What Is a Botnet? How Botnets Work & How to Defend Against Them
A botnet is an army of infected computers and devices controlled remotely by an attacker. Here's how botnets are built, what they're used for, and how to detect and dismantle them.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
A botnet (short for "robot network") is a collection of internet-connected devices — computers, servers, routers, cameras, and other Internet of Things (IoT) gadgets — that have been infected with malware and are secretly controlled by a single operator. Each compromised device is called a "bot" or "zombie," and the person running the network is the "bot herder" or botmaster. Together, these devices form a distributed platform that an attacker can rent out or weaponize at scale.
In short: a botnet turns thousands or millions of hijacked devices into one remotely controlled army — and the owners of those devices usually have no idea they're part of it.
How a botnet works
Every botnet has two essential ingredients: a way to infect devices, and a way to control them.
Infection
Devices are recruited the same way most systems are compromised: phishing emails with malicious attachments, drive-by downloads from compromised websites, exploitation of unpatched vulnerabilities, or — especially for IoT devices — automated scanning for default or weak credentials. Once the malware runs, the device quietly "phones home" and waits for instructions.
Command and control (C2)
The botmaster issues orders through command-and-control (C2) infrastructure. Two common architectures exist:
- Centralized (client-server): Bots connect to a central server (often over IRC, HTTP, or HTTPS). Simple and fast, but the server is a single point of failure: if defenders seize or sinkhole it, the whole botnet goes dark, which is why operators rotate domains and servers to make that harder.
- Peer-to-peer (P2P): Bots relay commands to each other with no single server. Far more resilient and harder to dismantle, because there's no single point of failure.
Detecting that C2 "beaconing" — the regular check-ins between a bot and its controller — is one of the most reliable ways to spot a botnet infection, and a frequent focus of threat hunting.
What botnets are used for
A botnet is essentially rentable, distributed compute and bandwidth that the operator doesn't pay for. That makes it useful for a wide range of attacks:
- DDoS attacks. The classic use. Thousands of bots flood a target simultaneously in a distributed denial-of-service attack.
- Spam and phishing campaigns. Botnets send vast volumes of email from many addresses, evading per-sender blocklists.
- Credential stuffing and brute forcing. Distributing login attempts across many IPs defeats simple rate limits and IP bans.
- Click fraud and ad fraud. Bots generate fake clicks and impressions to drain advertising budgets or inflate revenue.
- Cryptojacking. The collective processing power of the botnet is used to mine cryptocurrency at the victims' expense.
- Proxy and anonymization services. Compromised devices are sold as "residential proxies" to route other criminals' traffic.
- Mass data theft. Some botnets harvest credentials, banking details, and other sensitive data from infected hosts.
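The credential-stuffing item above says that spreading login attempts across many IPs defeats simple rate limits. The following added example (not code from the original page) replays a constructed attack of 50 bots, each trying three passwords against one account, through a sliding-window limiter keyed first by source IP and then by target account. The IP addresses, account name, thresholds and window lengths are all assumptions chosen for the illustration.

```python
"""Per-IP vs per-account throttling against distributed credential stuffing.

Added example; the attack, addresses (TEST-NET 203.0.113.0/24), account name and
thresholds are constructed for illustration, not taken from any real incident.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts failed logins per key over a sliding window; blocks once the limit is reached."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window_s = window_s
        self.events = defaultdict(deque)  # key -> timestamps of recent failures

    def is_blocked(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:  # drop failures outside the window
            q.popleft()
        return len(q) >= self.limit

    def record_failure(self, key, now):
        self.events[key].append(now)


def stuffing_attempts(n_ips, per_ip, account="alice", spacing_s=1.0):
    """Constructed attack: n_ips bots each try `per_ip` guesses against one account,
    round-robin, so consecutive attempts arrive from different IPs one second apart."""
    attempts = []
    t = 0.0
    for round_no in range(per_ip):
        for i in range(n_ips):
            attempts.append((t, f"203.0.113.{i + 1}", account, f"password{round_no}{i}"))
            t += spacing_s
    return attempts


def run(attempts, limiter, key_of):
    """Replay attempts through a limiter keyed by key_of(ip, account); return (allowed, blocked)."""
    allowed = blocked = 0
    for now, ip, account, _password in attempts:
        key = key_of(ip, account)
        if limiter.is_blocked(key, now):
            blocked += 1
            continue
        allowed += 1
        limiter.record_failure(key, now)  # every guess fails: the bots lack the real password
    return allowed, blocked


def compare(n_ips=50, per_ip=3):
    """Same attack, two keying strategies. Per-IP: 5 failures per minute per source.
    Per-account: 10 failures per 15 minutes per target account."""
    attempts = stuffing_attempts(n_ips, per_ip)
    per_ip = run(attempts, SlidingWindowLimiter(limit=5, window_s=60), lambda ip, acct: ip)
    per_account = run(attempts, SlidingWindowLimiter(limit=10, window_s=900), lambda ip, acct: acct)
    return {"per_ip": per_ip, "per_account": per_account}


if __name__ == "__main__":
    for strategy, (allowed, blocked) in compare().items():
        print(f"{strategy:12s} allowed={allowed:4d} blocked={blocked:4d}")
```

With 150 attempts, the per-IP limiter blocks none of them (no single bot ever exceeds five failures), while the per-account limiter lets ten through and blocks the rest. The caveat is that account-keyed throttling hands an attacker a cheap way to lock a victim out, so in production it is paired with progressive delays or step-up authentication rather than a hard lockout, and with additional signals such as failures per password hash, per ASN, and per user agent.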
Notable botnets
A few examples illustrate how botnets have evolved:
- Mirai infected hundreds of thousands of IoT devices using default credentials and launched some of the largest DDoS attacks ever recorded. Its source code was publicly released, spawning countless variants.
- Emotet began as a banking trojan and became a "malware delivery" botnet, renting access to infected machines to other criminal groups — a model that links botnets directly to ransomware operations.
- TrickBot and similar modular botnets combined data theft, lateral movement, and ransomware deployment, showing how a single infection can escalate into a full enterprise compromise.
How to detect a botnet infection
Individual infected devices often show subtle signs. At the network and endpoint level, defenders look for:
- Beaconing traffic: regular, automated connections to unfamiliar domains or IP addresses — a strong indicator of compromise.
- Connections to known C2 infrastructure matched against threat intelligence feeds.
- Unexplained outbound spikes in email, DNS queries, or bandwidth.
- Performance degradation on otherwise idle devices (often a sign of cryptojacking).
- Behavioral anomalies flagged by endpoint detection and response (EDR) tools.
This is where the Pyramid of Pain matters: blocking individual bot IP addresses is easy for the attacker to work around, but identifying and disrupting their C2 infrastructure and tooling causes them real pain.
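Both the C2 section and the detection list above single out beaconing, the machine-timed check-ins between a bot and its controller, as a strong signal. The following added example (not code from the original page) scores each source/destination pair in a constructed connection log by how regular its inter-connection gaps are, using the coefficient of variation (standard deviation divided by mean) of those gaps; a near-constant gap between many connections is the beaconing signature. The log format, the addresses (documentation ranges) and the thresholds are assumptions made for the example.

```python
"""Beacon detection over a constructed connection log (added example, not page code).

Log format assumed here: "<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_out>".
Addresses are from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.7 roughly every 60 s with a
# near-constant payload (a beacon) while also browsing 198.51.100.x irregularly.
# One corrupted line is included to show that malformed input is skipped.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7:443 412
2024-05-01T09:00:03 10.0.0.5 198.51.100.20:443 18234
2024-05-01T09:01:01 10.0.0.5 203.0.113.7:443 410
2024-05-01T09:01:47 10.0.0.5 198.51.100.20:443 2210
2024-05-01T09:02:00 10.0.0.5 203.0.113.7:443 415
2024-05-01T09:02:58 10.0.0.5 203.0.113.7:443 411
2024-05-01T09:03:00 corrupted
2024-05-01T09:03:22 10.0.0.5 198.51.100.21:443 9921
2024-05-01T09:04:01 10.0.0.5 203.0.113.7:443 413
2024-05-01T09:05:00 10.0.0.5 203.0.113.7:443 409
2024-05-01T09:05:59 10.0.0.5 203.0.113.7:443 412
2024-05-01T09:07:01 10.0.0.5 203.0.113.7:443 414
2024-05-01T09:10:40 10.0.0.5 198.51.100.20:443 5120
"""


def parse_line(line):
    """Parse one log line; return (timestamp, src, dst, bytes_out) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_beacons(lines, min_conns=6, max_cv=0.2):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    For each pair with at least min_conns connections, compute the gaps between
    consecutive connections and flag the pair when stdev/mean of those gaps is at
    most max_cv. Payload-size regularity is reported alongside as a second signal.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, nbytes = rec
            by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap = mean(gaps)
        if mean_gap <= 0:  # all connections share a timestamp; not periodic traffic
            continue
        interval_cv = pstdev(gaps) / mean_gap
        if interval_cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "count": len(events),
                "mean_interval": round(mean_gap, 2),
                "interval_cv": round(interval_cv, 3),
                "bytes_cv": round(pstdev(sizes) / mean(sizes), 3) if mean(sizes) else 0.0,
            })
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample log only the 203.0.113.7 pair is flagged: eight connections about 60 seconds apart with an interval coefficient of variation under 0.05, while the browsing traffic is too sparse and too irregular. The `max_cv` knob is the trade-off: real C2 implants add random jitter to their sleep, and a uniform jitter of plus or minus ten percent still yields a coefficient of variation of roughly 0.06, so the default of 0.2 tolerates it, but a bot with very long sleeps or heavy jitter needs a longer observation window, and regular legitimate traffic (NTP, update checks, monitoring agents) must be allow-listed to keep the alert volume usable.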
How to defend against botnets
Defense operates on two fronts: stopping your own devices from being recruited, and protecting against attacks launched by botnets.
- Patch and update everything. Much recruitment relies on known, unpatched flaws, and on IoT devices that means firmware as much as software. A disciplined vulnerability management program closes the door.
- Change default credentials. Especially on routers, cameras, and IoT devices — the favorite targets of botnets like Mirai.
- Use endpoint protection and EDR to detect and quarantine bot malware before it establishes persistence.
- Segment your network so a single infected device can't easily spread or reach critical systems.
- Block known C2 infrastructure using up-to-date threat intelligence.
- Monitor outbound traffic. Botnets must communicate with their controller — outbound monitoring often catches infections that inbound defenses miss.
Botnet takedowns
Because botnets are global criminal infrastructure, dismantling them often requires coordinated action between law enforcement, security vendors, and internet providers. Takedowns typically target the C2 infrastructure: seizing servers, sinkholing the domains bots connect to (repointing them at defender-controlled servers, which both cuts the operator off and reveals which hosts are infected), and pushing remediation guidance to affected owners. Centralized botnets are far easier to take down than resilient peer-to-peer ones, which is exactly why modern operators favor decentralized designs.
Why IoT made botnets bigger
The explosive growth of botnets tracks directly with the spread of Internet of Things devices. The reasons are structural: there are billions of them, they're online 24/7, and security is often an afterthought. Many ship with hard-coded or default credentials, rarely receive firmware updates, and have no antivirus or user interface that would reveal an infection. To their owners they're invisible appliances; to an attacker they're an always-on, unmonitored foothold. A single vulnerability in a popular camera or router model can yield hundreds of thousands of recruits. This is why botnets like Mirai grew so fast, and why securing IoT — changing defaults, segmenting these devices onto their own network, and keeping firmware current — is now a core part of defending against botnets, not a niche concern.
The bottom line
A botnet is a remotely controlled army of infected devices, powering everything from massive DDoS attacks to spam, fraud, and ransomware delivery. The defining feature is command-and-control: the link between bots and their operator is both the botnet's strength and its weakness — disrupt the C2 and you disrupt the network. Defending against botnets means keeping systems patched, securing credentials, monitoring outbound traffic, and blocking known infrastructure. Because attacker infrastructure shifts constantly, current intelligence is essential: our live threat intelligence feed tracks active botnets, malware campaigns, and C2 infrastructure reported by dozens of authoritative sources.
Frequently asked questions
What is a botnet in simple terms?
A botnet is a network of internet-connected devices infected with malware and controlled remotely by an attacker. Each device, a "bot" or "zombie," follows the operator's commands, often without its owner knowing, and the combined network is used to launch attacks at scale.
What are botnets used for?
Botnets power DDoS attacks, spam and phishing campaigns, credential stuffing, click and ad fraud, cryptojacking, residential-proxy services, and mass data theft. They give attackers free, distributed computing power and bandwidth.
How do botnets work?
Attackers infect devices through phishing, drive-by downloads, unpatched vulnerabilities, or weak default credentials. Infected devices then connect to command-and-control (C2) infrastructure — either a central server or a peer-to-peer network — and wait for the operator's instructions.
How do you detect a botnet infection?
Look for C2 "beaconing" (regular automated connections to unfamiliar hosts), connections to known malicious infrastructure, unexplained outbound traffic spikes, performance degradation from cryptojacking, and behavioral anomalies flagged by EDR tools.
How can I protect my devices from joining a botnet?
Patch and update software promptly, change default passwords on routers and IoT devices, run endpoint protection or EDR, segment your network, and monitor outbound traffic for signs of command-and-control communication.