On 03/22/10 04:58, Patrick W. Gilmore wrote:
> On Mar 21, 2010, at 9:52 PM, Alex Lanstein wrote:
>
>>> There is, by the way, no relief from this due to events like the recent bust of the Mariposa botnet (13M systems);
>>
>> The public numbers advertised were 13M _IPs_ connecting to a sinkhole over more than a month's time. When I've had visibility into other large botnets (srizbi, rustock, mega-d), I was consistently seeing a 10 to 1 IPs-to-unique-bots count over a time period of a week. Happy to make the raw pcap data available to anyone who is curious. The UCSB guys showed similar results in their excellent Torpig paper. http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
>>
>> My unscientific finger-in-the-wind would put it at well under 1M when you are talking a month and a half of monitoring IP connections.
>
> First, Alex, don't you know all security people are 100% secretive? :)
>
> Back on topic, there is good data out there showing far, far more than 1 million hosts on the Internet infected. Hrmm, my first two Google searches did not turn anything up. So maybe those security guys are being secretive!
There are usually two important numbers to consider when discussing botnet sizes: botnet footprint and the number of online bots. The former is the one typically reported by media and antivirus companies, because it's much larger (and more impressive). It represents the total number of hosts that were infected during the whole lifetime of the botnet. However, over time many machines are cleaned (i.e., Microsoft's MSRT on patch Tuesdays), new machines still get infected, but the number gets updated always only with the new infections. So it gets high over time, but doesn't represent the actual firepower of the botnet, which is the second figure, the number of online bots. This is the number of hosts that are available to the botmaster at a given time, and is much smaller.

To give an example, a measurement done by Thorsten Holz et al. on the infamous Storm botnet in 2008 showed that the number of online hosts was actually just around 30,000 at the time of the measurements, while the highly publicized botnet size (representing the footprint) was over 1M. I'm not up to date on the topic, but I assume the relationship between the two figures is similar these days.

So I think Rich and Valdis were talking about footprint and Alex about the online bots, and the two orders of magnitude difference actually fits.

-Lorand Jakab
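As an added illustration of the two measurements discussed in this thread (this is example code, not something any of the posters shared), the script below runs over a constructed sinkhole-style beacon log and computes the footprint (every infection ever seen), the online count at a given instant, and the IP-to-bot ratio that Alex describes. It assumes each beacon carries a per-infection identifier (`bot_id`), which is a simplification; a real sinkhole would have to extract such a token from the malware's protocol or fall back on heuristics. The sample data models dynamic-IP churn (a new address per day), one host cleaned mid-week and one new infection late in the week.

```python
from datetime import datetime, timedelta

# Constructed sinkhole beacon log (not real data). Each record is
# (timestamp, source_ip, bot_id). bot_id is an assumed per-infection
# token; the IP changes daily to mimic dynamic-IP subscribers.
T0 = datetime(2010, 3, 1)


def _ip(bot, day):
    # Assumed: each subscriber gets a fresh address every day.
    return f"198.51.100.{bot * 10 + day}"


def build_log():
    """Seven days of beacons: bots 1-4 infected from day 0, bot 4 cleaned
    after day 2 (think MSRT on patch Tuesday), bot 5 newly infected on day 5."""
    log = []
    for day in range(7):
        ts = T0 + timedelta(days=day)
        for bot in range(1, 5):
            if bot == 4 and day >= 3:
                continue  # host was cleaned; it stops beaconing
            log.append((ts, _ip(bot, day), f"bot-{bot}"))
        if day >= 5:
            log.append((ts, _ip(5, day), "bot-5"))
    return log


def footprint(log):
    """Footprint: every distinct infection seen over the whole period.
    Only ever grows, even after hosts are cleaned."""
    return len({bot for _, _, bot in log})


def unique_ips(log):
    """What a sinkhole sees if it can only count source addresses."""
    return len({ip for _, ip, _ in log})


def online_bots(log, at, window=timedelta(days=1)):
    """Bots that beaconed within `window` before `at`: the usable firepower.
    The window is half-open so a beacon exactly one window old is not counted."""
    return len({bot for ts, _, bot in log if at - window < ts <= at})


def ip_to_bot_ratio(log):
    """Inflation factor when IPs are reported as if they were hosts."""
    return unique_ips(log) / footprint(log)


def timeline(log, days):
    """(day, cumulative footprint, online bots) per day, showing that the
    footprint keeps rising while the online count can drop."""
    seen, rows = set(), []
    for day in range(days):
        at = T0 + timedelta(days=day)
        seen |= {bot for ts, _, bot in log if ts <= at}
        rows.append((day, len(seen), online_bots(log, at)))
    return rows


if __name__ == "__main__":
    log = build_log()
    print("unique IPs seen:", unique_ips(log))
    print("footprint (unique bots):", footprint(log))
    print("IPs per bot:", ip_to_bot_ratio(log))
    for day, fp, online in timeline(log, 7):
        print(f"day {day}: footprint={fp} online={online}")
```

On this toy data 26 addresses map to only 5 infections, and by day 6 the footprint reads 5 while only 4 bots are actually reachable; the same three numbers (IPs, footprint, online) are what separate the "13M" headline figure from Alex's "well under 1M" estimate.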