
What Is a Botnet? Architecture, Lifecycle, Detection

A botnet is a network of compromised hosts, each running the same malware, that a single operator controls remotely through a command-and-control channel as one coordinated unit.

In October 2016 a DNS provider called Dyn fell over, and with it went Twitter, Reddit, Netflix, Spotify, GitHub, and PayPal for much of the United States east coast. The traffic that took it down did not come from a server farm. It came from home routers, IP cameras, and DVRs, hundreds of thousands of them, devices whose owners never knew they were part of the attack. The malware running them was Mirai, and the thing it built out of those devices has a name every defender should be able to reason about: a botnet.

A botnet is a network of compromised hosts, each running the same malware, that a single operator controls remotely as one coordinated unit. The compromised hosts are the bots. The operator is the botmaster. The channel between them is command and control. That is the whole idea, and almost every large-scale internet abuse you will investigate runs on top of it: distributed denial of service, spam, credential stuffing, crypto mining, residential proxy fraud, and the bulk distribution of more malware. This guide covers what a botnet is, the architectures botmasters use to stay reachable and hidden, the lifecycle that turns one infected machine into a soldier, what botnets are actually used for, the documented cases worth knowing cold, and how defenders detect and dismantle them.

What is a botnet?

A botnet is a collection of internet-connected devices, each infected with the same bot malware, that report to and take orders from a central controller. Three roles define it.

The bots, sometimes called zombies, are the compromised devices. They can be anything that runs code and reaches the internet: Windows desktops, Linux servers, home routers, IP cameras, DVRs, and increasingly cloud virtual machines. The owner usually has no idea. The malware is built to stay quiet, survive reboots, and do nothing visible until told to.

The botmaster, or bot herder, is the human or group that controls the network. They do not touch the bots directly. They issue a command once, and the infrastructure fans it out to every bot at the same time. That fan-out is what makes a botnet dangerous: one instruction becomes a hundred thousand simultaneous actions.

The command and control channel is how the order travels. C2 is the spine of every botnet, and it is also its weakest point. A botnet that cannot reach its C2 is just a pile of idle infected machines, which is exactly why defenders attack the C2 first and why botmasters spend most of their engineering effort keeping it reachable and hidden. Understanding command and control is the prerequisite for understanding botnets, because the architecture of a botnet is mostly the architecture of its C2.

The scale is the point. A single compromised host is a nuisance. A hundred thousand of them, acting in unison on one command, is a weapon that can take a Fortune 500 service offline, drain credentials from millions of accounts, or mine cryptocurrency on someone else's electricity bill at industrial scale.

Botnet architectures: how the C2 is wired

Botmasters have a single hard problem: stay in contact with the bots while staying out of reach of defenders and takedowns. The architecture is the answer to that problem, and there are three broad approaches, each a trade against the others.

Centralized (client-server). Every bot connects back to one or a few C2 servers. The classic transport is IRC, where bots join a channel and the botmaster types commands into it. Modern centralized botnets favor HTTP or HTTPS, where bots poll a web server for instructions and blend into ordinary web traffic. Centralized control is simple to build and gives the botmaster instant, low-latency command of the whole fleet. Its weakness is the single point of failure: find the C2 server, seize or sinkhole it, and the entire botnet goes dark. Most early botnets, and many still, are centralized.

Peer-to-peer (P2P). To remove that single point of failure, P2P botnets drop the central server. Each bot is both client and server, relaying commands to its neighbors, so the network has no head to cut off. The botmaster injects a command into any node and it propagates across the mesh. P2P is far more resilient to takedown but harder to build, slower to propagate commands, and noisier on the network because bots constantly talk to each other. Botnets like Gameover Zeus and the later Conficker variants moved to P2P specifically to survive the takedowns that killed centralized predecessors.

Resilience layers: fast-flux and DGA. Both architectures bolt on techniques to keep the C2 rendezvous alive. Fast-flux rapidly rotates the IP addresses behind a single C2 domain, often every few minutes, hiding the real server behind a churn of compromised proxies so that blocking any one IP accomplishes nothing. A domain generation algorithm (DGA) goes further: instead of hard-coding a C2 address that defenders can blacklist, the bot algorithmically generates a large list of candidate domains each day and tries them until one answers. The botmaster only has to register one of those domains to regain control. Conficker.C generated 50,000 candidate domains a day and queried a subset of them, which forced defenders into the equally large job of pre-registering or blocking domains faster than the malware could rotate.

The table below is the practical comparison a defender uses to reason about which botnet is which and where its weak point is.

| Architecture | C2 transport | Resilience | Takedown weak point | Examples |
| --- | --- | --- | --- | --- |
| Centralized (IRC) | IRC channels | Low, single server | Seize or sinkhole the C2 server | Early IRC botnets |
| Centralized (HTTP/S) | Web polling, blends with traffic | Low to medium | Seize C2 domain or server | Mirai, many loaders |
| Peer-to-peer | Bot-to-bot relay | High, no central head | Poison the peer list, mass cleanup | Gameover Zeus, Conficker P2P |
| Fast-flux | Rotating IPs behind one domain | Medium to high | Seize the domain itself | Spam and phishing botnets |
| DGA | Algorithmic daily domain list | High | Pre-register or block generated domains | Conficker.C |

The bot lifecycle: infect, rally, obey

[Infographic: Botnet: the bot lifecycle. Infect, rally, obey. One machine becomes a controllable asset in three stages; the rally and beacon are the most detectable.
01 Infect: malware lands and persists. Phishing, exploit, or a default-credential login (Mirai). The bot survives reboot.
02 Rally to C2: call home, register. Resolve C2, DGA domain, or peer list. First connection to a never-seen address.
03 Obey: beacon and execute. Poll C2 at intervals. On command: DDoS, spam, credential stuffing, mining, or drop more malware. MITRE TA0011.
Where to break the chain: a well-built bot spends almost all its life idle and beaconing. That regular, machine-timed check-in to C2 is the strongest single signal, and egress filtering at the rally step is where you cut it.]

A botnet grows one machine at a time, and every recruit follows the same three-stage path. Knowing the stages tells you where to look in an investigation and where to break the chain.

Infect. The malware lands on the device and executes. The vector is whatever works at scale: a phishing attachment, a drive-by download, an exploited unpatched service, or, for IoT botnets, a scan of the internet for devices still running default credentials. Mirai did exactly this, sweeping the internet for cameras and routers whose owners never changed the factory admin password and logging straight in. Once running, the malware establishes persistence so it survives a reboot.

Rally to C2. The fresh bot calls home. It resolves its hard-coded C2 address, its DGA domain, or its peer list, connects, and registers itself as available. This is the moment the device stops being merely infected and becomes a controllable asset. It is also the single most detectable event in the whole lifecycle: a host that was silent now makes a regular, scripted connection to an address it has never contacted before.

Receive commands and act. The bot now waits, beaconing back to C2 at intervals to ask for work. When the botmaster issues an order, the bot executes it: open a flood of traffic at a target, send a batch of spam, try a list of stolen credentials, relay someone else's web traffic, or download and run a second-stage payload. Between jobs it stays quiet. A well-built bot spends almost all of its life idle and beaconing, which is precisely the behavior that betrays it.

What botnets are used for

A botnet is rented infrastructure for crime. Once the botmaster has the fleet, the same network gets pointed at whatever pays. The common uses:

Distributed denial of service (DDoS). The signature botnet attack. Every bot sends traffic at one target at once, overwhelming its bandwidth or its application until legitimate users cannot get through. Botnet DDoS is what took down Dyn and Krebs, and it is the use case that makes raw bot count a marketable commodity.

Spam and phishing distribution. Bots send email from residential and business IP addresses that are not yet on spam blocklists, which is why botnet-sent spam lands in inboxes that would reject a known bulk sender. Many of the largest spam operations in history were botnet-driven.

Credential stuffing and brute force. Bots replay stolen username and password pairs against login pages, or hammer accounts with guesses, distributing the attempts across thousands of IPs so no single address trips a rate limiter. This is where botnets intersect directly with account takeover; spreading a brute force attack across a botnet is what defeats per-IP lockouts.

Cryptocurrency mining. Bots mine cryptocurrency using the victim's CPU and electricity. Individually negligible, across a large botnet it is free money paid for by other people's power bills and worn-out hardware.

Proxy and residential proxy services. Bots relay a paying customer's traffic, lending it the legitimacy of a real residential or mobile IP. This powers ad fraud, sneaker-bot purchasing, scraping, and the laundering of attack traffic through addresses that look like ordinary home users.

Malware distribution (loaders). Some botnets exist mainly to install more malware. The bot is a foothold the operator rents out or sells, dropping ransomware, banking trojans, or other payloads on command. Emotet and TrickBot built their reputations as exactly this: distribution platforms that delivered whatever the highest bidder wanted next.

Documented botnets worth knowing

Names matter here, because these are the cases that show up in incident reports, threat intel, and exam questions. The facts below are the ones to get right.

Mirai (2016). Mirai infected IoT devices (routers, IP cameras, and DVRs) by scanning the internet and logging in with a built-in list of default credentials, which CISA documented in its alert on the heightened DDoS threat posed by Mirai. At its peak in November 2016 it controlled on the order of 600,000 devices. In September 2016 it hit security journalist Brian Krebs's site with a DDoS that peaked around 620 Gbps, a record at the time. On October 21, 2016 a Mirai-based botnet attacked the DNS provider Dyn using an estimated 100,000 malicious endpoints, taking major services offline across the eastern United States. Around September 30, 2016 the author, using the handle "Anna-senpai," released the Mirai source code publicly on a hacking forum, which spawned a long lineage of copycat variants. Three men, Paras Jha, Josiah White, and Dalton Norman, pleaded guilty to creating and operating Mirai in December 2017.

Emotet. Emotet began as a banking trojan and became one of the most prolific malware-distribution botnets in the world, delivering other payloads on command. On January 27, 2021 a coordinated international operation led by Europol and Eurojust took down Emotet's infrastructure, seizing control of its servers from the inside. It did not stay dead. Around mid-November 2021 Emotet rebuilt, resurfacing through the TrickBot botnet that began dropping fresh Emotet loaders. Emotet is the clean example of why a takedown is a setback, not a kill, when the operators remain free.

Conficker (2008). Conficker, also called Downadup, first appeared in November 2008 and spread by exploiting the MS08-067 Windows vulnerability along with weak passwords and removable media. Estimates of its reach run into the millions of infected machines, commonly cited in the range of roughly 9 to 15 million cumulatively. It is the textbook DGA case: later variants generated tens of thousands of candidate C2 domains per day to outrun the defenders trying to block them, prompting the formation of the Conficker Working Group.

TrickBot. TrickBot appeared around 2016 as a banking trojan and evolved into a modular botnet and malware-delivery platform, dropping ransomware such as Ryuk and Conti for its operators and partners. Its modular design, where capabilities are added as downloadable plugins, is the modern template: the botnet is a platform, and the modules decide what it does this week.

Meris and Mantis. These are the recent record-setters for application-layer DDoS measured in HTTP requests per second rather than raw bandwidth. The Meris botnet, built largely from compromised MikroTik network devices, drove an attack of roughly 21.8 million requests per second in 2021. In June 2022 Cloudflare mitigated a 26 million requests-per-second attack it attributed to the Mantis botnet, which was built from a small number of hijacked cloud servers and virtual machines rather than IoT junk, a sign of where high-power botnets are heading.

MITRE ATT&CK mapping

Botnet behavior maps cleanly onto ATT&CK, which is useful because it lets you turn "this looks like a botnet" into specific, detectable techniques.

  • Command and Control (TA0011) is the central tactic. Relevant techniques include Application Layer Protocol (T1071) for HTTP/HTTPS or IRC C2, Dynamic Resolution: Domain Generation Algorithms (T1568.002) for DGA-based rendezvous, Fallback Channels (T1008), and Non-Standard Port (T1571).
  • Impact (TA0040) covers the payload: Network Denial of Service (T1498) and Endpoint Denial of Service (T1499) for DDoS, and Resource Hijacking (T1496) for crypto mining.
  • Initial Access and Persistence cover the infect stage, including Valid Accounts (T1078) for the default-credential logins that built Mirai.
  • Credential Access maps the credential-stuffing use via Brute Force (T1110).

The value of the mapping is operational: if your detections cover T1071, T1568.002, and T1498, you are covering the spine of most botnet activity regardless of which specific family you are facing.

Detecting a botnet

Bots are built to hide, but the thing they cannot hide is that they have to talk to their controller. Detection lives almost entirely in the network and in the patterns of that conversation.

Beaconing. A bot polling its C2 produces a regular, machine-timed connection: the same destination, at roughly the same interval, in small request sizes, repeating for hours or days. Humans do not browse like that. Beaconing detection looks for that periodicity, often by measuring the regularity of the time gaps between a host's connections to a given destination. A near-constant interval with low jitter is one of the strongest single signals of an infected host. This is core network traffic analysis work, and an intrusion detection system tuned for beaconing catches C2 channels that no static signature would flag.
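A minimal version of the periodicity check described above, written here as an added example rather than code from the page: it scores each source-to-destination pair by the coefficient of variation of its connection gaps over constructed flow records. The flow tuple layout, the hosts, and the thresholds are assumptions to tune per environment.

```python
"""Beacon detection over constructed flow records (added example).

Each record is (timestamp_seconds, src_host, dst_host). For every src->dst pair
the gaps between successive connections are scored with the coefficient of
variation (std / mean); a small value means a near-constant interval with low jitter.
"""
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 checks in with 198.51.100.7 every ~300 s with a
# second or two of drift (a bot beaconing); 10.0.0.9 browses a site at
# irregular, human-looking intervals.
BEACON_JITTER = [0, 1, 0, 2, 1, 0, 1, 0]  # seconds of drift per 300 s check-in
FLOWS = [(300 * i + j, "10.0.0.5", "198.51.100.7") for i, j in enumerate(BEACON_JITTER)]
FLOWS += [(t, "10.0.0.9", "news.example") for t in (0, 17, 19, 240, 905, 910, 2200, 2203)]


def interval_stats(times):
    """Return (mean_gap, cv) for a sorted list of timestamps, or None if too few."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(flows, min_connections=6, max_cv=0.2):
    """Return {(src, dst): (mean_gap, cv)} for pairs whose check-ins are periodic.

    min_connections stops a pair being scored on two or three flows; max_cv is the
    jitter ceiling (0.2 = standard deviation at most 20% of the mean gap). C2 that
    deliberately randomises its sleep needs a higher ceiling or a gap histogram.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        stats = interval_stats(sorted(times))
        if stats and stats[1] <= max_cv:
            beacons[pair] = stats
    return beacons


if __name__ == "__main__":
    for (src, dst), (mean_gap, cv) in find_beacons(FLOWS).items():
        print(f"{src} -> {dst}: every {mean_gap:.0f}s, cv={cv:.3f}")
```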

DGA domains. Hosts resolving a stream of algorithmically generated domain names, long, random-looking strings that mostly return NXDOMAIN because the botmaster only registered a few, are a high-fidelity botnet indicator. Watching DNS for a single host generating many failed lookups of high-entropy domains surfaces DGA malware directly.
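The NXDOMAIN-plus-entropy check from the paragraph above, as an added example that is not part of the original page: it walks constructed DNS log lines and flags clients with many failed lookups of high-entropy second-level labels. The log line format, the entropy and count thresholds, and the sample names are assumptions.

```python
"""DGA lookup detection over constructed DNS log lines (added example).

Each line is "<ts> <client_ip> <qname> <rcode>". A client is flagged when it
produces many NXDOMAIN answers for names whose registrable label has high
character entropy, the pattern of a bot walking its daily candidate list.
"""
import math
from collections import defaultdict

# Constructed sample log; example.* names are reserved documentation domains.
DNS_LOG = """\
1700000001 10.0.0.5 qxv8k2mzp1t.com NXDOMAIN
1700000002 10.0.0.5 a9s0dkf3lqwe.net NXDOMAIN
1700000003 10.0.0.5 zmx7c2v4bnq.org NXDOMAIN
1700000004 10.0.0.5 p0o9i8u7y6t5.info NXDOMAIN
1700000005 10.0.0.5 hjk2l3m4n5b6.com NXDOMAIN
1700000006 10.0.0.5 w1e2r3t4y5u6i7.biz NOERROR
1700000007 10.0.0.9 www.example.com NOERROR
1700000008 10.0.0.9 mail.example.org NOERROR
1700000009 10.0.0.9 typo.exampel.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (max log2(36) ~ 5.17 for [a-z0-9])."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label of a name, e.g. 'qxv8k2mzp1t' from 'qxv8k2mzp1t.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_dga_hosts(log_text, min_nx=5, min_entropy=3.0, min_len=8):
    """Return {client: count} for clients with >= min_nx NXDOMAIN answers on
    long, high-entropy labels. Thresholds are assumptions: long dictionary words
    can exceed 3.0 bits, so tune min_entropy against your own resolver baseline."""
    suspicious = defaultdict(int)
    for line in log_text.splitlines():
        ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        label = registrable_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            suspicious[client] += 1
    return {c: n for c, n in suspicious.items() if n >= min_nx}


if __name__ == "__main__":
    for client, count in find_dga_hosts(DNS_LOG).items():
        print(f"{client}: {count} failed high-entropy lookups")
```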

NetFlow and volume anomalies. Flow records reveal what packet inspection misses at scale: a host suddenly talking to thousands of external destinations (a bot doing the talking in a P2P mesh, or a DDoS source), a spike in outbound connections, or sustained traffic to a destination no one else in the environment contacts. Baseline normal egress and the botnet activity stands out as deviation.

Reputation and known indicators. Connections to IPs and domains already flagged as C2 infrastructure by threat intel, and matches against known bot malware hashes on the endpoint, remain the cheapest first filter. They miss novel infrastructure, which is why behavioral detection sits alongside them rather than being replaced by them.

The throughline: signatures catch the malware you already know, but behavior, the beacon, the DGA lookups, the anomalous flows, catches the bot whether or not you have seen its family before.

Defending against and dismantling botnets

Defense splits into two jobs: keep your own hosts out of the botnet, and, at the industry level, dismantle the botnet itself.

Keeping hosts clean is unglamorous and decisive. Patch the services botnets exploit. Change default credentials on everything, the single control that would have starved Mirai. Segment networks so a compromised host cannot freely reach others. Filter outbound traffic, because a bot that cannot reach its C2 is inert, and egress filtering plus DNS monitoring is where you cut the rally step.

Dismantling a botnet attacks its C2, and the primary technique is sinkholing. Defenders take over the C2 rendezvous point, by seizing the domain or registering the DGA domains before the botmaster can, and redirect all the bots' check-in traffic to a server they control. The bots phone home to the sinkhole instead of the botmaster, which severs the operator's control and, as a bonus, gives defenders a precise census of infected hosts to notify and clean. The Conficker Working Group's domain pre-registration and the takedowns of Emotet and Gameover Zeus all turned on seizing or sinkholing the C2.
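The defender's pre-registration job, described under the DGA architecture above and in the sinkholing paragraph here, as an added example that is not the page's or any working group's code: the generator is a toy stand-in for a real family's recovered algorithm, seeded from an assumed family string and the date, and the plan function enumerates the domains to register or sinkhole for a date range.

```python
"""Defender-side DGA pre-computation (added example).

A real family's algorithm is recovered by reversing a sample. Once the algorithm
and seed are known, the defender runs the same function the bot does and gets the
full candidate list for any day, which is what pre-registration and sinkholing need.
"""
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("com", "net", "org")  # assumed TLD rotation for the toy generator


def to_label(n, length=12):
    """Render the low `length` base-36 digits of integer n as a DNS label."""
    out = []
    for _ in range(length):
        n, r = divmod(n, 36)
        out.append(ALPHABET[r])
    return "".join(out)


def toy_dga(day_iso, seed="example-family", count=20):
    """Toy stand-in for a recovered DGA: `count` deterministic domains for one day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).digest()
        label = to_label(int.from_bytes(digest[:8], "big"))
        domains.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return domains


def sinkhole_plan(start_iso, days, seed="example-family", per_day=20):
    """Map each ISO date in [start, start + days) to the domains to pre-register."""
    start = date.fromisoformat(start_iso)
    plan = {}
    for d in range(days):
        day_iso = (start + timedelta(days=d)).isoformat()
        plan[day_iso] = toy_dga(day_iso, seed, per_day)
    return plan


def hits_plan(qname, plan):
    """True if an observed DNS lookup is one of the precomputed rendezvous names."""
    return any(qname in domains for domains in plan.values())


if __name__ == "__main__":
    for day_iso, domains in sinkhole_plan("2024-01-01", 3).items():
        print(day_iso, len(domains), "domains to register, e.g.", domains[0])
```

The size of the plan is the defender's cost: at Conficker.C's rate the same loop would have to cover 50,000 names per day.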

Two hard truths from those operations. First, P2P and DGA exist specifically to make sinkholing harder, which is why modern takedowns require coordinated, often international, legal and technical effort rather than a single seizure. Second, a takedown removes infrastructure, not people. Emotet proved that operators who stay free rebuild. Lasting disruption usually requires arrests alongside the technical strike, which is the pattern in the Mirai prosecutions and the multi-agency operations against Emotet and its peers.

The bottom line

A botnet is one operator's network of compromised hosts, the bots, wired together through a command-and-control channel and acting as a single weapon on command. The architecture, centralized, peer-to-peer, fast-flux, or DGA-backed, is mostly a series of trades about keeping that C2 reachable while keeping it out of defenders' hands, and it is the C2 that both sides fight over. Every bot follows the same lifecycle, infect, rally, obey, and the rally and beacon steps are the most detectable thing it does.

For a defender the work is concrete. Starve the infect step by patching and killing default credentials, cut the rally step with egress filtering and DNS monitoring, and find the bots already inside by their behavior: the regular beacon, the failed DGA lookups, the anomalous flows that no signature would catch. Dismantling the botnet itself means sinkholing the C2, and the lesson of Emotet and Mirai is that infrastructure comes back unless the people behind it do not.

Frequently asked questions

What is a botnet in simple terms?

A botnet is a network of internet-connected devices that have all been infected with the same malware and are controlled remotely by one operator. The infected devices are called bots or zombies, the operator is the botmaster, and the operator sends one command that every bot executes at the same time. That coordinated control is what lets botnets launch large-scale attacks like DDoS, spam, and credential stuffing.

How does a botnet work?

A botnet works in three stages. First the malware infects a device through phishing, an exploit, or default credentials, and establishes persistence. Then the bot rallies to command and control, calling home and registering itself as available. Finally it beacons back at intervals waiting for orders, and executes whatever the botmaster commands, from flooding a target with traffic to relaying proxy traffic or downloading more malware.

What is the difference between a centralized and a peer-to-peer botnet?

A centralized botnet routes every bot through one or a few command-and-control servers, which makes it simple and fast to control but easy to dismantle by seizing the server. A peer-to-peer botnet removes the central server and has bots relay commands to each other, so there is no single point to take down. P2P is far more resilient but harder to build, slower to propagate commands, and noisier on the network.

What was the Mirai botnet?

Mirai was a botnet that infected IoT devices like routers and IP cameras by logging in with default credentials, controlling around 600,000 devices at its peak in late 2016. It launched the record DDoS against journalist Brian Krebs and the October 21, 2016 attack on DNS provider Dyn that knocked major services offline. Its source code was released publicly, spawning many copycat variants, and its authors pleaded guilty in December 2017.

How do you detect a botnet on a network?

The strongest signal is beaconing: a host making regular, machine-timed connections to the same external destination, which is a bot polling its command and control. Other indicators are a host resolving many random-looking DGA domains that mostly fail, NetFlow anomalies like sudden connections to thousands of destinations, and matches against known C2 indicators and malware hashes. Behavioral detection catches bots whether or not their malware family is already known.

What is sinkholing a botnet?

Sinkholing is a takedown technique where defenders take over a botnet's command-and-control rendezvous point, by seizing the domain or pre-registering the domains a DGA will generate, and redirect the bots' check-in traffic to a server they control. The bots phone home to the sinkhole instead of the operator, severing control and revealing exactly which hosts are infected so they can be cleaned.
