Over the past couple of days, we've seen either the beginning of a new botnet tactic, or we changed something on our networks that is causing network problems.
The shift in tactics is the amount of time that a bot will connect to our service, we issue them a 550 but then they don't drop the connection right away. Typically, after a 550 a bot will drop the connection. These ones seem to be holding on for up to a minute.
This is a little strange since it doesn't make sense for a spammer to hold onto the connection if the connection is refused. I wonder if they're trying to target us specifically? This sounds a little paranoid but sometimes it's prudent to be paranoid.
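As an added illustration (not part of the original post or its replies), the script below shows one way a mail operator could measure the behaviour described above: it parses a constructed, simplified SMTP session log, computes how long each peer kept the connection open after the server issued a 550, and summarises per source address which peers linger past a threshold. The log format, the session ids and the addresses are all hypothetical, and the script is not tied to any particular MTA.

```python
"""Flag SMTP peers that keep a connection open after a 550 rejection.

Added example. The log format below is hypothetical (one event per line:
"<ISO timestamp> <session id> <event> [detail]"); real MTAs log differently,
so the parser would need adapting, but the per-session logic stays the same.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log: three sessions from one peer, one of which never
# disconnects, one quick-dropping rejected peer, and one accepted session.
SAMPLE_LOG = """\
2007-08-20T10:00:00 s1 connect 203.0.113.10
2007-08-20T10:00:01 s1 reply 550 5.7.1 Rejected
2007-08-20T10:00:02 s1 disconnect
2007-08-20T10:00:05 s2 connect 198.51.100.7
2007-08-20T10:00:06 s2 reply 550 5.7.1 Rejected
2007-08-20T10:00:10 s3 connect 198.51.100.7
2007-08-20T10:00:11 s3 reply 550 5.7.1 Rejected
2007-08-20T10:00:12 s4 connect 192.0.2.33
2007-08-20T10:00:13 s4 reply 250 OK
2007-08-20T10:00:14 s4 disconnect
2007-08-20T10:00:55 s3 disconnect
2007-08-20T10:01:04 s2 disconnect
2007-08-20T10:01:10 s5 connect 198.51.100.7
2007-08-20T10:01:11 s5 reply 550 5.7.1 Rejected
"""


@dataclass
class Session:
    peer: str
    connected: datetime
    rejected: Optional[datetime] = None  # time of the first 550 reply
    closed: Optional[datetime] = None    # time the peer dropped, if it did


def parse_log(text: str) -> Dict[str, Session]:
    """Group log events by session id; later events overwrite nothing."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=3)
        ts = datetime.fromisoformat(parts[0])
        sid, event = parts[1], parts[2]
        detail = parts[3] if len(parts) > 3 else ""
        if event == "connect":
            sessions[sid] = Session(peer=detail, connected=ts)
            continue
        s = sessions.get(sid)
        if s is None:
            continue  # event for a session we never saw connect; ignore
        if event == "reply" and detail.startswith("550") and s.rejected is None:
            s.rejected = ts
        elif event == "disconnect":
            s.closed = ts
    return sessions


def hold_after_reject(s: Session) -> Optional[float]:
    """Seconds the peer held the connection after the 550, or None if unknown."""
    if s.rejected is None or s.closed is None:
        return None
    return (s.closed - s.rejected).total_seconds()


def summarize(text: str, threshold: float = 10.0) -> Dict[str, Dict[str, float]]:
    """Per-peer counts of rejected sessions and how many lingered past threshold."""
    summary: Dict[str, Dict[str, float]] = {}
    for s in parse_log(text).values():
        if s.rejected is None:
            continue  # only sessions we actually rejected are of interest
        entry = summary.setdefault(
            s.peer, {"rejected": 0, "lingering": 0, "still_open": 0, "max_hold": 0.0}
        )
        entry["rejected"] += 1
        hold = hold_after_reject(s)
        if hold is None:
            entry["still_open"] += 1  # rejected but no disconnect logged yet
            continue
        entry["max_hold"] = max(entry["max_hold"], hold)
        if hold >= threshold:
            entry["lingering"] += 1
    return summary


def blocklist_candidates(summary: Dict[str, Dict[str, float]], min_lingering: int = 2) -> List[str]:
    """Peers with repeated lingering sessions, sorted for stable output."""
    return sorted(ip for ip, e in summary.items() if e["lingering"] >= min_lingering)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, e in sorted(result.items()):
        print(f"{ip}: {e}")
    print("candidates:", blocklist_candidates(result))
```

The `still_open` counter is the caveat worth keeping in mind before tightening server timeouts, as the comments below discuss: a session with a 550 but no disconnect is consuming a slot right now, and a shorter post-rejection timeout converts those into closed sessions without telling you whether the peer would have hung on.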
You are not alone with that. It is a new bot.
Occam's razor suggests to me that it's just a buggy new botnet. It seems like a waste for them to leave the connections open. I'm sure the bad guys could do something a lot more useful with that bandwidth than tickle your port 25 uselessly for a few extra seconds each time.
Either that, or it's the world's slowest DDOS attack. :)
I hope it's a buggy new botnet. On the other hand, I've learned not to underestimate spammers. There might be a doings a transpiring.
The person behind the Storm worm seems to have a well-developed vindictive sense. I have heard a trustworthy report that Storm bots will "report back" on IP addresses that attempt to probe their open ports systematically, and schedule them for a major DDOS in the 10s-100s of megabits range.
If these connections are from the Storm worm, intentionally bogging down the mailservers which successfully filter them would be of a piece with that.
I agree that the probable explanation is a buggy bot. But also that the best course is to not underestimate your adversaries.
It's a classic measure/countermeasure game. In the admittedly lower probability case that it /is/ a tactic, then they must be expecting a countermeasure which they intend to exploit. So what we need to do is carefully explore the ramifications of any measures we might plan to take specifically to counter this new change/problem. Whatever may seem the obvious choice, such as reducing time-out intervals, could have another effect that we simply need to examine ahead of time. _IF_ we can imagine an attack vector coming later to exploit that measure, all we have to do is prepare a further counter for that future counter-countermeasure. As in a chess game, it pays tremendously to think ahead and imagine [most of] the potential moves.
The 0wner experiences zero cost by ordering millions of zombies to keep connections open for a minute. I vote for the deliberate vindictive DDOS scenario.
It's just like war. Even in a case where there are one bad guy and one good guy instead of two bad guys, it's still just like war. Each side takes heroic measures to make sure the other side doesn't win.
I agree with Norman. The Storm worm is already known to DDOS IP addresses that scan it, so it's pretty well established that its owners are saying "You want a piece of me?!" to those who try to counter it.
Knowing this, I would not be at all surprised if they would keep connections open in a sort of reverse tar baby effect just to punish those running anti-spam solutions. In fact, knowing that Storm DDOSes things in its spare time, I'd be surprised if it wasn't now trying to punish mail servers that were trying to protect themselves. It doesn't cost the 0wner zero to do this, but it doesn't raise his spam delivery time all that much, either.
I'm not sure that it's a tactic as much as the virus not wasting the effort to send the QUIT. But using Exim I can do conditionals on this and feed my blacklists.
After reading this blog I gained a lot of knowledge, keep it up!
Interesting to see 2007 botnet DDoS testimonies... So much has changed but really not much at all.