Botnet Command & Control


A botnet Command & Control (C2) server orchestrates a network of compromised machines (bots), issuing instructions for coordinated attacks, spam campaigns, or data theft. Modern C2 infrastructure uses domain generation algorithms (DGA), fast-flux DNS, and encrypted channels over legitimate protocols to evade detection and maintain persistent control over infected hosts.


Critical Severity

This threat is classified as critical severity. Immediate action required.

🔍Indicators

  • Periodic beacon traffic at regular intervals (every 30–300 seconds) to unusual external IPs
  • DNS queries for algorithmically generated or recently registered domains (DGA patterns)
  • Outbound IRC (port 6667/6697) or HTTP POST to uncommon high ports from internal hosts
  • Long-duration TCP connections with low throughput and minimal user-visible activity
  • Hosts connecting to known Tor hidden services or bulletproof hosting ASNs
  • Encrypted traffic to IPs with no PTR record or hosting on residential ranges
  • Unusual process making outbound connections (e.g., svchost.exe connecting to port 443 on an IP-only host)

🛡Detection Methods

Firewall & DNS logging

# Block outbound IRC commonly used by older botnets
iptables -I OUTPUT -p tcp --dport 6667 -j DROP
iptables -I OUTPUT -p tcp --dport 6697 -j DROP

# Log anomalous outbound connections
iptables -I FORWARD -m state --state NEW -j LOG --log-prefix "NEW_CONN: "

Snort rule — detect repeated HTTP POST beacons to random-looking URI paths

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
  (msg:"BOTNET C2 HTTP beacon pattern"; flow:to_server,established; \
   content:"POST"; http_method; \
   pcre:"/^POST\s+\/[a-z0-9]{8,32}\s/"; \
   threshold:type both, track by_src, count 5, seconds 60; \
   sid:9001001; rev:1;)

DNS-based detection (Zeek/Bro)

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string) {
    # Crude lexical heuristic: a long name containing a run of four or more digits.
    # Older Zeek releases declare dns_request without the trailing original_query parameter.
    if ( |query| > 30 && /[0-9]{4,}/ in query )
        print fmt("Possible DGA query: %s from %s", query, c$id$orig_h);
}
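The Zeek handler above keys on a single feature (length plus a digit run). The following added example, written for this page and not part of Zeek or any project the page describes, generalizes that idea into a small lexical scorer over the registrable label of each query name: length, Shannon entropy, digit density and vowel scarcity each contribute to a 0–1 score. The sample query names, the allowlist and every threshold are constructed assumptions for illustration, not values tuned on real traffic.

```python
import math
from collections import Counter

# Constructed sample of DNS query names (not real telemetry).
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.org",
    "cdn-static-assets.example.net",
    "xk2j9q8wz0pl4m7n.com",          # random-looking label with digits mixed in
    "a8f3c1e9b2d7f4a6.net",          # hex-like label
    "update.windows.example.com",
    "qwrtzpsdfghjklmn.info",         # long label with no vowels at all
]

# Registrable labels that are long but known-good; a small allowlist keeps
# obvious false positives out (constructed for this example).
ALLOWLIST = {"example"}

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Label left of the public suffix, approximated as the second-to-last
    label. A production version would consult the Public Suffix List."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn: str) -> float:
    """Heuristic 0..1 score; higher means the name looks machine-generated.
    Each of four features adds 0.25. Thresholds are illustrative assumptions."""
    label = registrable_label(fqdn)
    if label in ALLOWLIST:
        return 0.0
    n = len(label)
    if n == 0:
        return 0.0
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    score = 0.0
    if n >= 12:                 # long registrable labels are uncommon for brands
        score += 0.25
    if entropy >= 3.5:          # English words rarely exceed ~3.3 bits/char
        score += 0.25
    if digit_ratio >= 0.2:      # many DGAs mix digits into the label
        score += 0.25
    if vowel_ratio < 0.15:      # pronounceable words sit around 0.35-0.45
        score += 0.25
    return score


def flag_dga_candidates(queries, threshold: float = 0.5):
    """Return (query, score) pairs at or above threshold, highest score first."""
    scored = [(q, dga_score(q)) for q in queries]
    return sorted([(q, s) for q, s in scored if s >= threshold], key=lambda x: -x[1])


if __name__ == "__main__":
    for query, score in flag_dga_candidates(SAMPLE_QUERIES):
        print(f"{score:.2f}  {query}")
```

Scores like these are a triage aid, not a verdict: feed the flagged names into the DNS sinkhole and threat-intelligence checks described under Mitigation rather than blocking on the score alone.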

Identify beaconing with tcpdump + frequency analysis

tcpdump -nn -i eth0 'tcp and not port 22 and not port 80 and not port 443' \
  -w /tmp/capture.pcap
# For each destination, compute the gap between successive connection attempts (SYNs)
# and count how often each (destination, rounded gap) pair recurs: a beacon shows one
# dominant gap, ordinary browsing does not
tshark -r /tmp/capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
  -T fields -e ip.dst -e frame.time_epoch \
  | sort -k1,1 -k2,2n \
  | awk '$1 == prev { printf "%s %d\n", $1, $2 - last } { prev = $1; last = $2 }' \
  | sort | uniq -c | sort -rn | head -20
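The pipeline above surfaces a dominant inter-connection gap per destination by eye. The following added example, written for this page rather than taken from it or from any tool the page names, does the same analysis programmatically over lines in the shape tshark emits (destination IP, epoch timestamp): it groups by destination, computes inter-arrival gaps, and flags destinations whose mean gap falls in the 30–300 second window from the Indicators section with low jitter (coefficient of variation). The sample lines and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample in the shape of the tshark output above: "dst_ip epoch",
# one line per new outbound connection (not a real capture).
SAMPLE_LINES = """\
203.0.113.7 1700000000.0
198.51.100.20 1700000003.2
203.0.113.7 1700000061.5
198.51.100.20 1700000017.9
203.0.113.7 1700000119.8
198.51.100.20 1700000190.4
203.0.113.7 1700000181.1
198.51.100.20 1700000202.0
203.0.113.7 1700000239.6
198.51.100.20 1700000455.3
203.0.113.7 1700000300.2
"""


def parse_lines(text):
    """Group connection timestamps by destination: {dst: sorted [epoch, ...]}."""
    by_dst = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        dst, ts = parts
        by_dst[dst].append(float(ts))
    return {dst: sorted(ts) for dst, ts in by_dst.items()}


def interval_stats(timestamps):
    """Connection count, mean inter-arrival gap and its coefficient of
    variation (population stdev / mean); None when fewer than two gaps exist."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return {"connections": len(timestamps), "mean_interval": mean, "cv": cv}


def find_beacons(text, min_connections=5, min_interval=30.0,
                 max_interval=300.0, max_cv=0.1):
    """Destinations contacted at least min_connections times whose mean gap
    lies in [min_interval, max_interval] with jitter cv <= max_cv.
    Threshold values are this example's assumptions; tune per environment."""
    results = {}
    for dst, ts in parse_lines(text).items():
        stats = interval_stats(ts)
        if stats is None or stats["connections"] < min_connections:
            continue
        if min_interval <= stats["mean_interval"] <= max_interval and stats["cv"] <= max_cv:
            results[dst] = stats
    return results


if __name__ == "__main__":
    for dst, stats in find_beacons(SAMPLE_LINES).items():
        print(f"{dst}: {stats['connections']} connections, "
              f"mean gap {stats['mean_interval']:.1f}s, cv {stats['cv']:.3f}")
```

A low coefficient of variation is the signal: the first destination is contacted roughly every 60 seconds with a second or two of jitter, while the second destination's gaps vary wildly and are not flagged even though it meets the connection count. Implants that add large random sleep jitter raise the cv, so pair this with the DNS and flow-ratio checks rather than relying on it alone.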

Mitigation

  1. Block known C2 feeds: Subscribe to threat intelligence feeds (Abuse.ch, Spamhaus ZEN, Emerging Threats) and enforce block lists on firewalls and DNS resolvers.
  2. DNS sinkholing: Redirect DGA domains to an internal sinkhole server to prevent bot communications and log affected hosts.
  3. Restrict outbound traffic: Enforce egress filtering — only permit outbound traffic on ports required by business operations (80, 443, 25, 53). Block IRC and uncommon high ports at the perimeter.
  4. Isolate infected hosts: Immediately quarantine systems showing beacon patterns. Capture memory and disk images for forensic analysis before reimaging.
  5. Deploy EDR: Use endpoint detection and response (EDR) tooling to monitor process network activity, flagging unexpected outbound connections from system processes.
  6. Control DNS resolution, including DNS-over-HTTPS (DoH): Force all DNS, DoH included, through a controlled resolver that logs queries, so C2 domain lookups are recorded and blocked before a connection is established.
  7. Network segmentation: Prevent lateral movement by placing sensitive systems in isolated VLANs with strict inter-segment firewall policies.
  8. Regular threat hunting: Schedule periodic sweeps using network flow data (NetFlow/IPFIX) to identify hosts with persistent external connections and anomalous traffic volume ratios.
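Step 8 describes hunting over flow records for persistent external connections and anomalous volume ratios; the Indicators section names the matching pattern of long-lived TCP sessions carrying little data. The following added example, written for this page and not taken from any NetFlow/IPFIX tool, shows that sweep over a handful of flow records: one check for long-duration, low-throughput flows to external hosts, one for destinations receiving far more than they send back, and one that groups the persistent flows by destination so an external IP shared by several internal hosts stands out. The flow records, the RFC 1918 prefix list and all thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records in a NetFlow/IPFIX-like shape (not real telemetry):
# (src, dst, dst_port, duration_seconds, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.7",   443, 3600.0,     48_000,    52_000),  # long-lived, ~28 B/s
    ("10.0.0.5",  "198.51.100.9",  443,   12.0,    120_000, 4_800_000),  # ordinary download
    ("10.0.0.9",  "203.0.113.7",   443, 7200.0,    115_000,   140_000),  # long-lived, ~35 B/s
    ("10.0.0.12", "192.0.2.44",     22,   45.0,     20_000,    30_000),  # short admin session
    ("10.0.0.12", "203.0.113.80",  443,  600.0, 90_000_000,   300_000),  # upload-heavy
]

# Assumption for this example: the internal network uses these RFC 1918 ranges.
INTERNAL_PREFIXES = ("10.", "192.168.", "172.16.")


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def persistent_low_throughput(flows, min_duration=1800.0, max_bps=100.0):
    """Flows to external hosts lasting at least min_duration seconds while
    moving at most max_bps bytes/second in total: the 'long connection,
    little data' indicator. Thresholds are illustrative."""
    hits = []
    for src, dst, port, dur, out_b, in_b in flows:
        if is_internal(dst) or dur < min_duration:
            continue
        bps = (out_b + in_b) / dur
        if bps <= max_bps:
            hits.append({"src": src, "dst": dst, "port": port,
                         "duration": dur, "bytes_per_s": round(bps, 1)})
    return hits


def upload_ratio_outliers(flows, min_ratio=10.0, min_bytes_out=10_000_000):
    """(src, dst) pairs where an internal host sent at least min_ratio times
    more than it received, above a minimum volume: an inverted client/server
    ratio that deserves a look given the data-theft use of botnets."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, _port, _dur, out_b, in_b in flows:
        if is_internal(dst):
            continue
        totals[(src, dst)][0] += out_b
        totals[(src, dst)][1] += in_b
    return [
        {"src": s, "dst": d, "ratio": round(o / i, 1) if i else float("inf")}
        for (s, d), (o, i) in totals.items()
        if o >= min_bytes_out and (i == 0 or o / i >= min_ratio)
    ]


def shared_external_destinations(flows, min_hosts=2):
    """External IPs that at least min_hosts distinct internal hosts hold
    persistent low-throughput connections to: a shared C2 candidate."""
    by_dst = defaultdict(set)
    for hit in persistent_low_throughput(flows):
        by_dst[hit["dst"]].add(hit["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}


if __name__ == "__main__":
    print("persistent low-throughput:", persistent_low_throughput(SAMPLE_FLOWS))
    print("upload-ratio outliers:", upload_ratio_outliers(SAMPLE_FLOWS))
    print("shared destinations:", shared_external_destinations(SAMPLE_FLOWS))
```

Run against a day's worth of exported flows, the shared-destination view is usually the most productive starting point: two unrelated workstations keeping a trickle of traffic to the same external IP for hours is rarely legitimate, and it gives the quarantine step above a concrete host list.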

📋Real-World Examples

Emotet (2014–2021): One of the most destructive botnets ever observed, Emotet used hierarchical C2 tiers — infected machines served as C2 proxies for upstream servers — making takedowns extremely difficult. At its peak, it delivered Ryuk ransomware and TrickBot to hundreds of thousands of organizations. A coordinated Europol/FBI action in January 2021 seized 700+ servers and dismantled the infrastructure.

Mirai Botnet (2016): Mirai compromised IoT devices using default credentials and used them to launch record-breaking DDoS attacks peaking at 1.2 Tbps against Dyn DNS, disrupting major platforms including Twitter, Netflix, and Reddit. Its C2 used hardcoded IP addresses and simple telnet-based control channels.
