What is a Botnet?
A botnet is a network of compromised devices controlled by attackers for DDoS, spam, and credential attacks. Learn how botnets are built, what they're used for, and how organizations defend against them.
How Botnets Are Built
Botnet operators compromise devices through malware distributed via phishing emails, drive-by download attacks on compromised websites, exploitation of unpatched vulnerabilities in internet-facing services, and credential stuffing against devices with default or weak passwords. IoT devices — home routers, cameras, smart TVs, network storage devices — are particularly attractive botnet candidates because they are numerous, often run outdated firmware with unpatched vulnerabilities, and operate continuously without the security monitoring that protects corporate endpoints.
The Mirai botnet, which caused the 2016 Dyn DDoS attack that disrupted major internet services globally, infected IoT devices by scanning for devices using default factory credentials. Its source code was published online in 2016, spawning dozens of derivative botnets that continue to exploit default credentials on IoT devices.
Botnet Uses
DDoS attacks use botnet traffic volume to overwhelm targets with requests that legitimate infrastructure cannot handle. Spam botnets distribute billions of phishing and spam emails daily from compromised devices, bypassing IP reputation filters that would block known spam sources. Credential stuffing botnets distribute authentication attempts across thousands of IP addresses to defeat rate limiting. Proxy botnets rent access to their compromised device networks to other criminals, providing residential IP addresses that pass geolocation checks that datacenter IPs fail. Cryptomining botnets use compromised device CPU and GPU resources to mine cryptocurrency for the botmaster.
Botnet Defense
For organizations, botnet defense focuses on preventing corporate devices from being compromised and becoming botnet participants, and on blocking botnet-originated attack traffic. Endpoint protection with behavioral detection identifies botnet malware activity. Network monitoring identifies unusual outbound communication patterns associated with C2 beaconing, such as connections from one host to the same external address recurring at near-constant intervals. IP reputation services block known botnet infrastructure at the perimeter.
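As an added example (not code from the original article), the following Python check applies the beaconing heuristic above to a constructed outbound connection log: it groups connections by source and destination pair and flags pairs whose inter-connection intervals are almost constant, which is how a C2 beacon differs from ordinary browsing. The log format, the hosts and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records: timestamp, source host,
# destination:port. The 10.0.0.5 -> 203.0.113.7 entries recur roughly every
# 60 seconds, the way a C2 beacon does; the 10.0.0.9 entries are irregular.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T09:00:12 10.0.0.9 198.51.100.20:443
2024-05-01T09:01:01 10.0.0.5 203.0.113.7:443
2024-05-01T09:01:45 10.0.0.9 198.51.100.31:80
2024-05-01T09:02:00 10.0.0.5 203.0.113.7:443
2024-05-01T09:02:20 10.0.0.9 198.51.100.20:443
2024-05-01T09:03:01 10.0.0.5 203.0.113.7:443
2024-05-01T09:03:59 10.0.0.5 203.0.113.7:443
2024-05-01T09:04:10 10.0.0.9 198.51.100.44:443
2024-05-01T09:05:00 10.0.0.5 203.0.113.7:443
2024-05-01T09:07:30 10.0.0.9 198.51.100.20:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).
    A low coefficient of variation means near-constant spacing."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, cv

def find_beacons(text, min_connections=5, max_cv=0.2):
    """Flag pairs with enough connections and very regular spacing (assumed thresholds)."""
    findings = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        mean, cv = beacon_score(stamps)
        if cv <= max_cv:
            findings[pair] = {"count": len(stamps),
                              "mean_interval_s": round(mean, 1), "cv": round(cv, 3)}
    return findings

if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} {info}")
```

On the sample log only the 10.0.0.5 pair is reported; the 10.0.0.9 connections to 198.51.100.20 are too few and too irregular to match.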
For IoT-heavy environments — manufacturing, healthcare, retail — IoT security management includes firmware update processes, network segmentation isolating IoT devices from corporate networks, and monitoring of IoT device communication patterns for anomalies indicating compromise.
Real-World Example: Mirai Botnet Takes Down the Internet — 2016
On October 21, 2016, the Mirai botnet launched a massive DDoS attack against Dyn, a DNS provider whose infrastructure served major internet services including Twitter, Amazon, Netflix, Reddit, and GitHub. The attack generated approximately 1.2 Tbps of traffic from approximately 100,000 compromised IoT devices. Major internet services were disrupted for most of a day across the US East Coast. The attack demonstrated that compromised consumer IoT devices — security cameras, DVRs, home routers — represent collective attack infrastructure comparable to the most powerful DDoS capabilities previously available only to nation-states.
Figure: Devices estimated to be part of active botnets at any given time globally, including compromised home routers, IoT devices, servers, and personal computers, most of whose owners are unaware their device is participating in criminal infrastructure.