Of late, articles about botnets with hundreds of thousands of members have captured the headlines on several occasions (e.g., [11,17,18]). This attention is warranted, as botnets undoubtedly pose a significant threat to the Internet. Starting from the early work of Freiling et al. [7], a number of research efforts have explored the rise of botnets. However, the issue of determining botnet size still remains contentious. In particular, Dagon et al. used DNS redirection to study the size and evolution of several botnets and reported botnets with 350,000 members [5]. Similar observations were also reported in [8,13]. In contrast, the work of Cooke et al. [4] and Jahanian [9] seem to point to a trend towards smaller botnets with sizes ranging from several hundreds to a few thousand hosts; many of these botnets emerge and then become defunct after relatively short periods of time [9]. In this paper we examine two techniques for gleaning information about a botnet's size namely, IRC tracking and DNS snooping [6]. Our results show that while the footprints of the botnets we tracked can grow to several tens of thousands of bots, their effective sizes usually are limited to a few thousands at any given point in their lifetime. These discrepancies argue that botnet size should be a qualified term that is relevant only within the context of the counting method used to generate the result.
Equally important to the question of size is that of the overall prevalence of botnets. While the earlier work of Rajab et al. [14] provided partial insights about this issue, more recent work has attempted to answer this particular question. Specifically, Ramachandran et al. [15] monitored queries sent to servers maintaining the DNS names of blacklisted hosts to infer the overall prevalence of bots in these lists. In this paper, we show that the same discrepancies that plague size measurements of individual botnets apply to total populations counts as well, and we attempt to expose the causes that lead to these inaccurate and conflicting size estimates.
Lastly, Dagon et al. [10] presented a taxonomy and analysis of potential botnet structures. In this paper, we sketch a technique for unveiling the existence of hidden clusters among botnets.