On one honeypot we observed 12 attempts to install IRC bots to join various botnets after system access was gained. In one example we analysed, a bot connected to a channel on a public IRC server to which 387 other clients had already connected. Typically, the vast majority of the bots supported commands for denial-of-service attacks. Since most Linux boxes tend to be servers rather than workstations, it is plausible that even a relatively small botnet of around 400 Linux machines would have a great deal of bandwidth available to mount a DoS attack, while being small enough to evade detection until used. For examples of two attacks that attempted to join botnets, see 'The Lupper Worm' and 'Mambo Exploit' in Appendix A. The paper Know Your Enemy: Tracking Botnets gives more detail on how botnets operate.