Hello Sniffer Folks, I've spoken before about the blackhats using high amplitude bursts to get chunks of their spam through and that some of the time they were pre-testing their messages and then launching them on bot nets with fresh (as yet unseen) IPs.
This has been an effective strategy for them but not a heavily used tactic -- that is, until a couple of days ago. The new SNF engine provides some new and useful real-time telemetry and it has allowed us to see many things more clearly.

A few weeks back (3-7) we saw a few very strange events on our major spamtraps and larger filtering systems that use SNF. A handful of times it appeared that new spam campaigns would start with virtually all new IPs and new messages while at the same moment old bot nets would go dark. These were not ordinary shifts where some portion of the spam flow changed direction -- these were "is this thing broken" kinds of events where our telemetry changed so radically that I quickly ran through all of our equipment to make sure it was working -- also to prove I wasn't crazy -- did I actually see it? Yes. I did.

I theorized then that this was a test of a more aggressive form of this spam delivery tactic and that we would probably see more of it. In the past few days (starting Monday actually, showing how institutionalized the spam & malware business has become) we have seen multiple storms just like this. These are bot net stampedes where entirely fresh bots (new IPs) begin sending entirely new pre-tested campaigns en masse while old bots duck out of the way. There have been several of these events per day since they started appearing aggressively on Monday. It looks like this new technique is here to stay -- we shall see.

The most telling bit of telemetry that sets these events apart: GBUdb normally truncates 30-75% of traffic on systems where SNF is out front. On our heavy spamtraps that means truncating 2500-3500 messages per minute while scanning a total near 4000 per minute. When one of these new storms hits we see truncate rates fall to extraordinarily small numbers -- from 2500-3500 to 30-50! TWO ORDERS OF MAGNITUDE!
This indicates that at that one coordinated moment virtually all of the old bots are shut down and entirely new ones are activated in extremely large numbers! This telemetry is seen across the board indicating an unprecedented level of coordination.

We will be watching with interest to see what else we can learn and we will be making changes and upgrades to adapt (of course). No doubt there are many ramifications of this new tactic that we will be discovering over the coming days and weeks. Some that we might predict:

* DNS based IP reputation systems will see higher loads as very large segments of their data are rendered inert and large numbers of new IPs must be swapped into place.
* More spam leakage is certain on systems that don't have some kind of delayed scanning ("Gauntlet" and/or greylisting) mechanisms.
* Some network infrastructures will begin to fail occasionally and all network infrastructures will see higher load bursts as previously unseen IPs from large bot nets bypass firewall ACLs.
* Firewall ACLs will need to be changed more frequently and the changes will require much more data than usual. This may also be true of routing tables (BGP etc) as some systems do dynamic network blocking via null routing.

If you begin to see unusual activity and instability that appears similar to the above then it is likely related to these new blackhat practices. I hope this information is helpful. I look forward to your comments and insights.

Best,

_M

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.

This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>.
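The telemetry signature described in the post (truncate rate collapsing by two orders of magnitude at the same moment nearly every sending IP is new) is easy to turn into an alert. The following is an added example, not code from the post and not part of SNF or GBUdb; it assumes a constructed per-minute feed of three counters (messages scanned, messages truncated on IP reputation, and senders never seen before), keeps a rolling median of the truncate ratio over quiet minutes, and flags a stampede when the ratio collapses against that baseline while previously unseen IPs dominate.

```python
from collections import deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    """One minute of filter telemetry (constructed fields, see lead-in)."""
    minute: int
    scanned: int      # messages the filter looked at this minute
    truncated: int    # messages dropped early on sender IP reputation
    new_ips: int      # sending IPs this system had never seen before

    @property
    def truncate_ratio(self) -> float:
        return self.truncated / self.scanned if self.scanned else 0.0

    @property
    def new_ip_ratio(self) -> float:
        return self.new_ips / self.scanned if self.scanned else 0.0


def flag_minutes(samples, window=10, min_history=5, drop_factor=10.0, new_ip_floor=0.5):
    """Yield (minute, baseline_ratio, observed_ratio) for each minute where the
    truncate ratio collapses by at least drop_factor against the rolling median
    of recent quiet minutes AND most senders are previously unseen IPs."""
    history = deque(maxlen=window)
    for s in samples:
        if len(history) >= min_history:
            baseline = median(h.truncate_ratio for h in history)
            observed = s.truncate_ratio
            collapsed = baseline > 0 and observed * drop_factor <= baseline
            if collapsed and s.new_ip_ratio >= new_ip_floor:
                yield (s.minute, baseline, observed)
                continue  # keep storm minutes out of the baseline
        history.append(s)


def detect_stampedes(samples, **kw):
    """Merge consecutive flagged minutes into events: a list of dicts holding
    start and end minute, the quiet-time truncate ratio and the lowest ratio seen."""
    events = []
    for minute, baseline, observed in flag_minutes(samples, **kw):
        if events and events[-1]["end"] == minute - 1:
            ev = events[-1]
            ev["end"] = minute
            ev["min_ratio"] = min(ev["min_ratio"], observed)
        else:
            events.append({"start": minute, "end": minute,
                           "baseline": baseline, "min_ratio": observed})
    return events


# Constructed telemetry: about 4000 scanned/min with 2500-3500 truncated/min in
# quiet minutes (the figures quoted in the post), then three minutes where
# truncation drops to 30-50 while nearly every sender is a never-seen IP.
QUIET = [Sample(m, 4000, 2500 + (m * 137) % 1000, 150 + (m * 53) % 100) for m in range(1, 13)]
STORM = [Sample(13, 4100, 40, 3900), Sample(14, 4300, 35, 4150), Sample(15, 3950, 50, 3700)]
AFTER = [Sample(m, 4000, 2800 + (m * 91) % 700, 180) for m in range(16, 21)]
SAMPLES = QUIET + STORM + AFTER

if __name__ == "__main__":
    for ev in detect_stampedes(SAMPLES):
        print(f"stampede minutes {ev['start']}-{ev['end']}: truncate ratio "
              f"{ev['baseline']:.2f} -> {ev['min_ratio']:.3f}")
```

Storm minutes are deliberately kept out of the rolling baseline, so a stampede that lasts many minutes keeps being reported against the pre-storm truncate ratio instead of quietly becoming the new normal. Requiring both conditions (ratio collapse and a majority of unseen senders) keeps an ordinary outage of the reputation lookup, which also drops the truncate rate, from being reported as a stampede.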