While the topic of large botnets has certainly captured the attention of academicians and practitioners alike [5,7,12,14,15,16], there seems to be little, if any, agreement on what specifically the size of a botnet refers to. Arguably, the only consensus seems to be that a botnet's size is the main determining factor of its perceived impact. However, unlike other classes of malware (e.g., worms), where the size of the infected population determines the impact of the outbreak, botnet size can convey several meanings. Therefore, to clear the fog on this issue, we start by providing different definitions of botnet size and detail the context in which each definition is relevant.
In what follows, we draw the distinction between two main terms. First, we denote a botnet's footprint as the overall size of the infected population at any point in its lifetime. While this measure reflects how wide spread a botnet infection is, it fails to capture the actual capacity of the botnet to execute a particular command issued by the botmaster at any given point in time. Second, we consider the botnet's live population as the number of live bots simultaneously present in the command and control channel. Therefore, unlike its footprint, the live population of a particular botnet indicates the botnet's capacity to perform a malicious task posted as a command message by the botmaster.
Generally speaking, the estimation techniques we survey belong to two broad categories based on the information used. Next, we elaborate on each category, detailing the estimation techniques, their challenges, and their relevance in light of the aforementioned notions.