Botnet

Definition

A botnet is a network of malware-infected computers, servers and IoT devices controlled by an attacker (botherder). Botnets are used for DDoS attacks, spam distribution, cryptomining and data theft. The Mirai botnet demonstrated the devastating power of IoT botnets in 2016 with a 1.2 Tbps DDoS attack.

How does a botnet work?

Devices become part of a botnet through malware infections: phishing emails, drive-by downloads, unpatched vulnerabilities or default passwords on IoT devices. After infection, the malware connects to a Command and Control (C2) server managed by the botherder. Via the C2 channel, the bot receives instructions: participate in DDoS attacks, send spam, steal credentials or mine cryptocurrency. The device owner often notices nothing. Modern botnets use peer-to-peer (P2P) architecture instead of a central C2 point for greater resilience.

Types of botnets

DDoS botnets overwhelm targets with massive network traffic. Spam botnets distribute millions of spam emails daily. Credential-stealing botnets harvest login data and financial information. Cryptomining botnets abuse computing power for cryptocurrency mining. Notable botnets include Emotet, Mirai (IoT), TrickBot and Gameover Zeus.

Impact on organisations

Organisations can be both botnet targets and unwitting participants. As a DDoS target, services become unavailable with direct revenue loss. As an unwitting participant, infected infrastructure contributes to attacks on third parties, with potential legal and reputational consequences. NIS2 requires adequate botnet protection.

Protection

Implement network segmentation to limit lateral spread. Monitor outbound traffic for C2 communication via SIEM and NDR. Keep all systems and IoT devices updated. Change default passwords on all devices. Use EDR for botnet malware detection. Block known C2 infrastructure via threat intelligence feeds.
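The C2 polling described under "How does a botnet work?" leaves a measurable trace in outbound connection logs: a bot checks in with its controller at near-regular intervals, whereas human-driven traffic is bursty. The following is an added example, not DEFION's tooling or any project's code, of the kind of beaconing check a SIEM or NDR rule implements. The log format and the sample records are constructed for the example; the thresholds (`min_connections`, `max_jitter`) are illustrative and would be tuned per environment.

```python
"""Flag C2-style beaconing in outbound connection logs.

Added illustrative example. For each (internal host, external endpoint)
pair it measures how regular the gaps between connections are; a low
jitter ratio (stddev / mean of the gaps) over enough connections is the
signature of a bot polling its C2 server. Log format is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "<ISO timestamp> <src> <dst:port> <bytes>".
# 10.0.1.15 polls 203.0.113.7 roughly every 30 s; 10.0.1.22 shows
# irregular, human-looking traffic to 198.51.100.9.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.1.15 203.0.113.7:443 512
2024-05-01T10:00:31 10.0.1.15 203.0.113.7:443 498
2024-05-01T10:01:00 10.0.1.15 203.0.113.7:443 505
2024-05-01T10:01:30 10.0.1.15 203.0.113.7:443 520
2024-05-01T10:02:01 10.0.1.15 203.0.113.7:443 501
2024-05-01T10:02:30 10.0.1.15 203.0.113.7:443 510
2024-05-01T10:00:05 10.0.1.22 198.51.100.9:443 40321
2024-05-01T10:07:48 10.0.1.22 198.51.100.9:443 1200
2024-05-01T10:09:02 10.0.1.22 198.51.100.9:443 87000
2024-05-01T10:31:17 10.0.1.22 198.51.100.9:443 300
"""


def parse_log(text):
    """Group connection timestamps by (src, dst:port) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_seconds, jitter_ratio) for a list of timestamps.

    jitter_ratio = population stddev of the gaps / mean gap; values near 0
    mean the connections are metronomic. Returns None when fewer than two
    gaps exist, since regularity cannot be judged from a single interval.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return the (src, dst) pairs whose timing looks like C2 beaconing.

    Thresholds are illustrative: require enough connections to judge
    regularity and a jitter ratio below max_jitter.
    """
    suspects = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score is not None and score[1] <= max_jitter:
            suspects.append({
                "src": src,
                "dst": dst,
                "count": len(ts),
                "interval_s": round(score[0], 1),
                "jitter": round(score[1], 3),
            })
    return suspects


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"every ~{hit['interval_s']} s (jitter {hit['jitter']})")
```

Run as-is it reports only 10.0.1.15, whose six connections arrive every 30 seconds with almost no variation. A production rule would also exclude known-good destinations (update servers, monitoring agents), weight by destination reputation from threat intelligence feeds, and account for malware that adds deliberate jitter, which pushes the ratio up and is why the threshold is a tunable rather than a fixed constant.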

How DEFION helps

DEFION detects botnet activity through Managed Threat Detection and monitors C2 communication as part of 24/7 SOC services. DDoS tests evaluate infrastructure resilience against botnet-driven attacks.

Related terms

DDoS Attack
Malware