What is Sinkholing?

Now that the Internet is the most important medium in the world, even many non-technical people have heard of things like botnets and denial-of-service (DoS) attacks. Nonetheless, very few people ever talk about sinkholing, one of the more important tactics for defending against both (among other types of attacks).

 

Definition of a Sinkhole

Put simply, a sinkhole is a server or network segment to which malicious traffic is intentionally directed. It is similar to a honeypot but it is used actively as a defense. Once the traffic is isolated in a sinkhole, it can no longer hurt its intended targets; additionally, the traffic can be analyzed to reveal the source of the attack as well as information about the techniques being employed.

For example, when a Denial-of-Service (DoS) attack is detected against a web server, all of that malicious traffic could instead be directed to a sinkhole. Sinkholes are designed to withstand this traffic and to prevent any packets from coming back out—no backscatter.

Additionally, they are normally outfitted with analysis tools to perform reconnaissance: packet sniffing and flow analysis and traceroutes to the attackers.

 

A Few of the Numerous Security Applications of Sinkholes

• Distributed sinkholes are a standard feature of the infrastructure of all major Internet Service Providers (ISPs) today. They are positioned throughout the network and assigned anycast addresses so that malicious traffic is directed to the nearest one, reducing congestion. The ISPs utilize internal DNS servers with lists of known malicious addresses that automatically route any traffic coming from them into the sinkholes. They also automatically reroute anything claiming to come from the small remaining pool of unallocated IP space, which is obviously malicious or at least erroneous by definition.

• It is a good practice for any organization to use internal DNS servers to redirect suspicious outbound communications to sinkholes for analysis too. A few examples of this are restricting any DNS queries (port 53) to known DNS server addresses and blacklisting any other protocols that should not be emanating from the organization as well as all traffic to any known malicious IPs. The logs of the traffic that ends up in these sinkholes can provide invaluable clues about compromised hosts inside the organization.

• Sinkholing is also a powerful technique for neutralizing botnets. When a botnet is discovered, one could analyze the traffic coming from the bots and determine which server is controlling them. Once this so-called Command and Control (C&C) server is discovered, its publicly-listed address can be changed in the relevant DNS server(s), redirecting the traffic it would normally receive to the sinkhole.

 

Controlling the Command and Control Server

As mentioned above, entire huge botnets can be effectively neutralized by changing their given DNS entries. Obviously now we’re talking about changing entries in public DNS servers. Generally speaking, DNS organizations are happy to modify their listings for the purpose of taking down botnets, but there have also been examples of law enforcement agencies obtaining court orders to change public DNS listings for this purpose.

By changing this one address, gigantic botnets of even hundreds of thousands of infected hosts are effectively neutralized. Not only that, but the traffic of all the infected hosts (zombies) can be analyzed to discover the methods employed by the attackers, and possibly even the identity of the attackers. An especially devious tactic is to mimic the control interface of the real C&C server and wait for the botnet owner to try and log in, thus revealing him or herself.

 

Further Reading

These are just a few specific examples of the many ways that sinkholes can be used to defend networks and fight back against criminal hackers. For those interested, there is a wealth of information with more technical depth available on the internet.

Here are a few references with some more in-depth technical information:

• DNS Sinkhole, Guy Bruneau, SANS Institute 2010
• Sink Holes : A Swiss Army Knife ISP Security Tool v1.5, Danny McPherson and Barry Raveendran Greene, from North American Network Operators Group