How does a Botnet affect the difficulty?

How does the blocktime work?
It is important to understand, that the blocktime is not a fix value for the network. It is only a guideline and therefor optimal value.

Catalyst has a blocktime (DIFFICULTY_TARGET) of 60 seconds.

This means, that the network will adjust the difficulty to the hashrate of miners on the network to balance out the blocktime to the 60 seconds.

If the hashrate increases, while the difficulty stays the same, the blocktime will be below 60 seconds and therefor blocks are found faster than usual. The network evens that out by increasing the network difficulty, which makes it harder for the miners to find a block. Once an average of 60 seconds per block is reached, the difficulty rests.

Botnet Attack
Lets say, a botnet attacks Catalyst. The hashrate of the network doubles in short time. Since the difficulty will not adjust instantly, more blocks are found than usually.

Instead of every 60 seconds, the network finds now blocks every 30 seconds.

The botnet harvests those blocks and then leaves. Now the difficulty slowly adjusts to that attack and rises. Since the botnet hashrate is gone now, the remaining network has to deal with that increased difficulty. Blocks are found slower than usual.

Instead of every 60 seconds, the network finds now blocks every 120 seconds.

After a while, the difficulty will go down again and adjust to the remaining hashrate.

Now we are back to 60 seconds per block.

Difficulty adjustments
So whats the technical background of the difficulty? Why does it react delayed?

Catalyst uses a rolling window of the last 60 (+1) blocks. In essence, for each new block the difficulty is being retargeted based on the last 60 (+1) blocks. Thus, for example, block 1000060 will take blocks 1000000 to 100060 for the difficulty calculation, whereas block 1000061 will take blocks 1000001 to 1000061. In addition, to mitigate the effect of dishonest and inaccurate timestamps, 20% of the outliers are cut-off for the calculationĀ¹.

A rolling window will reduce the variance of block time, because the network is able to adjust the difficulty every block. By contrast, with Bitcoin it would be possible to push out 5 minute blocks for a week or 1 hour blocks for 12 weeks until the difficulty retargets.

So this means, that it always calculates the difficulty on the average hashrate of the previous 60 (+1) blocks. That is why, the difficulty reacts delayed to botnets.

Hope this lil excursion was interesting to read and you learned something today:)
Thanks for your time!