Botnets prove there is strength in numbers. Botnet cyber-attacks infect and control huge communities of devices. They use their numbers to disrupt network operations, gather data, and carry out many harmful activities. Learn how botnets work, how criminals use them, and what we can do to protect critical assets.

Botnet definition

A botnet is a group of connected devices, or “bots,” infected by the same malware agents. Botnets containing many malware-infected bots enable malicious actors (or “bot herders”) to mount coordinated and powerful attacks. These attacks can disable networks and expose security systems to damaging secondary attacks.

How a botnet works

Botnets work by leveraging the computing power of many interconnected devices. On their own, bots are relatively harmless and weak. However, gathered under a command and control system, these network security threats can swarm targets and cause massive damage.

Attackers gain control of compromised computers by exploiting security vulnerabilities. Threat actors research targets, design attacks, and deploy botnet malware. Methods used to spread the malware include phishing emails, fake websites, infected hardware, and drive-by downloads. All have the same result: linking together devices for use by the bot herder.

Following malware infection, the bot herder controls a network of devices to use as they wish. This attack model has several advantages that make it hard to neutralize and detect:

  • Resilience. A botnet attack does not end when victims remove malware from a single device. Attackers use many command and control servers, while communication channels adapt as bots come online or leave the network.
  • Versatility. Botnets can achieve many goals. Criminals can use botnets to gather confidential information, compromise networks, or just cause a nuisance.
  • Persistence. Completely removing botnets is difficult. Bot activity is often low-level and hard to detect via conventional scanning tools.
  • Intelligence. Infecting many connected devices gives attackers visibility. They can use this privileged position to defend botnets with extra backdoors or explore networks to mount additional attacks.

There are two main types of botnet: client-server and peer-to-peer models.

Client-server

In the client-server model, attackers use their botnet to connect compromised computers to a centralized server. This server acts as the command and control center, sending instructions to every bot on the network.

Most client-server implementations use a star network architecture, multi-server topology, or hierarchical server topology.

How client-server botnets work

Star networks use a spoke and hub design. Data passes through a central server, creating a single point of failure or detection. This security weakness makes star models less attractive when designing modern botnets.

Multi-server botnets use many servers to process data and issue instructions. This technique adds redundancy and makes a botnet attack more resilient.

In a hierarchical model, the command and control server sits at the top of the botnet hierarchy. The server issues instructions to layers of bots. Each layer sends data to and receives data from the layer beneath. This architecture separates the server from most of its bots, making attacks more robust.

Peer to peer

In peer-to-peer botnets, there is no centralized command and control hub. Devices act as servers and bots simultaneously—not unlike torrent networks.

The bot herder can control peer-to-peer networks by issuing instructions to compromised devices. Devices then communicate between themselves to share instructions and store data.

How peer-to-peer botnets work

This topology is extremely hard to detect and remove, and the controlling influence is unclear. Victims must block or neutralize all agents connected to the botnet.

Example: From 2011-2014, a peer-to-peer agent called GameOverZeus inflicted losses of $100 million on financial sector targets. GameOverZeus combined P2P architecture with CryptoLocker ransomware and peaked with over 1 million infections worldwide.

What are botnets used for?

Botnets are a cybersecurity priority as they regularly feature in malicious attacks. For instance, in May 2024, the FBI took down an "army" of 19 million zombie devices. Investigators connected the giant network to bomb threats, financial fraud, identity theft, and many other criminal acts.

Understanding the uses and effects of botnet infections is critical. A bot herder may use their botnet in many ways. Common uses include:

  • Gathering information. Botnet malware may include info-stealers or keyloggers designed to extract data from network traffic or data containers. Botnets may also scan many network endpoints to detect weaknesses and suggest new attack vectors.
  • Distributed denial of service attacks (DDoS). In a DDoS attack, a botnet overwhelms its target by directing traffic to network bottlenecks. Distributed denial of service attacks consume bandwidth and impair performance. Severe cases can damage or destroy online infrastructure.
  • Brute force attacks. Botnets can use collections of compromised computers or IoT devices to run many login queries. Eventually, threat actors find a legitimate set of credentials.
  • Espionage and monitoring. States or companies may use botnets to spy on targets. Botnets suit this task as they remain in the background and are exceptionally resilient. For example, a manufacturing company may not know their IoT devices are compromised, exposing valuable industrial data.
  • Sending spam. Bot networks send many of the spam emails we receive. Botnets automatically build contact lists and spread phishing content with minimal input from cyber attackers.
  • Crypto-jacking. Botnets enable cryptocurrency mining by pooling the processors of compromised computers. A bot herder can execute complex mining operations without paying for their infrastructure or risking detection.
  • Click fraud. Networks of bots simulate legitimate clicks on digital ads, raising revenue for the owners without any real-world basis.
  • SEO poisoning. Botnets can also simulate search engine traffic, giving websites a higher ranking than they would otherwise deserve. High-ranking websites enable cybercriminals to divert traffic to fake websites, where they can deliver malware payloads to visitors.
  • Social media manipulation. Many social media platforms are vulnerable to bot activity. A bot herder can create hundreds of seemingly independent accounts and spread disinformation, harass targets, or boost malicious content.

These are all harmful activities, but botnets are not always used for criminal purposes. In the early days of the web, botnets policed chatrooms without the need for human moderators. Researchers use distributed networks to gather data, while companies use botnets to monitor network status or carry out load testing.

Search engines also use bots to collect information about websites. Known as “web crawlers,” these bots index site hierarchies and allow parsers to connect search queries with relevant content.

Types of botnet attacks

There are many ways to organize and manage a botnet attack. Organizations need network security measures to prevent the kinds of attack relevant to their operations.

  • Botmaster. In botmaster attacks, a controller uses remote code installation techniques to implant malware on target devices. Control software enables the botmaster to issue commands and protects access via authentication and encryption. Attackers may also use Tor to route commands via multiple servers, making their activities almost invisible to targets.
  • Zombie attacks. “Zombies” are compromised devices that are no longer under the control of their owners. This can occur via direct control, but Trojan malware can have the same effect. When owners lose control, criminals usually gain it, using zombie devices to launch malicious attacks.
  • Spyware. Spyware attacks use malware that automatically clicks on advertisements without the user's control. This method creates a consistent revenue stream until spyware bots are disabled. For example, the Kraken botnet once infected 10% of Fortune 500 corporations and included half a million devices.
  • Spam. Spambots send malicious emails or web content to infected devices. Materials could include phishing emails encouraging recipients to download attachments or visit fake websites. But spam also includes pornography and disinformation.
  • IoT attacks. Sophisticated botnet controllers can target vast collections of IoT devices, such as industrial sensors or home appliances. The threat surface for botnets now includes digital networks and real-life cyber threats, making them a more dangerous adversary.
  • Botnet-as-a-service (BaaS). Botnet systems are now available on the Dark Web for use by any cybercriminal groups. Off-the-shelf marketing has led to new variants like Dridex, which spread via Word and Excel attachments to phishing emails.

How to prevent botnet attacks

Botnets are persistent, versatile, and damaging. Unfortunately, companies cannot reliably destroy botnets independently. However, organizations can limit the risk of infection and counter botnet threats with robust cybersecurity measures.

Best practices to defeat botnet malware include:

  • Update security tools on all devices. Botnets exploit devices with weak security, which is one reason IoT attacks are becoming common. Only purchase devices with onboard security features and update firmware to keep pace with emerging threats.
  • Train employees to avoid phishing attacks. Phishing emails are a common source of botnet infections. Train staff to identify suspicious emails, attachments, and embedded links. Instruct staff to avoid untrusted downloads without consulting security teams.
  • Install cutting-edge scanning tools. Botnet agents are a form of malware, and up-to-date scanning tools can detect and remove most malware agents. Ensure you use tools with updated threat databases and patch antivirus tools regularly.
  • Use network monitoring. Network monitoring tools go beyond malware scanning. They monitor activity patterns on your network, delivering alerts when they detect suspicious user requests or bandwidth usage. These alerts provide rapid evidence of DDoS attacks and other botnet threats.
  • Enable MFA for account security. Botnets often spread using stolen credentials. Multi-factor authentication (MFA) adds extra protection by ensuring only verified users access your systems, reducing the risk of account compromise.
  • Apply network segmentation. Zero Trust Network Access (ZTNA) uses micro-segmentation to isolate resources and restrict lateral movement. This limits a botnet’s ability to spread across devices and strengthens your defenses against internal threats.
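The network monitoring bullet above mentions alerting on suspicious activity patterns; one such pattern is a bot "beaconing" to its command and control server at a near-constant interval. The following is an added example, not NordLayer's code, that flags this pattern over a constructed connection log; the log format (timestamp, source IP, destination IP:port) is an assumption for the example.

```python
"""Flag hosts that contact the same destination at a near-constant interval,
a common command and control beaconing pattern. Added example; log format is
a constructed assumption, not a specific product's output."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<unix_timestamp> <src_ip> <dst_ip:port>".
# 10.0.0.5 contacts 203.0.113.9 roughly every 60 seconds with slight jitter;
# 10.0.0.8 makes irregular connections and should not be flagged.
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.9:443
1700000060 10.0.0.5 203.0.113.9:443
1700000118 10.0.0.5 203.0.113.9:443
1700000179 10.0.0.5 203.0.113.9:443
1700000241 10.0.0.5 203.0.113.9:443
1700000007 10.0.0.8 198.51.100.2:443
1700000390 10.0.0.8 198.51.100.2:443
1700000410 10.0.0.8 203.0.113.9:443
1700001900 10.0.0.8 198.51.100.2:443
1700002000 10.0.0.8 198.51.100.2:443
"""


def parse_log(log):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(int(ts))
    return flows


def find_beacons(log, min_hits=4, max_jitter=0.2):
    """Return (src, dst, interval_seconds) for flows whose gaps between
    connections are regular: at least min_hits connections and a coefficient
    of variation (stdev / mean of the gaps) no larger than max_jitter."""
    suspects = []
    for (src, dst), times in parse_log(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects.append((src, dst, round(avg)))
    return suspects


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

Real deployments would feed this from firewall or flow logs and tune `min_hits` and `max_jitter` against normal traffic such as update checks, which also run on timers.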

NordLayer can help prevent botnet infections by applying ZTNA principles. Key features include Cloud Firewall, Device Posture Security, MFA, Download Protection, and Activity Monitoring. These tools reduce botnet risks and protect your network.

Our network security tools distrust every user by default. To access network resources, users must supply credentials. Authorization systems limit access to relevant resources, keeping everything else off-limits.

Meanwhile, threat monitoring systems and device posture checks screen devices and users. Access systems prevent access for insecure or untrusted devices. Proactive scanning uses the latest threat intelligence to detect and neutralize malware.