RE: Anycast 101

We aren't dealing with stupid people. If 1/10th of
the bots will do the trick, that's 1/10th of the work. A larger
botnet would expose the controllers much more rapidly with focused
traffic flows towards the controllers. No controller = no $$. You'd
also have more people involved to speed up the process and now you're
spending money that you don't have to when 100K will suffice nicely.
Whether you buy the botnets or you build them yourself, you need time
to generate revenue. Survival and greed are factors here. Aggregating
botnets is possible, sure. But that means you're paying someone for
their use. They aren't just giving them away. Of course, you could
buy a botnet, but again, why buy when you can build a 100K botnet in
short order and for free?

Discussing botnet sizes is irrelevant though except in the case of
mitigation and deciding where to spend time working *80/20*.

Look at how the discussions surrounding SPAM have evolved. It went
from "damn abusers", to "damn software", to "where's the money coming
from?". The BotNet problem has already evolved to "where's the money".

Botnets are a new phenomenon. [ Gadi!?]

[ SNIP ]

Botnets are a new phenomenon. [ Gadi!?]

hehe, I won't take the bait on that one Martin. :)

I suppose that back in the days when it was "new" they weren't really called "armies", and _hackers_ would actually set up "real" bots on pwned boxes. Today we see less and less actual eggdrop/energymech botnets, and a ton more botnets consisting of IRC-related Trojan horses.

The issue is rather new in the security world "press". They are still testing the ground. The actual press will start buzzing about it soon, to a very large degree due to much noise created by me for a long time on some security related mailing lists. I am not sure if this is good or bad.

Many people still believe DDoS is mostly constructed by using broadcast... (remember the rootshell days with lists being distributed?) people "throw" the word botnet around for the past couple of years.. but nothing beyond that.

It can turn into a media "hype" issue. It can turn into a public.. whatever.

Thing is, people will be more conscious about it and maybe something more will be done than a select few who waste their private time fighting this against people who make money from it.

As to the date "all this" started.. I'd have to say that it started a long time ago, but really hit it with the big come-back of Trojan horses (not that they ever really disappeared) during 1996-1997.

  Gadi.

Botnets aren't new. They've been prototyped on various IRC networks for years. It started with hordes of linked eggdrop bots for Death Star style privmsg/notice flood attacks on single users (1998? 1999?). When the response was to hunt down and remove the bots in a mass fashion (I hacked up one of the early tools for doing it), it turned into submarine botnets on private servers (or not connected to IRC at all) doing DDoS attacks against targeted IP addresses. These days, it's virally injected remote controls and soon, sharks with frickin laser beams.

- billn

Botnets aren't new. They've been prototyped on various IRC networks for years. It started with hordes of linked eggdrop bots for Death Star style privmsg/notice flood attacks on single users (1998? 1999?). When

For history's sake, most people name BO and netbus as the "original" remote control Trojan horses. Those that started all the mess.

Truth be told, that's far from the truth, although history won't care much about it.

There were two main "remote" Trojan horses that came before.

One was by MrZ (I think!) who hung around the EFnet IRC network and created havoc 1, 2 and 3. Also known at the time as route32b.exe, mostly.

There was Socket de Troie (sp?), with a cute French GUI interface.

Most botnets back then were indeed eggdrops/energymechs, but the masses started.. erm.. massing with script.ini and DMSETUP.exe showing up in late 1996.

Then came BO and netbus. The original netbus was actually written in Delphi if I remember right.. most of these Trojan horses later on, for a few years, were written in VB and C (moving from PASCAL).

  Gadi.