How in the world do Death Star-sized botnets come about? Attackers don’t possess such immense power on their own; they must commandeer it. That means they’re perpetually on the hunt for vulnerable IoT devices that they can compromise.

F5 Labs and our data partner, Loryka¹, have been monitoring this hunt for over a year now. In our first report, DDoS’s Newest Minions: IoT Devices, we proved what many security experts had long suspected: IoT devices were not only vulnerable, they were already being heavily exploited to pull off large, distributed denial-of-service (DDoS) attacks.

Data collected throughout the remainder of 2016 shows an even steeper growth in “the hunt” than we had imagined. The annual growth rate was 1,473%, with a clear spike in Q4—1.5 times the combined volume in Q1 through Q3. This isn’t surprising, given the timing of the Mirai botnet. And while the number of participating networks in the second half of 2016 stayed relatively flat at 10%, the number of unique IP addresses participating within those networks grew at a rate of 74%. Clearly, threat actors within the same networks have increased their activity.