
Large Botnets May Not Be So Big After All

We now return to our outstanding question: how big is a botnet? In short, the answer is that it depends. To see why, let us explore the results for estimating the size of the botnets we tracked, based on the strategies given in Section 2. Figure 1 shows the complementary cumulative density function (CCDF) of botnet footprint sizes, counted by user IDs and by IP addresses for the botnets that broadcast that information. Overall, 52% of the botnets we tracked make such data available. Notice that counting bot IP addresses versus IDs already leads to one discrepancy. While botnet sizes, by ID count, can exceed 450,000 bots, counting by IP addresses yields sizes in the range of 100,000 bots.

Figure 1: CCDF of the aggregate infected host population counted by unique IDs and unique IP addresses.
[Figure 1 plot: graphs/botnet_sizes_cdf.eps]

Figure 2 shows the CCDF of the live botnet population size for the same set of botnets. Clearly, there is an even more substantial discord in this case. While botnet footprint sizes can exceed 100,000 infections^1, their live populations are normally in the range of a few thousand bots, a significant decrease in size that has a profound impact on the perceived vivaciousness of these botnets. This discrepancy can be explained by the fact that the live population of a botnet is normally constrained by the capacity of the botnet server and affected by high bot churn rates [14].
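To make the three counts concrete, the following is an added example (not code from the paper) that derives the ID footprint, the IP footprint and the live population (peak number of simultaneously online bots) from a constructed log of join/quit events, and builds the CCDF used in Figures 1 and 2; the log format, botnet names, IDs and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of membership events (not real data).
# Fields: timestamp, botnet, event (JOIN/QUIT), bot ID, source IP.
# Note 10.0.0.1 reappears with a fresh random ID: one host, two IDs.
EVENTS = """\
2007-01-05T10:00:00 botA JOIN USA|012345 10.0.0.1
2007-01-05T10:00:10 botA JOIN USA|998877 10.0.0.2
2007-01-05T10:02:00 botA QUIT USA|012345 10.0.0.1
2007-01-05T10:03:00 botA JOIN USA|555555 10.0.0.1
2007-01-05T10:04:00 botA JOIN DEU|111111 10.0.0.3
2007-01-05T10:05:00 botA QUIT USA|998877 10.0.0.2
2007-01-05T10:06:00 botA JOIN USA|998877 10.0.0.2
2007-01-05T10:10:00 botA QUIT DEU|111111 10.0.0.3
2007-01-05T11:00:00 botB JOIN GBR|424242 10.0.1.9
2007-01-05T11:30:00 botB QUIT GBR|424242 10.0.1.9
"""

def parse_events(text):
    """Parse log lines into (time, botnet, event, bot_id, ip), sorted by time."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, botnet, ev, bot_id, ip = line.split()
        rows.append((datetime.fromisoformat(ts), botnet, ev, bot_id, ip))
    return sorted(rows, key=lambda r: r[0])

def size_estimates(rows):
    """Return {botnet: (footprint_by_id, footprint_by_ip, live_population)}."""
    ids, ips = defaultdict(set), defaultdict(set)
    online, peak = defaultdict(set), defaultdict(int)
    for _, botnet, ev, bot_id, ip in rows:
        ids[botnet].add(bot_id)          # footprint: every ID ever seen
        ips[botnet].add(ip)              # footprint: every address ever seen
        if ev == "JOIN":
            online[botnet].add(bot_id)   # live population: currently connected
            peak[botnet] = max(peak[botnet], len(online[botnet]))
        elif ev == "QUIT":
            online[botnet].discard(bot_id)
    return {b: (len(ids[b]), len(ips[b]), peak[b]) for b in ids}

def ccdf(sizes):
    """For each distinct size x (ascending), the fraction of botnets with size >= x."""
    n = len(sizes)
    return [(x, sum(1 for s in sizes if s >= x) / n) for x in sorted(set(sizes))]
```

Running `size_estimates(parse_events(EVENTS))` on the constructed log gives botA an ID footprint of 4, an IP footprint of 3 and a live population of 3, reproducing in miniature the ordering the figures show at scale.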

Figure 2: CCDF of the maximum number of simultaneous online bots.
[Figure 2 plot: graphs/botnet_online_bots_cdf.eps]

Finally, we resorted to DNS cache snooping to estimate the DNS footprints of the remaining 48% of the botnets that do not publish membership data. Figure 3 presents the CCDF of DNS footprint sizes. Because in this case we count domains rather than bots, the discrepancy between DNS footprints and infection footprints (cf. Fig. 1) is wide. Refining the estimate of a botnet's infected population from its DNS footprint is a subject that warrants further work and one we are currently pursuing.

Figure 3: CCDF of the DNS footprint sizes.
[Figure 3 plot: graphs/botnets_dns_footprints_ccdf.eps]


Fabian Monrose 2007-04-03