Now that the Internet is the most important medium in the world, even many non-technical people have heard of things like botnets and denial-of-service (DoS) attacks. Nonetheless, very few people ever talk about sinkholing, one of the more important tactics for defending against both (among other types of attacks).
Put simply, a sinkhole is a server or network segment to which malicious traffic is intentionally directed. It is similar to a honeypot, but it is used actively as a defense: traffic is deliberately steered into it. Once the traffic is isolated in a sinkhole, it can no longer hurt its intended targets; additionally, the traffic can be analyzed to reveal the source of the attack as well as information about the techniques being employed.
For example, when a denial-of-service (DoS) attack is detected against a web server, all of that malicious traffic could instead be directed to a sinkhole. Sinkholes are designed to withstand this traffic and to let no packets back out, so there is no backscatter.
Additionally, they are normally outfitted with analysis tools for reconnaissance: packet sniffing, flow analysis, and traceroutes back toward the attacking hosts.
Entire botnets, even huge ones, can be effectively neutralized by changing the DNS entries their bots use to locate the command-and-control (C&C) server so that they point at a sinkhole instead. Obviously this means changing entries in public DNS servers. Generally speaking, DNS organizations are happy to modify their listings for the purpose of taking down botnets, but there have also been examples of law enforcement agencies obtaining court orders to change public DNS listings for this purpose.
By changing this one DNS record, gigantic botnets of even hundreds of thousands of infected hosts are effectively neutralized: the infected hosts (zombies) now connect to the sinkhole rather than to their C&C server. Not only that, but the traffic of all those zombies can be analyzed to discover the methods employed by the attackers, and possibly even the identity of the attackers. An especially devious tactic is to mimic the control interface of the real C&C server and wait for the botnet owner to try to log in, thus revealing themselves.
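As an added illustration (not code from the original article), the two halves of a DNS sinkhole in Python: the resolver policy that answers queries for known C&C domains with the sinkhole's address, and the analysis run over the connection log the sinkhole keeps, which inventories infected hosts per domain and flags attempts to log in to the mimicked control panel. All domain names, addresses and log lines are constructed for the example.

```python
"""Toy DNS sinkhole: repoint known C&C domains to a sinkhole address, then
inventory the infected hosts that connect there. Every domain, address and
log line below is constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, List, Optional, Set

SINKHOLE_IP = "192.0.2.10"  # RFC 5737 documentation address (constructed)

# Domains the bots use to find their C&C server (constructed examples)
SINKHOLED_DOMAINS = {"cnc.example.net", "update.example.org"}


def resolve(name: str, upstream: Dict[str, str]) -> Optional[str]:
    """Policy step: a query for a sinkholed domain, or any subdomain of one,
    is answered with the sinkhole address; everything else uses `upstream`."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SINKHOLED_DOMAINS:
            return SINKHOLE_IP
    return upstream.get(name.lower().rstrip("."))


# Log kept by the sinkhole listener, one "src_ip host request" per line.
# The listener answers nothing, so no commands or backscatter leave it.
SINKHOLE_LOG = """\
203.0.113.5 cnc.example.net GET /gate.php?id=7f3a
203.0.113.5 cnc.example.net GET /gate.php?id=7f3a
198.51.100.77 cnc.example.net GET /gate.php?id=c019
198.51.100.78 update.example.org POST /panel/login
203.0.113.200 cnc.example.net GET /gate.php?id=9b44
"""


def inventory(log: str) -> Dict[str, Set[str]]:
    """Analysis step: unique infected source addresses per sinkholed domain."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        src, host, *_ = line.split()
        ip_address(src)  # reject a malformed line instead of counting garbage
        hosts[host].add(src)
    return dict(hosts)


def panel_logins(log: str) -> List[str]:
    """Sources that tried the mimicked control-panel login: an operator, not a bot beacon."""
    return [line.split()[0] for line in log.splitlines() if "/panel/login" in line]


if __name__ == "__main__":
    print(resolve("cnc.example.net", {}), inventory(SINKHOLE_LOG), panel_logins(SINKHOLE_LOG))
```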
These are just a few specific examples of the many ways that sinkholes can be used to defend networks and fight back against criminal hackers. For those interested, there is a wealth of more technically detailed information available on the Internet.
Here are a few references with some more in-depth technical information: