Botnets: Does Size Matter?

Every so often the command and control servers for a botnet get taken down, and we are told breathlessly by the more extravagant security experts that this botnet was responsible for a quarter (or a half or a third) or all the world's spam, and that we can expect to see a big reduction in spam volumes. However, here at Cloudmark, where we're actually filtering a big chunk of the world's spam, we don't see much long term difference in spam volumes before and after these botnet take downs. After each botnet take down occurs, spammers simply switch their spam campaign traffic to a different botnet. There are only a few hundred large scale spam operations and maybe a few dozen botnet herders around that cater to spammers. Many of them are in touch with one another on various underground forums. Spammers may already be operating on multiple botnets, and when one is out of service, they can simply increase the volume on the others. That's not to say that taking botnets down is unimportant. Anything we can do to make spamming more difficult and expensive is a win as long term it will result in fewer spammers and less spam. However, there is another factor at work here. While the total number of machines under control of the bot herders has some impact on spam volumes, the rate of infection of new machines is more important. I believe we could take down the command and control servers for every botnet in the world at the same time, and within a few months spam levels would be back to where they were before the take down. Let's talk about why. First of all, it's very hard to estimate botnet size. Most estimates are based on the number of IP addresses accessing the Command and Control servers, or sending spam. However, the relationship between IP addresses and infected devices is not one to one. Networks with a limited IP address space may use NAT to support multiple infected machines with a single outbound IP address, and conversely, some networks may reassign dynamic IP addresses frequently, causing a single infected machine to be counted more than once as it shows up in botnet trackers as multiple IP address entries. Nevertheless, once an infected machine has been sending spam for any length of time, all the IP addresses it appears on will get blacklisted on the various lists maintained by Cloudmark and other anti-spam organizations. An infected machine has a useful life to the spammer of anywhere from a few minutes to a few weeks depending on the volume of spam that they are sending from it. The machines that have been infected for a while may still be active and trying to send spam, but in most cases they will be blocked as soon as they try to make an SMTP connection, and will rarely get to send messages successfully. While botnets can be useful for other purposes (setting up fake webmail accounts, data mining social networks, DDOS attacks, etc.) for spamming they have a limited useful life. The spammer needs a constant supply of fresh IP addresses to stay in business. Most large scale malware infections happen due to exploits that already have a fix available. A device which is running the latest patches to the operating system and a current anti-virus package is less likely to get infected. We see most botnet spam originate from regions where there are many pirated and out of date copies of Windows, and far less from countries where users are more scrupulous about running security software and applying application and operating system updates. So long as operating systems and users fall short of perfection we are going to see machines on the Internet that are exploitable by spammers. While we applaud botnet take downs we feel that it is also necessary for ISPs to limit the amount of spam that can be sent by compromised devices and have active prevention, detection and remediation programs in place to reduce the economic value of bots and thus make spam less profitable. Coordinated activities, such as the voluntary “U.S. Anti-Bot Code of Conduct” organized by the FCC’s Communications, Security, Reliability and Interoperability Council (CSRIC), are useful frameworks for ISPs to conform to, encouraging greater education of consumers who may not be well educated in computer security matters as well as encouraging botnet remediation through data sharing amongst operators and the security community.