What Is a Botnet? Definition, How They Work & Defense

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.

A botnet is a network of computers or devices under the control of a hacker, infected with malware, and used to carry out malicious actions.

The term botnet comes from the words “robot” and “network.” A bot is an automated computer program that can be used to infect malware, disseminate inflammatory information while posing as a human user, and steal data. Bad bots are programmed by hackers.

A botnet uses multiple internet-connected devices to infiltrate other devices and carry out scams and cyberattacks on a large scale. There are several different types of botnet attacks, and these are continuously evolving.

Botnets can control a variety of internet-connected devices. Upping cybersecurity at the user level can help to prevent botnet attacks.

What is a botnet?

A botnet is a collection of computers, internet of things (IoT) devices, smartphones, and any internet-connected devices that are infected by malware and under the control of a single party called a “bot-herder.” The bot-herder can use the botnet for malicious purposes, carrying out cyberattacks on a larger scale than a single bot is capable of doing.

Bots are not necessarily bad; they are automated computer programs that act like human users and can effectively speed up searches, aid with customer service, and direct traffic where it needs to go. Bad bots, on the other hand, contain malware, are controlled by hackers, and can be programmed to carry out cyberattacks and more.

A botnet is generally a negative thing, using multiple bad bots to infect other devices and commit large-scale attacks. The bot-herder can send one command to all of the bots under their control at once, and they can then carry out a coordinated and simultaneous attack. Cyber criminals often rent out their botnets on the black market for large profits.

How Does a Botnet Work?

Botnets are designed to increase the range, reach, and speed of hackers to carry out cyberattacks. They can grow and evolve as the bot-herder manipulates and updates them as well. Botnets use infected devices, also called zombie computers, as they mindlessly operate without the user’s knowledge and under the control of the bot-herder to carry out commands.

A botnet is typically built in three stages.

  1. Stage 1: Find and exploit a vulnerability. The hacker will look for a vulnerability within a device, either finding a software, application, or website issue or through human error. Online messages and email can be used to try and set a user up for a malware infection.
  2. Stage 2: Malware infection is deployed. Malware can be delivered by a variety of methods, including via Trojan viruses embedded in email attachments or clickbait popups. Social engineering techniques are often used by hackers to persuade users to unknowingly download malware to their device. Visiting infected sites can institute the drive-by download to deliver malware as well.
  3. Stage 3: Device is activated and attack is initiated. During this stage, the various infected machines, or bots, are organized into a network the bot-herder can control remotely. The zombie computers are then used in a larger zombie network to carry out attacks.

Once activated, a botnet can grant admin-level access to the bot-herder, allowing the ability to perform the following actions:

  • Collect personal data of the user.
  • Monitor user’s activity.
  • Read and write system data.
  • Install and run applications.
  • Send data and files.
  • Search for vulnerabilities within other devices.

What can a botnet control?

A botnet can affect any device connected to the internet or with access to an internet connection. This can include the following devices:

  • Computer desktops and laptops
  • Mobile devices like smartphones and tablets
  • Internet of things (IoT) devices, including wearable devices (smartwatches and fitness trackers), smart home devices (televisions, security cameras, thermometers, speakers, and smart plugs), and in-vehicle infotainment (IVI)
  • Internet infrastructure hardware, such as web servers and network routers 

Bot-herders can amass thousands or millions of devices (zombie computers) at a time to create a massive botnet for large scale cyber attacks.

How botnets are controlled

Botnets are controlled remotely by the bot-herder using command and control (C&C). This can be through either a centralized, or client-server model, or decentralized through the peer-to-peer (P2P) model.

Traditionally, botnets operated through Internet Relay Chat (IRC) networks, websites, and domains using the client-server model. With this model, the program will send a request and wait for a return response. Infected devices access a predetermined location and wait for the bot-herder to send the commands to the server, which are then relayed to the bots. The commands are executed, and results reported back to the bot-herder.

All commands are sent to a central server before being distributed to the bots. This centralized method can leave the bot-herder vulnerable to exposure.

Bot-herders are now commonly using the P2P model to control botnets, which is a serious threat to internet security using a decentralized method to keep their identity secret. The instruction responsibilities are embedded on to each zombie computer directly, and the bot-herder only has to contact one of the infected devices to send commands. These commands are then disseminated between the devices, avoiding the issue the centralized method has of the single point of failure.

