Home / Blogs

How Many Bots? How Many Botnets?

We touched on this subject in the past, but recently Rich Kulawiek wrote a very interesting email to NANOG to which I replied, and decided to share my answer here as well—

I stopped really counting bots a while back. I insisted, along with many friends, that counting botnets was what matters. When we reached thousands we gave that up.

We often quoted anti-nuclear weapons proliferation sentiments from the Cold War, such as: “why be able to destroy the world a thousand times over if once is more than enough?” we often also changed it to say “3 times” as redundancy could be important. :>

Today, it is clear the bad guys can get their hands on as many bots as they need, or in a more scary scenario, want. They don’t need that many.

As a prime example, I believe that VeriSign made it public that only 200 bots were used in the DNS amplification attacks against them last year. Even if they missed one, two or even three zeroes, it speaks quite a bit as to our fragile infrastructure.

If brute force alone can achieve this, what of application attacks, perhaps even 0days? :)

Still, we keep surviving and we will still be here next year, too, with bigger and bigger trucks and tubes to hold the Internet together, whether for regular or malicious usage. eCommerce and online banking might not survive in a few years if people such as us here don’t keep doing what we do, but that part of it is off topic to NANOG.

10 years ago, almost no one knew what botnets were. Counting and measuring seemed to be very important 3 years ago, and to governments and academics, even a year ago. Today it is just what funding for botnet research is based on ( :) ), still, I don’t really see the relevance. Botnets are a serious issue, but they are only a symptom of the problem called the Internet.

Sitting on different networks and testing them for how many malicious scans happen every second/minute/hour/day and then checking that against how many machines with trivially exploited vulnerabilities exist on these networks can fill in some of the puzzle, but the delta from what we may see if we consider email attachments and malicious web sites…

The factor may be quite big.

We will never be able to count how many bots exist. We can count limited parts of that pool such as those seen in spam. These are several millions every day (which should be scary enough) but not quite the right number.

And this is before we get into the academic off-topic discussion of what a bot actually is, which after almost 11 years of dealing with these I find difficult to define. Is it an IP address? A computer? Perhaps an instance of a bot sample (and every machine could have even hundreds).

Welcome to the realm of Internet security operations and the different groups and folks involved (and now industry). It is about Internet security rather than this or that network security or this and that sample detection.

By Gadi Evron, Security Strategist

Filed Under


Martin Hannigan  –  Mar 9, 2007 7:13 AM

We should consider any machine without anti virus software to be basically compromised and instead count these hosts, shouldn’t we? The larger vulnerability seems like a more accurate threat representation at this point.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix


Sponsored byVerisign

Domain Names

Sponsored byVerisign