Advanced botnet: 
A Bot is defined as malware that runs on a compromised system, designed to participate in a centrally managed network of compromised computers. This network is known as a botnet. Single botnets have been known to consist of over a million compromised computers, and are arguably the most significant threats to the global internet today. The central management is by a command and control server (C&C).

Bot herders are moving from massive botnets of thousands of zombies to smaller and more targeted ones. Also, the IRC protocol for command and control (C&C) is being phased out in favor of more covert protocols. These protocols include HTTP or non-SSL encrypted traffic over port 443. 

The host on which the Bot runs, is known as the attack target.
The C&C server is the attack source.
 

HTTP:
The host sends an HTTP request to the C&C server. The packet from the host to the C&C server (HTTP server) lists the host as the source (src) IP and the C&C server (HTTP server) as the destination (dest) IP. When an alert is raised for this C&C communication, the attacker src is the C&C server IP and the attacked host is the attack destination. 

DNS:
The host sends a DNS request for the C&C server Domain and the DNS server responds with an IP. The attack source here is the C&C server IP and the attack target is the host that sends the DNS request. 

As in the HTTP case, when an alert is raised for this attack, the attacker src is the C&C server IP and the attacked host is the attack destination.

NOTE: Src IP and dest IP in threat explorer are not the src and dest IP in the packet, but the attack src and attack target.