Botnet size may be exaggerated, says Enisa

The number of zombie computers in botnets can be exaggerated and does not reflect their true threat, according to a European information security body.

The European Network and Information Security Agency (Enisa) on Tuesday questioned published figures for numbers of compromised computers, especially as organisations may exaggerate bot figures for effect.

The key point to focus on is that numbers don't tell you anything.

– Giles Hogben, Enisa

"The key point to focus on is that numbers don't tell you anything," Enisa botnet expert Giles Hogben told ZDNet UK. "Even a botnet of 1,000 machines can cause severe damage, so you should focus on other aspects of the botnet."

Botnet numbers are extrapolated from samples, but there is often no explanation of the methodology used to arrive at the estimates, Enisa said in a report, entitled Botnets: 10 Tough Questions, published on Tuesday.

"Well-known reported figures for botnet sizes that caught major media attention ranged from around seven to nine million bots for Conficker, over 13 million bots associated with Mariposa and up to 30 million infected machines in the Bredolab botnet," said the report. "As big numbers imply big threats — therefore, high attention — there is a significant incentive for overestimation."

Inflated figures

Methodologies such as counting IP addresses with infected traffic could not give an accurate representation of botnet size, said Enisa. For example, University of California, Santa Barbara research (PDF) has shown that analysis of unique IP addresses from the Torpig botnet showed 1,200,000 hosts, versus analysis of a unique bot identifier, which showed 180,000 zombies.

While media articles about Torpig did report the 180,000 figure, organisations may have an interest in feeding the media large estimates to attract funding, Hogben said.

"It may be that there are two equally unsubstantiated figures out there and you choose the bigger one because it supports your goals," Hogben said in an email interview. "Mainly: media attention; funding – security investments and projects; a political agenda; or hiding the fact that your defences were not so great ('my defences failed against a horde of 30 million zombies' doesn't sound as bad as 'my site was taken down by 30 computers')."

Wrong defences

Organisations that use inaccurate figures risk misapplying security resources, he added.

"It could mean you invest money in defences you don't need, or you don't invest in the defences you do need," Hogben said. "You might invest in the wrong sort of defences."

The Enisa report contained recommendations for European legislators. One of the recommendations in the report was to formulate a 'Good Samaritan Law' that would make exceptions from liability for individuals who took actions against botnets with good intentions. This law would have to be tempered to discourage cyber-vigilantism, said the paper.