Botnets – networks of machines infected with malicious software – are widely regarded as a critical security threat. Measures that directly address the end users who own the infected machines are useful, but have proven insufficient to reduce the overall problem. Recent studies have shifted attention to Internet Service Providers (ISPs), the providers of Internet access to end users, as possible control points for botnet activity.
In this report, we set out to empirically answer the following questions:
• First, to what extent are ISPs critical control points for botnet mitigation?
• Second, to what extent do they perform differently relative to each other, in terms of the number of infected machines in their networks?
• Third, and last, to what extent can we explain the differences in performance from the characteristics of the ISPs or the environment in which they are located?
We have gathered data on the location of infected machines over time by studying spam traffic. Around 80-90% of all spam is sent by infected machines, so the source of a spam message very likely indicates the presence of an infected machine at that address. Our raw data is a global dataset of 109 billion spam messages from 170 million unique IP addresses, all of which were delivered to a ‘spam trap’ in the period 2005-2009.
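The measurement step described above, reduced to its essentials, as an added Python example (this is not code from the report): each spam-trap record is treated as one observation of an infected address, the source addresses are deduplicated (one bot sends many messages), each address is attributed to a network owner by longest-prefix match, and the unique infected addresses are counted per owner and per day. The log format, the prefix-to-owner table and the ISP names are constructed for this example; the report's own attribution of addresses to ISPs is not reproduced here.

```python
"""Attribute spam-trap source addresses to network owners and count unique infected IPs.

Added example, not code from the report. Log lines, prefix table and names are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed spam-trap log: one "<ISO timestamp> <source IP>" line per received message.
SPAM_TRAP_LOG = """\
2008-03-01T02:14:07Z 10.1.5.20
2008-03-01T02:14:09Z 10.1.5.20
2008-03-01T03:40:11Z 10.1.77.3
2008-03-01T05:02:48Z 192.0.2.44
2008-03-01T06:30:00Z 10.2.0.9
2008-03-02T01:12:30Z 10.1.5.20
2008-03-02T04:00:02Z 10.1.200.14
2008-03-02T04:00:03Z 198.51.100.7
2008-03-02T09:45:51Z 10.2.0.9
2008-03-02T09:46:00Z 203.0.113.250
"""

# Constructed address-ownership table (prefix -> owner). In a real study this comes from
# routing or registry data; the more-specific /24 inside ISP-A's block belongs to ISP-B.
PREFIX_TABLE = {
    "10.1.0.0/16": "ISP-A",
    "10.1.200.0/24": "ISP-B",
    "10.2.0.0/16": "ISP-C",
    "192.0.2.0/24": "Hoster-X",
    "198.51.100.0/24": "Hoster-X",
}

ISPS = {"ISP-A", "ISP-B", "ISP-C"}  # owners that are access providers (assumed)


def parse_log(text):
    """Return a list of (date, ip_address) pairs, one per spam message."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, ip = line.split()
        records.append((timestamp[:10], ipaddress.ip_address(ip)))
    return records


def build_prefix_table(table):
    """Parse prefixes and order them longest-first so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(prefix), owner) for prefix, owner in table.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def attribute(ip, nets):
    """Longest-prefix match of an address; None when no prefix covers it."""
    for net, owner in nets:
        if ip in net:
            return owner
    return None


def unique_sources_by_owner(records, nets):
    """Owner -> set of distinct source addresses (deduplicates repeat senders)."""
    by_owner = defaultdict(set)
    for _, ip in records:
        by_owner[attribute(ip, nets) or "unattributed"].add(ip)
    return by_owner


def daily_unique_by_owner(records, nets):
    """Owner -> {date: number of distinct infected addresses seen that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, ip in records:
        seen[attribute(ip, nets) or "unattributed"][day].add(ip)
    return {owner: {day: len(ips) for day, ips in days.items()} for owner, days in seen.items()}


def isp_share(by_owner, isps):
    """Fraction of attributed unique infected addresses that sit in ISP networks."""
    attributed = {owner: ips for owner, ips in by_owner.items() if owner != "unattributed"}
    total = sum(len(ips) for ips in attributed.values())
    in_isps = sum(len(ips) for owner, ips in attributed.items() if owner in isps)
    return in_isps / total if total else 0.0


if __name__ == "__main__":
    recs = parse_log(SPAM_TRAP_LOG)
    table = build_prefix_table(PREFIX_TABLE)
    owners = unique_sources_by_owner(recs, table)
    print(len(recs), "messages from", sum(len(s) for s in owners.values()), "unique addresses")
    for owner, days in sorted(daily_unique_by_owner(recs, table).items()):
        print(owner, dict(sorted(days.items())))
    print("share of unique infected addresses in ISP networks:", round(isp_share(owners, ISPS), 3))
```

Counting distinct addresses per day rather than per year matters in practice: a home machine whose dynamic address changes will otherwise be counted several times, so per-day unique counts averaged over the period are a more stable size estimate than the raw total of unique addresses.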
Our findings lend direct and indirect support to the view that ISPs are important potential control points.