“Sinkholing” is a technique that intercepts botnet traffic on its way to a Command and Control (C&C or C2) server. It redirects the traffic from its original destination to one specified by the sinkhole owner. We use this technique to observe events. The listed IP addresses are not malicious and do not belong to groups running the botnets. There is no security benefit from blocking these IP addresses in a firewall rule.
In most cases, the destination IP for Compromised System findings for your company is fully visible on the Findings page. In a small number of cases, we are unable to provide destination IP addresses to our sinkhole due to agreements with Bitsight data partners.
- May 11, 2021: To allow for faster identification of infected machines, destination IP addresses of Compromised System findings for your organization are now unmasked.
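
An unmasked destination IP is useful for finding the infected machine rather than for blocking: matching it against egress logs shows which internal host made the connection. The sketch below is an added example, not Bitsight code; the finding fields, the firewall log layout, and all addresses (documentation ranges) are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed finding: the destination (sinkhole) IP and port shown for a
# Compromised System finding, plus the time it was observed. Field names are assumptions.
FINDING = {"dest_ip": "192.0.2.10", "dest_port": 80,
           "observed": datetime(2021, 5, 12, 14, 3, 20)}

# Constructed egress firewall log: internal source, NAT address, destination.
FIREWALL_LOG = """\
ts,src_ip,nat_ip,dst_ip,dst_port
2021-05-12T14:03:18,10.1.4.23,203.0.113.5,192.0.2.10,80
2021-05-12T14:03:19,10.1.7.80,203.0.113.5,198.51.100.7,443
2021-05-12T14:09:02,10.1.4.23,203.0.113.5,192.0.2.10,80
2021-05-12T18:40:00,10.1.9.14,203.0.113.5,192.0.2.10,80
"""

def hosts_contacting_sinkhole(log_text, finding, window=timedelta(minutes=10)):
    """Return {internal_ip: [timestamps]} for log rows that reach the finding's
    destination IP and port within +/- window of the observed time."""
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        if (row["dst_ip"] == finding["dest_ip"]
                and int(row["dst_port"]) == finding["dest_port"]
                and abs(ts - finding["observed"]) <= window):
            hits.setdefault(row["src_ip"], []).append(ts)
    return hits

def outside_window(log_text, finding, window=timedelta(minutes=10)):
    """Internal hosts that reached the same destination only at other times:
    weaker matches to review separately from the in-window hits."""
    in_window = hosts_contacting_sinkhole(log_text, finding, window)
    any_time = hosts_contacting_sinkhole(log_text, finding, timedelta.max)
    return sorted(set(any_time) - set(in_window))

if __name__ == "__main__":
    for host, times in hosts_contacting_sinkhole(FIREWALL_LOG, FINDING).items():
        print(host, [t.isoformat() for t in times])
    print("other times:", outside_window(FIREWALL_LOG, FINDING))
```

Behind NAT, every internal host shares one public address, so the internal source column of the egress log is what ties the finding to a specific machine.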