Botnets may be old news, but their ability to harness legions of vulnerable IoT devices for DDoS attacks constitutes a clear and present danger. Although other vectors have emerged, botnets have traditionally been major contributors to the DDoS landscape. To understand the DDoS landscape, you need a deeper sense of the botnets behind the action.

Well-known IoT botnets, such as Gafgyt and Mirai, continue to pose a serious threat, contributing to more than half of the total number of DDoS attacks we saw in the 1H 2021. Our honeypot networks report some big numbers when it comes to vulnerable IoT devices being subsumed into botnets, and we wanted to get a clearer picture of botnet origins to educate and inform the world about their usage and distribution. By using our unique visibility of the DDoS attack landscape to identify botnets actively attacking customers, we can provide more granular detail about attack origins—and ultimately, help companies shut down DDoS botnet activity.

Botnet Exposé

The NETSCOUT honeypot network combines low- and medium-interactivity nodes with a global network of passive listeners. Leveraging data from NETSCOUT and a new sharing partner, GreyNoise, we collected observations on more than 1 million botted nodes worldwide. (A botted node consists of devices/systems that have been compromised by malicious bot software.) We then correlated the list of nodes with our global DDoS attack telemetry to identify bots actively contributing to DDoS attacks. Over the course of six months, we found approximately 200,000 botted nodes that participated in roughly 2.8 million DDoS attacks globally.

In the first six months of 2021, the honeypot networks observed more than a million unique IP addresses across 202 countries. Leveraging only the IPs also observed in DDoS attacks, we took a closer look at the three countries with the most DDoS botnet nodes: China, India, and Vietnam.

The goal of this research is to help network operators and security professionals understand the flow of internet traffic from botted nodes in country origins as well as how bots in these countries propagate, so they can better defend and protect networks and devices. In addition to looking at the total dispersion of all bots geographically, we also dive into the top three, showcasing how bots propagate and where the botted nodes are concentrated down to how many classless interdomain routing (CIDR) addresses the bulk of the DDoS attack traffic emerged from in 1H 2021.

globe with China red circle focus


Honeypot Observations 1H 2021


Unique Credential Sets


Top Botnet


Autonomous System Numbers (ASN)
• 56.72 percent botted nodes reside inside of two ASNs

• One ASN had three IP addresses that contributed to 36.53 percent of all observed botted node traffic

• 54.88 percent of that ASN’s traffic originated from 23 IP addresses in a /16 CIDR block

globe with India blue circle focus


Honeypot Observations 1H 2021


Unique Credential Sets


Top Botnet


Autonomous System Numbers (ASN)
• 20.37 percent botted nodes reside inside of three ASNs

• One ASN had one IP addresses that contributed to 36.53 percent of all observed botted node traffic

• 62.93 percent of all botted node traffic from one ASN came from a single IP addresses

globe with Vietnam green circle focus


Honeypot Observations 1H 2021


Unique Credential Sets


Top Botnet

Emerging Botnet
MikroTik router username and password combination

• MikroTik-related passwords accounted for 12.56 percent of all user:pass observations from Vietnam

• Suggest targeting of a profiled set of devices

Autonomous System Numbers (ASN)

• 89.18 percent botted nodes reside inside of four ASNs

• Top two ASNs contribute to 59.45 percent of all tracked botted nodes

• In one ASN, three IP addresses contributed to 26.46 percent of all botted node traffic

MikroTik user/pass observations

  • MikroTik:
  • MikroTik:1
  • MikroTik:11
  • MikroTik:1122
  • MikroTik:123
  • MikroTik:1234
  • MikroTik:12345
  • MikroTik:123456
  • MikroTik:1234567
  • MikroTik:12345678
  • MikroTik:123456789
  • MikroTik:admin
  • MikroTik:admin1
  • MikroTik:admin123
  • MikroTik:password
  • MikroTik:qwerty
  • MikroTik:test

Source Device Operating System Profiles

The botnets we track typically have a common device profile; from that profile, we see the following operating systems on the bots attempting to propagate. The top three operating system profiles were Windows 7/8, Linux 2.2-3x, and Linux 2.4x. Users and network operators can employ this information to determine what kind of devices are resident on their network and match those devices against commonly used username and password combinations to ensure they aren’t susceptible to brute-forcing attempts.

Source Network Provider Classifications

In addition to understanding the device profile and operating system type, we were able to break down the network types to better show where these botted nodes reside. Note the low percentage of observations from business or education networks. This is probably due to more stringent control over what devices are allowed on the network in these institutions. The top three source network profiles were ISP, mobile, and hosting, where device control is nearly nonexistent. That lack of control means that those ISP and mobile numbers really represent compromised subscribers.

Botnet Propagation

Botnets propagate via a variety of methods, including brute-forcing, exploitation, and lateral network movement. Based on data from GreyNoise, the top five exploitation behaviors observed on these botted nodes, which also contributed to DDoS attacks, were the following.