Botnet Economics: Uncertainty Matters

  • Zhen Li
  • Qi Liao
  • Aaron Striegel


Botnets have become an increasing security concern in today’s Internet. Thus far the mitigation to botnet attacks is a never ending arms race focusing on technical approaches. In this chapter, we model botnet-related cybercrimes as a result of profit-maximizing decision-making from the perspectives of both botnet masters and renters/attackers. From this economic model, we can understand the effective rental size and the optimal botnet size that can maximize the profits of botnet masters and attackers. We propose the idea of using virtual bots (honeypots running on virtual machines) to create uncertainty in the level of botnet attacks. The uncertainty introduced by virtual bots has a deep impact on the profit gains on the botnet market. With decreasing profitability, botnet-related attacks such as DDoS are reduced if not eliminated from the root cause, i.e. economic incentives.


Virtual Machine Profit Margin Effective Size Benchmark Model Successful Attack 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. Bacher, P., Holz, T., Kotter, M., and Wicherski, G. “Know Your Enemy: Tracking Botnets,” The Honeynet Project & Research Alliance, March 2005.Google Scholar
  2. “Computer Scientist Fights Threat of Botnets,” ScienceDaily, Nov. 10 2007. Available at
  3. Dagon, D., Zou, C., and Lee, W.“Modeling BotnetPropagation Using Time Zones,” in Proceedings of the 13th Annual Network and Distributed System Security Symposium (NDSS’06), Febuarary. 2006.Google Scholar
  4. Ford, R., and Gordon, S. “Cent, Five cent, Ten cent, Dollar: Hitting Botnets Where It Really Hurts,” in New Security Paradigms Workshop, 2006, pp. 3–10.Google Scholar
  5. Franklin, J., and Perrig, A. “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” in Proceedings of the 14th ACM conference on Computer and Communications Security, SESSION: Internet Security, Alexandria, Virginia, 2007, pp. 375–388.Google Scholar
  6. Jin, C., Wang, H., and Shin, K. “Hop-Count Filtering: An Effective Defense Against Spoofed DoS Traffic,” in Proceedings of the 10th ACM Conference on Computer and Communications Security, 2003, pp. 30–41.Google Scholar
  7. Jin, S. and Yeung, D. “A Covariance Analysis Model for DDoS Attack Detection,” in Proceeding of the IEEE International Conference on Communications (ICC), vol. 4, June 2004, pp. 1882–1886.Google Scholar
  8. Karasaridis, A., Rexroad, B., and Hoeflin, D. “Wide-scale BotnetDetection and Charaterization,” in USENIX Workshop on Hot Topics in Understanding Botnets (HotBots’07), 2007.Google Scholar
  9. Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxon, V., and Shenker, S. “Controlling High Bandwidth Aggregates in the Network,” ACM SIGCOMM Computer Communication Review(32:3), July 2002, pp. 62–73.CrossRefGoogle Scholar
  10. Park, K., and Lee, H. “On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack,” in Proceedings of INFOCOM 2001, 2001, pp. 338–347.Google Scholar
  11. Rajab, M. A., Zarfoss, J., Monrose, F. and Terzis, A. “A Multifaceted Approach to Understanding the BotnetPhenomenon,” in 6th ACM SIGCOMM conference on Internet Measurment, SESSION: Security and Privacy, 2006, pp. 41–52.Google Scholar
  12. Rajab, M. A., Zarfoss, J., Monrose, F., and Terzis, A. “My Botnetis Bigger Than Yours (Maybe, Better Than Yours): Why Size Estimates Remain Challenging,” in Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, Cambridge, MA, 2007, pp. 5.Google Scholar
  13. Savage, S., Wetherall, D., Karlin, A. P., and Anderson, T. “Practical Network Support for (IP) Traceback,” in Proceedings of SIGCOMM, 2000, pp. 295–306.Google Scholar
  14. Snoeren, A., Partridge, C., Sanchez, L., Jones, C., Tchakountio, F., Kent, S. and Strayer, W. “Hash-Based IP Traceback,” in Proceedings of SIGCOMM, 2001, pp. 3–14.Google Scholar
  15. “Worldwide Infrastructure Security Report vol.ii (2006),” ARBOR NETWORK. Available at
  16. Xu, J., and Lee, W. “Sustaining Availability of Web Services under Distributed Denial of Service Attacks,” Transactions on Computers (52:2), Feburary 2003, pp. 195–208.MathSciNetCrossRefGoogle Scholar
  17. Yau, D. K. Y., Lui, J. C. S., Liang, F. and Yam, Y. “Defending against Distributed Denial-of-Service Attacks with Max-min Fair Server-centric Router Throttles,” IEEE/ACM Transactions on Networking (13:1), 2005, pp. 29–42.CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  • Zhen Li
  • Qi Liao
  • Aaron Striegel

There are no affiliations available

Personalised recommendations