
The Analysis and Reconstruction of Attack Paths for Botnet

Advisor: 王平

Abstract


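Existing research on IP (Internet Protocol) traceback assumes that Internet Service Providers (ISPs) will cooperate fully and provide complete router records for tracing attackers. In practice, assuming ISP cooperation involves intelligence exchange for joint defense, so the traceback problem must be examined under the assumption that sufficient router records are not available. This study applies a modified Ant Colony Optimization (ACO) algorithm to trace back to the botnet Command and Control (C&C) center, and builds a mathematical model for analyzing botnet attack paths. Its distinguishing feature is that it integrates event logs from honeypot systems or routers to reconstruct the possible botnet attack paths, and estimates the support and confidence of each attack path, guarding against deception by spoofed IP addresses. The system is validated with the NS2 (Network Simulator, version 2) simulation tool, using spoofed IP addresses to carry out botnet attacks and verify the system's effectiveness. Experiments show that the proposed method can, in a dynamic network environment, infer in reverse the most likely attack path and the botnet C&C center.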

Parallel Abstract


Existing botnet detection schemes all assume that ISPs will cooperate in recording or generating the routing information needed for path reconstruction. In practice, ISP cooperation is a matter of mutual benefit in intelligence exchange, so the constraint that requires cooperation between ISPs ought to be relaxed. A new IP traceback scheme based on the ant colony optimization (ACO) algorithm is proposed for incomplete attack information assembled from routing honeypots or routers' logs. The aim of our work is to develop an analysis model that reconstructs attack paths and traces back to the botnet Command and Control (C&C) via ant-inspired collective intelligence, finding possible routes together with their support and confidence degrees. The model is validated using NS2 (Network Simulator, version 2), compiled with a dark IP map, to simulate spoofed IP attacks and test the model's effectiveness. Furthermore, sensitivity analysis is conducted to investigate the effect of significant parameters on the resulting attack paths. Experimental results show that the proposed approach effectively suggests the best attack path and the botnet's Command and Control in a dynamic network environment.

Keywords

Botnet; Bot; zombie; attack path; ant colony optimization


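Cited By


蘇永護 (2010). Detection and Blocking of Botnet Packet Behavior Based on DNS Packet Content [Master's thesis, Tatung University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0081-3001201315105804
郭忠山 (2011). A Study of Botnet Detection and Management Mechanisms: The Case of a Government Agency [Master's thesis, National Formosa University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0028-2507201110053900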
