Storm, Nugache lead dangerous new botnet barrage

Bill Stewart bill.stewart at pobox.com
Sat Jan 12 15:01:54 PST 2008


At 10:37 AM 1/12/2008, Len Sassaman wrote:
>On Sat, 12 Jan 2008, Peter Gutmann wrote:
> > (Alternatively, "because they can".  They're not paying for the overhead, it
> > doesn't really make much sense not to encrypt everything).
>I don't agree -- they *are* paying for the overhead. Not in dollars, but
>in CPU cycles (and a minor programming overhead.) If you increase the
>performance degradation on the hosts in the botnet, you're going to lose

Encrypting the control channel isn't going to burn a lot of CPU;
hopefully the botnet doesn't need more than a few KB/hour of control,
and almost certainly it wouldn't need more than a few KB/sec of data
(such as spam-target email addresses), so encrypting it's low-horsepower.

The heavy-resource job of a bot is sending out lots of packets to targets,
whether it's spam email sessions or DDOS UDP packets,
and the limiting factor on that is upstream bandwidth, typically 128-768kbps.
On a modern CPU you could even encrypt that traffic if you wanted,
without the CPU breaking a sweat, though the only application I can see for that
is encrypted SMTP sessions if you're spamming somebody high-tech.

Most computers have enough spare CPU that they can burn it looking for
space aliens or folding proteins at home without noticing a performance hit;
the real trick on keeping resource consumption low enough to not be noticed
is managing upstream bandwidth so that you don't stifle http queries and TCP acks.




