Hello Sniffer Folks,

I've spoken before about the blackhats using high amplitude bursts to
get chunks of their spam through and that some of the time they were
pre-testing their messages and then launching them on bot nets with
fresh (as yet unseen) IPs.

This has been an effective strategy for them but not a heavily used
tactic -- that is, until a couple of days ago.

The new SNF engine provides some new and useful real-time telemetry
and it has allowed us to see many things more clearly.

A few weeks back (3-7) we saw a few very strange events on our major
spamtraps and larger filtering systems that use SNF. A handful of
times it appeared that new spam campaigns would start with virtually
all new IPs and new messages while at the same moment old bot nets
would go dark.

These were not ordinary shifts where some portion of the spam flow
changed direction -- these were "is this thing broken" kinds of events
where our telemetry changed so radically that I quickly ran through
all of our equipment to make sure it was working -- also to prove I
wasn't crazy -- did I actually see it?

Yes. I did.

I theorized then that this was a test of a more aggressive form of
this spam delivery tactic and that we would probably see more of it.

In the past few days (starting Monday actually, showing how
institutionalized the spam & malware business has become) we have seen
multiple storms just like this.

These are bot net stampedes where entirely fresh bots (new IPs) begin
sending entirely new pre-tested campaigns en masse while old bots duck
out of the way.

There have been several of these events per day since they started
appearing aggressively on Monday. It looks like this new technique is
here to stay -- we shall see.

The most telling bit of telemetry that sets these events apart: GBUdb
normally truncates 30-75% of traffic on systems where SNF is out
front. On our heavy spamtraps that means truncating 2500-3500 messages
per minute while scanning a total near 4000 per minute.

When one of these new storms hits we see truncate rates fall to
extraordinarily small numbers -- from 2500-3500 to 30-50! TWO ORDERS
OF MAGNITUDE!

This indicates that at that one coordinated moment virtually all of
the old bots are shut down and entirely new ones are activated in
extremely large numbers!

This telemetry is seen across the board indicating an unprecedented
level of coordination.
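A small detector for the telemetry signature described above, as an added example that is not part of the original post or of the SNF/GBUdb software. It assumes only that per-minute counters of messages scanned and messages truncated are available; the names (Sample, Episode, detect_stampedes), the thresholds, and the sample figures are my own, with the sample numbers constructed to mimic the 2500-3500 versus 30-50 per minute figures quoted in the post.

```python
"""Detect "bot net stampede" events from SNF/GBUdb-style per-minute telemetry.

Signal (from the post): GBUdb truncation normally runs at 30-75% of scanned
traffic; during a stampede it collapses by roughly two orders of magnitude
while total volume stays roughly flat. This detector compares each minute's
truncate ratio against a rolling median baseline built from recent
non-storm minutes and groups consecutive collapsed minutes into episodes.
All names and numbers below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import Deque, Iterable, List, Optional


@dataclass(frozen=True)
class Sample:
    minute: int      # minute index (or epoch minute) of the telemetry bucket
    scanned: int     # messages scanned in this minute
    truncated: int   # messages truncated (rejected early) in this minute


@dataclass
class Episode:
    start: int
    end: int
    baseline_ratio: float   # rolling baseline truncate ratio when the collapse began
    min_ratio: float        # lowest truncate ratio observed during the episode


def truncate_ratio(s: Sample) -> float:
    """Fraction of scanned traffic that was truncated (0.0 when nothing scanned)."""
    return s.truncated / s.scanned if s.scanned else 0.0


def detect_stampedes(samples: Iterable[Sample], baseline_window: int = 10,
                     collapse_factor: float = 10.0, min_baseline: float = 0.3,
                     min_scanned: int = 500) -> List[Episode]:
    """Return episodes where the truncate ratio falls to <= baseline / collapse_factor.

    baseline_window: number of recent normal minutes forming the median baseline.
    collapse_factor: 10.0 flags a one-order-of-magnitude drop; the post saw ~100x.
    min_baseline:    skip periods where truncation is not doing much anyway.
    min_scanned:     skip quiet minutes; a stampede keeps volume high, a traffic
                     lull does not, so a low ratio on low volume is not a storm.
    """
    history: Deque[float] = deque(maxlen=baseline_window)
    episodes: List[Episode] = []
    current: Optional[Episode] = None
    for s in samples:
        r = truncate_ratio(s)
        baseline = 0.0
        collapsed = False
        if len(history) == baseline_window and s.scanned >= min_scanned:
            baseline = median(history)
            collapsed = baseline >= min_baseline and r * collapse_factor <= baseline
        if collapsed:
            if current is None:
                current = Episode(s.minute, s.minute, baseline, r)
            else:
                current.end = s.minute
                current.min_ratio = min(current.min_ratio, r)
            # storm minutes are deliberately NOT fed into the baseline, so a
            # multi-minute storm keeps being compared against normal traffic
        else:
            if current is not None:
                episodes.append(current)
                current = None
            history.append(r)
    if current is not None:
        episodes.append(current)
    return episodes


def constructed_telemetry() -> List[Sample]:
    """Constructed sample: 15 normal minutes, a 4-minute stampede, then recovery."""
    normal = [Sample(m, 4000 + (m % 3) * 50, 3000 + (m % 5) * 40) for m in range(15)]
    storm = [Sample(m, 4100, 40) for m in range(15, 19)]   # ~4000/min scanned, ~40 truncated
    after = [Sample(m, 3900, 2900) for m in range(19, 25)]
    return normal + storm + after


if __name__ == "__main__":
    for e in detect_stampedes(constructed_telemetry()):
        print(f"stampede minutes {e.start}-{e.end}: baseline truncate ratio "
              f"{e.baseline_ratio:.2f}, collapsed to {e.min_ratio:.4f}")
```

The volume guard matters: a plain traffic lull also produces a low truncate count, but the post's distinguishing feature is that scanning volume stays near normal while truncation collapses, so the detector only scores minutes that still carry real volume.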

We will be watching with interest to see what else we can learn and we
will be making changes and upgrades to adapt (of course).

No doubt there are many ramifications of this new tactic that we will
be discovering over the coming days and weeks. Some that we might
predict:

* DNS based IP reputation systems will see higher loads as very large
segments of their data are rendered inert and large numbers of new IPs
must be swapped into place.

* More spam leakage is certain on systems that don't have some kind of
delayed scanning ("Gauntlet" and/or greylisting) mechanisms.

* Some network infrastructures will begin to fail occasionally and all
network infrastructures will see higher load bursts as previously
unseen IPs from large bot nets bypass firewall ACLs.

* Firewall ACLs will need to be changed more frequently and the
changes will require much more data than usual. This may also be true
of routing tables (BGP etc) as some systems do dynamic network
blocking via null routing.

If you begin to see unusual activity and instability that appears
similar to the above then it is likely related to these new blackhat
practices.

I hope this information is helpful.

I look forward to your comments and insights.

Best,

_M


-- 
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.

