Askeal Logo

Botnet

A botnet is a network of compromised devices controlled by attackers to execute coordinated actions such as distributed attacks or mass phishing.

What is a botnet?How it typically works?Common techniques & variantsImpactFurther reading

What is a botnet?

A botnet is a collection of compromised hosts running agent code that receives commands from a central or distributed controller. Devices can include servers, desktops, Internet of things devices, and home routers. Attackers build botnets to amplify capacity for attacks like distributed denial of service, to send spam, or to distribute additional malware. Over time botnets have evolved from simple centrally controlled architectures to resilient peer to peer models and rented services. Mirai used insecure devices such as cameras to generate massive DDoS traffic. Emotet operated initially as a modular botnet distributing payloads to infected enterprises.

How it typically works?

  1. Infection: attackers deliver bot code via phishing, exploit kits, or infected downloads.
  2. Registration: the newly infected device registers with command infrastructure or peers.
  3. Command and control: operators send instructions to perform tasks such as scanning, spamming or flooding targets.
  4. Operation: bots execute commands, report status, and may fetch additional modules.
  5. Maintenance: botnets rotate infrastructure and update code to avoid takedown and remain effective.

Common techniques & variants

  • Centralized command and control: a small set of servers issues instructions, classic model seen in early botnets.
  • Peer to peer botnets: bots share commands among themselves for resilience, used by advanced families.
  • IoT botnets: leverage insecure Internet of things devices, Mirai is a prominent example.
  • Crime as a service botnets: operators rent botnet capacity for DDoS or spam campaigns.
  • Modular botnets: support plugins such as crypto mining, info stealing, or ransomware delivery; Emotet and TrickBot provided modules to other actors.

Impact

Botnets enable large scale abuse and are a major enabler of DDoS and mass spam. They lower the barrier to entry for attackers by providing rented capabilities. For SecOps teams, identifying botnet activity requires telemetry correlation across endpoints and network infrastructure. Infected devices often show unusual outbound connections, abnormal scanning, or high resource usage. Takedown efforts require coordination between responders, ISPs and law enforcement. The persistence and scale of modern botnets make them a long term operational and legal challenge.

Further reading

  • CISA: Botnet overview and defenses. Read more
  • Europol: Mirai disruption analyses. Read more
  • US CERT: Botnet threats and guidance. Read more
  • Netscout Arbor: Botnet threat intelligence. Read more
  • Microsoft Security Intelligence: Botnet reports. Read more

Related topics

DDoS AttackVolumetric Attack