Have you ever had a device that randomly began running slowly or became scorching hot even though you weren’t using it for anything abnormal? There’s a good chance it was infected and may have been used as part of a botnet!
A botnet is a group of compromised computers or Internet of Things (IoT) devices that are under the control of a hacker (also known as a “botmaster” or “bot herder”). They enable a botmaster to launch large-scale attacks via the pooled computational resources the botnet makes accessible.
To create a botnet, botmasters first infect a network of devices they will leverage to carry out attacks. To infect devices, hackers enter via software exploits, firmware exploits, or malware downloads from a compromised link or file. Once a device is infected, the botmaster can use the combined computational resources to carry out their attacks, often without the device owner's knowledge. While there isn’t a set number of infected devices needed to create a botnet, the more extensive the network of infected devices, the more significant the impact an attack can have. Once devices are infected, there are two models for controlling them.
Controlling the bots requires an infrastructure to enable communication between the server (the botmaster) and their clients (your infected computer or devices). The client-server model was the first established, and it works by creating a centralized server (command & control server or C&C for short) to deliver instructions. In other words, in the client-server model, the clients rely solely on instructions supplied by the botmaster’s C&C server. The dependency creates the model's largest drawback because if the C&C server is discovered and disabled, it renders the entire botnet inoperable.
Peer-to-peer (P2P) and decentralized C&C models emerged to bypass the client-server model's centralized drawback. In this model, any client can operate as a server. Instead of instructions from one source, any client in the botnet can propagate them. While this model can slow the delivery of instructions, it makes dismantling this botnet nearly impossible.
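As an added defender-side illustration of the client-server model's single point of dependency described in the two paragraphs above (this is example code, not from the original article), the following Python script scans a constructed connection log for internal hosts that contact the same destination on a near-fixed schedule, the regular check-ins bots make to a centralized C&C server. The log lines, addresses and thresholds are all assumed sample values.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log: "timestamp source destination". Two hosts
# poll the same external address roughly every 60 s; one host browses normally.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7
2024-03-01T10:00:02 10.0.0.9 198.51.100.7
2024-03-01T10:00:15 10.0.0.12 203.0.113.20
2024-03-01T10:01:00 10.0.0.5 198.51.100.7
2024-03-01T10:01:02 10.0.0.9 198.51.100.7
2024-03-01T10:01:30 10.0.0.12 203.0.113.42
2024-03-01T10:02:01 10.0.0.5 198.51.100.7
2024-03-01T10:02:02 10.0.0.9 198.51.100.7
2024-03-01T10:03:00 10.0.0.5 198.51.100.7
2024-03-01T10:03:03 10.0.0.9 198.51.100.7
"""

def parse_log(text):
    """Return {(src, dst): [timestamps]} from 'time src dst' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_hits=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    max_jitter is the allowed standard deviation as a fraction of the mean gap."""
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)  # mean check-in interval in seconds
    return beacons

def suspected_controllers(beacons, min_clients=2):
    """Group beaconing sources by destination: a destination that several hosts
    poll on the same schedule is the single point a takedown would remove."""
    clients = defaultdict(set)
    for (src, dst) in beacons:
        clients[dst].add(src)
    return {dst: sorted(s) for dst, s in clients.items() if len(s) >= min_clients}
```

A P2P botnet defeats this particular heuristic by design, since its bots have no single destination in common, which is exactly the point of the decentralized model above.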
Botnets carry out any attack that one computer can, but the difference is in the attack’s scale. Attacks that are more powerful in volume, including DDoS, account takeover, and spam, are where botnets strike most frequently. Some popular botnet attacks include the Mirai botnet’s 2016 DDoS attacks that brought down popular websites like Twitter, Netflix, and Reddit, and the 3ve botnet’s use of nearly 2 million PCs to commit click fraud valued at almost $30 million.
You’ll notice throughout this article we’ve used the term “device” instead of “computer”. While computers were the original target for botmasters, we’ve seen in recent years that any IoT device has the potential to be exploited by these hackers: i.e., things like routers, smartphones, smartwatches, and anything else connected to the internet have the potential to be hacked and used in a botnet. That smart fridge in your kitchen? Yeah, that too could’ve been used to attack your favorite website. Unfortunately, many IoT devices were not initially developed with the capability to adequately protect themselves from attack. Luckily, because IoT devices are connected to the internet, software updates are often enough to protect your fridge from going rogue. Check out the history of bots to learn more about real bots and botnets throughout each decade.