Last week, the Dutch police managed to shut down the “Bredolab” botnet. At least, that is what they claimed during the worldwide media coverage that followed. A few days later, while the police were still basking in the praise for their success, the botnet was resurrected. Embarrassing? Yes. Surprising? Not really. It highlights a fundamental misunderstanding about the fight against botnets. Contrary to what the Dutch police claimed and many people think, law enforcement cannot shut down botnets. It is important to understand why, and what the implications of this sobering thought are.
The Bredolab case is the latest in a series of successes in the fight against botnets. The past few months also saw reports of crackdowns on the Zeus and Waledac botnets. For years, we have been told how difficult it is to fight botnets. Why is law enforcement now more successful than in the past?
The answer has two parts. The obvious part is that law enforcement agencies have developed more expertise and are collaborating more effectively. The less obvious part is that they do not really shut down the botnet itself, but one specific part of it: its command and control (C&C) servers. In some cases, as in the case of Bredolab, the C&C servers are centralized and thus form a single point of failure.
The Dutch police, with the help of GOVCERT and security firm Fox IT, managed to infiltrate the C&C servers. It observed the botnet for about a month, gathering evidence, before ordering the servers to be shut down. It then issued a warrant for the Armenian it suspected of operating the botnet. The Armenian was arrested shortly thereafter. All of this is impressive police work and well deserving of praise.
By then, the PR machine had kicked into gear. The shutdown was actually staged for television. A camera crew filmed while an employee of the hosting provider disconnected the C&C servers. At least, that is what they wanted viewers to believe. In reality, the servers used for Bredolab were dispersed across the data center. So they had the employee disconnect a rack of servers that were already out of use and had nothing to do with Bredolab. Oh well, no harm done.
But it didn’t stop there. In a variety of ways, they inflated the success of their action. First of all, they claimed to have shut down the botnet. This claim was uncritically repeated by the media. Unfortunately, they did no such thing. They only shut down the C&C servers. All the bots, i.e., the infected machines, were still up and running. Without a C&C server, they no longer receive instructions. The assumption is that this renders them harmless. A mistaken assumption, as soon became clear. Within a few days, other criminals found a way to set up new C&C servers and reestablished contact with the bot population.
It is understandable, and certainly not unique to the Dutch police, to inflate success. But the problem is that it misconstrues the role of law enforcement in the fight against botnets. It is one thing to take down a C&C server; it is quite another to take down a botnet. The latter is a much more cumbersome war of attrition against large numbers of infected machines. If this war is lost, or not even begun, then capturing one criminal and his C&C servers will only have a very short-lived impact. And indeed, this is what we see in most recent successes against botnets: there is an immediate impact, but it is very brief, and shortly thereafter things are back to normal. It is like arresting a drug dealer. If you do not successfully disrupt the infrastructure, he will just be replaced by another one.
There was another way in which the police and the public prosecutor inflated their success. They kept – and keep – emphasizing that this was a large botnet: 30 million machines were infected at some point, they claim. Again, this claim has been repeated uncritically by virtually everyone reporting on the case. The number seemed high to me. I pulled up Microsoft’s Security Intelligence Reports. From what I could gather, Microsoft’s telemetry detected at most 1.5 million machines over the course of 2009 up to the recent shutdown. The way Microsoft collects data means it is a conservative estimate. It can only see an infection if the computer runs the Malicious Software Removal Tool – provided as an automatic update through Windows Update – or one of Microsoft’s security packages. Not all users do this, of course. That said, Microsoft says that its security software runs on over 600 million Windows machines worldwide. So it does capture a large chunk of the universe. Let’s say that the actual number of Bredolab infections is double the Microsoft estimate; then that adds up to 3 million machines. A difference of a factor of 10 with the estimate provided by the police.
I have a hunch how this difference can be explained. The police have had control over the botnet for about a month. During this month they claimed they saw 3 million infections. They then extrapolated this to 30 million over the 10 months that the botnet was in full swing. How did they get the figure of 3 million? For most botnets, there is only one way to do this: count the number of unique IP addresses that connect to the C&C server.
There is one well-known limitation of counting machines this way: the use of dynamic IP address allocation means that the same machine will show up under multiple addresses. So you will overestimate the size of the botnet. By a factor of 10? Actually, yes. Last year, a study of the Torpig botnet revealed that if you estimate the botnet size by counting IP addresses, you can miss the mark by one order of magnitude. The researchers could produce this startling conclusion courtesy of a peculiarity of the Torpig botnet: it assigns a unique identifier to each infected machine.
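To make the measurement problem concrete, here is an added simulation (not code or data from the post, the Bredolab case, or the Torpig study). It constructs a check-in log in which every infected machine carries a hypothetical Torpig-style unique bot identifier, while most machines sit behind dynamic IP allocation and periodically reappear under a new address. Counting unique source IPs over a month then overshoots the population by roughly an order of magnitude, whereas counting unique bot IDs recovers it exactly. The numbers of bots, the share on dynamic addresses and the lease-renewal probability are all assumptions chosen for illustration.

```python
"""Why counting IP addresses inflates botnet size estimates.

Constructed simulation: each bot reports once per day to an observed C&C (or
sinkhole) with a per-machine identifier, the way Torpig was described to do.
Machines on dynamic allocation change address between reports.
"""
from collections import defaultdict
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class CheckIn:
    day: int
    src_ip: str
    bot_id: str  # hypothetical per-machine identifier carried in the check-in


def _random_ipv4(rng: random.Random) -> str:
    """Constructed address from a 32-bit draw; collisions are negligible here."""
    n = rng.getrandbits(32)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def simulate_checkins(n_bots: int = 500, days: int = 30,
                      dynamic_share: float = 0.8, renew_prob: float = 0.5,
                      seed: int = 7) -> list[CheckIn]:
    """Build the constructed check-in log: one report per bot per day.

    A 'dynamic' bot receives a fresh address with probability renew_prob on
    each new day (a DHCP lease renewal); a 'static' bot keeps one address.
    """
    rng = random.Random(seed)
    log: list[CheckIn] = []
    for b in range(n_bots):
        bot_id = f"bot-{b:05d}"
        dynamic = rng.random() < dynamic_share
        ip = _random_ipv4(rng)
        for day in range(days):
            if dynamic and day > 0 and rng.random() < renew_prob:
                ip = _random_ipv4(rng)
            log.append(CheckIn(day, ip, bot_id))
    return log


def size_estimates(log: list[CheckIn]) -> dict:
    """Botnet size by the two methods the post contrasts, over the whole window."""
    ips = {r.src_ip for r in log}
    ids = {r.bot_id for r in log}
    ips_per_bot: dict[str, set] = defaultdict(set)
    for r in log:
        ips_per_bot[r.bot_id].add(r.src_ip)
    return {
        "unique_src_ips": len(ips),          # naive estimate: addresses seen
        "unique_bot_ids": len(ids),          # actual population
        "inflation_factor": len(ips) / len(ids),
        "median_ips_per_bot": statistics.median(
            len(s) for s in ips_per_bot.values()),
    }


def daily_unique_ips(log: list[CheckIn]) -> list[int]:
    """Unique addresses per day. A short window cannot accumulate address churn,
    so it tracks the live population far better than a month-long count; here,
    with one report per bot per day, it equals the population exactly."""
    per_day: dict[int, set] = defaultdict(set)
    for r in log:
        per_day[r.day].add(r.src_ip)
    return [len(per_day[d]) for d in sorted(per_day)]


if __name__ == "__main__":
    checkins = simulate_checkins()
    est = size_estimates(checkins)
    print(f"unique source IPs over 30 days: {est['unique_src_ips']}")
    print(f"unique bot identifiers:         {est['unique_bot_ids']}")
    print(f"inflation factor:               {est['inflation_factor']:.1f}x")
    print(f"peak unique IPs on one day:     {max(daily_unique_ips(checkins))}")
```

The same arithmetic the post applies to the police figures falls out of the simulation: if a month of unique-IP counting already overstates the population by an order of magnitude, extrapolating that count over ten months compounds the error rather than correcting it. Per-day (or per-lease-period) unique-IP counts, or a bot identifier where the malware provides one, are the defensible measures when ISPs have to size a clean-up effort.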
Why is this exaggeration relevant? Because, again, it misconstrues the fight against botnets. In this fight, taking down C&C servers promises quick, visible, but short-lived wins. Quick and visible means it draws policy attention and funding. In the Netherlands, the Ministry of the Interior is funding a private sector proposal to blackhole all C&C traffic. This is not a good plan, for a variety of reasons, one of them being that it will not actually shut down botnets. The more successful the attacks on centralized C&C servers are, the more criminals will adopt other techniques. Peer-to-peer C&C, for example, has been available and in use in botnets for a while. So it is not hard to switch to it and thus render the expensive Dutch plan useless.
The real battlefield is in cleaning up the millions of bots. That is not a heroic fight with bad guys, but a laborious process of Internet Service Providers engaging with their own customers. To stimulate and support that process, it makes a world of difference whether you are dealing with 3 million or 30 million machines. No one likes to engage in a fight if their effort seems futile.
Success in the fight against botnets begins with understanding what this fight entails. The Dutch police are not helpful in this respect, but perhaps that is too much to ask. It is more damning that almost everyone reporting on this incident simply parrots their hyperbolic claims.