About Botnet Detection

A botnet is a large set of malware-infected client computers that a remote command and control (C&C) server directs to perform malicious acts. A C&C server can instruct botnet computers to perform these types of attacks:

  • Denial-of-service attacks
  • Sending spam and viruses
  • Stealing private data from clients

Botnets have traditionally used the HTTP and IRC protocols to communicate with infected botnet clients. To block this communication, network security services can control access to these services and ports. For example, the Firebox can use the WebBlocker Command and Control and Botnet Activity categories to block communication from infected botnet clients on your network to botnet sites over HTTP. For more information about WebBlocker, see About WebBlocker.

Botnet communication has evolved to evade security services and find other paths to control infected botnet clients, such as non-traditional network ports, social networks, and peer-to-peer (P2P) networks. Because these channels do not depend on a specific protocol or port, controls based on the destination IP address, such as the Botnet Detection sites list, complement protocol-based controls such as WebBlocker.

Botnet Detection Sites List

The Botnet Detection subscription service uses a list of known botnet site IP addresses. These known botnet sites are added to the Blocked Sites List, which enables the Firebox to block traffic to and from these sites at the packet level.

For more information about the Blocked Sites List, see About Blocked Sites.

The Botnet Detection sites are not shown in the Blocked Sites List because the list is too large to display.
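The following Python program is an added example that models the packet-level check described above: a list of botnet site IP addresses and ranges is loaded into a blocked-sites set, a separate exceptions list takes precedence (the page's "Botnet Site Exceptions" topic), and each flow is dropped if either its source or its destination matches. It is not Firebox code, and the feed, the exception entry, and the sample flow records are constructed for illustration, not real threat data.

```python
"""Added example: packet-level blocked-sites check fed by a botnet IP list.

Not WatchGuard code. The feed, exceptions and flows below are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample botnet site list: one IPv4/IPv6 address or CIDR per
# line, '#' starts a comment. None of these are real botnet addresses.
BOTNET_FEED = """\
# constructed sample feed (documentation ranges only)
203.0.113.10
198.51.100.0/24
2001:db8:bad::/48
"""

# Constructed exceptions: a single host inside a listed range that must
# stay reachable. Exceptions win over the blocked list.
EXCEPTIONS = """\
198.51.100.25   # constructed partner host inside a blocked /24
"""


def parse_networks(text: str):
    """Parse a feed into ip_network objects; single IPs become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class BlockedSites:
    """Blocked Sites List with site exceptions, checked per packet/flow."""

    def __init__(self, blocked: Iterable, exceptions: Iterable = ()):
        self.blocked = list(blocked)
        self.exceptions = list(exceptions)

    def is_blocked(self, ip: str) -> bool:
        """True if ip is in a blocked entry and not covered by an exception.

        ipaddress returns False for an address/network version mismatch,
        so IPv4 addresses are never matched against IPv6 ranges and vice
        versa.
        """
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.exceptions):
            return False
        return any(addr in net for net in self.blocked)

    def verdict(self, src: str, dst: str) -> str:
        """DROP if either endpoint is a blocked site.

        Both directions matter: an infected internal client calling out to
        a C&C server, and a listed address reaching in.
        """
        if self.is_blocked(src) or self.is_blocked(dst):
            return "DROP"
        return "ALLOW"


def filter_flows(sites: BlockedSites,
                 flows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the check to (src, dst) pairs and return (src, dst, verdict)."""
    return [(src, dst, sites.verdict(src, dst)) for src, dst in flows]


def build_default() -> BlockedSites:
    """Construct the blocked-sites set from the sample feed and exceptions."""
    return BlockedSites(parse_networks(BOTNET_FEED), parse_networks(EXCEPTIONS))


# Constructed sample flows from an internal client (10.0.0.5) and one
# inbound attempt from a listed range.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10"),      # listed single host: DROP
    ("10.0.0.5", "198.51.100.7"),      # inside listed /24: DROP
    ("10.0.0.5", "198.51.100.25"),     # inside /24 but excepted: ALLOW
    ("10.0.0.5", "2001:db8:bad::1"),   # inside listed IPv6 /48: DROP
    ("10.0.0.5", "192.0.2.44"),        # not listed: ALLOW
    ("198.51.100.200", "10.0.0.5"),    # inbound from listed range: DROP
]

if __name__ == "__main__":
    for src, dst, action in filter_flows(build_default(), SAMPLE_FLOWS):
        print(f"{action:5} {src} -> {dst}")
```

A linear scan over a list of this size is fine for a demonstration; a list as large as a production botnet feed would be held in a longest-prefix-match structure (for example a radix tree keyed by network prefix) so that per-packet lookups stay constant-time. The ordering of the checks is the part worth copying: the exception is consulted first, so an excepted host inside a blocked range is allowed, whereas checking the blocked list first would make exceptions ineffective.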

Botnet Detection is enabled with the Reputation Enabled Defense (RED) feature key. For more information about RED, see About Reputation Enabled Defense.

See Also

Configure Botnet Detection

Botnet Site Exceptions

Configure the Botnet Detection Update Server