MODULE 5 — Botnets and Distributed Attacks
Learning Objectives
By the end of this module, learners will be able to:
- Explain what botnets are and how they are constructed, controlled, and monetised.
- Describe the lifecycle of botnet infection, propagation, and command-and-control.
- Analyse different types of distributed attacks such as DDoS, credential stuffing, and automated exploitation.
- Understand the business models behind botnet ecosystems.
- Evaluate botnet countermeasures from both technical and strategic perspectives.
Module Overview
Botnets are networks of compromised devices remotely controlled by adversaries. They represent one of the most widespread and persistent threat mechanisms in cyberspace.
Botnets power large-scale attacks, including distributed denial-of-service (DDoS), credential harvesting, ransomware distribution, and brute-force automation.
In this module, we examine botnets as engineered systems: how they function, scale, and remain resilient despite global law enforcement and security countermeasures.
1. What Is a Botnet?
A botnet is a collection of infected devices (bots) controlled remotely by an attacker (the botmaster) through a command-and-control (C2) infrastructure.
Devices commonly hijacked include:
- Personal computers
- Servers
- Internet of Things devices (CCTV cameras, routers, smart appliances)
- Mobile phones
- Cloud instances with weak security
The scale of a botnet ranges from a few dozen compromised machines to millions.
1.1 Characteristics of Botnets
Botnets typically:
- Operate silently
- Execute commands remotely
- Spread malware autonomously
- Perform coordinated attacks
- Use obfuscation and resilience strategies
Botnets are not a single threat—they are a platform for multiple threats.
2. Botnet Architecture
A botnet consists of several engineered components.
2.1 Bot (Infected Device)
Each bot executes received commands and reports status back to the botmaster.
2.2 Command-and-Control Server
The C2 server orchestrates the botnet using:
- Centralised architectures
- Decentralised peer-to-peer networks
- Covert communication channels (hidden in DNS, social media, blockchain)
2.3 Distribution Mechanisms
Bots are installed via:
- Phishing
- Exploit kits
- Worm-like propagation
- IoT device scanning for weak passwords
- Software supply chain compromise
2.4 Payload Delivery
Once a bot is established, the botmaster can deploy additional malware:
- Ransomware
- Cryptominers
- Credential harvesters
- Keyloggers
The modular nature of botnets makes them attractive to cybercriminals.
3. Types of Botnet Architectures
3.1 Centralised Botnets
A single C2 server issues commands.
Advantages: simple, fast.
Weakness: single point of failure.
3.2 Peer-to-Peer (P2P) Botnets
Bots communicate without a central server.
Advantages:
- Highly resilient
- Harder to dismantle
3.3 Hybrid Botnets
Use both centralised and P2P channels to balance control with survivability.
3.4 IoT Botnets
Rely heavily on insecure IoT devices.
Famous example: Mirai.
Botnets evolve structurally to resist takedown attempts.
4. How Botnets Are Used
Botnets are versatile tools. They support numerous offensive operations.
4.1 DDoS Attacks
Distributed Denial-of-Service attacks overwhelm systems with excessive traffic.
Botnets amplify attacks through:
- Volume-based flooding
- Protocol exploitation
- Application-level overload
DDoS is often used for extortion or political activism.
4.2 Credential Stuffing
Botnets automate login attempts using leaked password databases to compromise accounts at scale.
4.3 Brute-Force Attacks
Botnets distribute password-guessing attempts across thousands of IP addresses so that no single source exceeds a per-IP rate limit, which is how they bypass that control.
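As an added illustration for sections 4.2 and 4.3 (not part of the module's own material), the following Python compares a naive per-IP rate limiter with detectors that aggregate by target account and by account breadth per source, over a constructed authentication log; the sample events, IP addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed authentication events for one monitoring window (not real data):
# (source IP, target account, login succeeded?)
EVENTS = (
    # one host hammering one account: a single-source brute force
    [("203.0.113.5", "alice", False)] * 6
    # eight bots, two guesses each, all aimed at "bob": a distributed brute force
    + [(f"198.51.100.{i}", "bob", False) for i in range(8) for _ in range(2)]
    # one bot replaying a leaked list, one try per account: credential stuffing
    + [("192.0.2.9", f"user{i}", False) for i in range(4)]
    # a legitimate user who mistypes once and then succeeds
    + [("10.0.0.4", "carol", False), ("10.0.0.4", "carol", True)]
)


def per_ip_limiter(events, max_failures=5):
    """Naive per-IP rate limit: only counts failures from each single source."""
    fails = defaultdict(int)
    for ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_failures}


def per_account_detector(events, max_failures=10, min_ips=4):
    """Aggregates failures per *target* account and counts distinct sources,
    which exposes a guessing campaign spread thinly across many bots."""
    fails = defaultdict(list)
    for ip, acct, ok in events:
        if not ok:
            fails[acct].append(ip)
    return {acct for acct, ips in fails.items()
            if len(ips) >= max_failures and len(set(ips)) >= min_ips}


def stuffing_detector(events, min_accounts=4):
    """Flags a source that fails against many *different* accounts with a
    single try each, the pattern of replaying a leaked credential list."""
    accts = defaultdict(set)
    for ip, acct, ok in events:
        if not ok:
            accts[ip].add(acct)
    return {ip for ip, seen in accts.items() if len(seen) >= min_accounts}


if __name__ == "__main__":
    print("per-IP limit trips on:", per_ip_limiter(EVENTS))
    print("accounts under distributed attack:", per_account_detector(EVENTS))
    print("credential-stuffing sources:", stuffing_detector(EVENTS))
```

Only the loud single host trips the per-IP limiter; the distributed campaign against "bob" and the list replay from 192.0.2.9 stay under it and are caught only by the account-centric views.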
4.4 Malware Distribution
Botnets propagate:
- Ransomware
- Banking trojans
- Rootkits
This model is central to many criminal ecosystems.
4.5 Cryptojacking
Botnets hijack CPU resources to mine cryptocurrency.
4.6 Click Fraud and Advertising Abuse
Botnets simulate human interaction for illicit advertising revenue.
Botmasters monetise botnets through diverse channels.
5. The Botnet Economy
Botnets are deeply embedded in criminal business models.
5.1 Renting Botnets
Attackers can rent botnet access for:
- DDoS services
- Automated exploitation
- Credential cracking
- Malware delivery
Rates may be hourly, daily, or campaign-based.
5.2 Pay-Per-Install Schemes
Botnet operators are paid for each new infected device.
5.3 Selling Access to Compromised Devices
Compromised machines become commodities in underground markets.
5.4 Cryptomining Profits
Botnets mine cryptocurrency without the owner’s knowledge.
The financial incentive ensures botnets continue to expand.
6. Case Studies in Botnet Operations
6.1 Mirai
Targeted IoT devices.
Impact:
- Massive DDoS attacks
- Internet outages across major services
- Demonstrated IoT security weaknesses
6.2 Emotet
One of the most resilient botnets ever created.
Capabilities:
- Email harvesting
- Malware distribution
- Modular expansion
Emotet served as a delivery mechanism for multiple ransomware strains.
6.3 TrickBot
Transitioned from banking trojan to modular botnet.
Used extensively to enable high-impact ransomware campaigns.
These case studies reveal botnets as engineered infrastructures, not isolated malware samples.
7. Defence Against Botnets
7.1 Technical Controls
- Network traffic filtering
- Botnet signature detection
- Endpoint detection and response
- DNS sinkholing
- Firewall geo-blocking
- Behavioural detection of anomalies
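As an added example of the behavioural detection listed above (not part of the module's own material), this Python flags candidate C2 check-ins by looking for near-constant intervals between repeated contacts to the same destination in a constructed connection log; the hostnames, timestamps and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed connection log (not real data): (epoch seconds, source host, destination)
CONNECTIONS = (
    # infected host checking in with its controller roughly every 60 s, with jitter
    [(1000 + 60 * k + j, "host-17", "c2.example.invalid:443")
     for k, j in enumerate([0, 2, -1, 3, 1, -2, 0, 2])]
    # the same host doing ordinary, bursty web browsing
    + [(1000 + t, "host-17", "www.example.com:443")
       for t in (3, 4, 4, 9, 130, 131, 300, 302, 305, 410)]
    # another host with too few contacts to judge either way
    + [(1000, "host-22", "update.example.net:443"),
       (1200, "host-22", "update.example.net:443")]
)


def beacon_candidates(conns, min_events=6, max_cv=0.15):
    """Group connections by (source, destination), compute the gaps between
    successive contacts and flag pairs whose gaps are nearly constant.
    max_cv bounds the coefficient of variation (stdev / mean) of the gaps.
    Returns {pair: mean interval in seconds} for flagged pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:          # not enough evidence of a rhythm
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            flagged[pair] = round(mean, 1)
    return flagged


if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(CONNECTIONS).items():
        print(f"{src} contacts {dst} every ~{interval}s: possible beacon")
```

Real bots add jitter and sleep-skew to defeat exactly this check, so in practice the threshold is tuned against the environment's own baseline rather than fixed.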
7.2 IoT Security Hardening
- Changing default passwords
- Updating firmware
- Disabling unnecessary features
7.3 Coordinated Takedowns
Security researchers, CERT teams, and law enforcement collaborate to:
- Seize domains
- Sinkhole C2 traffic
- Arrest operators
7.4 Reducing Attack Surface
- Patch management
- Securing RDP and SSH endpoints
- Applying zero-trust principles
Botnet defence requires ecosystem-wide collaboration.
8. Reflection Questions
- Why do P2P botnets resist takedown better than centralised ones?
- How does IoT insecurity contribute to global botnet growth?
- Why do botnets continue to expand despite law enforcement efforts?
- Which defensive control is most effective against botnets in enterprise environments?
Summary
Botnets represent a powerful and flexible cyber threat platform capable of launching distributed attacks, delivering malware, harvesting credentials, and monetising compromised devices at scale. Their resilience, automation, and economic incentives ensure continued evolution and proliferation.
Understanding botnet architecture and operations is essential for predicting threat behaviour and designing defensive strategies.