Botnet Definition: What Is a Botnet and How Does It Work?

By definition, botnets are networks of hijacked computers and internet-connected devices that are infected by malware (i.e., malicious software). The malware runs bots on the compromised devices without the knowledge of device users. Botnets—a combination of the words “robot” and “network”—are usually controlled by a botmaster or bot herder. The bot herder essentially turns these hijacked computer devices into remote-controlled “zombie” computers. By linking compromised devices in large numbers, it becomes possible to create botnets that can be leveraged against various targets to carry out distributed denial of service (DDoS) attacks, account takeover, data theft and several other types of attacks.

How Do Botnets Work?

Bot herders create botnets by spreading malware to infect PCs, smartphones and internet of things (IoT) devices, including security cameras, smoke detectors, digital video recorders and many other smart devices. This is achieved through various means such as social engineering, website and application vulnerabilities, and exploit kits and Trojan software that infect targeted devices without alerting their owners. Exploit kits can be purchased on the dark web or created by hackers, and are often concealed in seemingly legitimate downloadable files, including free software, music or video content. Malware can even be of the self-installing “drive-by” type that is widespread on shady websites; these don’t need to be clicked on to infect a device. Once the bot software is installed on the compromised zombie computers, they are ready to receive commands from their bot herder and execute actions according to the controller’s intentions. The controller of a botnet can direct its activities through communication channels based on network protocols such as IRC and HTTP, either as a peer-to-peer network or directed by a central command and control (C&C) server.

What Does a Botnet Do?

Botnets can perform the same functions as individual bots, but on a far larger scale, and are able to carry out overwhelming attacks on their targets. Though most conventional bots are based on scripts and web browsers, botnets can also be built on malicious software designed for rapid infestation across many vulnerable devices. Once installed, the botnet software can often function with administrative privileges on the infected device. This gives bot herders virtually unhindered access to the device’s memory, processor and data storage, and allows the botnet controller to remotely execute any action the device user could perform.

Botnets are capable of:

  • Reading and writing system data
  • Gathering personal data from infected devices
  • Sending files and other data
  • Monitoring users’ activities
  • Searching for vulnerabilities in other devices
  • Installing and running any applications

Botnet Actions Include:

Email spam: Botnets have often been used to distribute email spam at scale. Such spam can carry drive-by downloads that trigger without user intervention, phishing links that fool unsuspecting users into clicking and installing malware, and various other malicious payloads.

DDoS attacks: Botnets have been responsible for some of the largest distributed denial of service (DDoS) attacks. Through their sheer volume, these attacks can slow down unprotected networks and servers and disrupt the normal functioning of websites, mobile applications and APIs. DDoS attacks have often been linked to criminal networks and nation states intent on crippling or even bringing down their adversaries’ networks. They can disrupt public goods such as power, water and sanitation systems, financial institutions, marketplaces and other targets, causing inconvenience, disruption or frustration to their users.

Financial breaches: Botnets are known to have infiltrated financial institutions including banks and payment processors to exfiltrate confidential consumer and business data, which can be further used to carry out other forms of fraud.

Targeted intrusions: Botnets can be used to execute credential stuffing attacks, in which lists of breached and stolen username and password pairs are rapidly entered to gain access to devices and to user accounts on websites or applications. In a similar manner, botnets can also be used for credential cracking attacks, in which random passwords are generated and entered in the hope of eventually guessing the correct one.
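The credential stuffing pattern described above leaves a recognizable footprint in authentication logs: many distinct accounts tried from many distinct source addresses in a short time, almost all failing. The following is an added example, not part of the original page, that flags that pattern over a constructed sample log; the log format, addresses and thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from any real system), one event per line:
# "<ISO timestamp> <OK|FAIL> user=<account> ip=<source address>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 FAIL user=alice ip=203.0.113.10
2024-03-01T10:00:01 FAIL user=bob ip=203.0.113.11
2024-03-01T10:00:02 FAIL user=carol ip=198.51.100.7
2024-03-01T10:00:02 FAIL user=dave ip=198.51.100.8
2024-03-01T10:00:03 OK user=erin ip=203.0.113.12
2024-03-01T10:00:04 FAIL user=frank ip=192.0.2.20
2024-03-01T10:00:05 FAIL user=grace ip=192.0.2.21
2024-03-01T10:00:06 FAIL user=heidi ip=203.0.113.13
2024-03-01T10:05:00 FAIL user=ivan ip=203.0.113.50
2024-03-01T10:05:10 FAIL user=ivan ip=203.0.113.50
2024-03-01T10:05:20 FAIL user=ivan ip=203.0.113.50
2024-03-01T10:05:30 OK user=ivan ip=203.0.113.50
"""

def parse_event(line):
    """Split one log line into (timestamp, succeeded, user, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return (datetime.fromisoformat(ts), result == "OK",
            user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1])

def detect_credential_stuffing(log_text, min_events=6, min_users=5,
                               min_ips=3, max_success=0.25):
    """Flag one-minute buckets where many distinct accounts are tried from
    many distinct source IPs with a low success ratio: the signature of a
    botnet replaying a breached credential list, as opposed to one user (or
    one attacker) repeatedly hitting a single account. Thresholds are
    illustrative and would be tuned to the site's normal login volume."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ok, user, ip = parse_event(line)
            buckets[ts.replace(second=0, microsecond=0)].append((ok, user, ip))
    alerts = []
    for start, events in sorted(buckets.items()):
        users = {u for _, u, _ in events}
        ips = {i for _, _, i in events}
        success = sum(ok for ok, _, _ in events) / len(events)
        if (len(events) >= min_events and len(users) >= min_users
                and len(ips) >= min_ips and success <= max_success):
            alerts.append({"bucket_start": start.isoformat(), "events": len(events),
                           "users": len(users), "ips": len(ips),
                           "success_rate": success})
    return alerts
```

The 10:05 bucket (one account, one address, four attempts) is deliberately not flagged: that is a single-account brute force and needs a per-account rule, not the distributed one shown here.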

Crypto-currency mining and fraud: Botnets can leverage the processing power of thousands or even millions of infected devices to mine crypto-currencies and steal access to coin lockers or wallets.

Information theft: Malicious actors have used botnets to cast a wide net to steal personal and organizational data which can be further abused to carry out fraud, impersonation, blackmail and financial crimes.

Ad fraud: Botnets have been used to execute ad fraud, in which legitimate ads and their embedded links are replaced by fraudulent ads with embedded links that bring traffic (and potentially, revenue) to websites controlled by the bot herder. Botnets are also used to generate fake clicks on ads to generate false impressions and game the ad-tech ecosystem for profit.

How is a botnet controlled?

Command and control (C&C) of botnets is generally carried out by one of two methods:

  • Centralized: The Client-Server Botnet Model
    The first known botnets were controlled exclusively through client-server models, in which the bot software on infected devices contacts a domain, website or Internet Relay Chat (IRC) channel controlled by the bot herder, both to receive orders and to transmit data back to the controller. This centralized command model is rarely used anymore, as law enforcement and security agencies around the world have tracked and shut down central servers in recent years, crippling botnets based on this model.
  • Decentralized: The Peer-to-Peer Botnet Model
    Because of aggressive action by security agencies against centralized C&C servers around the world, the decentralized P2P model is now almost universally used to control botnets. It removes the single point of failure that centralized control presents, and that law enforcement can shut down, and replaces it with peer-to-peer control. P2P bots find other infected devices by scanning random IP addresses to establish contact. If a contacted machine is also infected, it shares its list of known bots with the machine that contacted it, which can then relay updates and commands from the botnet controller, herding the new additions into the botnet and directing them to execute commands.
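Because a bot under the client-server model calls home to the same controller on a timer, defenders often look for that regularity in outbound connection logs. The following is an added example, not part of the original page: a beaconing check over a constructed connection log, in which the host name, addresses, ports and thresholds are hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (hypothetical host, addresses and ports):
# "<ISO timestamp> <source host> -> <destination ip:port>"
SAMPLE_CONNS = """\
2024-03-01T09:00:00 ws-17 -> 203.0.113.77:6667
2024-03-01T09:05:01 ws-17 -> 203.0.113.77:6667
2024-03-01T09:10:00 ws-17 -> 203.0.113.77:6667
2024-03-01T09:14:59 ws-17 -> 203.0.113.77:6667
2024-03-01T09:20:00 ws-17 -> 203.0.113.77:6667
2024-03-01T09:00:12 ws-17 -> 198.51.100.5:443
2024-03-01T09:00:45 ws-17 -> 198.51.100.5:443
2024-03-01T09:07:30 ws-17 -> 198.51.100.5:443
2024-03-01T09:18:02 ws-17 -> 198.51.100.5:443
2024-03-01T09:19:10 ws-17 -> 198.51.100.5:443
"""

def parse_conn(line):
    """Split one log line into (timestamp, source host, destination)."""
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst

def find_beacons(log_text, min_conns=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.
    cv = stddev / mean of the gaps between successive connections: a bot
    polling its C&C on a fixed timer scores near zero, human-driven traffic
    is bursty and scores high. Thresholds are illustrative; beacons with
    deliberate jitter need a looser max_cv (more false positives)."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_conn(line)
            series[(src, dst)].append(ts)
    beacons = []
    for (src, dst), times in series.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst,
                            "period_s": round(avg), "cv": cv})
    return beacons
```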

Examples of botnet attacks

As bot technology and the sophistication of botnets grow more capable and powerful, new record-setting botnets are uncovered every few months that eclipse the size and attack potential of their predecessors. Three of the largest, most damaging botnets of the recent past are:

Mirai Botnet
The Mirai botnet was uncovered in 2016 and was responsible for massive 1 Terabit-per-second DDoS attacks on OVH, a French web hosting firm. Dyn, a DNS service provider, was also attacked by Mirai; that attack took some of the most prominent websites in the world offline, including Netflix, Twitter, Reddit and GitHub.

3ve Botnet
3ve was a botnet used to carry out ad fraud using nearly 2 million PCs and over a million compromised IP addresses. It clicked on ads on over 10,000 fake websites and raked in an estimated $30 million in fraudulent gains before it was taken down by the FBI.

Mantis Botnet
In 2022, a small but incredibly powerful botnet named “Mantis” infected a relatively small number of servers, about 5,000, and launched an unprecedented 26 million requests-per-second (RPS) DDoS attack over HTTPS against ISP, media, telecommunications, finance and gaming websites. Using powerful servers rather than far less capable IoT devices and desktop PCs allowed the Mantis botnet to carry out HTTPS attacks, which require far more computational resources to execute.

How to Protect Organizations from Botnets

Protecting an organization’s website, mobile application and APIs from botnet attacks requires a combination of security measures that work in concert to defend against malicious attacks such as DDoS, account takeover (ATO), data theft, spam and other types of attacks.

Bot Mitigation
The most crucial security defense against botnets is a solution such as Radware Bot Manager. Our solution leverages a combination of Radware’s patented intent-based deep behavioral analysis, collective bot intelligence, semi-supervised machine learning, device and browser fingerprinting, and anomaly detection based on variance from normal user flows.

DDoS Protection
In addition to bot detection and mitigation, solutions such as Radware’s Cloud DDoS Protection Service and DefensePro are essential to preventing DDoS attacks, one of the hallmark applications of malicious botnets.
