When you decide that you’re done working for the day and log off until the next morning, your computer might not be going to sleep when you do. If it’s been infected by a botnet attack, there is a very high chance that the machine is still actively phoning Command-and-Control servers, receiving and acting on instructions to perform nefarious activities. Your computer could be working long into the night, sending out spam emails by the thousands or even participating in a DDOS attack. In this post, we’ll take a look at the landscape of online bots, and see what parts of the world are home to the most infected machines.
You’ve probably seen this rotating globe on the Labs website. It graphs the real-time botnet requests coming from and going into different countries around the world. (Head to http://labs.umbrella.com/global-network/ to see it spin!) 50 million people worldwide use our DNS service, and we handle 50 billion DNS requests per day. Of those, the total number of botnet requests that we automatically detect and block is approximately 80 to 90 million per day.
Recently we decided to take a look at the global distribution of bot machines. What areas of the world are most affected by botnets? To provide a geographic view of the actual number of bot machines, we queried the OpenDNS passive DNS log for the unique IPs communicating to a list of known bot CnC servers over a 60 minute window. To make a fair global comparison, we sampled 6 p.m.—7 p.m. on a single day in each local time zone. Take a look at the interactive heatmaps below to see a visualization of how infected devices are distributed around the world:
Map A shows the total DNS bot requests from one country over the course of one hour.
Map B shows the percentage of bot machines among all online devices in a country.
We see that the highest ratio of bot infections are seen in Kazakhstan and Belarus, keeping in mind that our numbers do reflect the smaller number of total users of OpenDNS in those countries. Across the globe, we see that about 1 out of 100 online devices is a bot, actively communicating with CnC servers. The U.S., China, and Brazil fare slightly better, at an infection rate of 4 out of 1000 devices.
While we were proud to notice that Internet users in Estonia and Brunei are using OpenDNS services, unfortunately all of the devices we observed from these countries have called out to the CnC servers. They were not shown in the map above to avoid skewing the results.