
Botnet

A botnet is a network of infected computer devices (called bots or zombies) that are remotely controlled by cybercriminals. The name botnet comes from combining the words 'robot' and 'network'. Botnets consist of many devices - from personal computers to IoT devices - that have been infected with malware allowing the attacker (botmaster) to take control of them without the owners' knowledge.

What is a Botnet?

How Does a Botnet Work?

Botnet operation can be divided into several stages:

  • Infection: The attacker spreads malware that infects devices.

  • Taking Control: Infected devices connect to the command and control (C&C) server.

  • Waiting for Orders: Bots remain dormant, waiting for commands from the botmaster.

  • Attack Execution: On the botmaster’s command, all bots simultaneously perform specified actions.

Types of Botnets

  • Centralized: Based on a client-server model, where all bots communicate with a central C&C server.

  • Decentralized (P2P): Bots communicate with each other, making botnet detection and neutralization more difficult.

  • Hybrid: Combines features of both models above.

Typical Botnet Uses

  • DDoS (Distributed Denial of Service) attacks
  • Spam distribution
  • Theft of personal and financial data
  • Cryptojacking (illegal cryptocurrency mining)
  • Malware distribution
  • Conducting brute-force attacks

How Do Devices Become Part of a Botnet?

  • Exploitation of security vulnerabilities
  • Phishing and social engineering
  • Infected email attachments
  • Malicious websites
  • Unsecured IoT devices

Threats Associated with Botnets

  • Privacy and personal data loss
  • Decreased performance of infected devices
  • Use of the device's resources for illegal activities
  • Exposure to additional attacks and infections
  • Financial losses for companies and organizations

Botnet Detection Methods

  • Network traffic analysis
  • System behavior monitoring
  • Log analysis
  • Using intrusion detection and prevention systems (IDS/IPS)
  • Advanced behavioral analysis

Protection Against Botnets

  • Regular system and software updates
  • Using strong passwords and two-factor authentication
  • Using antivirus software and firewalls
  • User education in cybersecurity
  • Network segmentation and privilege limitation

Famous Botnet Attack Examples

  • Mirai: IoT botnet responsible for massive DDoS attacks in 2016.
  • Zeus: Specializing in banking data theft.
  • Conficker: One of the largest botnets, infecting millions of computers.
  • Gameover Zeus: Advanced botnet used for financial attacks.
  • Emotet: Modular botnet used for malware distribution.

Related Terms

  • DDoS - primary use of botnets
  • Malware - malicious software creating botnets
  • Trojan - malware type often used for botnet building
  • Cryptojacking - cryptocurrency mining by botnets

Botnets pose a serious threat to cybersecurity, requiring constant vigilance and comprehensive protection measures from both individual users and organizations.

Frequently asked questions

What exactly is a botnet and how does it work?

A **botnet** is a network of infected devices (bots, zombies) remotely controlled by an attacker (botmaster) via Command & Control (C2/C&C) infrastructure. Lifecycle: (1) **Initial infection** — exploit, phishing, supply chain compromise, RDP/SSH brute force, unsecured IoT (default passwords). (2) **Persistence** — boot autostart, registry keys, scheduled tasks, fileless in memory. (3) **C2 communication** — the bot connects to the C&C server (HTTP/HTTPS, IRC, DNS tunneling, Tor, Telegram, P2P) and waits for commands; modern botnets use DGA (Domain Generation Algorithms) — algorithmically generated C&C domains that the attacker registers only shortly before use. (4) **Command execution** — DDoS, spam, data theft (banking, credentials), cryptojacking, ransomware delivery, anonymization proxy, click fraud. Scale: a typical botnet has 10K-1M bots; the record holder Mariposa had 12M+ devices, Mirai ~600K IoT, Emotet ~1.6M, Mantis (2022) only 5K machines but 26M req/sec. **Botnets-as-organizations** — recently classified as 'organizations' by Europol; takedowns require 10+ country coordination.

What types of botnets exist by C&C architecture?

Three main models: (1) **Centralized (client-server)** — all bots communicate with one or a few C&C servers; protocols: HTTP/HTTPS (Zeus, Citadel), IRC (classic, GTbot), Tor hidden services (newer botnets), Telegram (latest C&C-as-a-service). Easy to orchestrate but a **single point of failure** — a C&C takedown kills the botnet. (2) **Decentralized (P2P)** — bots communicate using protocols like Kademlia DHT; examples: Storm, Waledac, Sality, Gameover Zeus, Mozi (IoT). Resilient against takedown but slower command propagation (P2P latency). (3) **Hybrid** — combines both: super-peers act as mini-C&Cs, normal bots connect to them over P2P; examples: Conficker C/D, ZeroAccess. **Trends 2024-2026**: (a) **DGA + DoH** — algorithmic domains resolved via DNS-over-HTTPS to evade DPI, (b) **Domain fronting** — C&C hidden behind legitimate CDNs (CloudFront, Fastly), (c) **Telegram/Discord C&C** — easy setup, hard to take down because they are legitimate platforms, (d) **Living-off-the-cloud** — C&C in GitHub Gists, Pastebin, Google Docs.

What are the most famous botnets in history?

Top 12 botnets by impact: (1) **Storm Worm** (2007, ~50M machines) — first major P2P botnet, used for spam. (2) **Conficker** (2008-2009, ~9-15M) — spread via SMB, defended against antivirus. (3) **Zeus/ZeuS** (2007-2014) — banking trojan, stole $100M+; code leaked 2011 → hundreds of variants (Citadel, GameOver Zeus). (4) **Cutwail** (2007-, peak 1.5M) — spam, $2B/year market value. (5) **Mariposa** (2008-2009, 12.7M) — credential theft, DDoS. (6) **Mirai** (2016, ~600K IoT) — cameras/routers with default passwords, attack on Dyn DNS took down half the US internet; open-sourced → hundreds of forks (Satori, Okiru, Masuta). (7) **Emotet** (2014-2021, 1.6M peak) — 'banking trojan → modular dropper'; Europol takedown January 2021, **resurrection November 2021**, another takedown 2023. (8) **TrickBot** (2016-2022) — Emotet's 'cousin', delivery for Ryuk/Conti ransomware. (9) **Necurs** (2012-2020, 9M) — spam and Dridex/Locky distribution; Microsoft takedown 2020. (10) **Mozi** (2019-2023, 1.5M IoT) — P2P, 90% of IoT botnet traffic in 2020; suddenly shut down 2023 (possible 'kill switch' from Chinese authorities). (11) **Mantis** (2022, 5K machines) — record L7 attacks: 26M req/sec on Cloudflare. (12) **Anubis/Cerberus** (Android banking, 2018-) — mobile.

How do IoT botnets differ from traditional ones?

**IoT botnets** have unique dynamics: (1) **Potential scale** — 50+ billion IoT devices by 2030 vs ~1.5B PCs; every camera/router/lamp is a potential bot. (2) **Weak security** — default passwords (admin/admin, root/12345), no update process, embedded Linux with 5+ year old vulnerabilities, no antivirus. (3) **Always-on, broadband** — IoT runs 24/7 with a gigabit connection, ideal for DDoS. (4) **Unified exploits** — port scanning 23/2323 (Telnet), 22 (SSH), 7547 (TR-069), 81/8080 (HTTP admin); one exploit infects millions of identical devices. (5) **Hard remediation** — the owner does not know the router is infected; the only fix is a factory reset + firmware update (which most owners never do). **Top IoT botnets**: Mirai (cameras, DVRs), Mozi (Netgear, D-Link, Huawei routers), Hajime, Reaper/IoTroop, Persirai, BrickerBot (sabotage — destroyed devices to 'clean' them from Mirai), Echobot, Hide and Seek (P2P, persistence through reboot — rare in IoT). **Defense**: change default passwords, VLAN segmentation for IoT, monitor outbound traffic (a camera shouldn't connect to 50 IPs in China), firmware updates, block Telnet/SSH at the network edge, use devices from vendors with patch programs.
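The two outbound-traffic symptoms the defence list above asks you to watch for (a device probing Telnet/SSH on many external hosts, and a device fanning out to far more external peers than its function needs) can be checked from flow records alone. The script below is an added example, not code from the page or from any vendor; the flow records, the IoT VLAN (10.20.0.0/24) and the alert thresholds are constructed assumptions.

```python
"""Added example, not code from the page or any vendor: flag IoT devices whose
outbound traffic looks like Mirai-style Telnet/SSH scanning or C&C fan-out,
the two behaviours the defence list above says to watch for."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src_ip, dst_ip, dst_port). In practice these come
# from NetFlow/IPFIX exports or the edge firewall's connection log.
FLOWS = [
    # Well-behaved camera: vendor cloud on 443 and NTP only.
    ("10.20.0.11", "203.0.113.10", 443),
    ("10.20.0.11", "203.0.113.10", 443),
    ("10.20.0.11", "198.51.100.5", 123),
    # DVR probing Telnet on many external hosts: worm-like scanning.
    *[("10.20.0.12", f"192.0.2.{i}", 23) for i in range(1, 41)],
    ("10.20.0.12", "192.0.2.250", 2323),
    # Router reaching dozens of unrelated external IPs: C&C/P2P fan-out.
    *[("10.20.0.13", f"203.0.113.{100 + i}", 443) for i in range(1, 30)],
    # Internal-only traffic must never count as external fan-out.
    ("10.20.0.14", "10.20.0.1", 53),
]

# Assumed values for this example: the IoT VLAN, the admin ports the text says
# to block at the edge, and the alert thresholds.
IOT_VLAN = ip_network("10.20.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 23, 2323}
SCAN_THRESHOLD = 10     # distinct external hosts contacted on admin ports
FANOUT_THRESHOLD = 20   # distinct external hosts contacted on any port


def is_internal(ip):
    """True if the address is in one of our RFC 1918 ranges. (ipaddress' own
    is_private also covers the documentation ranges used here as sample
    'external' addresses, so an explicit list is used instead.)"""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(flows):
    """Return {device_ip: [reasons]} for IoT devices with suspicious egress."""
    peers = defaultdict(set)        # device -> all external destinations
    admin_peers = defaultdict(set)  # device -> external destinations on admin ports
    for src, dst, port in flows:
        if ip_address(src) not in IOT_VLAN or is_internal(dst):
            continue
        peers[src].add(dst)
        if port in ADMIN_PORTS:
            admin_peers[src].add(dst)

    alerts = {}
    for device in peers:
        reasons = []
        n_admin = len(admin_peers.get(device, ()))
        if n_admin >= SCAN_THRESHOLD:
            reasons.append(f"Telnet/SSH scanning: {n_admin} external hosts on admin ports")
        if len(peers[device]) >= FANOUT_THRESHOLD:
            reasons.append(f"fan-out: {len(peers[device])} distinct external peers")
        if reasons:
            alerts[device] = reasons
    return alerts


if __name__ == "__main__":
    for device, reasons in analyse(FLOWS).items():
        print(device, "->", "; ".join(reasons))
```

Running it flags the DVR for both scanning and fan-out and the router for fan-out only; the camera and the internal-only host stay quiet. A real deployment would compute the fan-out baseline per device type rather than use one fixed threshold, and any outbound Telnet/SSH from the IoT VLAN is itself a policy violation worth alerting on even below the scan threshold.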

How to detect and analyze botnet traffic?

Five layers of detection: (1) **Network-level** — DNS traffic analysis (anomalous query frequency, queries to newly registered domains, ML-based DGA detection), beaconing detection (regular C&C check-in intervals: every 60s ± jitter), Tor/I2P traffic, unexpected ports (IRC 6667, custom). (2) **Endpoint** — EDR/AV malware-as-bot detection, persistence mechanisms (autorun, scheduled tasks, services), unusual process trees (cmd.exe spawned by browser), connections to known C&C IPs. (3) **Behavioral analytics** — UEBA detects accounts sending 1000+ emails/hour (spam bot), miner consuming 100% CPU without user activity, device participating in internal network scanning (lateral movement). (4) **Threat intelligence feeds** — Spamhaus DROP/EDROP, abuse.ch (Feodo Tracker, ThreatFox), CIRCL, MISP communities, commercial (Recorded Future, Mandiant Advantage); block communication to known C&C IPs/domains. (5) **Sinkhole analysis** — researchers seize C&C domains (after DGA registration expiration) and log connecting IPs — enables mapping of infected devices. **Tools**: Zeek (Bro) with botnet-detection scripts, Suricata with ET Open ruleset, Wireshark for deep analysis, Joe Sandbox / Cuckoo for dynamic malware sample analysis, Maltego for C&C infrastructure mapping.
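Two of the network-level detections named above, beaconing (regular check-in intervals of roughly 60 s plus jitter) and DGA-like query names, are simple enough to show end to end. The script below is an added example, not code from the page or from Zeek/Suricata; the connection log is constructed inline, and the thresholds (minimum of 6 connections, coefficient of variation below 0.2, label length 12 and entropy 3.5 bits) are assumptions for the example. The DGA check is a cheap lexical filter, not the ML-based detection the text refers to.

```python
"""Added example (not code from the page): two network-level detections run
over constructed data: (1) beaconing detection from the regularity of
connection intervals to one destination, (2) a lexical DGA heuristic."""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the page.
MIN_CONNECTIONS = 6       # enough samples to judge regularity
MAX_CV = 0.2              # stddev/mean below this = suspiciously regular
DGA_MIN_LEN = 12          # registrable label length
DGA_MIN_ENTROPY = 3.5     # bits per character


def build_sample_log():
    """Constructed connection log, one 'timestamp src dst port' line each.
    10.0.0.5 checks in with 198.51.100.20 every ~60 s (+/- a few seconds of
    jitter); 10.0.0.7 browses 203.0.113.8 at irregular intervals."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 3, -2, 4, -1, 2, 0, -3, 1, 2]):
        ts = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{ts.isoformat()} 10.0.0.5 198.51.100.20 443")
    offset = 0
    for gap in [0, 5, 120, 2, 400, 15, 60, 900, 3]:
        offset += gap
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} 10.0.0.7 203.0.113.8 443")
    return lines


def find_beacons(lines):
    """Return {(src, dst): mean_interval_seconds} for pairs whose connection
    intervals are numerous and regular enough to look like a C&C heartbeat."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst, _port = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: jitter of a few seconds on a 60 s
        # interval stays far below MAX_CV; human browsing does not.
        if statistics.pstdev(gaps) / mean < MAX_CV:
            beacons[pair] = round(mean, 1)
    return beacons


def shannon_entropy(text):
    """Entropy in bits per character of the given string."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_like(domain):
    """Lexical heuristic: long, high-entropy registrable label. Assumes a
    single-label TLD (co.uk-style suffixes would need a public suffix list);
    long dictionary words such as 'documentation' stay below the threshold."""
    labels = domain.lower().rstrip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= DGA_MIN_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


if __name__ == "__main__":
    print("beacons:", find_beacons(build_sample_log()))
    for name in ["www.example.com", "documentation.org", "xkq7vz9mwp2rt.net"]:
        print(name, "DGA-like" if dga_like(name) else "ok")
```

The beacon detector reports only the 10.0.0.5 pair, with a mean interval of about 60 s; both checks are meant as first-stage filters whose hits are then compared against threat-intelligence feeds and newly-registered-domain data, as the text describes.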

What were the largest botnet takedowns and what did they teach us?

Six landmark operations: (1) **Operation Tovar (2014)** — Gameover Zeus + CryptoLocker takedown; FBI + Europol + 12 countries + Microsoft + Symantec; seizure of 7 C&C servers, P2P sinkholing, arrest of Evgeniy Bogachev (still on FBI Most Wanted, $3M reward). (2) **Avalanche (2016)** — global malware-as-a-service platform hosting 20+ malware families; 30+ countries, 800K+ domains sinkholed; revealed one platform can support many cybercriminals. (3) **Necurs (2020)** — Microsoft Digital Crimes Unit seized 6M DGA domains 25 months in advance; Microsoft and 35 countries; **lesson: DGA can be defeated through predictive registration**. (4) **Emotet (Operation Ladybird, January 2021)** — Europol + Eurojust + 8 countries; seizure of 700+ servers; bot operators sent 'self-uninstall' update; **resurrection November 2021** shows takedown without arrests is half-measure. (5) **Joker's Stash (2021)** — takedown of carding marketplace fueled by credential-stealing botnets. (6) **Qakbot (Operation Duck Hunt, August 2023)** — FBI seized infrastructure and sent uninstall command to 700K infected computers (unprecedented move). **Lessons**: (a) takedown without arrests → resurrection; (b) international coordination required (operators in non-cooperative jurisdictions); (c) sinkhole + remediation outreach to victims; (d) legal boundaries (Microsoft uses civil suits instead of criminal to seize domains — faster).

How to protect an organization from being included in a botnet?

Layered defense: **Prevention** (stop infection): (1) **Patch management** — most botnets exploit known CVEs; 30-day SLA for critical patches, automatic OS and browser updates. (2) **EDR/XDR** — endpoint protection detecting persistence mechanisms and C2 traffic. (3) **Email security** — anti-phishing (Proofpoint, Mimecast), attachment sandboxing (FireEye, Cloudflare Area 1). (4) **Web filtering** — SWG blocks known C&C domains, 'malware', 'newly registered domains' categories. (5) **MFA everywhere** — protects against credential-stuffing botnets. (6) **IoT hardening** — change default passwords, VLAN segmentation, block Telnet/SSH/UPnP at edge. **Detection**: (7) **DNS firewall** (Cloudflare Gateway, Cisco Umbrella) — blocks C&C queries; log all DNS queries. (8) **NetFlow analysis** — anomalous outbound connections, beaconing patterns. (9) **TI feeds** integrated with firewall/SIEM — automatic blocking of known C&C IPs. **Response**: (10) **IR playbook** for 'host communicating with C&C' — network isolation, EDR triage, image collection, reimage. (11) **Threat hunting** — proactive hunt for indicators (Sysmon logs, autoruns, scheduled tasks). (12) **Post-incident** — root cause analysis (how was it infected?), strengthen the layer that failed. **Useful frameworks**: MITRE ATT&CK (TA0011 Command and Control), CIS Controls v8 (controls 4, 9, 10, 13), NIST CSF (Detect, Respond functions).
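The threat-hunting step above (Sysmon logs, autoruns, scheduled tasks) comes down to a few questions asked of endpoint telemetry: which Run-key values and scheduled tasks point at programs outside trusted directories, and which shells were started by a browser. The script below is an added example, not code from the page or from Sysmon; the events are constructed, their field names mirror Sysmon's (Image, ParentImage, TargetObject, Details, CommandLine), and the trusted-path list and the browser/shell names are assumptions for the example.

```python
"""Added example (not code from the page): a small hunt over Sysmon-style
events for the persistence mechanisms the text lists (autorun registry keys,
scheduled tasks) and for the 'browser spawning a shell' process-tree anomaly."""
import re

# Constructed events. IDs follow Sysmon: 1 = process create, 13 = registry
# value set. All paths and task names are made up for the example.
EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"event_id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "target_object": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"schtasks /create /tn SysHealth /sc minute /mo 15 /tr C:\Users\Public\health.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"schtasks /create /tn Backup /sc daily /tr C:\Program Files\Backup\bk.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r"cmd.exe /c dir"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe"},
]

# Assumed policy: programs under these directories are considered trusted.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def is_trusted_path(path):
    """Case-insensitive prefix check against the trusted directories."""
    return path.lower().lstrip('"').startswith(TRUSTED_PREFIXES)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tr_target(command_line):
    """Program path given to schtasks' /tr switch: everything after /tr up to
    the next switch or the end of the line, so paths with spaces survive."""
    m = re.search(r"/tr\s+(.+?)(?=\s+/\w|$)", command_line, re.IGNORECASE)
    return m.group(1) if m else None


def hunt(events):
    """Return (finding_type, subject, evidence) tuples."""
    findings = []
    for ev in events:
        if ev["event_id"] == 13:
            # Matches ...\CurrentVersion\Run\* and \RunOnce\* values.
            if "\\currentversion\\run" in ev["target_object"].lower() \
                    and not is_trusted_path(ev["details"]):
                findings.append(("autorun", ev["target_object"], ev["details"]))
        elif ev["event_id"] == 1:
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            if image == "schtasks.exe" and "/create" in ev["command_line"].lower():
                target = tr_target(ev["command_line"])
                if target and not is_trusted_path(target):
                    findings.append(("scheduled_task", target, ev["command_line"]))
            if parent in BROWSERS and image in SHELLS:
                findings.append(("browser_spawned_shell", parent, ev["command_line"]))
    return findings


if __name__ == "__main__":
    for kind, subject, evidence in hunt(EVENTS):
        print(f"[{kind}] {subject} <- {evidence}")
```

On the constructed events the hunt returns three findings (the user-profile Run value, the scheduled task pointing at C:\Users\Public, and cmd.exe under firefox.exe) and ignores the OneDrive autorun and the Program Files task. The same three questions map onto the IR playbook step above: a hit is the trigger for isolating the host and triaging it in the EDR.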
