The Cisco Talos and Umbrella research teams are deploying a distributed hailstorm detection system which brings together machine learning, stream processing of DNS requests and the curated Talos email corpus.
Talos has discussed snowshoe spam before. Traditional snowshoe spam campaigns are sent from a large number of IP addresses, and a low volume of spam email per IP address. Using such techniques, snowshoe spammers intend to fly under the radar with respect to any reputation or volume-based metrics that could be applied by anti-spam systems. This post concerns “hailstorm” spam. Hailstorm spam is an evolution of snowshoe spam. Both snowshoe and hailstorm spam are sent using a large number of sender IP addresses, but unlike snowshoe spam, hailstorm campaigns are sent out in very high volume over a short timespan. In fact, some hailstorm spam attacks end just around the time the fastest traditional anti-spam defenses can update in response.
The images below, taken from Umbrella Investigate, nicely illustrate the difference between a typical snowshoe spam campaign versus a typical hailstorm spam campaign. The top image below illustrates what the DNS query volume looks like for a domain involved in a typical snowshoe attack. Note the maximum query rate is only 35 queries per hour for the snowshoe domain example. The bottom graph, in contrast, shows the DNS query volume for a domain involved in a typical hailstorm attack. In this graph, there is practically no query volume until suddenly when the DNS query volume spikes to over 75K queries per hour, then drops back down to nothing.
|Typical DNS query volume patterns for traditional snowshoe spam (top) vs. hailstorm spam (bottom).|