What is Sinkholing?
Sinkholing is a technique for manipulating data flow in a network. You redirect traffic from its intended destination to the server of your choosing. It can be used maliciously, to steer legitimate traffic away from its intended recipient. But security professionals more commonly use sinkholing as a tool for research and reacting to attacks.
When bots in a botnet phone home to their command and control server, for instance, you might sinkhole the domain they reach out to. That diverts the requests so that you can monitor activity on the botnet and track the IP addresses contacting the domain, and it means the bots can't receive commands. Law enforcement also uses the technique in investigations and large-scale criminal infrastructure takedowns. More broadly, internet infrastructure companies like ISPs and content delivery networks use sinkholes every day to defend their networks and customers and to manage traffic flow.
Many sinkholes rely on changes to the DNS system to route traffic where they want it to go. That requires taking over the domain name you want to monitor, which can be tricky. But law enforcement can get court orders to transfer ownership, and researchers sometimes set up automated systems to quickly take control of malicious domains when their registration expires. You can also create other types of sinkholes that reroute traffic from the original target IP address to the sinkhole address using a mechanism like a firewall or a router.
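To make the DNS mechanism concrete, here is an added example (not code from the article or from any real sinkhole operator) of a minimal resolver-side sinkhole: it answers A queries for listed names with a monitoring server's address and records which client asked. The domain names, the TEST-NET addresses and the query packet are all constructed for the example.

```python
# Minimal DNS sinkhole responder (added example, not from the article): answers
# queries for known-malicious names with a monitoring server's address and
# records which client asked. Names, addresses and packets are constructed.
import socket
import struct

SINKHOLE_IP = "192.0.2.10"                                # TEST-NET, constructed
SINKHOLED = {"bot-c2.example.", "kill-switch.example."}   # constructed names
sightings = []                                            # (client_ip, qname)


def parse_question(pkt):
    """Return (txid, qname, qtype, end_offset) of a single-question DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while pkt[pos] != 0:                      # walk length-prefixed labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", pkt[pos + 1:pos + 5])
    return txid, ".".join(labels).lower() + ".", qtype, pos + 5


def sinkhole_response(pkt, client_ip):
    """Answer an A query for a listed name with SINKHOLE_IP; None otherwise."""
    txid, qname, qtype, qend = parse_question(pkt)
    if qname not in SINKHOLED or qtype != 1:  # pass through anything else
        return None
    sightings.append((client_ip, qname))      # the data a sinkhole exists to collect
    # Header: same ID; QR=1, AA=1 (0x8400); 1 question, 1 answer, 0 NS, 0 AR.
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4 bytes.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + pkt[12:qend] + rr


def answer_address(resp):
    """IPv4 address carried in a response built by sinkhole_response."""
    return socket.inet_ntoa(resp[-4:])


def build_query(name, txid=0x1234):
    """Constructed A/IN query for `name`, as a stub resolver would send it."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)
```

Queries for names not on the list return None so the caller can forward them normally; the short TTL keeps infected hosts re-querying, which is what makes the `sightings` list useful for tracking the botnet's footprint over time.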
Sinkholes are workhorse tools used in day-to-day network management, research, and threat analysis. They occasionally play a crucial role in containing dramatic threats. Security researcher Marcus Hutchins famously set up a sinkhole that halted the massive May WannaCry ransomware outbreak. As WannaCry spread, Hutchins and security researchers around the world worked to reverse-engineer samples of it, looking for flaws or weaknesses. Hutchins noticed that the ransomware was programmed to check whether a certain nonsense URL led to a live web page. But the domain wasn't owned by anyone. So he did what any good, but confused, security researcher would do and spent $10.69 to register the domain himself.