From Embedded Lab Vienna for IoT & Security


This Wiki entry deals with the topic of botnets. It introduces the reader to the key terminology before discussing the various types of botnets, including architecture and infection methods. The explosion in recent years of IoT devices that lack the security standards of devices such as laptops and smartphones has created a new pool of potential hosts for botnets and exacerbated the problem. Criminals will always look to exploit new technology for illegal financial gains and more must be done on a global level to combat the threat of botnets. Countermeasures and prevention methods will be discussed.

What is a Botnet

A botnet is a network of compromised machines under the control of an attacker.[1]

Types of Botnets

There are two types of botnet architecture: centralised and decentralised.[2] Centralised botnets have a client-server architecture. They usually communicate via the IRC protocol.[3] Decentralised botnets have a peer-to-peer (P2P) or unstructured architecture. To create a botnet, machines or IoT devices first need to be infected to allow for remote control. This is done without the consent of the owners. Infection can be done by a special Trojan virus that can breach the security of users’ computers.[4] The botnet is then controlled by a person called the Botmaster.[3] Infection mechanisms can include web downloads, email attachments as well as automatic bots that scan for vulnerabilities to exploit.[3] Infection can also come in the form of an infected USB stick or an insider attack.


In the centralised model, each bot acts only as a client receiving instructions from a server. There is a central point that forwards the control messages to the bots.[5]

Agent Handler

Agent handlers are compromised machines which are used by the puppet master to launch the attack and make it harder to trace back to the puppet master. The handlers command the compromised agents to perform the attack on the victim.[6]


The IRC model is based on Internet Relay Chat (IRC). This chat is a text-based system that is based on the client-server networking model. The message exchange is grouped into channels which can also be used for group communications. During the infection of the agents, a backdoor with an IRC component is created to receive instructions from the IRC network and for other data transfers. To perform an attack, the puppet master only needs to log into a malicious IRC server and send the instructions to his bot army.[6]
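Because the bots in this model speak ordinary IRC to their server, a network sensor can recognise them by protocol rather than by port. The following is an added example, not part of the original wiki page: it flags internal hosts whose outbound sessions contain an IRC registration (the `NICK` and `USER` commands of RFC 1459), whatever port is used. The session records, addresses, nicknames and channel name are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample: (source IP, destination port, client-to-server payload)
# as a sensor might record the start of outbound TCP sessions.
SESSIONS = [
    ("10.0.5.21", 6667, "NICK cam-a91f\r\nUSER cam 0 * :cam\r\nJOIN #ops\r\n"),
    ("10.0.5.22", 8080, "NICK dvr-03bc\r\nUSER dvr 0 * :dvr\r\nJOIN #ops\r\n"),
    ("10.0.1.10", 443, "\x16\x03\x01\x02\x00\x01"),
    ("10.0.1.11", 80, "GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.0.5.22", 8080, "PONG :irc.example.net\r\n"),
]

# Client commands defined by the IRC protocol (RFC 1459), optionally prefixed.
IRC_LINE = re.compile(r"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PONG|PASS)\b", re.I)
REGISTRATION = {"NICK", "USER"}  # both are required to register a connection


def irc_commands(payload):
    """Return the IRC commands that start a line of the payload."""
    found = []
    for line in payload.split("\r\n"):
        match = IRC_LINE.match(line)
        if match:
            found.append(match.group(1).upper())
    return found


def find_irc_clients(sessions):
    """Map each host that registered with an IRC server to its (port, command) pairs."""
    seen = defaultdict(set)
    registered = set()
    for src, port, payload in sessions:
        commands = irc_commands(payload)
        if REGISTRATION <= set(commands):
            registered.add(src)
        for command in commands:
            seen[src].add((port, command))
    return {src: sorted(seen[src]) for src in registered}


if __name__ == "__main__":
    for host, activity in sorted(find_irc_clients(SESSIONS).items()):
        print(host, activity)
```

A hit on a network segment that holds cameras, recorders or other IoT devices is worth investigating, since such devices have no legitimate reason to join a chat network.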


In the P2P model, each bot or node acts as both client and server. This means it can both send and receive commands. A P2P botnet is much harder to disrupt because the P2P communication system itself is much harder to disrupt.[5] Stopping one bot does not lead to stopping the whole botnet. Control commands can be sent from the command and control centre and are then propagated throughout the botnet via the bots themselves.


The unstructured model is a sub-type of the P2P model where "no single bot would know about any more than one other bot".[5] The bot or controller would send a message and it would get randomly passed on to the next bot.[5] This makes it very hard to detect the bots and it may not even be possible to detect all the bots.[5] The drawback for the attacker is that there is no guarantee of delivery and the latency is very high.[5]


Every botnet needs bots. These are the machines or IoT devices that are infected by an attacker and make up the network. IoT devices include light bulbs, fridges, sensors and health equipment. The bots are controlled by a command and control server which is in turn controlled by the Botmaster.


Botnets can be used for various purposes including DDoS attacks, stealing information from the infected machine (bot), bitcoin mining, spam, phishing, identity theft and keylogging.[3] A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.[7] According to [8], a DDoS service can be hired for as little as $10 per hour, $30-70 per day, $150 per week or $1,200 per month. A list of uses for botnets from [8] is as follows:

  • Attack ISPs, sometimes resulting in denial-of-service to legitimate traffic
  • Send spam email
  • Launch DDoS attacks and bring down websites and APIs
  • Perform click fraud
  • Solve weak CAPTCHA challenges on websites in order to imitate human behaviour during logins
  • Steal credit card information
  • Hold companies to ransom with threats of DDoS attacks

The aim is to make money out of the victims or increase the size of the botnet to in turn make more money.


[9] gives a comprehensive list of actions necessary to protect against and prevent botnets. These include:

  • Ingress and egress filtering
  • Legacy devices that cannot be secured should be located, removed and replaced with secure devices
  • Devices should be kept up to date
  • DDoS mitigation services that are on and off premise should be deployed – Cloudflare, Project Shield (Google), AWS Shield, Microsoft Azure
  • Enterprise traffic should be monitored
  • Market incentives that align with security practice

Further actions from [9] are:

  • Using industry-led inclusive processes, establish internationally applicable IoT capability baselines supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards
  • Internet service providers should expand current information sharing to achieve timelier and effective sharing of actionable threat information both domestically and globally
  • Home IT and IoT products should be easy to understand and simple to use securely


Six countermeasures, as described in [10], are:

  • Command and Control Server Takedown

Command and control server takedown is only possible when the server location is known. Even if the location is known, it still may not be possible to stop the server due to backups, issues coordinating with law enforcement and geographical constraints.

  • DNS-based Countermeasures

DNS-based countermeasures only work if the command and control infrastructure of the botnet is based on DNS. It requires the de-registration of the domains used by the botnet. It only affects the newly connected hosts and not the already connected computers.

  • Response DDoS

For this countermeasure to work, the command and control endpoints need to be known. A DDoS response will only keep the botnet offline as long as the DDoS response lasts. DDoS attacks are illegal in most countries which means that this countermeasure should not be considered.

  • Hack-Back

If a command and control server can be found then it would be possible to disable the botnet via hacking. A vulnerability must be found and compromised in the infrastructure and this countermeasure requires a specialised penetration team. The ethics of hacking a compromised machine are a little murky. It is possible that third-party data is obtained as a result of hacking.

  • Infiltration/Manipulation

This countermeasure identifies and exploits weaknesses in the command and control protocol and/or architecture.

  • BGP Blackholing

BGP Blackholing (also known as sinkholing) is the redirecting of botnet-related traffic. Redirected traffic can be discarded or analysed to gain insight into the botnet.
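As an illustration of what analysing redirected traffic can yield, the following added example (not part of the original wiki page) groups connections arriving at a sinkhole by source address and separates hosts that check in at a regular interval, which is typical of a bot polling its command and control server, from irregular visitors. The log format, the addresses and the `min_hits` and `max_jitter` thresholds are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sinkhole log: "<ISO timestamp> <source IP> <destination port>"
LOG = """\
2020-01-07T10:00:00 198.51.100.7 80
2020-01-07T10:05:01 198.51.100.7 80
2020-01-07T10:10:00 198.51.100.7 80
2020-01-07T10:15:02 198.51.100.7 80
2020-01-07T10:00:10 203.0.113.40 80
2020-01-07T10:00:11 203.0.113.40 443
2020-01-07T10:00:12 203.0.113.40 8080
2020-01-07T10:07:40 203.0.113.40 80
2020-01-07T10:02:30 192.0.2.99 80
"""


def parse(log):
    """Group connection timestamps by source IP."""
    hits = defaultdict(list)
    for line in log.splitlines():
        timestamp, src, _port = line.split()
        hits[src].append(datetime.fromisoformat(timestamp))
    return hits


def classify(hits, min_hits=4, max_jitter=0.1):
    """Return {source: (label, hit count, mean gap in seconds or None)}."""
    report = {}
    for src, times in hits.items():
        times.sort()
        if len(times) < min_hits:
            report[src] = ("insufficient-data", len(times), None)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Jitter = spread of the gaps relative to their mean; low means periodic.
        jitter = pstdev(gaps) / avg if avg else 1.0
        label = "likely-bot" if jitter <= max_jitter else "irregular"
        report[src] = (label, len(times), round(avg))
    return report


if __name__ == "__main__":
    for src, row in sorted(classify(parse(LOG)).items()):
        print(src, row)
```

The list of sources labelled `likely-bot` is the basis for notifying the affected network operators, and the mean gap gives the polling interval of the bot.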


In conclusion, botnets will continue to pose a threat to enterprises and home users until global standards can be reached to better secure devices, especially IoT devices. An infected IoT device or computer might not be recognisable to the average user, as the device will continue to function normally, albeit at a slightly reduced capacity. Outages to DNS servers and, for example, a loss of access to services such as Netflix will be, as will the theft of sensitive data such as credit card or banking details from an infected machine. There needs to be globally concerted action to improve standards to make sure the onus does not lie on the consumer. Criminals will always look to exploit weaknesses to make financial gains and to disrupt services. It should not be made easy for them by offering unsecured IoT devices on a platter to be infected.



  1. Ben Stock, Jan Göbel, Markus Engelberth, Felix C Freiling, and Thorsten Holz. Walowdac-analysis of a peer-to-peer botnet. In 2009 European Conference on Computer Network Defense, pages 13–20. IEEE, 2009.
  2. Himanshi Dhayal and Jitender Kumar. Botnet and p2p botnet detection strategies: A review. In 2018 International Conference on Communication and Signal Processing (ICCSP), pages 1077–1082. IEEE, 2018.
  3. Pedram Amini, Muhammad Amin Araghizadeh, and Reza Azmi. A survey on botnet: Classification, detection and defense. In 2015 International Electronics Symposium (IES), pages 233–238. IEEE, 2015.
  4. Kaspersky. What is a botnet?, 2020. Last accessed Thursday 2nd January, 2020.
  5. Michael Bailey, Evan Cooke, Farnam Jahanian, Yunjing Xu, and Manish Karir. A survey of botnet technology and defenses. In 2009 Cybersecurity Applications & Technology Conference for Homeland Security, pages 299–304. IEEE, 2009.
  6. Nazrul Hoque, Jugal K. Kalita. Botnet in DDoS Attacks: Trends and Challenges, pages 2242–2270. IEEE, 2015.
  7. Arbor Networks Google Ideas. What is a ddos attack?, 2013. Last accessed Tuesday 7th January, 2020.
  8. Max Goncharov. Russian underground 101. Trend Micro incorporated research paper, page 51, 2012.
  9. William T Polk. A report to the president on enhancing the resilience of the internet and communications ecosystem against botnets and other automated, distributed threats. Technical report, NIST, 2018.
  10. Christian Czosseck, Gabriel Klein, and Felix Leder. On the arms race around botnets - setting up and taking down botnets. In 2011 3rd International Conference on Cyber Conflict, pages 1–14. IEEE, 2011.