A few months ago there was a research presentation on computer security.  It touched upon botnets and the presenter gave some data.  Below are some summary results based on a 9-day down-sampled spam trace from Hotmail.

  • There were 294 botnets detected, covering about 460,000 individual bots.  That works out to about 1600 bots per botnet.  That's smaller than I thought.

  • 50% contained over 1000 machines.
  • 80% use less than half of the bots in their network each time.  This must be an attempt to conserve the botnet: by limiting how many bots are exposed at once, the operators keep them off blocklists so the network can be reused.
  • Large botnets send fewer spam messages per bot.  This is intuitively obvious.
  • 60% of botnet-related spam comes from long-lived botnets.  Our own individual stats confirm this: we maintain a private blocklist with a core group of IPs that never go away.
  • 50% contain machines from >30 countries.  I have no information on what countries are the worst offenders.

One day we plan to start combing through our own data to see if we can find even more granular detail on spammers and their botnets.

  1. Matt Sergeant says:

    How are you grouping botnets together? If it’s just by similar subjects this method doesn’t work.

  2. David Cawley says:

    I’d also be interested in hearing more about how the researcher correlated an IP address with a specific bot.

    If this is based solely on grouping similar messages together it’s more an analysis of spam campaigns rather than botnets.

