NSP-SEC

Lorand Jakab ljakab at ac.upc.edu
Mon Mar 22 05:24:04 CDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/22/10 04:58, Patrick W. Gilmore wrote:
> On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:
>
>>>>> There is, by the way, no relief from this due to events
>>>>> like the recent bust of the Mariposa botnet (13M systems);
>>
>> The public numbers advertised were 13M _IPs_ connecting to a
>> sinkhole over more than a month's time.  When I've had visibility
>> into other large botnets (srizbi, rustock, mega-d), I was
>> consistently seeing a 10 to 1 IPs-to-unique-bots count over a
>> time period of a week.  Happy to make the raw pcap data available
>> to anyone who is curious.  The UCSB guys showed similar results
>> in their excellent Torpig paper.
>> http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>>
>> My unscientific finger-in-the-wind would put it at well under 1M
>> when you are talking a month and a half of monitoring IP
>> connections.
>
> First, Alex, don't you know all security people are 100% secretive?
> :)
>
> Back on topic, there is good data out there showing far, far more
> than 1 million hosts on the Internet infected.  Hrmm, my first two
> Google searches did not turn anything up.  So maybe those security
> guys are being secretive!
>

There are usually two important numbers to consider when discussing
botnet sizes: botnet footprint and the number online bots. The former
is the one typically reported by media and antivirus companies,
because it's much larger (and more impressive). It represents the
total number of host that were infected during the whole lifetime of
the botnet. However, over time many machines are cleaned (i.e.,
Microsoft's MSRT on patch Tuesdays), new machines still get infected,
but the number gets updated always only with the new infections. So it
gets high over time, but doesn't represent the actual firepower of the
botnet, which is the second figure, the number of online bots. This is
the number of host that are available to the botmaster at a given
time, and is much smaller.

To give an example, a measurement done by Thorsten Holz et al. on the
infamous Storm botnet in 2008 showed that the number of online hosts
was actually just around 30,000 at the time of the measurements, while
the highly publicized botnet size (representing the footprint) was
over 1M. I'm not up to date on the topic, but I assume the
relationship between the two figures is similar these days.

So I think Rich and Valdis were talking about footprint and Alex about
the online bots, and the two order of magnitude difference actually fits.

- -Lorand Jakab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAkunRUMACgkQlUwN75BxDXQWHgCgsx1KRnomAL9Y8iwl8kff5skC
vIMAmwaM8d68DqmXzlYovRS08AO/ePwV
=LoNE
-----END PGP SIGNATURE-----





More information about the NANOG mailing list