What Is a Botnet?

A botnet is a distributed network of many compromised internet-connected devices that are controlled by a centralized botmaster and used to perform synchronized tasks. Each infected machine is called a bot, and together their power is used to carry out various attacks. Botnets are usually created via malware infections, which gain persistence on the machines and “recruit” them to the botnet. Some of these malware variants can even self-propagate through networks, infecting many devices via one network entry point. The amount of bandwidth “taken” from each bot is relatively small, so that the victim will not realize that their device is being exploited, but when thousands or even millions of machines are simultaneously instructed to perform a joint, targeted attack, the damage can be immense.

Although we are used to thinking of botnets as a collection of computers, these networks can be made up of various types of devices: personal computers, laptops, mobile devices, smart watches, security cameras, and smart home appliances.


Botnet Architecture

Two distinct architectures characterize most botnets.

The “classic” botnet infrastructure is based on a client-server approach, which involves a Command and Control (C&C) server that has centralized control over the bots. The C&C server sends automated commands throughout the botnet using a common communications protocol, usually IRC or HTTP. Using this type of communication, the botmaster can create dedicated channels between the bots and the C&C, as well as subgroup communications throughout the bot army. Botnets featuring client-server architecture are easier to set up, boast a well-known infrastructure with many guides and models to learn from, and allow the botmaster to directly communicate with all bots in a simple two-way session. On the other hand, this architecture is dependent on centralized C&C servers, which makes the botnet easier to take down once discovered. Furthermore, the protocols used to form two-way communication create more traffic, making the exploitation of victim devices easier to detect.
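The centralized shape described above can be looked for in flow logs. The following is an added example, not part of the original article: it flags an external destination that several internal hosts contact on a near-fixed schedule. The regular check-in interval is an assumption of this heuristic, and the flow records, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch_seconds, internal_src, external_dst, dst_port).
# External addresses are from RFC 5737 documentation ranges, not real indicators.
FLOWS = (
    [(t, "10.0.0.5", "203.0.113.7", 6667) for t in range(0, 3000, 300)]
    + [(t + 12, "10.0.0.9", "203.0.113.7", 6667) for t in range(0, 3000, 300)]
    + [(t, "10.0.0.5", "198.51.100.20", 443) for t in (5, 40, 610, 700, 1900, 2950)]
    + [(t, "10.0.0.8", "198.51.100.20", 443) for t in (90, 95, 1300, 2200)]
)

def interval_jitter(timestamps):
    """Coefficient of variation of the gaps between connections (0 = perfectly regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None  # too few connections to judge regularity
    return pstdev(gaps) / mean(gaps)

def find_c2_candidates(flows, min_hosts=2, max_jitter=0.1):
    """Return {(dst, port): [sources]} for destinations that at least
    min_hosts internal hosts contact at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    regular = defaultdict(set)
    for (src, dst, port), stamps in by_pair.items():
        jitter = interval_jitter(stamps)
        if jitter is not None and jitter <= max_jitter:
            regular[(dst, port)].add(src)
    # Keep only destinations shared by several hosts: the centralized fan-in.
    return {k: sorted(v) for k, v in regular.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in find_c2_candidates(FLOWS).items():
        print(f"{dst}:{port} contacted on a fixed schedule by {hosts}")
```

A hit is a lead for investigation, not proof: legitimate update or telemetry services also poll on a schedule, so results should be checked against an allowlist and threat intelligence.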

A more modern approach to botnets completely retires the use of C&C servers, using a decentralized peer-to-peer (P2P) architecture instead. In this model, each bot serves as both client and server. This way, the bots are able to relay information between different devices in the network. While a botnet’s C&C server must possess a list of all the bots in its network, in a P2P model, each peer only possesses a list of its neighboring peers. Using this architecture, botnet traffic is harder to distinguish from legitimate traffic, the bots are harder to find, and the networks are harder to take down as there is no centralized power in the network.


Types of Botnet Attacks

The collective power that botnets create can be used for a variety of purposes and attacks.

DDoS Attacks: One of the most well-known cyber attacks, Distributed Denial of Service attacks are easily deployed by botnets. DDoS attacks usually target web servers, though they can be used against any device or service connected to the internet. During a DDoS attack, the botnet floods its target, using up all its computational resources or bandwidth, thus causing its service to fail. DDoS attacks can be performed both at the network layer (UDP/SYN floods, NTP/DNS/SSDP amplification), and at the application layer (e.g., HTTP floods).

Phishing and Identity Theft: Since botnets can perform a lot of actions at once, they can be used to perform large-scale identity theft. This is done by sending out massive amounts of spam emails, which direct victims to fake websites that harvest credentials, credit card details, bank account information and more.

Spam: Botnets are often used as a tool to reroute spam traffic. Since spammers are quite easily caught and blacklisted, they will pass their traffic through the compromised bots so that even if they do get uncovered, the bot’s IP will be blacklisted and not theirs. This way, they can easily switch between bots and make sure they always have an available IP for their spam activity.

Pay-per-click Abuse: Attackers have found a way to speed up monetization from Google’s AdSense program using botnets. Since Google pays website owners per-click on the advertisements that they display on their website, some utilize the immense power and automation of botnets to generate many advertisement clicks.

Crypto mining: These botnets utilize their distributed computing power for cryptocurrency mining. While using a single computer for crypto mining may cost more in electrical bills than the profit it rakes in, threat actors can mine for cryptocurrency using a bit of power from each of the bots in their botnet. Since the computational power is 100% the victims’, the miners do not have to pay anything to mine, and can sit back and relax while the botnet mines for them.


Botnets are a serious, prominent threat, and most victims don’t even know that their device has been recruited into a malicious botnet. ThreatSTOP integrates many threat intelligence sources into our systems that specialize in botnet infrastructure and indicators of compromise, protecting our users from botnet threats.
