Giant Portion

"largest connected (or online) portion
of the graph"

How many bots can participate in an attack

Average bandwidth

The series of all groups i

Average maximum bandwidth

Average normal bandwidth use

Probability of bot being in group i

average online hours per day

• Network diameter l
• Since a botnet with more interconnections has more short paths, it passes messages quickly, and provides fewer detection opportunities

Botnet Efficiency

Botnet response strategies

• Random targeting can be effective in random networks
• Random targeting is ineffective for scale free networks
• Responses to scale free networks are more effective
• With scale free, targeting high speed nodes is more likely to increase the diameter of the network, increasing message distrobution time
• Keeping watch of effectiveness (available bandwith), helps with monitoring success rate

Methodology

• Nugache
  • used for spam email
  • data collection
  • distributed via limewire
  • Made by a 19 year old!
• Used emulator infected with nugache
• Forced unique ip on every node they controlled
• observed connections to computer in the wild
• Observed mostly > 6 links, but up to 30 links in some case
• This indicated scale free
• Cleaning highly connected nodes can have a high impact.

Bandwith as a metric

• Tested on two botnets, focus on DDoS
• Probed bandwith on random nodes
• Used to find an average, method described in metric for estmating bandwith
• Botnet size of 50k = 1Gbps total bandwith
• Botnet 1:  53.3004 Kbps, Botnet 2: 34.8164 Kbps
• Not adjusted for diurnal = roughly the same available bandwith
• Adjusted for diurnal = Botnet 2 has 50% capacity of botnet 1