Enisa: The size of botnets is overrated

The EU Internet Security Agency Enisa has published a report on botnets entitled "Botnets: 10 Tough Questions". Among other things, the agency casts doubt on whether the size of a botnet is directly related to the security risk it poses. It also suspects that the number of affected devices is inflated for effect.

"Numbers say nothing at all," Giles Hogben, botnet expert at Enisa, told ZDNet UK. "Even a botnet made up of 1,000 machines can cause great damage." That is why you have to focus on other aspects.

According to the report (PDF), the number of computers in a botnet is extrapolated from samples. At the same time, however, there is no explanation of how these estimates are arrived at.

"Common extrapolations of botnet sizes, which have also received media attention, range between seven and nine million affected computers for Conficker; Mariposa is said to have more than 13 million infected devices, and up to 30 million computers are likely to be part of the Bredolab botnet," write the authors. "Big numbers mean big dangers - and therefore a lot of attention. There is significant potential here to overestimate the number of bots."

Methods such as counting the IP addresses from which infected traffic originates cannot provide any reliable information about the size of a botnet, according to Enisa. For example, the University of California arrived at different numbers (PDF) in its investigation of the Torpig botnet: counting individual IP addresses gave 1.2 million hosts, while counting unique bot identifiers gave only 180,000 zombie computers.
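The Torpig discrepancy above arises because one infected machine can appear under several IP addresses over time (DHCP churn) while several machines can share one address (NAT). The following added example, not taken from the Enisa report or the Torpig study, computes both estimates over a constructed sinkhole log to show how they diverge; the log format and bot identifiers are assumptions.

```python
"""Compare a botnet size estimate by distinct IP address with one by
distinct bot identifier, using a constructed sinkhole log."""
from collections import defaultdict

# Constructed log, one line per callback: "timestamp src_ip bot_id".
# Bot b1 changes address daily (DHCP churn); b2, b3 and b4 sit behind one
# NAT address on day one; all values are hypothetical.
SINKHOLE_LOG = """\
2010-01-01T00:05 10.0.0.1 b1
2010-01-02T06:10 10.0.0.2 b1
2010-01-03T12:15 10.0.0.3 b1
2010-01-04T18:20 10.0.0.4 b1
2010-01-01T01:00 10.0.1.7 b2
2010-01-01T02:00 10.0.1.7 b3
2010-01-01T03:00 10.0.1.7 b4
2010-01-02T00:30 10.0.0.9 b2
2010-01-02T09:00 10.0.2.2 b5
"""


def parse_log(text):
    """Parse the three-column log into (timestamp, ip, bot_id) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, bot_id = line.split()
        records.append((ts, ip, bot_id))
    return records


def size_estimates(records):
    """Return both size estimates plus the two sources of disagreement."""
    ips_per_bot = defaultdict(set)
    bots_per_ip = defaultdict(set)
    for _, ip, bot_id in records:
        ips_per_bot[bot_id].add(ip)
        bots_per_ip[ip].add(bot_id)
    return {
        "by_ip": len(bots_per_ip),          # inflated by address churn
        "by_bot_id": len(ips_per_bot),      # one entry per infected host
        "bots_seen_on_multiple_ips": sum(1 for s in ips_per_bot.values() if len(s) > 1),
        "ips_hosting_multiple_bots": sum(1 for s in bots_per_ip.values() if len(s) > 1),
    }


if __name__ == "__main__":
    print(size_estimates(parse_log(SINKHOLE_LOG)))  # by_ip 7 versus by_bot_id 5
```

On this constructed log the IP count overstates the botnet by 40 percent, and the NAT address shows that IP counting can also hide hosts, so neither effect is a simple correction factor.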

Although the media actually reported the figure of 180,000 infected devices in this case, organizations may have an interest in publishing higher estimates in order to attract investors, said Hogben. "You may have two equally unprovable numbers, but you choose the larger one because it suits your goals." Media attention is one motive, political goals another. "Or to hide the fact that your own security defenses were not particularly effective. 'My protection failed against a horde of 30 million zombie PCs' doesn't sound as bad as 'My site was taken down by 30 computers'."

The Enisa report also contains recommendations for European legislators. For example, the agency considers a so-called "Good Samaritan Act" to be sensible. Its aim would be to exempt hackers from liability if they act against botnets with good intent. However, care must be taken to prevent vigilante justice on the Internet.