The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data

31 Pages Posted: 22 Jan 2012

See all articles by Michel van Eeten

Michel van Eeten

Delft University of Technology

Johannes M. Bauer

Michigan State University-Department of Media and Information

Hadi Asghari

Delft University of Technology

Shirin Tabatabaie

affiliation not provided to SSRN

David Rand

Trend Micro Incorporated

Date Written: August 15, 2010

Abstract

Botnets, networks of machines infected with malicious software, are widely regarded as a critical security threat. Measures that directly address the owners of the infected machine end users are useful, but have proven insufficient to reduce the overall problem. Recent studies have shifted attention to key intermediaries – most notably, Internet Service Providers (ISPs) – as control points for botnet activity. Surprisingly little empirical information is available to assess the claim that ISPs are an important control point, as well as related claims, for example, that large ISPs are worse cybercitizens than smaller ones. This paper is a first effort to go beyond generalized arguments by dissecting the diversity of ISPs and the number of infected machines in their networks. As most of the current spam is sent through botnets, the origin of spam messages provides us with a proxy for detecting infected machines. Using a global dataset of 138 million unique IP addresses that connected to a spam trap in the period 2005-2008, we have analyzed in detail the geographic patterns, time trends, and differences at the level of countries and ISPs. This data underlines the key position of ISPs as intermediaries. For example, in our dataset just 10 ISPs account for around 30 percent of all unique IP addresses sending spam worldwide; 50 ISPs account for over half of all sources. For the first time, the patterns in infected machines are connected to other data, such as the size of the ISPs and the country in which they are located. Using bivariate and multivariate statistical approaches we investigate empirically the effects of country-level policy measures on the number of unique IP addresses sending spam at the ISP level. The data reveals wide differences between ISPs in the relative number of infected machines, sometimes up to three orders of magnitude. Whereas the overall number of infected machines is largely driven by the size of the user base, we also find limited evidence that public policies to improve cybersecurity have the desired mitigating effects. Our findings confirm some of the claims made in the research literature but refute others.

Suggested Citation

van Eeten, Michel and Bauer, Johannes M. and Asghari, Hadi and Tabatabaie, Shirin and Rand, David, The Role of Internet Service Providers in Botnet Mitigation an Empirical Analysis Based on Spam Data (August 15, 2010). TPRC 2010. Available at SSRN: https://ssrn.com/abstract=1989198

Michel Van Eeten (Contact Author)

Delft University of Technology ( email )

PO Box 5015
Delft, 2600GA
Netherlands

Johannes M. Bauer

Michigan State University-Department of Media and Information ( email )

409 Communication Arts Building
East Lansing, MI 48824-1212
United States
517-355-8372 (Phone)
517-355-1292 (Fax)

HOME PAGE: http://www.msu.edu/~bauerj

Hadi Asghari

Delft University of Technology ( email )

P.O. Box 5015
2600 GB Delft
Netherlands

Shirin Tabatabaie

affiliation not provided to SSRN

David Rand

Trend Micro Incorporated ( email )

Register to save articles to
your library

Register

Paper statistics

Downloads
363
Abstract Views
1,915
rank
80,043
PlumX Metrics