What Are Botnets and How Are They Used in DDoS Attacks? 

In February 2024, a news story about a major DDoS attack involving 3 million smart toothbrushes surfaced online. Later, it turned out the incident never actually occurred. Nevertheless, this fake story sparked public concern, driving discussions about botnets and associated threats.

What do modern botnets look like? Why are they used, and what types exist? Learn more in our article.

The Concept of Botnet

A botnet is a network of devices infected with malware, allowing attackers to control them remotely. These devices — ranging from personal computers to IoT gadgets like smart cameras or vacuum cleaners — can be used for a variety of malicious purposes, from sending spam to launching cyberattacks.

The term “botnet” comes from the words “robot” and “network.” For a device to be part of a botnet, it needs a basic operating system and internet connectivity. Once compromised, the device becomes a “bot” or “zombie,” controlled by an attacker (known as a “botmaster”). Control is usually centralized via a server or decentralized through a peer-to-peer (P2P) system, making detection more difficult.

The Evolution of Botnets

Early botnets from the 2000s were simple, but over time, they have become more sophisticated and powerful. The growth of smart homes and IoT (Internet of Things) devices has dramatically increased the scale of these networks.


Botnet Growth Dynamics (based on our analysts’ data):

Year   Average number of devices per botnet
2023   6,000
2024   30,000
2025   72,000

Types and Uses of Botnets

Botnets can serve many purposes depending on the attacker’s goals. Here are the four main types:

1. Mining Botnets
Cybercriminals use infected devices to secretly mine cryptocurrency. This kind of botnet exploits the processing power of unsuspecting victims’ computers, often leading to increased strain on their GPUs and CPUs. If your device suddenly slows down for no reason, it might be part of a mining botnet.

2. Data-Theft Botnets
Botnets can steal sensitive information like banking credentials or account passwords. For instance, the notorious ZeuS botnet stole banking data worldwide in the late 2000s, causing an estimated $70 million in damages.

Stolen credentials can be sold, used for fraud, or even exploited by competitors. For example, in e-commerce, botnets can scrape and manipulate inventory data. To mitigate such risks, it is essential to use anti-bot solutions.

3. Spam Botnets
Hackers use botnets to send massive amounts of spam, including phishing emails designed to trick victims into sharing personal information or sending money. By leveraging thousands of infected devices with different IP addresses, these attacks can bypass spam filters and reach inboxes more effectively.

4. DDoS Botnets
When attackers want to crash a website or online service, they use botnets to flood it with traffic in a Distributed Denial-of-Service (DDoS) attack. These attacks are distributed across thousands of devices, making them highly powerful and harder to block.

The process usually looks like this:

  1. Devices are infected with malware, giving the attacker control.
  2. The attacker targets a website or service.
  3. Commands are sent to the infected devices.
  4. The devices overwhelm the target with malicious traffic, causing it to crash.

Famous Botnets

Over the years, several botnets have made headlines:

  • Mirai: Known for infecting IoT devices like smart home gadgets with weak default passwords, Mirai caused over $100 million in damages in the 2000s.
  • JackSkid: An evolved version of the Mirai botnet. It exploits vulnerabilities, including zero-day flaws, and compromises devices through brute-force attacks on weak passwords. It can simultaneously deploy tens of thousands of bots. In developing JackSkid, attackers enhanced the original Mirai scanning engine, allowing them to take control of IoT devices more quickly. These compromised devices are then used not only for DDoS attacks but also for cryptocurrency mining and the theft of sensitive data from infected systems.
  • Gafgyt: Closely related to Mirai, this botnet also targeted IoT devices and was widely used for DDoS attacks.
  • Mantis: Named one of the most powerful DDoS botnets by Cloudflare in 2022, it could generate over 25 million requests per second. Unlike Mirai and Gafgyt, Mantis relied more on servers and virtual machines than IoT devices.
  • Mēris: In 2021, this botnet executed a record-breaking DDoS attack on Yandex, generating nearly 22 million requests per second.
  • AISURU and Kimwolf: Large botnets that appear to be part of a shared botnet ecosystem and may be operated by the same cybercriminal group. As of early 2026, they include up to 4 million compromised IoT (Internet of Things) devices. In 2025, AISURU set a record for hyper-volumetric attacks, reaching 31.4 Tbps and 200 million requests per second. Kimwolf was initially used as a malicious proxy service, but was later repurposed for DDoS attacks.

In March 2026, law enforcement agencies in the United States, Canada, and Germany dismantled the command-and-control (C2) infrastructure behind four major botnets — AISURU, Kimwolf, JackSkid, and Mossad. Individuals suspected of orchestrating the attacks were detained.

How to Tell If a Device Is Infected with Malware

The following signs may indicate that a device has been compromised:

  • Unexpected reboots. This is especially suspicious for devices designed to run 24/7, such as surveillance cameras, routers, and smart sensors. Possible causes include a CPU overloaded by externally controlled tasks, attackers updating their malicious code, or the device generating excessive network requests.
  • Unusual power consumption. An infected device may consume significantly more energy than usual. This is especially noticeable on battery-powered IoT devices such as smartwatches, smart doorbells, or motion sensors.
  • Overheating even when idle or under minimal load. This may be caused by malicious processes running in the background.
  • Abnormally high network activity. The device generates unusual traffic, such as increased outgoing data with no clear reason or frequent connections to remote servers.
  • Connections to unknown IP addresses, especially those located abroad or unrelated to the device manufacturer’s infrastructure.
  • Unexplained performance degradation. Applications and web pages take longer to load, the operating system starts slowly or crashes, and internet services or email clients may become unstable.
  • Disrupted core functionality. For example, surveillance cameras stop recording or streaming video, and smart sensors respond slowly or stop working altogether because system and network resources are being used by the botnet.
  • Suspicious processes that appear in the task manager or system logs and reappear after being terminated.
  • Unknown applications installed on the device without your knowledge.
  • Changes to system, browser, or device settings that you did not make.
  • Messages sent from your account via email, messaging apps, or social media — the device may be used to send spam.
  • Blocking and blacklisting. Email servers may be added to anti-spam lists, or external services may block connections from your IP address. Your provider may also report unusual traffic spikes or suspicious activity.
  • Security alerts from antivirus or other protection tools, such as blocked outgoing connections or detected malware.

What to Do If Your Device Has Joined a Botnet

  1. Disconnect the device from the internet to break communication with the command-and-control server.
  2. Back up important files to external storage such as a USB drive or external disk.
  3. Reset the device to factory settings and restore data from a backup.
  4. Clean startup processes and disable any suspicious services.
  5. Change all passwords, especially for email, banking, and messaging accounts.
  6. Update the operating system and antivirus software, as updates often patch known vulnerabilities.
  7. Run a full malware scan to ensure no threats remain.
  8. If necessary, reinstall the operating system if other measures do not resolve the issue.

How to Prevent a Device from Joining a Botnet

  • Regularly update your operating system and applications. Updates often fix known vulnerabilities.
  • Use a modern antivirus solution and keep it up to date.
  • Enable a firewall and do not ignore its warnings.
  • Set strong, unique passwords for all devices and services. Avoid default credentials, as botnet scanners can easily exploit them. Do not reuse passwords across accounts.
  • Enable two-factor or multi-factor authentication to protect accounts from unauthorized access.
  • Avoid opening suspicious emails, attachments, or links. Even if a message appears to come from someone you know, verify the sender’s address.
  • Download software only from official websites or trusted app stores. If you must use other sources, always scan files before opening them.
  • Secure network devices. Change default admin credentials, disable remote access if not needed, enable Wi-Fi encryption, and keep firmware up to date.
  • Segment your network and control access. Use a separate network for IoT devices so that a compromise does not expose critical systems. Implement intrusion detection systems (IDS) and endpoint protection solutions (EDR).
  • Configure DNS protection. Technologies that block connections to known malicious domains act as a first line of defense before connections are established.
  • Be cautious when using public Wi-Fi networks. Attackers may intercept traffic or attempt to gain access to your device, sometimes posing as legitimate network providers.
  • Train employees in basic cybersecurity practices.
  • Monitor traffic and device behavior. Sudden spikes in outbound traffic, connections to unknown IPs, unexpected reboots, or increased power consumption should trigger further investigation.

Tools and Technologies for Detecting Anomalies

Network monitoring tools can help detect suspicious activity:

  • Wireshark (wireshark.org) — a tool for detailed analysis of network packets.
  • tcpdump — a utility for capturing and analyzing network traffic.

To determine whether specific IP addresses are associated with botnets, you can use services such as VirusTotal and AbuseIPDB.

You can also detect compromise by matching your own logs and traffic against Indicators of Compromise (IOCs), such as IP addresses or domains known to be associated with botnets. This typically combines several methods: manual analysis of logs and traffic, automated extraction of indicators from incidents, and maintaining a local IOC collection.
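The matching step described above, as an added example that is not part of the original article: connection records from a device are checked against a local IOC collection (single IPs, a network range, a domain), and external destinations that match neither an IOC nor the device vendor's known hosts are flagged as unknown. All indicators, allowlists, record format and sample records are constructed for the illustration.

```python
"""Added illustration of matching connection records against a local IOC
collection. All indicators, allowlists and records below are constructed
for the example. Assumed record format:
"<epoch> <src_ip> <dst_ip> <dst_port> [<hostname>]"."""
import ipaddress

# Constructed IOC collection: single addresses, a network range, a domain.
IOC_ADDRESSES = {"198.51.100.23"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/26")]
IOC_DOMAINS = {"c2.example-bad.test"}
# Constructed stand-ins for the LAN and for the device vendor's infrastructure.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                     ipaddress.ip_network("10.0.0.0/8")]
VENDOR_HOSTS = {"update.vendor.example"}

CONNECTIONS = [
    "1700000001 192.168.1.20 192.0.2.10 443 update.vendor.example",
    "1700000002 192.168.1.20 198.51.100.23 6667",
    "1700000003 192.168.1.21 203.0.113.9 80",
    "1700000004 192.168.1.21 203.0.113.130 443 api.c2.example-bad.test",
    "1700000005 192.168.1.22 203.0.113.77 80",
    "1700000006 192.168.1.22 10.0.0.5 53",
]

def match_ioc(dst_ip, hostname=None):
    """Return the matching indicator's label, or None when nothing matches."""
    if dst_ip in IOC_ADDRESSES:
        return "ioc-ip"
    addr = ipaddress.ip_address(dst_ip)
    for net in IOC_NETWORKS:
        if addr in net:
            return f"ioc-net:{net}"
    if hostname:
        for domain in IOC_DOMAINS:  # the domain itself or any subdomain of it
            if hostname == domain or hostname.endswith("." + domain):
                return f"ioc-domain:{domain}"
    return None

def review_connections(lines):
    """List (src, dst, port, reason) for IOC hits and for external
    destinations that are neither an IOC nor known vendor infrastructure."""
    findings = []
    for line in lines:
        parts = line.split()
        src, dst, port = parts[1], parts[2], int(parts[3])
        host = parts[4] if len(parts) > 4 else None
        reason = match_ioc(dst, host)
        external = not any(ipaddress.ip_address(dst) in n for n in INTERNAL_NETWORKS)
        if reason is None and external and host not in VENDOR_HOSTS:
            reason = "unknown-external"
        if reason:
            findings.append((src, dst, port, reason))
    return findings
```

The "unknown-external" class is deliberately noisy: it is the list a defender reviews by hand, while the IOC hits are the entries that warrant immediate isolation of the source device.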

Intrusion detection systems (IDS) rely on network signatures:

  • Snort analyzes traffic and compares it against predefined rules. If suspicious activity is detected, it generates alerts and may take actions such as blocking connections or notifying administrators.
  • Suricata (suricata.io) detects suspicious connections and malicious activity.

Traffic can also be filtered at the web server level using tools like Nginx, which provides built-in mechanisms to limit the number of requests from a single IP address or over a given time frame to prevent overload.

Router logs should also be monitored. Most modern devices allow administrators to analyze network connections and block suspicious activity.

Logging Recommendations

  • Maintain a balance. Excessive logging can overload storage, while insufficient logging makes troubleshooting difficult.
  • Assign a unique request ID to each log entry to track its path through the system.
  • Use a consistent log format.
  • Ensure logs are clear and useful for developers and analysts, while avoiding sensitive data.

Key Metrics to Monitor

  • RPS (requests per second) over different time intervals (second, minute, hour) to identify traffic patterns.
  • NXDOMAIN spikes, which may indicate DNS anomalies.
  • Number of unique IP addresses, helping identify distributed attack activity.
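The three metrics above, computed over constructed log lines as an added example that is not part of the original article. It shows why the request rate must be watched over several intervals: the same burst is invisible at per-minute resolution and obvious at per-second resolution, and the unique-IP count separates a single abusive client from distributed activity. The record formats and thresholds are assumptions.

```python
"""Added illustration of the metrics above over constructed log lines (not
real traffic). Assumed record formats: access "<epoch> <ip> <path>",
DNS "<epoch> <ip> <qname> <rcode>". Thresholds are assumptions to tune."""
from collections import defaultdict

# Constructed access records: ten quiet seconds from five LAN clients, then
# three seconds in which 40 distinct addresses each request /login every second.
ACCESS_LOG = [f"{t} 10.0.0.{t % 5 + 1} /index.html"
              for t in range(1_700_000_000, 1_700_000_010)]
ACCESS_LOG += [f"{t} 203.0.113.{i + 1} /login"
               for t in range(1_700_000_010, 1_700_000_013) for i in range(40)]

# Constructed resolver records: one NXDOMAIN in the first minute, three in the next.
DNS_LOG = [
    "1700000001 10.0.0.3 api.example.net NOERROR",
    "1700000002 10.0.0.4 cdn.example.net NOERROR",
    "1700000003 10.0.0.4 qzx7k2.example.test NXDOMAIN",
    "1700000045 10.0.0.9 h4k9p1.example.test NXDOMAIN",
    "1700000046 10.0.0.9 m2v8q6.example.test NXDOMAIN",
    "1700000047 10.0.0.9 t6c1n0.example.test NXDOMAIN",
    "1700000048 10.0.0.9 api.example.net NOERROR",
]

def rps_by_window(lines, window):
    """Request rate and distinct client count per window of `window` seconds."""
    counts, clients = defaultdict(int), defaultdict(set)
    for line in lines:
        ts, ip, _path = line.split(" ", 2)
        bucket = int(ts) // window * window
        counts[bucket] += 1
        clients[bucket].add(ip)
    return {b: {"rps": counts[b] / window, "unique_ips": len(clients[b])}
            for b in counts}

def flag_floods(lines, window=1, rps_limit=20, ip_limit=15):
    """Windows where the rate AND the number of distinct sources are both high.
    A high rate from one or two IPs is a single abusive client; from many
    addresses at once it is the distributed pattern a botnet produces."""
    stats = rps_by_window(lines, window)
    return sorted(b for b, s in stats.items()
                  if s["rps"] > rps_limit and s["unique_ips"] > ip_limit)

def nxdomain_ratio(lines, window=60):
    """Share of NXDOMAIN answers per window; a jump is the DNS anomaly signal."""
    total, nx = defaultdict(int), defaultdict(int)
    for line in lines:
        ts, _ip, _qname, rcode = line.split()
        bucket = int(ts) // window * window
        total[bucket] += 1
        nx[bucket] += rcode == "NXDOMAIN"
    return {b: nx[b] / total[b] for b in total}
```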

Frequently Asked Questions

What Is a Botnet?

A botnet (short for “robot network”) is a network of devices infected with malware and controlled remotely by attackers. These compromised devices are often called “bots” or “zombies.” A botnet can include PCs, smartphones, IoT devices, and even servers.

How Are Botnets Used in DDoS Attacks?

To take a service offline, attackers send massive amounts of traffic from thousands or even millions of compromised devices to a single target.

Here’s how a typical botnet-driven DDoS attack works:

  1. Devices are infected with malware, giving attackers remote access.
  2. A target is selected, and commands are sent to command-and-control (C2) servers.
  3. These servers distribute the command to all infected devices.
  4. The devices then begin flooding the target with malicious requests.

The key advantage of a botnet is scalability: the more devices it includes, the more powerful the attack becomes. At the same time, the true source of the attack is hidden behind a large number of infected nodes.

How Can I Tell If My Device Is Part of a Botnet?

Look out for the following warning signs:

  • The device restarts on its own.
  • It consumes significantly more power than usual.
  • It overheats even when idle or under low load.
  • Network activity increases without a clear reason.
  • The device connects to unknown IP addresses.
  • Performance slows down noticeably.
  • Core functions stop working properly.
  • Applications and services begin to malfunction.
  • Unfamiliar processes or programs appear.
  • System settings change without your involvement.
  • Messages are sent from your accounts without your knowledge.
  • Antivirus or security tools raise alerts.

How Do I Remove a Botnet Infection from a Computer?

You can try the following steps:

  1. Disconnect the device from the internet to cut off communication with the control server.
  2. Run a full antivirus scan. If nothing is detected but infection is still suspected, use specialized scanning tools.
  3. Review startup programs and remove anything unfamiliar or suspicious.
  4. Reinstall the operating system if the malware cannot be removed.
  5. Change passwords for all important accounts.

Can Antivirus Software Protect Against Botnets?

Partially — but it may not be enough against advanced threats. Modern antivirus tools can detect and block well-known botnets during scans or when malware attempts to install itself. Some solutions also include dedicated protection features for this type of threat.

However, antivirus alone is not sufficient against modern botnets. Attackers use sophisticated evasion techniques, encrypted communication, and social engineering. A single antivirus solution — especially a free one — may fail to detect malware that is already inside the system and actively hiding itself.

Effective protection requires a layered approach, including behavioral analysis, network monitoring, segmentation, regular updates, and specialized security solutions.

How to Respond to a Botnet DDoS Attack?

The best strategy is to prepare in advance:

  • Use specialized anti-DDoS services to filter malicious traffic.
  • Deploy firewalls that can detect and block suspicious requests, even when they mimic legitimate traffic.
  • Use a CDN to reduce load on origin servers and improve performance.
  • Prepare backup infrastructure (servers and network channels) to reroute traffic if needed.
  • Reduce the attack surface by disabling unused services and closing inactive ports.
  • Continuously monitor traffic and system performance.

If your site is already under attack, contact your hosting provider — they may be able to filter traffic on their side. However, effectiveness depends on their capabilities and whether application-layer protection is in place.

If you haven’t already, connect a professional anti-DDoS service. Many providers offer fast onboarding for customers who are already under attack.

You can also take additional steps (though they won’t fully stop large-scale modern attacks):

  1. Temporarily restrict access by IP address or geographic region where most malicious traffic originates.
  2. Apply rate limiting at the web server level, such as limiting connections per second or packet rates.
  3. Disable vulnerable features — for example, restrict access to xmlrpc.php in WordPress if it is not needed, and protect login pages with two-factor authentication and CAPTCHA.

“A protection provider must have a geographically distributed infrastructure. The closer large-scale DDoS attacks are filtered to their sources, the less likely they are to reach their target. We recommend not relying on basic traffic filtering alone, but instead building a multi-layered defense across different levels of infrastructure — one that can effectively detect bot-driven attacks and respond to them quickly.”

Ramil Khantimirov, CEO and Co-Founder of StormWall

The Growing Threat

Botnet attacks can inflict millions in losses and severely damage reputations. While some businesses recover, many face long-term devastation.

Don’t wait until it’s too late — secure your company now. StormWall provides cutting-edge cybersecurity solutions to protect against these growing threats.

DDoS Protection for Websites

  • Activate protection in 10 minutes
  • 24/7 technical support