Command and Control Server

"Command and Control" (C&C) servers are centralized machines that are able to send commands and receive outputs of machines part of a botnet. Anytime attackers who wish to launch a DDoS attack can send special commands to their botnet's C&C servers with instructions to perform an attack on a particular target, and any infected machines communicating with the contacted C&C server will comply by launching a coordinated attack.

Botnet C&C servers often exist in one of four structures each with pros and cons: star, multi-server, hierarchical, and random:

  • Star topology botnets rely on one central C&C server, which sends commands to every bot in the botnet. This configuration allows for reliable, low-latency communication, but renders the botnet fairly easy to disable, as there is only one C&C server to take offline before the botnet is inoperable.
  • Multi-server topology botnets are very similar to star topology botnets, except that the central "server" consists of a series of interconnected servers that allow for redundancy (preventing the single point of failure problem of star topology botnets); however, setting up multiple connected C&C servers may require more planning and overall be more difficult than just using a single server.
  • Hierarchical topology botnets (involving a series of C&C servers in a hierarchy) allow for botnet owners to more easily divide their botnet up into "separate" chunks for re-sale or renting, as well as prevent researchers from enumerating the location of all other C&C servers and bots within a network with only a few captured C&C servers due to the restricted visibility of the entire botnet from lower hierarchy certain servers.  Additionally, commands that have to travel through a large hierarchy of C&C servers in order to reach bots may add to latency.

Random topology botnets do not rely on any C&C servers; rather, all botnet commands are sent directly from one bot to another if they are deemed to be "signed" by some special means indicating that they have originated from the botnet owner or another authorized user.  Such botnets have very high latency, and will often allow for many bots within a botnet to be enumerated by a researcher with only one captured bot. Many times special forms of encrypted bot to bot communication over public peer-to-peer networks is used in conjunction with a more complex C&C server topology (such as in the TDL-4 botnet) in order to render such botnets that are particularly difficult to dismantle.

DDoSPedia Index