? Training runs by a state actor.

[–] Dasus@lemmy.world 4 points 4 days ago

Pretty succinct summary. Good job.

[–] MonkderVierte@lemmy.ml 4 points 4 days ago (1 children)

Or one of the professionalized cybercryme groups.

[–] Maggoty@lemmy.world 6 points 3 days ago (1 children)

They're all state actors these days because all the ones that didn't hook up with a country for protection either got their doors kicked in at 3 in the morning; or they kept to small enough operations to not be a real bother. I guess one of them could have forgotten the 2010's, but I doubt it. They tend to be smarter than other criminals.

[–] apostrofail@lemmy.world 1 points 2 days ago

forgotten the 2010s*

[–] surph_ninja@lemmy.world 3 points 4 days ago

My suspicion is a false flag by the intelligence agencies to push back against cuts or prove their value to the new admin. This is their style to protect or ask for larger budgets.

[–] jlh@lemmy.jlh.name 11 points 4 days ago

Codeberg got hit with a volumetric DDOS last month too

[–] surph_ninja@lemmy.world 11 points 4 days ago

Was just discussing with friends this morning that they should expect a digital false flag coming in. The crooks at the NSA or CIA were bound to retaliate to cuts, or create a problem to make themselves the heroes.

[–] FourThirteen@lemmy.world 6 points 4 days ago (2 children)

Nokia?

[–] Arkthos@pawb.social 18 points 4 days ago

Nokia is a mobile infrastructure giant. They are just mostly business to business, so like Texas Instruments they are rather easy to mistake for being small.

[–] fibojoly@sh.itjust.works 1 points 3 days ago

You may remember them from...

[–] moakley@lemmy.world 6 points 4 days ago

So what's the damage here? I can't find anything about the targets. Is this why my Xbox is having server issues?

[–] nullPointer@programming.dev 6 points 4 days ago (1 children)

webcams? like plugin web cameras? we talking ring cameras or something?

[–] peoplebeproblems@midwest.social 5 points 4 days ago (1 children)

IP cameras more likely. USB Webcams don't talk over IP.

[–] lka1988@lemmy.dbzer0.com 1 points 4 days ago (1 children)

Yeah, so Ring cameras?

[–] imvii@lemmy.ca 3 points 4 days ago (1 children)

There are a ton of really cheap Chinese IP cameras out there. Those are less secure then ring or wyze cameras.

[–] lka1988@lemmy.dbzer0.com 4 points 4 days ago

Oh I believe it.

[–] Maeve@kbin.earth 4 points 4 days ago

DOGE exploiting this?