Botnet
About 4 min read
Last updated: 2026-04-22
What Is a Botnet
A botnet (a portmanteau of "robot" and "network") is a collection of internet-connected devices - computers, routers, cameras, and other IoT hardware - that have been infected with malware and placed under the remote control of an attacker. Each compromised device is called a "bot" or "zombie" and operates without its owner's knowledge.
Botnets can range from a few thousand to several million devices. Attackers harness this collective computing power to launch DDoS attacks, send massive volumes of spam, mine cryptocurrency, and steal personal data. For cybercriminals, a botnet functions as a rentable attack infrastructure that requires no hardware investment of their own.
C&C Servers and Command Architecture
At the core of every botnet is the C&C (Command and Control) infrastructure through which the attacker issues instructions to the infected devices.
More recently, attackers have been observed using social media posts and encrypted messaging services as C&C channels, blending malicious traffic with legitimate communications to evade detection.
How Botnets Are Exploited
- DDoS Attacks: Tens of thousands to millions of bots flood a target server with requests simultaneously, overwhelming it and causing service outages. In 2016, the Mirai botnet targeted DNS provider Dyn, knocking Twitter, Netflix, and Reddit offline for hours.
- Spam and Phishing Campaigns: By rotating through bot IP addresses, attackers evade blacklists while delivering massive volumes of malicious email.
- Credential Stuffing: Bots systematically test leaked username-password pairs across multiple services at scale.
- Cryptojacking: Infected devices mine cryptocurrency using their CPU/GPU resources without the owner's consent. The victim bears the electricity costs and hardware degradation.
The Mirai Botnet - A Turning Point for IoT Security
Mirai, which emerged in 2016, became the defining example of botnet threats in the IoT era. Rather than targeting PCs, Mirai scanned for IoT devices - network cameras, routers, and DVRs - that still used factory-default passwords (admin/admin, root/root, etc.) via Telnet. With a list of just a few dozen common credentials, it infected hundreds of thousands of devices.
After Mirai's source code was publicly released, numerous variants appeared, and IoT-based botnet threats persist to this day. The incident demonstrated that IoT device security is directly tied to the stability of the internet as a whole.
How to Protect Against Botnet Infection
Preventing botnet infection requires layered defenses tailored to each type of device.
- Keep OS and Firmware Updated: The most fundamental defense against vulnerability-based infection. Update not just PCs but also router and IoT device firmware regularly.
- Change Default Passwords: The lesson of Mirai. Change the factory password on every network-connected device - routers, cameras, NAS units - to a strong, unique credential.
- Close Unnecessary Ports: Disable Telnet (port 23), SSH (port 22), and other remote access services if they are not needed.
- Configure Your Firewall: Apply egress (outbound) filtering so that suspicious outbound traffic, such as connections to C&C servers, is detected and blocked; a bot that cannot reach its C&C server cannot receive attack commands.
- Monitor Network Traffic: Implement systems to detect anomalous patterns such as large volumes of traffic at unusual hours or periodic connections to unknown external IPs.
In enterprise environments, network segmentation to isolate IoT devices from the corporate network is also effective, limiting the blast radius if an infection occurs.
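The "Monitor Network Traffic" and "Configure Your Firewall" items above describe two signals worth automating: periodic connections to an unknown external address (a bot polling its C&C server) and traffic concentrated at unusual hours. The script below is an added example, not code from the original article. It parses a constructed NetFlow-style connection log (documentation IP ranges, invented timestamps) and reports each internal-host-to-external-host pair whose connection intervals are nearly constant or whose connections fall mostly in an off-hours window. The thresholds (`min_conns`, `max_cv`, `off_hours_share`) are assumed starting points, not values from the article.

```python
"""Beacon and off-hours detection over constructed connection logs.

Added example, not part of the original article.  The log format,
thresholds and all addresses below are assumptions made for the demo.
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import statistics

# Constructed sample log: "timestamp src_ip dst_ip dst_port bytes_out".
# 198.51.100.7 is contacted every ~10 minutes at night with tiny payloads
# (beacon-like); 203.0.113.40 is irregular daytime traffic; 10.0.0.5 is an
# internal file server and is ignored because it is an internal address.
SAMPLE_LOG = """\
2026-04-20T02:00:05Z 192.168.1.23 198.51.100.7 443 512
2026-04-20T02:10:04Z 192.168.1.23 198.51.100.7 443 520
2026-04-20T02:20:06Z 192.168.1.23 198.51.100.7 443 498
2026-04-20T02:30:05Z 192.168.1.23 198.51.100.7 443 515
2026-04-20T02:40:05Z 192.168.1.23 198.51.100.7 443 509
2026-04-20T02:50:04Z 192.168.1.23 198.51.100.7 443 511
2026-04-20T03:00:06Z 192.168.1.23 198.51.100.7 443 507
2026-04-20T09:12:41Z 192.168.1.23 203.0.113.40 443 83412
2026-04-20T09:58:02Z 192.168.1.23 203.0.113.40 443 12033
2026-04-20T14:03:19Z 192.168.1.23 203.0.113.40 443 55210
2026-04-20T16:37:55Z 192.168.1.23 203.0.113.40 443 9008
2026-04-20T18:20:00Z 192.168.1.23 10.0.0.5 445 2048
2026-04-20T18:25:00Z 192.168.1.23 10.0.0.5 445 2048
2026-04-20T18:30:00Z 192.168.1.23 10.0.0.5 445 2048
2026-04-20T18:35:00Z 192.168.1.23 10.0.0.5 445 2048
"""

# Ranges treated as internal (RFC 1918, loopback, link-local); connections
# to these are not scored because periodic internal traffic is common.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield (timestamp, src, dst, port, bytes) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts.replace(tzinfo=timezone.utc), parts[1], parts[2], int(parts[3]), int(parts[4])


def analyse(text: str, min_conns: int = 4, max_cv: float = 0.1,
            off_hours=(0, 6), off_hours_share: float = 0.8):
    """Return one finding per (src, dst) pair that beacons or runs off-hours.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections: a bot on a fixed timer gives a cv near zero,
    while human-driven traffic is far more irregular.
    """
    flows = defaultdict(list)
    for ts, src, dst, _port, _nbytes in parse_log(text):
        if not is_internal(dst):
            flows[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_conns:        # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        night = sum(1 for t in stamps
                    if off_hours[0] <= t.hour < off_hours[1]) / len(stamps)
        reasons = []
        if cv < max_cv:
            reasons.append(f"periodic: every {mean:.0f}s (cv={cv:.3f})")
        if night >= off_hours_share:
            reasons.append(f"off-hours: {night:.0%} of connections between "
                           f"{off_hours[0]:02d}:00 and {off_hours[1]:02d}:00 UTC")
        if reasons:
            findings.append({"src": src, "dst": dst, "connections": len(stamps),
                             "interval_cv": round(cv, 3), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['connections']} connections): "
              + "; ".join(f["reasons"]))
```

On the sample above only the pair 192.168.1.23 -> 198.51.100.7 is reported, on both counts. In practice the interval threshold needs tuning per environment (NTP clients, update checkers and monitoring agents also beacon), so a finding is a lead for review against an allow-list of known services rather than an automatic block.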
Common Misconceptions
- Only PCs get infected by botnets
  - Since Mirai, IoT devices (routers, network cameras, smart appliances) have become primary botnet targets. These devices often lack timely security updates and can be more vulnerable than PCs. Smartphones have also been reported as botnet nodes through malicious apps.
- You would notice immediately if your device were part of a botnet
  - Bots are designed to remain invisible. They keep CPU and bandwidth usage low and behave normally until they receive an attack command. Most infected devices appear to function perfectly under everyday use.
- Antivirus software provides complete protection
  - While antivirus is valuable for PCs, most IoT devices cannot run security software at all. Firmware updates, password changes, and network-level defenses are essential for devices beyond traditional computers.