How many bots? How many botnets?

we touched on this subject in the past, but recently rich kulawiek wrote a very interesting email to nanog to which i replied, and decided to share my answer here as well –

i stopped really counting bots a while back. i insisted, along with many friends, that counting botnets was what matters. when we reached thousands we gave that up.

we often quoted anti-nuclear weapons proliferation sentiments from the cold war, such as: “why be able to destroy the world a thousand times over if once is more than enough?” we often also changed it to say “3 times” as redundancy could be important. :>

today, it is clear the bad guys can get their hands on as many bots as they need, or in a more scary scenario, want. they don’t need that many.

as a prime example, i believe that verisign made it public that only 200 bots were used in the dns amplification attacks against them last year. even if they missed one, two or even three zeroes, it speaks quite a bit as to our fragile infrastructure.

if brute force alone can achieve this, what of application attacks, perhaps even 0days? :)

still, we keep surviving and we will still be here next year, too, with bigger and bigger trucks and tubes to hold the internet together, whether for regular or malicious usage. ecommerce and online banking might not survive in a few years if people such as us here don’t keep doing what we do, but that part of it is off topic to nanog.

10 years ago, almost no one knew what botnets were. counting and measuring seemed to be very important 3 years ago, and to governments and academics, even a year ago. today it is just what funding for botnet research is based on ( :) ), still, i don’t really see the relevance. botnets are a serious issue, but they are only a symptom of the problem called the internet.

sitting on different networks and testing them for how many malicious scans happen every second/minute/hour/day and then checking that against how many machines with trivially exploited vulnerabilities exist on these networks can fill in some of the puzzle, but the delta from what we may see if we consider email attachments and malicious web sites…

the factor may be quite big.

we will never be able to count how many bots exist. we can count limited parts of that pool such as those seen in spam. these are several millions every day (which should be scary enough) but not quite the right number.

and this is before we get into the academic off-topic discussion of what a bot actually is, which after almost 11 years of dealing with these i find difficult to define. is it an ip address? a computer? perhaps an instance of a bot sample (and every machine could have even hundreds).

welcome to the realm of internet security operations and the different groups and folks involved (and now industry). it is about internet security rather than this or that network security or this and that sample detection.

gadi evron,
ge@beyondsecurity.com.

Share