
2 Botnet Taxonomy

2.3 Measuring Botnet Effectiveness

The effectiveness of a botnet is an estimate of its overall utility for accomplishing a given purpose. While botmasters may innovate new uses of botnets, the ability of a botnet to meet existing uses such as spam, DDoS, warez distribution and phishing is roughly approximated by size and bandwidth. Both of these terms require elaboration.

We agree with [47] that “botnet size” must be a qualified term. Here, we do not use size to mean the total population count, such as that usually used in worm epidemiology studies [37–39, 50]. Instead, we mean the “giant” component of the botnet, or largest connected (or online) portion of the graph [10, 42]. Botnets are of course more powerful if they have a large infected population, but the giant component lets us directly measure the damage potentially caused by certain botnet functions.

In the case of DDoS, the giant component, S, lets us measure the largest number of bots that can receive instructions and participate in an attack. This contrasts with the total population of all infected victims, which may not always be reachable by the botmaster, e.g., because of diurnal variations [16].

A related measure is the average amount of bandwidth that a bot can contribute, denoted as B. Estimating bandwidth along a single link is a complex problem, and the subject of numerous investigations in the networking community [6, 25]. To estimate the cumulative bandwidth of an entire botnet presents an even more challenging task. For example, one could measure the bandwidth between bots, between a bot and the botmaster, or between any bot and a third party (e.g., a DDoS victim).

By average bandwidth, B, we mean the cumulative available bandwidth in a bot that a botmaster could generate from the various bots (e.g., for DDoS) under ideal circumstances. Such a measurement of course varies with the distribution of bandwidth available to each member of the botnet, the probability that any victim is “on-line” at any given time, and the amount of bandwidth already being consumed by the victims themselves (e.g., for normal use).

We roughly classify three types of bots according to their transit categories: those using modems (type 1), those using DSL/cable (type 2), and those using “high-speed” networks (type 3). While bandwidth within each class is highly variable in itself, we believe this grouping is a reasonable first approximation because these categories are standard in industry; e.g., many commodity databases already map connection classes according to them [34]. The probability of a bot belonging to type i is denoted as P_i. According to [24], a reasonable distribution for US-based bots could be estimated as P_1 = 0.3, P_2 = 0.6, P_3 = 0.1. Similar distributions could be inferred for a global population.

Let us denote the average maximum network bandwidth within each type as M_i, and the average normal usage of bandwidth within each type as A_i. Thus, the average available bandwidth that a botmaster could use on a bot is M_i − A_i. We simplify our measurement by assuming a botmaster would not use even more bandwidth, since this would interfere with the victim's existing use, and the disruption might alert them to the infection.

We also need to consider the diurnal sensitivity of these networks. More complete diurnal models of bot behavior were presented in [16]. However, to avoid modeling diurnal changes in numerous time zones, we can use a simplified metric based on the estimated number of hours a victim is online per day (and therefore capable of participating in the botnet). We assign different weights (denoting the distribution of time hosts are online each day) to each class of bots. For example, if we assume the average online hours per day for a bot using a modem is 2, for a bot with DSL/cable is 6, and for a bot with high-speed access is 24, then we have the probability vector W = [2/32, 6/32, 24/32] = [0.0625, 0.1875, 0.75]. We selected these numbers based on [43]; however, our analysis considers other ranges of values.

Using the simplified bandwidth estimation for each bot, and a simplified diurnal model, we can express the average available bandwidth of a bot as:

$$B = \sum_{i=1}^{3} (M_i - A_i)\, P_i\, W_i \qquad (1)$$

In Section 3, we suggest the utility of this metric by comparing different botnets. The weights and distribution of hosts in each class are of course variable. To understand their sensitivity, we evaluated the weighted bandwidth for different ranges of estimates.

Figure 1 shows the weighted bandwidth, with different variations in diurnal sensitivity. We can see in Figure 1(a) that the final average weighted bandwidth is around 20 Kbps for a single bot, for the values fixed in that plot. With approximately 50,000 such bots in a botnet, the botmaster can utilize about 1 Gbps bandwidth on average at any time. The parameters for the plots in Figure 1 are drawn from data measurements described in Section 3.
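The metric in Eq. (1) and the sensitivity sweep behind Figure 1 can be reproduced with a few lines of code. The block below is an added worked example, not code from the paper: P and the online-hour vector [2, 6, 24] are the values given in the text, while the per-class maximum bandwidth M_i and normal usage A_i are constructed placeholders (the paper's own values come from its Section 3 measurements and are not on this page), so the resulting B is illustrative rather than the ~20 Kbps figure quoted above.

```python
"""Worked example of the per-bot bandwidth metric B = sum_i (M_i - A_i) P_i W_i.

Added example; the M_i / A_i values are constructed placeholders, not the
paper's measurements.  Bandwidth units are kbps throughout.
"""
from typing import Dict, Sequence, Tuple

# From the text: class probabilities for US-based bots (modem, DSL/cable, high-speed).
P_US = [0.3, 0.6, 0.1]
# From the text: assumed online hours per day for each class.
HOURS_ONLINE = [2.0, 6.0, 24.0]
# Constructed placeholders for M_i (max bandwidth) and A_i (normal usage), in kbps.
M_KBPS = [56.0, 1500.0, 10000.0]
A_KBPS = [20.0, 500.0, 2000.0]


def diurnal_weights(hours_online: Sequence[float]) -> list:
    """Return W: each class's share of the total online hours.

    The paper normalises by the sum of hours (2/32, 6/32, 24/32), not by 24,
    so W is a distribution over classes rather than a per-class duty cycle.
    """
    total = float(sum(hours_online))
    if total <= 0:
        raise ValueError("at least one class must have positive online hours")
    return [h / total for h in hours_online]


def average_bandwidth(M: Sequence[float], A: Sequence[float],
                      P: Sequence[float], hours_online: Sequence[float]) -> float:
    """Eq. (1): B = sum_i (M_i - A_i) * P_i * W_i, in the units of M and A."""
    if not (len(M) == len(A) == len(P) == len(hours_online)):
        raise ValueError("M, A, P and hours_online must have the same length")
    if abs(sum(P) - 1.0) > 1e-9:
        raise ValueError("class probabilities P must sum to 1")
    W = diurnal_weights(hours_online)
    B = 0.0
    for m, a, p, w in zip(M, A, P, W):
        if a > m:
            # The model assumes the botmaster only takes the slack M_i - A_i.
            raise ValueError("normal usage A_i cannot exceed maximum M_i")
        B += (m - a) * p * w
    return B


def botnet_bandwidth(S: int, B: float) -> float:
    """Aggregate bandwidth of the giant component: S reachable bots times B."""
    return S * B


def sensitivity_sweep(M: Sequence[float], A: Sequence[float], P: Sequence[float],
                      type1_hours: float, medium_hours: Sequence[float],
                      high_hours: Sequence[float]) -> Dict[Tuple[float, float], float]:
    """Mimic one panel of Figure 1: fix type-1 hours, vary types 2 and 3.

    Returns a mapping (medium_hours, high_hours) -> B so the surface can be
    inspected or plotted.
    """
    return {
        (h2, h3): average_bandwidth(M, A, P, [type1_hours, h2, h3])
        for h2 in medium_hours
        for h3 in high_hours
    }


if __name__ == "__main__":
    B = average_bandwidth(M_KBPS, A_KBPS, P_US, HOURS_ONLINE)
    print(f"W = {diurnal_weights(HOURS_ONLINE)}")
    print(f"B = {B:.3f} kbps per bot (constructed M/A values)")
    print(f"50,000 bots -> {botnet_bandwidth(50_000, B) / 1e6:.2f} Gbps")
    for (h2, h3), b in sorted(sensitivity_sweep(M_KBPS, A_KBPS, P_US, 2.0,
                                                [6.0, 12.0], [12.0, 24.0]).items()):
        print(f"type1=2h medium={h2:>4}h high={h3:>4}h -> B={b:8.3f} kbps")
```

Because W is normalised across classes, raising one class's online hours lowers the other classes' weights; that coupling is what makes the surfaces in Figure 1 shift as the type-1 hours are changed.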

The plots reveal the sensitivity of this metric to the diurnal variation in users. Compare for example Figure 1(a), where low bandwidth users are presumed on-line for only two hours, to Figure 1(c), where six hours is fixed instead. For diurnal weighing above 6 hours/day, variation in the online hours for the medium and high-bandwidth users does not result in much variation in the overall bandwidth, as shown in Figure 1(a). However, in Figure 1(c), the online variation of the other classes has a significant impact on bandwidth, particularly when higher-speed users are “always on” and have a diurnal weight of 1. This suggests that botnets with many low-speed connections experience less variation when the lower-speed connections minimize their time online. In Section 3, we further compare estimated bandwidth of two botnets.

[Figure 1: three surface plots of Weighted BW (kbps) against Medium BW (hours) and High BW (hours).]

(a) Fixed online hours for Type 1 at 2, varying other two types.

(b) Fixed online hours for Type 1 at 4, varying other two types.

(c) Fixed online hours for Type 1 at 6, varying other two types.

Fig. 1. Weighted bandwidth and diurnal sensitivity. Low-bandwidth bots have a significant effect on average bandwidth when they are online for more than ≈4 hours. Figures (a) through (c) fix the diurnal weight of low-bandwidth bots at 2, 4 and 6 hours. Only at the extreme, plot (c), does average bandwidth change significantly. This impact is seen when high- and medium-bandwidth bots have less than 24-hour/day connectivity.