Skip to main content
ThreatsSIEMXDRFirewall

What is Botnet?

A botnet is a network of internet-connected devices, PCs, servers, routers, IoT cameras, that have been compromised with malware and placed under the remote control of an attacker, known as a botmaster or bot herder, without their owners' knowledge. Individual compromised devices, called bots or zombies, receive instructions from command-and-control infrastructure and act in coordination to carry out large-scale attacks the attacker could never accomplish from a single machine.

Definition

Botnet
A botnet is a network of internet-connected devices, PCs, servers, routers, IoT cameras, that have been compromised with malware and placed under the remote control of an attacker, known as a botmaster or bot herder, without their owners' knowledge. Individual compromised devices, called bots or zombies, receive instructions from command-and-control infrastructure and act in coordination to carry out large-scale attacks the attacker could never accomplish from a single machine.

How Botnet Works

Botnets are built one infection at a time, usually through phishing attachments, drive-by exploit kits, or credential stuffing against internet-exposed services, but the fastest-growing source over the past decade has been consumer and industrial IoT devices shipped with default or hardcoded credentials. The Mirai botnet demonstrated this at scale in 2016, scanning the internet for devices still using factory-default Telnet logins and assembling hundreds of thousands of cameras and routers into a network capable of generating over a terabit per second of DDoS traffic. Once infected, a device checks in with command-and-control infrastructure to receive instructions, and botmasters use two broad architectures for that channel. Centralized C2 relies on a fixed set of servers, historically IRC channels, now more often HTTP or HTTPS endpoints mimicking normal web traffic, which is simpler to run but gives defenders a single point to take down. Decentralized or peer-to-peer botnets have bots relay commands to each other, so no single server's seizure kills the network, at the cost of more complex coordination logic.

A major evasion technique is the domain generation algorithm, where infected hosts compute a large list of pseudo-random domain names each day and try to resolve them until one matches a domain the botmaster has actually registered, so blocking a handful of known C2 domains does nothing since tomorrow's list is different. Fast-flux DNS compounds this by rotating the IP addresses behind a single C2 domain rapidly across many compromised hosts, making the infrastructure itself a moving target for takedown efforts.

Monetization drives what a botnet actually does once assembled. DDoS-for-hire is the most visible use, renting out bot capacity to flood a target with traffic. Spam and phishing campaigns route through bots to evade sender-reputation blocklists that would flag a single source firing millions of emails. Credential stuffing bots replay leaked username-password pairs against login pages at high volume, distributed across thousands of source IPs to defeat simple rate limiting. Cryptomining botnets hijack CPU and GPU cycles quietly in the background, and some botnets exist purely as a distribution channel, delivering ransomware or additional payloads to already-compromised machines for a fee.

Botnet in SOC Operations

Botnet activity usually surfaces to a SOC analyst as beaconing, periodic outbound connections from an internal host to an external address at regular or slightly jittered intervals, a pattern that stands out once you're used to looking for it in NetFlow or firewall logs. A host that phones home to the same handful of external IPs every sixty seconds, especially over an unusual port or with a small, consistent payload size, is a strong candidate for bot infection regardless of what the connection is labeled as. DNS logs are equally telling: a spike in queries for algorithmically-generated-looking domain names, long strings of consonants with uncommon TLDs, that mostly fail to resolve, is a signature of DGA-based malware probing for its C2 server, and most SIEMs can be tuned with entropy-scoring rules to flag exactly that pattern. When a suspected bot is found, the analyst's job is scoping and containment: pull the source IP's full connection history to see how long the beaconing has been running, check whether the same C2 indicators appear on any other internal hosts, and cross-reference the destination IP or domain against threat intelligence feeds to confirm it's a known botnet C2 rather than a legitimate but unusual service. Isolating the affected endpoint through EDR or XDR stops it from receiving further instructions or contributing to an outbound attack, and blocking the C2 domain or IP at the firewall or via DNS sinkholing prevents any other quietly infected hosts from completing their check-in. Because botnet infections often arrive through the same phishing or exploit vectors as other malware, a confirmed bot on one machine is also a prompt to check whether the initial infection vector is still open across the rest of the environment.

Free

Practice Botnet in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating botnet scenarios with zero consequences, free.

More Threats Terms

Career Path

Threat Hunter Career Guide: Salary & Skills

Threat Hunters do not wait for alerts. You develop hypotheses based on threat intelligence and adversary behavior models…

Read more
Career Path

Incident Responder Career Guide: Salary & Skills

Incident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…

Read more
Career Path

SOC Analyst (Tier 2) Career Guide: Salary & Skills

Tier 2 SOC Analysts handle the investigations that Tier 1 escalates. You dig into multi-stage attacks, coordinate contai…

Read more
Comparison

SOCSimulator vs Hack The Box: Comparison

Different tools for different career paths. SOCSimulator trains defensive analysts. Hack The Box trains offensive securi…

Read more
Tool

SIEM Training Console: SOCSimulator

The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…

Read more
Tool

XDR Training Console: SOCSimulator

The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…

Read more
Tool

Firewall Training Console: SOCSimulator

The Firewall console in SOCSimulator replicates the log analysis experience of enterprise platforms like Palo Alto Netwo…

Read more
Technique

MITRE ATT&CK® Techniques: Detection Training Library

Browse all MITRE ATT&CK® techniques with detection strategies and example alerts.

Read more
Career Path

Cybersecurity Career Paths: 2026 Guide

Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.

Read more
Playbook

SOC Investigation Playbooks: Step-by-Step Guides

Practitioner investigation playbooks with decision trees and real SIEM queries.

Read more
Feature

Shift Mode: Real-Time SOC Simulation

Practice alert triage under realistic time pressure with SLA timers and noise injection.

Read more
Feature

Operations: Guided Training Operations

Structured CTF-style investigation operations covering real-world attack scenarios.

Read more