Bots can also look to find other infected devices by probing IP addresses to contact other zombie computers. In this way, the botnet can grow itself, finding, updating, and communicating with all of the known bots.

What are botnets used for?

Botnets are generally created for malicious purposes for personal or financial gain. Cybercriminals who create botnets typically want to either steal something or wreak some kind of havoc. Botnets can be used for these purposes:

  • Sabotaging services: crashing websites and taking services offline
  • Theft of information: stealing private, personal, confidential, or sensitive information to access accounts and gain unauthorized access to systems and networks, often using spyware
  • Financial theft: stealing or extorting money directly
  • Electronic scams: controlling personal computers and devices for a variety of malicious purposes
  • Cryptocurrency scams: mining for cryptocurrency with users’ processing power
  • Rent or sale to other criminals: since botnets are commonly rented out or sold outright to other cybercriminals on the dark web or black market.

Types of botnet attacks

Botnets in and of themselves are already an attack, as the bot contains malware that infects the user’s device. Botnets are used collectively to carry out larger-scale attacks than a single infected device can manage.

These are some common types of botnet attacks:

  • Distributed Denial-of-Service (DDoS): This is one of the most common types of botnet attacks that uses the zombie computers to overload websites and online services in an attempt to overload the web traffic and crash the site or run the service offline for a period of time. The target server or network is so overwhelmed with botnet requests that legitimate users are unable to access it.

This can be done for financial, personal, or political reasons. Often, hackers extort payment to stop the attack. The DDoS attack can limit resources, promote customer dissatisfaction, and impact revenue. It is difficult to resolve.

  • Email spam and phishing: Spam botnets can be very large and can send out billions of spam messages daily. These spam messages often contain malware to either increase the botnet, distribute additional malware, or for other electronic scams.
  • Ad and click fraud: Click fraud involves a user’s computer visiting websites without their consent or knowledge, creating false web traffic. With ad fraud, influencers can boost popularity and online publishers can increase their commission from advertisers.
  • Brute force and targeted intrusions: Using a botnet can increase the success of credential stuffing and dictionary attacks based on the sheer volume of the attempts. A targeted attack can gain further access into a network targeting specific valuable assets.
  • Financial breach: Financial botnets aim to steal money directly from credit card information and organizations.

Best practices for preventing botnet attacks

Once a bot makes it into the system as part of a botnet, it can be difficult to eradicate. Instead of just getting rid of a piece of malware, the hacker is able to continually update and change the way the bot works, making it harder to kick them out of the system once they are in.

The best defense against botnets are preventative measures, which include the following:

  • Use antivirus software on all of your devices. Internet security suites can protect you against Trojan viruses and additional forms of malware.
  • Use smart passwords, protect them, and employ multi-factor authentication (MFA). Complex, strong, and long passwords should be difficult to guess, changed often, and not used across multiple platforms. Using additional authentication as well, such as biometrics, can further protect your devices.
  • Check and update all privacy and security options on devices that can connect to the internet. Many devices have manufacturer default passwords built in, and these should be updated to use custom login credentials.
  • Research the security features on devices before buying. Often, you can get what you pay for, and less expensive devices may have weaker security features.
  • Avoid downloading email attachments. Email attachments often contain malware. You should always verify that the email is coming from a trusted source. Even better, scan it with an antivirus software before opening if you must open it at all.
  • Do not click on links in messages. Social media, emails, and even text messages can all distribute bot malware. Instead, manually input the link into your address bar or search for an official version of it.

Key takeaways

Botnets are malicious tools used by hackers to control multiple devices at once. Bots are pieces of automated malware that can infect any device that connects to the internet. Multiple bots can be controlled as a network under a single hacker: the bot-herder. Botnets are able to spread malware faster and carry out large-scale cyber attacks.

Botnets will continue to evolve with technology. As methods to thwart cybercriminals are implemented, the bad actors will also get smarter and find new ways around security measures. To protect yourself from a botnet attack, be vigilant with your online and internet-connected devices.


What Is a Bot? Understanding the Good and the Bad. (April 2021). Spectrum News 1.

The Client/Server Model. (2021). The IBM Corporation.

Modeling and Analysis of Peer-to-Peer Botnets. (July 2012). Discrete Dynamics in Nature and Society.

Botnet-Based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art. (August 2012). International Journal of Computer Applications