Protect your network from malicious traffic – Sinkholing

Sharing is caring!

  • A honeynet is usually used as a sinkhole decoy server used to neutralize botnets Honeynets are used.
  • A honeynet is a simulated computer network whose purpose is to invite attacks so that attackers’ activities and methods can be studied.

Sinkholing is a technique used to redirect malicious traffic from its original destination to a server under the control of a defender, thus protecting your network from being disrupted by DDoS attacks or botnets. The server which acts as the C&C (Command & Control) of this traffic is called a sinkhole. Thus, in other words, it can be described as “When you have plenty of malicious traffic on your network, you direct it to a sinkhole.”

Types of Sinkholing

Generally, sinkholing can be used in two forms:

  • Internal Sinkholing – Where machines can be manipulated within the organization. It can be useful to identify infected machines on the network and remove the adversarial controls from them.
  • External Sinkholing – Where machines can be manipulated on the internet. It is quite a controversial option and involves blocking the malicious URL by adding a false entry in the DNS (Domain Name System).

Usually, sinkhole owners deploy the technique to redirect zombies in a botnet . It is a collection of internet connected-devices — to a specified research machine, which is an altered server. These machines are then analyzed by network administrators to understand the source of attacks and prevention methods as well. A honeynet is usually used as a sinkhole decoy server to neutralize botnets.

In What Settings Does Sinkholing Work?

As with other hacker tools, there are specific situations for certain tools. Sinkholing works no differently and can be used for malicious or beneficial intent.

Darien Huss, a Proofpoint senior security research engineer, told WIRED just how sinkholing operates.

“Let’s say you want to visit WIRED’s website on your computer . . . You first open a web browser and type the domain name,, into the address bar and press Enter. Typically, the Domain Name System server would respond with the IP address where is hosted; however, if the domain was sinkholed, your browser would be redirected to an IP address other than WIRED’s.”

What is a honeypot?

A honeynet is a simulated computer network whose purpose is to invite attacks. By which attackers’ activities and methods can be studied and the details are used to improve the security of networks. Multiple virtual honeypot servers form a honeynet.

Creation of sinkholes

To establish sinkholes, owners of the DNS (Domain Name System) — it translates the internet domain and hostnames. The researchers first understand the nature of DNS used by the botnet and create a fake C&C server accordingly.

Reward: Valuable Threat Intelligence

Valuable intelligence can be gained from running an external sinkhole even during inherent risks. Just victim counts and geographic distribution alone can be enough to get law enforcement engaged in a particular threat. The ability to see how traffic communicates to a potential controller is also useful for crafting defenses.

Additionally, this information can be important to the security community at large. Organizations generally all face the same threats, and by sharing information gleaned from it. A certain economy of scale can be realized without the need for all organizations to do same research. Instead, they can rely on privately shared information to deal with common threats.

Ultimately, sinkholing is an important tool to have in your arsenal when dealing with emerging threats.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 + 12 =