**1. Introduction**

In 1990, the continuous development of the global economy drove reform and innovation in information technology, which gave birth to the computer and the Internet, and Internet technology entered every household. In the new century, with the globalization and informatization of networks, computer networking has become indispensable knowledge for the development of the Internet. At present, the demand for computer networks keeps growing, and social organizations of every kind, such as enterprises, governments, and schools, are constantly connecting themselves to the network to exchange and share information resources. With the interconnection of global networks, the Internet is everywhere in the world. From the 43rd Statistical Report on Internet Development in China [1], China's core report on the subject, we can see the development of the Internet in China and the country's emphasis on it.

The number of Internet users in China increased steadily from 2007 to 2019, reaching more than 829 million in 2018. The Internet penetration rate also rose sharply year by year; in 2018 it exceeded 59.6% of the population. It can be seen that the resources of the Internet are accessible to everyone.

The emergence of the Internet has brought great convenience to people's lives, but at the same time, as the scale of the network has kept expanding, its security risks have been exposed. The computer network itself carries some inherent security risks in its design. As the network scale grows and the network environment becomes more complex, many criminals exploit vulnerabilities on the network for network intrusion, information leakage, extortion, and other attacks. These hazards not only affect people's safe use of the network but can also lead to the disclosure and destruction of sensitive information belonging to enterprises, public institutions, the military, and financial institutions, adversely affecting the national economy and security. According to the data of the 2018 China Internet Cyber Security Report provided by the China National Internet Emergency Center [1], the number of security vulnerabilities collected by the National Information Security Vulnerability Sharing Platform was 14,201 in 2018.

A Botnet is a common computing platform that attackers control remotely by invading several noncooperative user terminals in network space. "Invading in network space" refers to an area where hackers can enter and exit at will to send arbitrary information and files within an IP block or an Internet region; "noncooperative" means that a vulnerable computer receives no warning of the upcoming attack; and "remote control" means that a Botnet usually has a C&C server that remotely accepts control commands from the hacker and concurrently sends the corresponding instructions, in the form of messages, to the corresponding infected hosts (Bots). Over time, a single Bot can be expanded into a Botnet with thousands of Bots, which, because of the large number of Bots, has large aggregate storage and a fast computational response time. Making use of these characteristics, hackers can easily consume network bandwidth and launch persistent attacks on a specific target, such as mail attacks, HTTP flooding attacks, etc. At this stage, the Botnet has become the main attack method used by hackers. Because it is simple to form and comes in many types, the Botnet has become one of the biggest threats to Internet security and a key research topic for experts.

A Botnet is an attack platform composed of multiple Bots that is controlled by the commands hackers send to it, so its behavior is also controlled by hackers. The attack of a Botnet is therefore generally governed by the subjective intent of the hacker, which makes the threat it generates hard to locate and predict. From the last century to the present, Botnet attacks have not only paralyzed network equipment but also seriously affected countries at the political and economic level, and in military matters as well. Many newspapers and magazines have reported Botnet attacks. In the early twenty-first century, the Conficker Botnet, which spread through network shares and USB flash drives, reached tens of thousands of hosts; this Botnet mainly made use of the vulnerability MS08-067. During that attack, not only personal computers were affected, but also the national defense platforms of Germany and the United Kingdom were affected to varying degrees. Some aircraft were delayed because the attacks prevented normal commands from being issued. In 2016, the United States experienced a large-scale network outage, which was caused by a denial-of-service attack on Dyn, a well-known American company. The company emphasized that the attack involved millions of IoT devices around the world (the source IPs of the UDP/domain name server (DNS) attack were almost all spoofed, so this number does not represent the number of Bots) and that some of the important attacks came from IoT devices. Analysis showed that the culprit of the incident was the Mirai Botnet, whose source code was published online [2]. According to the 2017 China Internet Security Report, more than 200,000 IP addresses in the Chinese mainland have been affected by hacker attacks, including more than 4000 C&C servers used to convey commands. These cases show that the Botnet poses a serious security threat to China.

China, and indeed the whole world, has paid great attention to the security problems caused by Botnets. In the field of scientific research, on January 23, 2008, the "Seminar of Response to Botnet" sponsored by the China National Internet Emergency Center/Coordination Center (CNCERT/CC) was held in Huaxin Building, Beijing. At the International Supply Media Conference held in Nice, France, in 2017, Derek Manky, head of global security strategy at Fortinet, said that intelligent cluster networks could replace the Botnet as a new threat in the future. At the 8th International Conference on Communication and Network Security (ICCNS) in 2018, research topics such as communication and network security, malware and Botnets, and communication privacy and anonymity were discussed in depth.

There are several reasons why the Botnet can become the biggest security threat in the world:

1. The development history of the Botnet is divided into two phases. In the first phase it is mainly a kind of virus or worm, and in the second phase it transforms into the Botnet platform. The advantages of the virus are rapid infection and rapid transmission, but its disadvantages are also obvious: the Bot cannot be controlled by the hacker, the degree of infection cannot be perceived by the hacker, and the infected geographical area is very limited and cannot be expanded on a large scale. In summary, the virus is small in scale but uncontrollable. The Botnet keeps the advantages of the virus and overcomes its shortcomings, so it is very popular among hackers.

2. A virus attack is integrated: the same code both spreads and attacks. The Botnet is different: its control commands are issued by a separate C&C server, and the attack and intrusion are carried out by the controlled Bots. The C&C server and the controlled host make requests and connections through HTTP packets. In this way, hackers only need to send a few commands to the C&C server to launch diverse forms of attack, which improves the flexibility of the Botnet and enhances its concealment.

3. Security is the foundation of every computer field, and the development of any field is accompanied by technical achievements in the security of that field. Because security measures are developed only after the Botnet techniques they respond to, the Botnet can rise rapidly in the interval between them. In the expansion process of a Botnet, the first thing is to obtain a C&C server, and hackers make use of vulnerabilities to seize control of a host. For example, the Mirai Botnet uses the weak-password vulnerability to break into the target host's telnet port and gain control of the host; the IRC Botnet breaks into a shared chat-room server to build its own C&C server; and, owing to the lack of security awareness of users, some companies' cloud servers are also hacked and used as C&C servers, such as Alibaba Cloud, Tencent Cloud, etc.

4. The Botnet applies cryptographic key techniques to the management of the Botnet controller, so that the entire Botnet does not become uncontrollable after a C&C server is compromised by security experts, thereby improving its concealment and survivability. For example, in a decentralized Botnet, multiple C&C servers are used for unified control, and encryption and authentication technology are applied to the messages transmitted between C&C servers; in this way, illegitimate messages are not accepted by the controller, which prevents replay attacks.

Through the above analysis, the process of defending against Botnets can be summarized in five steps: analysis and detection, trusted tracking, measurement, situation prediction, and counterattack. Among them, "analysis and detection" finds cues of the Botnet in the data flow; "trusted tracking" determines the information source of the Botnet; "measurement" characterizes the architecture, life cycle, and attack process of the Botnet; "situation prediction" evaluates the next activity of the Botnet in advance in order to prevent and warn ahead of time; and "counterattack" reduces its activity and breaks the C&C server to paralyze the Botnet.

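The "analysis and detection" step above looks for cues of a Botnet in the data flow. One such cue, used by HTTP Botnet detectors that work from behavioral features, is periodic beaconing: a Bot polls its C&C server on a fixed schedule, so its connections to one destination have very regular inter-arrival times, whereas human browsing is bursty. The following is an added example, not code from the chapter; the flow records, IP addresses, the six-connection minimum and the coefficient-of-variation threshold are all constructed assumptions chosen to illustrate the heuristic.

```python
"""Flow-level cue for Botnet detection: regular (beacon-like) connections.

Added illustration, not the chapter's code. All flow records below are
constructed. Assumption: a Bot contacts its C&C server at a fixed interval,
so the inter-arrival times of its connections to that destination have a low
coefficient of variation (stdev / mean); ordinary browsing does not.
"""
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.5 -> 203.0.113.10:80 is a constructed ~60 s beacon; the rest is
# constructed bursty browsing and a destination seen only twice.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 80, 312),
    (5, "10.0.0.7", "198.51.100.20", 443, 1800),
    (7, "10.0.0.7", "198.51.100.20", 443, 950),
    (8, "10.0.0.7", "198.51.100.20", 443, 4100),
    (60, "10.0.0.5", "203.0.113.10", 80, 310),
    (121, "10.0.0.5", "203.0.113.10", 80, 315),
    (130, "10.0.0.7", "198.51.100.20", 443, 2200),
    (131, "10.0.0.7", "198.51.100.20", 443, 600),
    (180, "10.0.0.5", "203.0.113.10", 80, 311),
    (200, "10.0.0.5", "198.51.100.20", 443, 1500),
    (240, "10.0.0.5", "203.0.113.10", 80, 309),
    (301, "10.0.0.5", "203.0.113.10", 80, 314),
    (360, "10.0.0.5", "203.0.113.10", 80, 312),
    (400, "10.0.0.7", "198.51.100.20", 443, 3300),
    (405, "10.0.0.7", "198.51.100.20", 443, 700),
    (420, "10.0.0.5", "203.0.113.10", 80, 313),
    (860, "10.0.0.5", "198.51.100.20", 443, 1400),
    (900, "10.0.0.7", "198.51.100.20", 443, 2900),
]


def inter_arrival(times):
    """Gaps between consecutive timestamps, after sorting."""
    ts = sorted(times)
    return [b - a for a, b in zip(ts, ts[1:])]


def beacon_candidates(flows, min_conns=6, max_cv=0.2):
    """Return (src, dst, port) groups whose connection timing is suspiciously
    regular. min_conns avoids judging on too few samples; max_cv is the
    maximum stdev/mean of the inter-arrival gaps still treated as 'regular'.
    Both thresholds are assumptions to be tuned on real traffic."""
    groups = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        groups[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_conns:
            continue  # not enough connections to judge periodicity
        gaps = inter_arrival(times)
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all connections at the same instant: not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(times), "period_s": round(mean, 1),
                         "cv": round(cv, 3)})
    # Most regular first.
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in beacon_candidates(FLOWS):
        print(f"{h['src']} -> {h['dst']}:{h['port']} every ~{h['period_s']}s "
              f"({h['count']} connections, cv={h['cv']})")
```

On the constructed records only the 10.0.0.5 to 203.0.113.10:80 group is reported, with a period of about 60 s. The obvious evasion is a Bot that randomizes its polling interval, which raises the coefficient of variation above the threshold; in practice this cue is therefore combined with the other features the text mentions (payload types, command patterns) rather than used alone, and the thresholds are calibrated on known-benign traffic.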

At present, there are many different methods for detecting Botnets. For example, Moheeb and others built a real network-flow monitoring system to analyze flow records, binary file types, Botnet control commands, etc.; Cai [3] evaluated the key behavioral characteristics of HTTP Botnets and designed a detection method for HTTP Botnets based on feature analysis; Song [4] adopted displacement entropy and Kalman filtering to detect and analyze the characteristics of P2P Botnets and proposed a corresponding detection algorithm; Xu found that a P2P Botnet shows high robustness when random nodes fail, but that its robustness declines rapidly when central nodes fail; and Chen proposed a solution to the problem that the HMM method cannot be applied to flow detection of hierarchical Botnets.
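Xu's observation above, that a P2P Botnet survives random node failures but falls apart when central nodes are removed, is the kind of result the "measurement" step produces, and it tells a defender which peers are worth sinkholing first. The following added example is not code from the chapter or from Xu's work: it builds a constructed overlay of three high-degree super peers, each with a chain of ten ordinary peers, then compares the largest surviving connected component after removing three random nodes with removing the three highest-degree nodes. The graph shape, node counts and seed are assumptions chosen for illustration.

```python
"""Measuring P2P overlay robustness: random failure vs. removal of central nodes.

Added illustration, not the chapter's code. The overlay is constructed: hub
nodes (super peers) are fully connected to each other, each hub has
peers_per_hub ordinary peers, and the peers of one hub also form a chain.
Robustness is measured as the fraction of surviving nodes that remain in the
largest connected component.
"""
import random
from collections import deque


def build_overlay(hubs=3, peers_per_hub=10):
    """Constructed P2P overlay as an undirected adjacency dict {node: set}."""
    g = {}

    def link(a, b):
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)

    for h in range(hubs):
        for h2 in range(h + 1, hubs):
            link(h, h2)                 # hubs know each other
    node = hubs
    for h in range(hubs):
        prev = None
        for _ in range(peers_per_hub):
            link(h, node)               # every peer knows its hub
            if prev is not None:
                link(prev, node)        # peers of one hub form a chain
            prev = node
            node += 1
    return g


def remove_nodes(g, nodes):
    """Copy of g with the given nodes (and their edges) removed."""
    dead = set(nodes)
    return {n: {m for m in nb if m not in dead}
            for n, nb in g.items() if n not in dead}


def largest_component_fraction(g):
    """Size of the largest connected component / number of nodes (BFS)."""
    if not g:
        return 0.0
    seen, best = set(), 0
    for start in g:
        if start in seen:
            continue
        q, size = deque([start]), 0
        seen.add(start)
        while q:
            n = q.popleft()
            size += 1
            for m in g[n]:
                if m not in seen:
                    seen.add(m)
                    q.append(m)
        best = max(best, size)
    return best / len(g)


def targeted_removal(g, k):
    """Remove the k highest-degree nodes (the 'central nodes')."""
    victims = sorted(g, key=lambda n: len(g[n]), reverse=True)[:k]
    return victims, largest_component_fraction(remove_nodes(g, victims))


def random_failure(g, k, seed=0):
    """Remove k nodes chosen uniformly at random (seeded for repeatability)."""
    victims = random.Random(seed).sample(sorted(g), k)
    return victims, largest_component_fraction(remove_nodes(g, victims))


if __name__ == "__main__":
    g = build_overlay()
    print(f"{len(g)} nodes, intact LCC fraction = {largest_component_fraction(g):.2f}")
    for k in range(1, 4):
        rv, rf = random_failure(g, k, seed=7)
        tv, tf = targeted_removal(g, k)
        print(f"k={k}: random {rv} -> {rf:.2f}   targeted {tv} -> {tf:.2f}")
```

Removing the three hubs leaves three disconnected chains, so the largest component holds only a third of the surviving peers, while removing three ordinary peers leaves everything reachable through the hubs. The same measurement run on a real overlay (with the peer lists gathered during tracking) ranks the nodes whose removal does the most damage, which is exactly the prioritization the "counterattack" step needs.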
