Abstract
Botnets have become an increasing security concern in today’s Internet. Thus far the mitigation to botnet attacks is a never ending arms race focusing on technical approaches. In this chapter, we model botnet-related cybercrimes as a result of profit-maximizing decision-making from the perspectives of both botnet masters and renters/attackers. From this economic model, we can understand the effective rental size and the optimal botnet size that can maximize the profits of botnet masters and attackers. We propose the idea of using virtual bots (honeypots running on virtual machines) to create uncertainty in the level of botnet attacks. The uncertainty introduced by virtual bots has a deep impact on the profit gains on the botnet market. With decreasing profitability, botnet-related attacks such as DDoS are reduced if not eliminated from the root cause, i.e. economic incentives.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Alternatively, we can view n e as the minimum number of accesses required to disable a website, and further define the number of accesses per machine to figure out the size of rental. We do not see it necessary to go into such details and believe our conclusions are not affected.
- 2.
Although we are considering Internet Relay Chat (IRC), which is the dominant C&C channel in today’s botnet, the parameter for botnet maintenance costs can be defined accordingly based on the underlying technique adopted to control bots, whether through IRC or other decentralized systems such as P2P.
- 3.
Similar to the determination of n e, how many bots, q, a C&C channel can host is determined by technological progresses and limited by the capacity of the channel. Given technology, q is fixed.
- 4.
Defenders refer to whoever has the incentive to run/maintain honeypots such as researchers and government agencies. While these organizations by lawhave desire to fight against cybercriminals, private parties may also be motivated to create honeypots if they are financially compensated. For example, a honeypot server may collect data on the botnet to sell to customers for development of infrastructure protection techniques.
- 5.
Furthermore, the increased likelihood for an attack to fail also increases the psychological costs of launching such an attack, which makes the practice even less interesting.
- 6.
In reality, the chance for a botnet master to be detected and arrested is small. Dropping the penalty component of the costs does not damage the model conclusions. Effects of non-zero legal punishment and how legal enforcement can be combined with honeypots to fight botnets, especially when botnets are used to launch attacks with linearly increasing payoffs such as spams, are studied in a related work.
- 7.
The actual values of the parameters can be estimated from empirical studies. The numbers assigned here are for illustrative purposes.
- 8.
Botnetmasters may seek for innovation in response to the increased use of honeypots. For example, they may develop cheaper means of C&C (i.e., lower m). According to (20) and (21), profit may increase and the cutoff p v has to be larger. Cheaper means of C&C is unfavorable innovation concerning fighting attacks. Nevertheless, it does not affect the nature of model conclusions.
- 9.
The effective size of a botnet is the number of bots connected to the IRC channel at a specific time. While the effective size has less impact on long-term activities such as executing commands posted as channel topics, it significantly affects the number of minions available to execute timely commands such as DDoS attacks.
- 10.
The size of the botnet is 1.11 (=1/(1 – 0.1)) times the size in the benchmark case. The increase in size is 11 percent.
References
Bacher, P., Holz, T., Kotter, M., and Wicherski, G. “Know Your Enemy: Tracking Botnets,” The Honeynet Project & Research Alliance, March 2005.
“Computer Scientist Fights Threat of Botnets,” ScienceDaily, Nov. 10 2007. Available at http://www.sciencedaily.com/releases/2007/11/071108141303.htm
Dagon, D., Zou, C., and Lee, W.“Modeling BotnetPropagation Using Time Zones,” in Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), Febuarary. 2006.
Ford, R., and Gordon, S. “Cent, Five cent, Ten cent, Dollar: Hitting Botnets Where It Really Hurts,” in New Security Paradigms Workshop, 2006, pp. 3–10.
Franklin, J., and Perrig, A. “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” in Proceedings of the 14th ACM conference on Computer and Communications Security, SESSION: Internet Security, Alexandria, Virginia, 2007, pp. 375–388.
Jin, C., Wang, H., and Shin, K. “Hop-Count Filtering: An Effective Defense Against Spoofed DoS Traffic,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 30–41.
Jin, S. and Yeung, D. “A Covariance Analysis Model for DDoS Attack Detection,” in Proceeding of the IEEE International Conference on Communications (ICC), vol. 4, June 2004, pp. 1882–1886.
Karasaridis, A., Rexroad, B., and Hoeflin, D. “Wide-scale BotnetDetection and Charaterization,” in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.
Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxon, V., and Shenker, S. “Controlling High Bandwidth Aggregates in the Network,” ACM SIGCOMM Computer Communication Review(32:3), July 2002, pp. 62–73.
Park, K., and Lee, H. “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack,” in Proceedings of INFOCOM 2001, 2001, pp. 338–347.
Rajab, M. A., Zarfoss, J., Monrose, F. and Terzis, A. “A Multifaceted Approach to Understanding the BotnetPhenomenon,” in 6th ACM SIGCOMM conference on Internet Measurment, SESSION: Security and Privacy, 2006, pp. 41–52.
Rajab, M. A., Zarfoss, J., Monrose, F., and Terzis, A. “My Botnetis Bigger Than Yours (Maybe, Better Than Yours): Why Size Estimates Remain Challenging,” in Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, 2007, pp. 5.
Savage, S., Wetherall, D., Karlin, A. P., and Anderson, T. “Practical Network Support for (IP) Traceback,” in Proceedings of SIGCOMM, 2000, pp. 295–306.
Snoeren, A., Partridge, C., Sanchez, L., Jones, C., Tchakountio, F., Kent, S. and Strayer, W. “Hash-Based IP Traceback,” in Proceedings of SIGCOMM, 2001, pp. 3–14.
“Worldwide Infrastructure Security Report vol.ii (2006),” ARBOR NETWORK. Available at http://www.arbornetworks.com/report
Xu, J., and Lee, W. “Sustaining Availability of Web Services under Distributed Denial of Service Attacks,” Transactions on Computers (52:2), Feburary 2003, pp. 195–208.
Yau, D. K. Y., Lui, J. C. S., Liang, F. and Yam, Y. “Defending against Distributed Denial-of-Service Attacks with Max-min Fair Server-centric Router Throttles,” IEEE/ACM Transactions on Networking (13:1), 2005, pp. 29–42.
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
Li, Z., Liao, Q., Striegel, A. (2009). Botnet Economics: Uncertainty Matters. In: Johnson, M.E. (eds) Managing Information Risk and the Economics of Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09762-6_12
Download citation
DOI: https://doi.org/10.1007/978-0-387-09762-6_12
Published:
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09761-9
Online ISBN: 978-0-387-09762-6
eBook Packages: Computer ScienceComputer Science (R0)