
One Botnet to Rule Them All

Before addressing our main question, let us first analyze the global statistics that we can infer about the botnet problem in general from the available data. Despite earlier predictions [11], even this seemingly simple task is laden with challenges. For example, a crude count of the number of unique bots (based on user IDs) across all botnets we tracked results in an estimate of 1,153,371 bots, while counting the IP addresses (either cloaked or plain) yields a more moderate figure of 426,279 bots. Notice, however, that these estimates do not account for two important factors: the overlap across different botnet populations (which may be substantial) and the impact of dynamic addressing (e.g., DHCP and NATting), which is generally difficult to quantify [3], especially when the IP addresses of the bots are cloaked.
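As an added illustration (not code or data from the paper), the sketch below tallies a small constructed set of channel observations by user ID and by IP address, and flags the cross-botnet overlap and address churn that the crude counts ignore. The record layout, botnet names, user IDs, addresses and the function name are assumptions made for the example.

```python
from collections import defaultdict

# Constructed observations: (botnet, user_id, ip). Not data from the study.
OBSERVATIONS = [
    ("botnet-A", "USA|00123", "198.51.100.7"),
    ("botnet-A", "USA|00123", "198.51.100.7"),  # same bot seen again
    ("botnet-A", "USA|88410", "198.51.100.7"),  # same host, different ID
    ("botnet-A", "DEU|45001", "203.0.113.20"),
    ("botnet-A", "DEU|45001", "203.0.113.87"),  # DHCP lease changed
    ("botnet-B", "xp-77120", "198.51.100.7"),   # host also in botnet-B
    ("botnet-B", "xp-30911", "192.0.2.44"),
    ("botnet-B", "xp-30912", "192.0.2.44"),     # two hosts behind one NAT
]

def footprint_estimates(observations):
    """Return the crude counts plus the signals that make them unreliable."""
    ids_by_net = defaultdict(set)   # botnet -> user IDs seen
    ips_by_net = defaultdict(set)   # botnet -> IPs seen
    ips_per_id = defaultdict(set)   # (botnet, user ID) -> IPs seen
    for botnet, user_id, ip in observations:
        ids_by_net[botnet].add(user_id)
        ips_by_net[botnet].add(ip)
        ips_per_id[(botnet, user_id)].add(ip)

    all_ips = set().union(*ips_by_net.values())
    # Overlap: addresses that appear in more than one botnet's population.
    shared = {ip for ip in all_ips
              if sum(ip in ips for ips in ips_by_net.values()) > 1}
    # Dynamic addressing: one ID observed from several addresses.
    churned = [key for key, ips in ips_per_id.items() if len(ips) > 1]

    return {
        "by_user_id": sum(len(ids) for ids in ids_by_net.values()),
        "by_ip_per_botnet": sum(len(ips) for ips in ips_by_net.values()),
        "by_ip_global": len(all_ips),
        "ips_in_multiple_botnets": len(shared),
        "ids_seen_on_multiple_ips": len(churned),
    }

if __name__ == "__main__":
    for name, value in footprint_estimates(OBSERVATIONS).items():
        print(f"{name}: {value}")
```

In this constructed set the ID count is inflated by overlap and by a host using more than one ID, while the IP count is pushed up by the DHCP change and down by the shared NAT address, so neither figure can be read as a host count.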

From another viewpoint, we note that our cache probing results show evidence of at least one botnet infection in 11% of the 800,000 DNS servers we probed. While one could speculate that this figure is in agreement with the conjecture that bots reside in 11% of the overall Internet host population (e.g., [11]), this claim cannot be easily justified. In fact, our DNS results cannot be directly extrapolated to actual bot counts.


Fabian Monrose 2007-04-03