From “Killing Botnets” by Ken Baylor and Chris Brown of McAfee.

A botnet of 1 million bots, with a conservative 128 Kbps broadband upload speed per infected bot, can wield a powerful 128 gigabits of traffic. This is enough to take most of the FORTUNE 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.

I’m pretty sure that the threat posed by botnets is the one that we need to be most anxious about. It’s a real threat against which we are really vulnerable, and the potential event costs are off the scale. That all equates to very high risk.

Baylor and Brown’s paper is really an advert for McAfee’s Intrushield product but don’t dismiss it as merely a sales pitch because the research is valid regardless of whether you want the product or not.

More interesting is the latest edition of Symantec’s Internet Threat Report (vol 12, published in September). This states that between “January 1 and June 30, 2007, Symantec observed an average of 52,771 active bot-infected computers per day…also observed 5,029,309 distinct bot-infected computers during this period.” This, according to the statistics, is actually a 17% reduction on the previous period. Academic research on the subject, however, indicates that many bots are not detected until the botherder has abandoned the computer: only once the bot client stops running can the remnants be detected. That is to say, the actual number is much larger than what Symantec can report.

The research paper, A Multifaceted Approach to Understanding the Botnet Phenomenon by Rajab, Zarfoss et al., reports the following observation:

To provide a broader view of the scope of botnet activity, we present the cumulative results of our DNS probing experiments. Over the duration of the monitored period, we tracked cache hits for a total of 65 IRC server domain names. From the 800,000 probed servers, 85,000 (or ≈ 11%) were involved in at least one botnet
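The “DNS probing” the paper refers to is cache snooping: a query sent with the recursion-desired (RD) bit clear asks a resolver only for what it already holds in cache, so an answer means some client behind that resolver recently looked the name up, and an empty answer means nobody did (or the entry has expired). The following is an added example, not the authors’ code or data: it builds such a probe for a hypothetical C&C name (irc.example.net), and parses a reply into a cached/not-cached verdict. The two replies it classifies are constructed in-line so the block runs offline.

```python
"""DNS cache snooping probe (added example; not code from Rajab et al.)."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: \\x03irc\\x07example\\x03net\\x00."""
    return b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"


def build_probe(name: str, txid: int = 0x1234) -> bytes:
    """Build a non-recursive A query: all flag bits zero, so RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def classify(response: bytes) -> dict:
    """Interpret a reply to build_probe(): cache hit or miss, plus any A records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(response, off) + 4
    records = []
    for _ in range(an):                # walk the answer section
        off = skip_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            records.append((".".join(str(b) for b in rdata), ttl))
    # A resolver that did not recurse can only answer from cache, so any
    # answer with NOERROR is a hit; the TTL is the remaining cache lifetime.
    return {"txid": txid, "rcode": rcode, "cached": rcode == 0 and an > 0,
            "answers": records}


def make_reply(query: bytes, a_records=()) -> bytes:
    """Construct a resolver reply to a probe (test data, not captured traffic).
    a_records is a list of (ipv4, remaining_ttl)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8000 | 0x0080,   # QR=1, RA=1
                         1, len(a_records), 0, 0)
    answers = b""
    for ip, ttl in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += (b"\xc0\x0c"                               # pointer to qname at offset 12
                    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata)
    return header + question + answers


if __name__ == "__main__":
    probe = build_probe("irc.example.net")
    print(classify(make_reply(probe, [("203.0.113.5", 117)])))  # cached: True
    print(classify(make_reply(probe)))                           # cached: False
```

Two caveats a practitioner would add: many resolvers answer RD=0 queries from outside their client base with REFUSED (rcode 5), which tells you nothing about the cache, and probing resolvers you do not operate is at best impolite, so the technique is mainly useful against your own recursive resolvers as a cheap indicator that some internal host resolved a known C&C name.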


What should we do with botnets when we find them on our networks? Clearly, blocking inbound and outbound traffic relating to a botnet is the first reaction. Pre-emptive and proactive measures are also essential in my opinion. Can we go straight to the source and take action against the “botnet herder”? That is an option, but it still leaves behind a multitude of infected hosts. There are really only three options at the moment, and these are described in the book Botnets by Schiller, Binkley et al. (ISBN: 978-1-59749-135-8).

1. We need more education about security in general and botnets in particular.

2. We need more white-hat organizations and communication between security professionals.

3. If you follow good security practices, the odds are you won’t be joining a botnet.

The same book makes another important observation: “To be owned, each botnet client has to have at least one security issue…a new shiny firewall won’t solve the problem unless it somehow is part of a process of incremental improvement with some brainpower and policy thinking behind it”

I wanted to avoid writing an essay so I’ll close off with some bullet points to be thinking about:

– Botnets are modular—one module exploits the vulnerabilities it finds to gain control over its target

– Botnets are adaptive; they can be designed to download different modules to exploit specific things that they find on a victim.

– Botnet attacks are targetable. That is, the hacker can target a company or a specific market sector.

– Although botnets can be random, they can also be customized to a selected set of potential hosts

– The targeting capability of botnets is adaptive. The bot client can check a newly infected host for applications that it knows how to exploit.

The aforementioned research paper closes with the following remark:

Last but not least, our graybox testing technique enabled us to understand the level of sophistication reached by bot software today, which includes self-protection mechanisms and modular packages with multiple attack vectors.

1 comment

It's funny you write about Baylor and Brown. Within a month of that paper being published, Baylor became Chief Information Security Officer, not of McAfee, but of Symantec. Brown followed him there within 3 months and heads up Risk Management.