With the help of a command-and-control server, botmasters control the infected computers of a botnet. Commands can be sent to individual computers or to all of them, for example, to launch distributed denial of service (DDoS) attacks. Receiving data from the botnet computers and other activities are also possible. The number of C&C servers in a botnet and the way they are networked can vary.
What is a Command-and-Control Server?
Common abbreviations for command-and-control servers are C&C servers or C2 servers. These are servers that can be used to control the computers in a botnet. A botnet is a network of infected computers that are under foreign control without the knowledge of the owners or users and can be controlled remotely. The botnet can be used, for example, for distributed denial of service (DDoS) attacks or for sending spam emails.
The command-and-control server allows the botmaster to send commands to individual or all computers in the botnet and to receive data from the botnet. The number of C&C servers and the way they are networked vary depending on the type of botnet: a single central server in a star structure, multiple servers in hierarchical structures, or random P2P structures.
To make it difficult to locate the command-and-control servers, methods such as automated obfuscation of domain names, interposing reverse proxies, or hiding traffic in legitimate data are used. Network protocols such as IRC, HTTP, Telnet, and others are used for the data exchange between C2 servers and botnet computers.
Architecture and protocols used by command-and-control servers
Botnets with their command-and-control servers can be organized in different ways. A simple structure is the star topology with a single central C&C server. In addition, botnets exist with hierarchical structures and multiple C2 servers or botnets in the form of P2P structures with distributed C2 server functions.
Various protocols are used for communication between the command-and-control servers and the botnet computers to be controlled. The Internet Relay Chat (IRC) messaging protocol is very popular. Other protocols are:
- HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure)
- Telnet
- FTP (File Transfer Protocol)
- Protocols and functions of the Domain Name System (DNS)
Because these protocols also carry normal network traffic, and because the exchange can be encrypted, communication with the C&C server can be disguised and hidden among legitimate connections.
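One practical consequence for defenders: C2 traffic that hides inside ordinary HTTP is often still distinguishable by its timing, because an infected host checks in with its server at regular intervals while human browsing is bursty. The following added example (not from the original article) scores each client/destination pair in a constructed proxy log by the regularity of its inter-request gaps; the log lines, hostnames, and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, client, destination host, method, bytes.
# Hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:00:03 10.0.0.7 news.example.test GET 20480
2024-05-01T10:01:00 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:02:01 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:02:40 10.0.0.7 news.example.test GET 17300
2024-05-01T10:03:00 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:04:00 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:05:01 10.0.0.7 updates.example-cdn.test GET 512
2024-05-01T10:07:15 10.0.0.7 news.example.test GET 9800
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host, _method, _size = line.split()
        events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(events, min_requests=5, max_jitter=0.2):
    """Return {(client, host): (mean_interval_s, jitter)} for periodic pairs.

    jitter is the coefficient of variation (stddev / mean) of the gaps between
    consecutive requests. Enough requests with low jitter suggests an automated
    check-in loop rather than a person browsing; thresholds are assumed values.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            findings[pair] = (avg, jitter)
    return findings
```

On the sample data only the pair that checks in about every 60 seconds is reported; the news site, visited three times at irregular gaps, is not.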
Functions executable with the help of a command-and-control server
A command-and-control server provides the botmaster with a wide variety of executable functions. Information exchange between the C2 server and the botnet computers is usually bidirectional. Control commands can be sent to individual computers or to the complete botnet.
Control commands can be sent, for example, to coordinate and launch DDoS attacks, infect other computers, download further malware and other software, encrypt or delete data, retrieve confidential information and sensitive data, carry out crypto mining, interrupt services, or send spam messages.