About 315 Web sites, including domains operated by the CIA, the FBI, Google, Microsoft, and Mozilla, are being deluged with junk data, enough in some cases to qualify as a denial of service attack.
The source is the Pushdo botnet, which has been operating since at least 2007. Pushdo bots most often distribute the Wigon rootkit and the Cutwail spam trojan.
In an online post on Friday, Shadowserver security researcher Steven Adair said that some 315 Web sites are being sent junk data via SSL connections.
"Technically they are being attacked, although knocking the sites offline doesn't seem to be the goal," he says. "The bots seem to start to initiate an SSL connection and [send] a bit of junk to the Web sites and then disconnect. They do not actually request any resources from the Web site or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long."
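The behaviour Adair describes (a TLS session opened, a little junk sent, no request made, disconnect, repeat) is easy to pick out of per-connection server logs. The following is an added example, not code from the article or from Shadowserver; the log format, field names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed per-connection log sample (assumed format, not from the article):
# timestamp src_ip bytes_in requests duration_ms
SAMPLE_LOG = """\
2010-01-29T10:00:01 198.51.100.7 142 0 38
2010-01-29T10:00:03 198.51.100.7 139 0 41
2010-01-29T10:00:05 198.51.100.7 151 0 36
2010-01-29T10:00:06 198.51.100.7 147 0 40
2010-01-29T10:00:09 198.51.100.7 140 0 39
2010-01-29T10:00:02 203.0.113.21 1830 3 412
2010-01-29T10:00:08 203.0.113.21 2210 5 650
2010-01-29T10:00:04 192.0.2.55 120 0 35
"""


def parse_line(line):
    """Split one assumed-format log line into a record with typed fields."""
    ts, src, bytes_in, requests, duration = line.split()
    return {"ts": ts, "src": src, "bytes_in": int(bytes_in),
            "requests": int(requests), "duration_ms": int(duration)}


def find_junk_ssl_sources(log_text, min_conns=3, max_bytes=512):
    """Return {src_ip: (connection_count, total_bytes_in)} for sources whose
    connections all look like the described pattern: repeated sessions that
    deliver only a small amount of data and never issue a request.

    min_conns and max_bytes are assumed thresholds; tune them to the site."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    flagged = {}
    for src, conns in by_src.items():
        junk = [c for c in conns
                if c["bytes_in"] <= max_bytes and c["requests"] == 0]
        # Require every session from the source to match, so a client that
        # also makes real requests is not flagged on a few aborted handshakes.
        if len(junk) >= min_conns and len(junk) == len(conns):
            flagged[src] = (len(junk), sum(c["bytes_in"] for c in junk))
    return flagged


if __name__ == "__main__":
    for src, (count, total) in find_junk_ssl_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} junk TLS sessions, {total} bytes received")
```

The byte totals per source are what the bandwidth-bill concern mentioned below comes down to; the flagged list is what an admin would hand over when asked for captures.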
For Web sites set up to deal with lots of traffic, like chrome.google.com and ssl.bing.com, the data surge hasn't noticeably degraded site performance, though it may inflate bandwidth bills.
Other, less well-provisioned sites, however, may experience service slowdowns or stop responding completely if the traffic volume is sufficient.
Adair isn't certain as to the purpose of the attack, if it is one. The volume of traffic is too noticeable to reflect covert activity and not large enough to represent a serious denial of service threat, he says.
It's possible that the attack's goal is reconnaissance rather than denial of service.
SANS Internet Storm Center handler Steve Hall has asked admins of affected sites to capture some of the incoming packets and upload them via a SANS Web form for analysis.