Botnet

A network of compromised devices ("bots") controlled remotely by an attacker, used to launch DDoS attacks, send spam, mine cryptocurrency, or brute-force credentials at scale.

What is a botnet?

A botnet is a collection of internet-connected devices that have been infected with malware and are controlled as a single unit by a remote operator — the "botmaster." Each compromised device (a bot or zombie) runs quietly in the background while listening for instructions from a command-and-control (C2) server. Modern botnets span tens of thousands to millions of devices, including residential routers, IP cameras, DVRs, and unpatched servers.

What botnets are used for

Botnets are a rented commodity in the criminal economy. The same network can be repurposed for:

  • DDoS attacks — the classic use; flood a target with traffic from thousands of source IPs
  • Spam delivery — send millions of messages without the sender IPs tracing back to the botmaster
  • Credential stuffing and brute force — distribute attempts across bots so no single IP trips rate limits
  • Click fraud — simulate ad clicks to drain advertiser budgets
  • Cryptomining — steal CPU cycles from infected devices
  • Proxy-for-rent — sell bot IPs as "residential proxies" to customers who want to look like real users

How botnets are detected

Network-level detection looks for beaconing — periodic outbound connections from one host to the same remote host with suspiciously regular timing, which is how bots poll their C2 server for instructions. IP reputation databases flag IPs that have been seen participating in known botnet campaigns; traffic from those IPs is treated as high-risk by default. At internet scale, takedowns usually require sinkholing the C2 domain or seizing the operator's infrastructure. For defenders of individual services, checking source IPs against an IP abuse report checker quickly flags traffic from known-bot IPs.
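The beaconing check described above, as an added example that is not part of the original page: it groups outbound connections by (source, destination) pair and flags pairs whose inter-connection intervals are unusually regular. The log format, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not real traffic), one "epoch_seconds src_ip dst_ip" per line.
# 10.0.0.5 -> 203.0.113.9 checks in every ~300 s: the beaconing pattern the text describes.
# 10.0.0.7 -> 198.51.100.4 is irregular, user-driven browsing and should not be flagged.
SAMPLE_LOG = """\
0 10.0.0.5 203.0.113.9
301 10.0.0.5 203.0.113.9
599 10.0.0.5 203.0.113.9
902 10.0.0.5 203.0.113.9
1201 10.0.0.5 203.0.113.9
1500 10.0.0.5 203.0.113.9
0 10.0.0.7 198.51.100.4
45 10.0.0.7 198.51.100.4
520 10.0.0.7 198.51.100.4
540 10.0.0.7 198.51.100.4
1410 10.0.0.7 198.51.100.4
"""

def parse_connections(log_text):
    """Group connection timestamps by (src, dst), skipping blank or malformed lines."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, dst = parts
        by_pair[(src, dst)].append(float(ts))
    return by_pair

def find_beacons(log_text, min_connections=5, max_cv=0.10):
    """Return {(src, dst): stats} for pairs whose intervals are regular: low coefficient
    of variation (stdev / mean of the gaps) over enough connections is the beacon signal."""
    beacons = {}
    for pair, stamps in parse_connections(log_text).items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")  # identical stamps: not a beacon
        if cv <= max_cv:
            beacons[pair] = {"connections": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons

if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['connections']} connections every ~{s['mean_interval']:.0f}s (cv={s['cv']:.3f})")
```

Legitimate agents (NTP clients, update checkers, monitoring probes) also beacon, so treat a hit as a lead to enrich with the destination's IP reputation rather than as a verdict.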

Frequently Asked Questions

What are botnets used for?

Botnets are rented for DDoS attacks, spam and phishing delivery, credential stuffing and brute-force login attempts, click fraud against ad networks, cryptomining on the infected device, and — increasingly — sale as "residential proxy" pools so buyers can blend in with normal home-ISP traffic.

How does a device become part of a botnet?

Through malware infection: a default-password IoT device gets scanned and taken over, a user installs a trojanized app, an unpatched server is exploited remotely, or a phishing attachment delivers a dropper. Once infected, the device beacons to a command-and-control server and waits for instructions, running quietly enough that most owners never notice.

How can I tell if my device is part of a botnet?

Signs include unexplained outbound traffic when the device is idle, slow performance or overheating, ISP abuse notices, your IP appearing on spam or abuse blocklists, and unusual DNS lookups to random-looking domains. On a home router, check for unknown open ports or sudden bandwidth spikes in the admin panel.

Can botnets be taken down?

Sometimes. Coordinated takedowns sinkhole the command-and-control domains, seize hosting infrastructure, or arrest operators — the Emotet, Mirai source-leak, and Qakbot operations are examples. But many devices stay infected and get absorbed into the next botnet because the underlying vulnerability was never patched.

How big can botnets get?

The Mariposa botnet (2008–2010) infected around 12 million devices, and the 911 S5 residential-proxy botnet dismantled in 2024 included over 19 million compromised IPs across 190+ countries. Mirai variants in 2016 powered the then-record 1.1 Tbps DDoS attack on DNS provider Dyn by coordinating hundreds of thousands of IoT devices.