Botnet size may be exaggerated, says Enisa

Summary: The number of zombie computers can be exaggerated for effect and does not accurately portray risks in any case, according to the European Network and Information Security Agency

The number of zombie computers in botnets can be exaggerated and does not reflect their true threat, according to a European information security body.

The European Network and Information Security Agency (Enisa) on Tuesday questioned published figures for numbers of compromised computers, especially as organisations may exaggerate bot figures for effect.

"The key point to focus on is that numbers don't tell you anything," Enisa botnet expert Giles Hogben told ZDNet UK. "Even a botnet of 1,000 machines can cause severe damage, so you should focus on other aspects of the botnet."

Botnet numbers are extrapolated from samples, but there is often no explanation of the methodology used to arrive at the estimates, Enisa said in a report, entitled Botnets: 10 Tough Questions, published on Tuesday.

"Well-known reported figures for botnet sizes that caught major media attention ranged from around seven to nine million bots for Conficker, over 13 million bots associated with Mariposa and up to 30 million infected machines in the Bredolab botnet," said the report. "As big numbers imply big threats — therefore, high attention — there is a significant incentive for overestimation."

Inflated figures

Methodologies such as counting IP addresses with infected traffic could not give an accurate representation of botnet size, said Enisa. For example, University of California, Santa Barbara research found that counting unique IP addresses from the Torpig botnet gave 1,200,000 hosts, whereas counting unique bot identifiers gave 180,000 zombies.

While media articles about Torpig did report the 180,000 figure, organisations may have an interest in feeding the media large estimates to attract funding, Hogben said.

"It may be that there are two equally unsubstantiated figures out there and you choose the bigger one because it supports your goals," Hogben said in an email interview. "Mainly: media attention; funding – security investments and projects; a political agenda; or hiding the fact that your defences were not so great ('my defences failed against a horde of 30 million zombies' doesn't sound as bad as 'my site was taken down by 30 computers')."
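The gap between IP-based and identifier-based counts described above can be reproduced on a small scale. The following is an added example, not code from the Enisa report or the UCSB research: it counts the same check-in log both ways and, going slightly beyond the article, also flags the opposite error, where several bots share one address. The log format, the `bot=` field and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sinkhole check-in log: "<timestamp> <source IP> bot=<identifier>".
# The log format and the bot identifier field are assumptions for illustration.
SAMPLE_LOG = """\
2011-03-01T08:00:00 192.0.2.10 bot=a1
2011-03-02T08:05:00 192.0.2.77 bot=a1
2011-03-03T08:01:00 192.0.2.143 bot=a1
2011-03-01T09:00:00 198.51.100.4 bot=b2
2011-03-02T09:00:00 198.51.100.90 bot=b2
2011-03-01T10:00:00 203.0.113.5 bot=c3
2011-03-01T10:02:00 203.0.113.5 bot=d4
malformed line without fields
"""

def parse(log_text):
    """Yield (ip, bot_id) pairs, skipping lines that do not match the format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].startswith("bot="):
            yield parts[1], parts[2][len("bot="):]

def estimate(log_text):
    """Compare the IP-based estimate with the identifier-based count."""
    ips_by_bot = defaultdict(set)   # one bot seen from several IPs (address churn)
    bots_by_ip = defaultdict(set)   # several bots behind one IP (shared address)
    for ip, bot_id in parse(log_text):
        ips_by_bot[bot_id].add(ip)
        bots_by_ip[ip].add(bot_id)
    unique_ips, unique_bots = len(bots_by_ip), len(ips_by_bot)
    return {
        "unique_ips": unique_ips,
        "unique_bots": unique_bots,
        # Ratio > 1 means an IP count overstates the number of infected hosts.
        "inflation": unique_ips / unique_bots if unique_bots else 0.0,
        "churning_bots": sorted(b for b, ips in ips_by_bot.items() if len(ips) > 1),
        "shared_ips": sorted(ip for ip, bots in bots_by_ip.items() if len(bots) > 1),
    }

if __name__ == "__main__":
    for key, value in estimate(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The longer the observation window, the more address changes accumulate per bot, so an IP-based estimate keeps growing even when the infected population does not.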

Wrong defences

Organisations that use inaccurate figures risk misapplying security resources, he added.

"It could mean you invest money in defences you don't need, or you don't invest in the defences you do need," Hogben said. "You might invest in the wrong sort of defences."

The Enisa report contained recommendations for European legislators. One of the recommendations in the report was to formulate a 'Good Samaritan Law' that would make exceptions from liability for individuals who took actions against botnets with good intentions. This law would have to be tempered to discourage cyber-vigilantism, said the paper.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books. Tom eventually found tha...
