Understanding large-scale spamming botnets from Internet edge sites

This paper aims to understand empirically the impact of a largescale spamming botnet, and the effectiveness of targeting its core infrastructure-C&C servers-from the viewpoint of several Internet edge sites. We also attempt to study the characteristics of the spamming botnet in the long-term to see how quickly bot masters react and what type of action they take. Our primary target in this paper is one of the world's previously worst known spamming botnets, Srizbi, whose C&C servers were shutdown by its upstream ISPs on November 11, 2008. We conduct an extensive measurement study spanning a large volume of e-mail delivery logs and packet traces collected at five vantage points. The measurement period spans three years and includes of the rise and fall of the botnet. We leverage passive TCP fingerprinting on the collected packet traces to identify bot-infected hosts and spam messages sent from them. We first extract variants of the known TCP signatures that are associated with the spamming botnet by correlating the data sets in the time and space domains. Next, by using the signatures, we quantify the volume of spam sent from the botnet and the effectiveness of the C&C server shutdown from an Internet edge siteperspective. We attempt to study the characteristics of the spamming botnet in both the time and space domains. We reveal several findings that are useful in understanding the spread of spamming botnets; specifically, we note the steady growth of the botnet's size and the rapid version transition after the shutdown of C&C servers. We also estimate the entire size of Srizbi botnet. We then study how the botnet membership is distributed around the globe and how its size changed over time.