Sinkhole

“Sinkholing” is a technique that is commonly used by security professionals for research purposes.

The method intercepts botnet traffic on its way to a Command and Control (C&C or C2) server. By proactively taking ownership of domain names that are associated with botnets and “listening” to the inbound communication, we are able to divert and monitor some of the network traffic that would otherwise be sent to a C&C server, and then track the IP addresses that are contacting the sinkhole domain.

We operate some of these sinkholes ourselves via AnubisNetworks (one of the largest sinkhole networks in the world), while others are operated by our partners.

Limitations

When communication occurs, the received packet often has a host/DNS reference. Some malware, such as Conficker, do not send an HTTP Host-header. Therefore, the responsible domain cannot be associated with the event. In these situations, the host domain/DNS information may be substituted with the sinkhole information instead.

Findings

Well-known and trusted web gateways (web proxies) of notable security organizations, such as Symantec and Zscaler, are observed. This allows us to detect the origin of malware (IP address) that are communicating with our sinkholes. Trusted web proxies:

• Cisco
• Forcepoint
• Symantec
• Zscaler

We have high confidence in our findings through sinkholing since:

• Sinkhole traffic is mostly TCP-based and is only registered once a 3-way handshake has occurred between the infected machine and the Bitsight sinkhole.
• The communication is automatically parsed for the tell-tale signs of the infection using a rules engine that’s based on the work of our threat intelligence team.

Associated Risk Vectors

• Botnet Infections
• Spam Propagation
• Potentially Exploited
• Insecure Systems