As botnets continue as a major purveyor of malicious activity, finding new and improved ways to measure their influence will be key to preventing future attacks. But gaining an accurate read on active populations continues to prove difficult.
In recent years more research has been devoted to finding how best to accurately measure botnets, a task made more difficult by increasingly sophisticated cloaking mechanisms to evade detection. Recently Dr. Jose Nazario, senior manager of security research at Arbor Networks, spoke during an Indonesian security conference about various ways to quantify a botnet’s influence.
He focused on traditional and emerging methodologies, including the current prevailing practice of establishing “command and control” channels such as sinkholes. The technique involves identifying the command and control server and redirecting machines to a “safe” server for analysis. Malicious traffic, whether spam or something more nefarious, is then sent straight to the research box, indicating the size of the botnet based on the number of IP addresses.
“Sinkholes are the most common mechanism right now to count botnets, and are widely done by many groups,” he wrote in a post excerpting his talk on the Arbor Networks blog.
Another time-tested method for estimating a botnet’s size is the more passive “dark IP monitoring.” This method takes large unused IP address blocks and eavesdrops on exploit traffic or traffic using a specific TCP/IP service as a botnet tries to spread. Nazario noted that Arbor used this method in 2003 to study the Blaster worm outbreak.
A more straightforward measuring stick comes from merely counting reports globally generated by host-based antivirus software. Microsoft does this with its Windows AV software, he said.
“Another direct method is to crawl a peer-to-peer botnet, gathering the peer list from every node and recursively walking the botnet. This enumeration of the botnet is possible if you know the P2P protocol, but is easily thwarted by strong cryptography,” Nazario said.
Of course, the stealth nature of botnets makes accuracy difficult. For example, if ISPs are blocking ports or collection addresses and instead directing clients to go to their own sinkholes on their own servers, the number of infected machines may be underestimated. Or, “if the domain names for the botnet, which now point to sinkholes, are used in DNS blacklists, clients will never be recorded at the sinkhole, again leading to undercounting,” Nazario wrote.
Then there’s the fact if the hosts are offline, they won’t be counted during the mass roundup.
Another possible setback to correctly counting a botnet can happen if, for instance, the routing protocol generates multiple IP addresses during a given period. NAT also has been shown to misrepresent IP addresses. Nazario mentioned Arbor estimated 2003’s Blaster worm had infected 800,000 – a radically smaller number than the 8 million Microsoft later reported.
Even nine years later, better ways to gauge a botnet’s influence continues to be a struggle – but it’s an undertaking more companies are willing to accept in order to eventually bring down the number and size of botnets … perhaps to near nothing in the future.
“Where we are going with this now is trying to standardize methodologies so we can measure consistently,” Nazario concluded. “Furthermore, we’re trying to identify the causes for the gaps in the methodologies (e.g. network vs host measurements) and provide stronger data by closing those gaps. Based on this data, we also work globally to identify working strategies that effectively shut down botnets and drop infection rates. We then want to coordinate these efforts globally to lead to lower infections in each region.”
