On 01 May 2013, at 1:51 PM, André Warnier <a...@ice-sa.com> wrote: > But *based on the actual data and patterns which I can observe on my servers > (not guesses), I think it might have an effect*.
Of course it might have an effect - the real important question is will it have a *useful* effect. A bot that gives up scanning a box that by definition isn't vulnerable to that bot (thus the 404) doesn't achieve anything useful, the bot failed to infect the host before, it fails to infect the host now, nothing has stopped the bot moving to the next host and trying it's luck there. Perhaps it does achieve a reduction in traffic for you, but that is for you to decide, and the tools already exist for you to achieve this. To put this into perspective, Rackspace will give me a midrange virtual server instance with 8GB of RAM for $350-ish per month. If I wanted 10 000 of these, that's a $3.5m dollar a month server bill. Or I could break into and steal access to 10 000 servers in my botnet, some far larger than my 8GB ballpark, and save myself $3.5m per month. Will attempts by sites across the net to slow down my bots convince me to stop? For $3.5m worth of computing power that I am getting for free, I think not. Regards, Graham --
smime.p7s
Description: S/MIME cryptographic signature
