Botnets: Detection, Measurement, Disinfection & Defence

Botnets, consisting of thousands of interconnected remote-controlled computers, pose a serious threat to the Internet. Such malicious infrastructures have been involved in politically motivated attacks more than once in the recent past, and they cause substantial economic damage to large companies and individual users alike. Over the last years, the botnet scene has moved more and more towards organised crime.

To address this problem, Fraunhofer FKIE, with the University of Bonn as subcontractor, has been commissioned by the European Network and Information Security Agency (ENISA) to study and report on the detection and tracking of botnets as well as the defence against them.

The primary results of this project are divided into three reports.

The main report "Botnets: Detection, Measurement, Disinfection & Defence" gives a comprehensive overview and analysis of existing approaches to the detection, measurement and mitigation of botnets. Additionally, a collection of recommendations and good practices is presented to attack botnets from all angles.
A key result on the aspect of measurement is that the number of infected machines alone is an inappropriate measure for assessing the threat posed by a given botnet. On the one hand, most of the existing measurement approaches lack accuracy, and the methodology used to obtain the numbers is often not explained in enough detail. Furthermore, even small botnets can cause severe damage, for example when they are involved in the theft of sensitive or classified information. On the other hand, the threat potential heavily depends on the stakeholder targeted: different botnets may pursue completely different goals and provide specific functionality.
Concerning countermeasures, the diversity of the legal frameworks of the various EU Member States affects the efficiency of the fight against botnets. International cooperation and cross-border investigations are driven by processes that increase reaction times by large factors. As a result, such investigations are easy to evade for cyber criminals, who by definition do not respect any laws during their operations.
The recommendations cover not only technical but also policy and legal aspects, emphasising the importance of global cooperation. They are divided into good practices for the mitigation of existing botnets, the prevention of new infections, and the minimisation of the profitability of botnets and cybercrime in general.

Another report, "Botnets: 10 Tough Questions", features the results of intense discussions with top experts representing various stakeholder groups such as security researchers, law enforcement, Internet service providers and legal experts. This report is intended to provide policy-makers with the background information they need on central issues in the fight against botnets.

A third report (to appear in Q2 2011) focuses on the legal situation in the fight against botnets in the EU context.

A Workshop on Botnet Detection, Measurement, Disinfection & Defence took place on March 09-10, 2011, in Cologne, Germany.

For further information, feel free to contact us via e-mail:

botnet-mitigation@REMOVETHISPART.cs.uni-bonn.de