Editing Botnet (section)

===Domains===
Many large botnets tend to use domains rather than IRC in their construction (see [[Rustock botnet]] and [[Srizbi botnet]]). They are usually hosted with [[bulletproof hosting]] services. This is one of the earliest types of C&C. A zombie computer accesses a specially-designed webpage or domain(s) which serves the list of controlling commands. The advantages of using [[web page]]s or domains as C&C is that a large botnet can be effectively controlled and maintained with very simple code that can be readily updated.

Disadvantages of using this method are that it uses a considerable amount of bandwidth at large scale, and domains can be quickly seized by government agencies with little effort. If the domains controlling the botnets are not seized, they are also easy targets to compromise with [[denial-of-service attack]]s.

[[Fast flux|Fast-flux DNS]] can be used to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with [[domain generation algorithm]]s being used to create new DNS names for controller servers.

Some botnets use free [[Domain Name System|DNS]] hosting services such as [[DynDNS|DynDns.org]], [[No-IP|No-IP.com]], and Afraid.org to point a [[subdomain]] towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.