Botnets act as a force multiplier for individual attackers, cyber-criminal groups, and nation-states looking to disrupt or break into their targets’ systems. By definition, they are a collection of any type of internet-connected device that an attacker has compromised. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

A botnet attack can be devastating. Last year, the Mirai botnet shut down major swathes of the internet, including Twitter, Netflix, CNN, and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the DYN servers that route internet traffic.

Why we can’t stop botnets?

The challenges to shutting botnets down include the widespread availability and ongoing purchases of insecure devices, the near impossibility of simply locking infected machines out of the internet, and difficulty tracking down and prosecuting the botnet creators. When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognizable brands, and, most importantly, they look at the price.

Botnet detection: Targeting traffic

Botnets are typically controlled by a central command server, so, in theory, taking down that server then following the traffic back to the infected devices to clean them up and secure them should be a straightforward job. But it’s anything but easy. When the botnet is so big that it impacts the internet, the ISPs may band together to try to figure out what’s going on and curb the traffic.