The Analysis and Implementation of Botnet and DDoS

Abstract—The development of computer information science has led to explosive growth in smart devices. However, worsening cybersecurity problems leave people facing malicious attacks over the internet. We therefore study the prevailing Botnet and DDoS threats in order to defend against various malware. The capabilities of a Botnet and a Trojan are quite similar: a Trojan only breaks a specific target, whereas a Botnet blocks random targets automatically. To gain a deeper understanding of how Botnets infect and attack, we use Zeus (a type of Botnet). DDoS, on the other hand, attacks servers by exploiting vulnerabilities in protocols; offenders deplete the server's resources with service requests. This paper uses the software environment provided by the testbed hardware device to carry out the analysis and implementation.

Keywords-Botnet; DDoS; testbed; network security

I. INTRODUCTION

In recent years, internet technology has developed rapidly. In addition, with the increasing popularity of smartphones, people now use many internet services. Because these services are used so frequently, all kinds of network security problems have become more serious and complicated. For example, Botnets have caused several global issues, not only because their capabilities are similar to those of Trojans but also because they have the capabilities of a computer worm: a Botnet can travel through the network while searching for and attacking vulnerabilities in computer hosts. To increase knowledge about Botnets and strengthen awareness of network security, we can use the testbed to run Zeus. With hands-on experience, we can understand and analyze the danger of Botnets better. As a result, this research helps us find a means of defense in the shortest time [3, 4, 7, 8].
In a DDoS attack, the offender sends a large number of packets to occupy the major part of the target network. As a result, the target delivers poor service during peak usage hours. This type of attack can be carried out by an ordinary internet user; unlike other kinds of attack, DDoS costs the least effort [1, 2]. We used TFN2K on the testbed as the attack generator. Attacking different node IDs on the same platform, it can send a large number of packets with spoofed source IP addresses. It can also paralyze the victim's node ID, stopping packets from being handled normally by dropping its connection rate to under 1% [11].

The paper is organized as follows: Section 2 introduces Botnet and DDoS. Section 3 introduces the testbed, the testing platform we used during the experiment. Section 4 describes our actual experience conducting the Botnet experiment. Section 5 introduces the DDoS implementation we conducted and some related software. Finally, in Section 5, we conclude the paper.

II. INTRODUCTION OF BOTNET AND DDOS

A. Botnet

In 1989, the first Botnet was written by Greg Lindahl in IRC (Internet Relay Chat). Initially the program was made to improve system management, and it had no malicious behavior. As the cyber industry grew, people with bad intentions began extending the program with malicious functions. The program became a hidden danger in the area of cyber security, and it is easily acquired by hackers [9]. A Botnet has three parts: the Bot header (the hacker or malicious user, who gives the orders), the Bot client (the infected computer or target that is remotely controlled by the Bot header), and the C&C server (the command and control server, which is in charge of the whole Botnet and forwards orders from the Bot header to the Bot client) [5, 6]. The attack modes of Botnets keep evolving.
Generally, these modes can be divided into categories such as adware installation, email distribution, illegal use of intellectual property, password cracking, click fraud, and DDoS. Botnets can further be subcategorized into IRC Botnets, HTTP Botnets, and P2P Botnets. IRC is the most common transfer protocol used by Botnets, and IRC also follows the client-server model. An HTTP Botnet uses the HTTP protocol to issue commands and exert control through an established web server or community website. Because it communicates over port 80, an HTTP Botnet is also hard for a firewall to block [10]. A P2P Botnet, in the centralized P2P network form, has a central index server that records resource index information and responds to searches from clients, so the network stops working once that server goes wrong [12].

Kai Chain*1, Cheng-Chung Kuo2, and Chu-Sing Yang2
1 Department of Computer and Information Science, R.O.C. Military Academy, Kaohsiung 830, Taiwan
2 Institute of Computer and Communication Engineering, Department of Electrical Engineering, National Cheng Kung University, Tainan 701, Taiwan
*chainkai@mail2000.com.tw, jjguo@crypto.ee.ncku.edu.tw, csyang@mail.ee.ncku.edu.tw

International Journal of Computer Science and Information Security (IJCSIS), Vol. 14, No. 10, October 2016 194 https://sites.google.com/site/ijcsis/ ISSN 1947-5500
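Returning to the flood described in the Introduction (a large number of packets carrying spoofed source IP addresses), the following added example, which is not code from the paper or its testbed, shows how a defender can flag such traffic per destination by combining packet rate with the randomness of source addresses. The record format, the addresses, and both thresholds are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

def build_sample():
    """Constructed packet records (second, src_ip, dst_ip); not captured traffic."""
    pkts = [(t, f"192.168.1.{c}", "10.0.0.5") for t in range(10) for c in (10, 11, 12)]
    # One legitimate client sending a burst: high rate, but a single source.
    pkts += [(7, "192.168.1.20", "10.0.0.5")] * 500
    # Flood toward 10.0.0.9 in seconds 3-5: 400 packets/s, every source different.
    n = 0
    for t in (3, 4, 5):
        for _ in range(400):
            n += 1
            pkts.append((t, f"172.16.{n // 256}.{n % 256}", "10.0.0.9"))
    return pkts

def source_entropy(srcs):
    """Shannon entropy of the source addresses, normalised to the range 0..1."""
    if len(srcs) < 2:
        return 0.0
    total = len(srcs)
    h = -sum(c / total * math.log2(c / total) for c in Counter(srcs).values())
    return h / math.log2(total)

def detect_spoofed_floods(packets, min_pps=200, min_entropy=0.9):
    """Flag (second, dst) buckets with a high packet rate AND near-random sources.

    Both thresholds are illustrative assumptions, to be tuned per network.
    """
    buckets = defaultdict(list)
    for ts, src, dst in packets:
        buckets[(int(ts), dst)].append(src)
    alerts = []
    for (second, dst), srcs in sorted(buckets.items()):
        entropy = source_entropy(srcs)
        if len(srcs) >= min_pps and entropy >= min_entropy:
            alerts.append((second, dst, len(srcs), round(entropy, 2)))
    return alerts

if __name__ == "__main__":
    for alert in detect_spoofed_floods(build_sample()):
        print("possible spoofed-source flood:", alert)
```

The single-source burst at second 7 exceeds the rate threshold but is not flagged, because its source entropy is close to zero; keying the check on the destination matters because per-source rate limits see only one packet from each spoofed address.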