Botnet
==Architecture==
Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot programs are constructed as [[Client–server model|clients]] which communicate via existing servers. This allows the '''bot herder''' (the controller of the botnet) to perform all control from a remote location, which obfuscates the traffic.<ref name=":1" /> Many recent botnets now rely on existing [[Peer-to-peer|peer-to-peer networks]] to communicate. These P2P bot programs perform the same actions as bots in the client–server model, but they do not require a central server to communicate.

===Client–server model===
[[File:Server-based-network.svg|thumb|right|250px|A network based on the [[client–server model]], where individual clients request services and resources from centralized servers]]
The first botnets on the Internet used a client–server model to accomplish their tasks.<ref>{{Cite web|title=Botnets: Definition, Types, How They Work|url=https://www.crowdstrike.com/cybersecurity-101/botnets/|access-date=2021-04-18|website=Crowdstrike|language=en|archive-date=10 January 2023|archive-url=https://web.archive.org/web/20230110154909/https://www.crowdstrike.com/cybersecurity-101/botnets/|url-status=live}}</ref> Typically, these botnets operate through [[Internet Relay Chat]] networks, [[Network domain|domains]], or [[website]]s. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder.

In the case of [[IRC bot|IRC botnets]], infected clients connect to an infected IRC [[Server (computing)|server]] and join a channel pre-designated for C&C by the bot herder. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.<ref name=":1">{{Cite book |doi=10.1016/B978-159749135-8/50004-4| title=Botnets| last1=Schiller| first1=Craig A.| last2=Binkley| first2=Jim| last3=Harley| first3=David| last4=Evron| first4=Gadi| last5=Bradley| first5=Tony| last6=Willems| first6=Carsten| last7=Cross| first7=Michael| date=January 1, 2007 |publisher=Syngress| isbn=9781597491358| location=Burlington, Virginia| pages=29–75}}</ref>

===Peer-to-peer===
[[File:P2P-network.svg|thumb|250px|A peer-to-peer (P2P) network in which interconnected nodes ("peers") share resources among each other without the use of a centralized administrative system]]
In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on [[peer-to-peer]] networks. These bots may use [[digital signature]]s so that only someone with access to the private key can control the botnet,<ref name=":0">{{Cite journal | last=Heron| first=Simon| date=April 1, 2007| title=Botnet command and control techniques| journal=Network Security| volume=2007| issue=4| pages=13–16| doi=10.1016/S1353-4858(07)70045-4}}</ref> such as in [[Gameover ZeuS]] and the [[ZeroAccess botnet]]. Newer botnets operate entirely over P2P networks. Rather than communicate with a centralized server, P2P bots act as both a command distribution server and a client which receives commands.<ref>{{cite book|chapter-url=https://books.google.com/books?id=I-9P1EkTkigC&pg=PA335|title=Handbook of Information and Communication Security|publisher=Springer|year=2010|isbn=9783642041174|editor1-first=Mark|editor1-last=Stamp|editor2-first=Peter|editor2-last=Stavroulakis|chapter=Peer-to-peer botnets|first=Ping|last=Wang|access-date=28 July 2016|archive-date=22 June 2024|archive-url=https://web.archive.org/web/20240622185954/https://books.google.com/books?id=I-9P1EkTkigC&pg=PA335#v=onepage&q&f=false|url-status=live}}</ref> This avoids having any single point of failure, which is an issue for centralized botnets. In order to find other infected machines, P2P bots discreetly probe random [[IP address]]es until they identify another infected machine. The contacted bot replies with information such as its software version and its list of known bots. If one bot's version is lower than the other's, the two initiate a file transfer so that the older one updates.<ref name=":0" /> In this way, each bot grows its list of infected machines and keeps itself up to date by periodically communicating with all known bots.
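The two topologies described in the client–server and peer-to-peer sections above leave different footprints in network flow data, which is what a network defender looks for. Centralized C&C shows as ''fan-in'': many internal hosts repeatedly contacting one external rendezvous endpoint (an IRC server, a domain, a website). P2P peer discovery shows as ''fan-out'': one internal host probing many unrelated external addresses, most of which never answer because they are not infected. The following Python script, added here as an illustration and not taken from the article or any of its cited sources, runs both heuristics over a small set of constructed flow records; the address ranges (RFC 5737 documentation blocks), the `Flow` record layout, the thresholds and the `succeeded` field are all assumptions made for the example.

```python
"""Flow-level heuristics for the two botnet C&C topologies.

fan_in  : endpoints contacted by many distinct internal hosts
          (a candidate centralized rendezvous point).
fan_out : internal hosts contacting many distinct external addresses
          with mostly failed connections (a candidate P2P peer prober).
Both are hints that need context: a legitimate update server also
attracts fan-in, and a vulnerability scanner also produces fan-out.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # internal host that opened the connection
    dst: str          # external address it contacted
    dport: int        # destination port
    succeeded: bool   # True if the TCP handshake completed (constructed field)


# Constructed sample data (documentation address ranges, not real traffic):
#  - 10.0.0.11/.12/.13 each beacon twice to one IRC-style endpoint (fan-in)
#  - 10.0.0.20 probes eight unrelated addresses, only one of which answers (fan-out)
#  - ordinary HTTPS browsing as background noise
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "203.0.113.5", 6667, True),
    Flow("10.0.0.12", "203.0.113.5", 6667, True),
    Flow("10.0.0.13", "203.0.113.5", 6667, True),
    Flow("10.0.0.11", "203.0.113.5", 6667, True),
    Flow("10.0.0.12", "203.0.113.5", 6667, True),
    Flow("10.0.0.13", "203.0.113.5", 6667, True),
    Flow("10.0.0.20", "198.51.100.1", 8080, False),
    Flow("10.0.0.20", "198.51.100.2", 8080, False),
    Flow("10.0.0.20", "198.51.100.3", 8080, False),
    Flow("10.0.0.20", "198.51.100.4", 8080, True),
    Flow("10.0.0.20", "198.51.100.5", 8080, False),
    Flow("10.0.0.20", "198.51.100.6", 8080, False),
    Flow("10.0.0.20", "198.51.100.7", 8080, False),
    Flow("10.0.0.20", "198.51.100.8", 8080, False),
    Flow("10.0.0.11", "192.0.2.10", 443, True),
    Flow("10.0.0.12", "192.0.2.11", 443, True),
]


def fan_in(flows, min_sources=3):
    """Map (dst, dport) -> set of internal sources, keeping only endpoints
    that at least `min_sources` distinct internal hosts contacted."""
    sources = defaultdict(set)
    for f in flows:
        sources[(f.dst, f.dport)].add(f.src)
    return {ep: srcs for ep, srcs in sources.items() if len(srcs) >= min_sources}


def fan_out(flows, min_targets=5, max_success_ratio=0.5):
    """Map src -> (distinct destinations, handshake success ratio), keeping only
    hosts that touched at least `min_targets` distinct addresses and whose
    connections mostly failed, which is what random peer probing looks like."""
    targets = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for f in flows:
        targets[f.src].add(f.dst)
        attempts[f.src] += 1
        successes[f.src] += int(f.succeeded)
    flagged = {}
    for src, dsts in targets.items():
        ratio = successes[src] / attempts[src]
        if len(dsts) >= min_targets and ratio <= max_success_ratio:
            flagged[src] = (len(dsts), ratio)
    return flagged


def report(flows):
    """Run both heuristics and return their findings together."""
    return {"rendezvous_endpoints": fan_in(flows), "peer_probers": fan_out(flows)}


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_FLOWS).items():
        print(kind)
        for key, value in hits.items():
            print("  ", key, "->", value)
```

Run with real flow exports (NetFlow, Zeek `conn.log`) by building `Flow` records from the source, destination, port and connection-state fields; the thresholds should be tuned per network, and a fan-in hit is worth correlating with whether the endpoint is a known service before treating it as a rendezvous point.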