Hacker Lexicon: What Is Sinkholing?

What's one good way to bring down a botnet? Send that traffic to a sinkhole.
Image may contain Pattern

When you have tons of leftovers you put them in Tupperware. When you have an excess of phone calls, you send them to voicemail. And when you have a deluge of junk from a botnet attacking your network, you put all that malicious traffic into a sinkhole.

Sinkholing is a technique for manipulating data flow in a network; you redirect traffic from its intended destination to the server of your choosing. It can be used maliciously, to steer legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool for research and reacting to attacks.

When bots in a botnet phone home to their command and control server, for instance, you might sinkhole the domain they reach out to, diverting the requests so that you can monitor activity on the botnet, track the IP addresses contacting the domain, or neuter it so the bots can't receive commands. Law enforcement also uses the technique in investigations and large-scale criminal infrastructure takedowns. More broadly, internet infrastructure companies like ISPs and content delivery networks use sinkholes every day to defend their networks and customers, and manage traffic flow.

"Let’s say you want to visit WIRED’s website on your computer," says Darien Huss, a senior security research engineer at the security intelligence firm Proofpoint. "You first open a web browser and type the domain name, wired.com, into the address bar and press Enter. Typically, the Domain Name System server would respond with the IP address where wired.com is hosted; however, if the domain was sinkholed, your browser would be redirected to an IP address other than WIRED’s."

Many sinkholes rely on changes to the DNS system (essentially the phonebook lookup of the internet) to route traffic where they want it to go. It requires taking over the domain name you want to monitor, which can be tricky, but law enforcement can get court orders to transfer ownership, or researchers sometimes set up automated systems to quickly take control of malicious domains when their registry expires. You can also create other types of sinkholes that reroute traffic from the original target IP address to the sinkhole address, using a mechanism like a firewall or a router.

Sinkholes are workhorse tools used in day-to-day network management, research, and threat analysis, but they occasionally play a crucial role in containing dramatic threats. Security researcher Marcus Hutchins, who goes by MalwareTech, famously set up a sinkhole that halted the massive May WannaCry ransomware outbreak. As WannaCry spread, Hutchins and security researchers around the world worked to reverse-engineer samples of it, looking for flaws or weaknesses. Hutchins noticed that the ransomware was programmed to check whether a certain nonsense URL led to a live web page, but the domain wasn't owned by anyone. So he did what any good, but confused security researcher would do: He spent $10.69 to register the domain himself.

It turned out that the ransomware was checking to ensure that the domain was inactive, and had been programmed to shut down if it found the domain was live. The mechanism was basically acting as a kill switch, but the North Korean developers behind WannaCry made the mistake of pointing the check to a static domain instead of one that randomly changed.

As a result, Hutchins was able to set up the domain and point it to his own sinkhole servers to contain and study WannaCry queries. "A sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them," Hutchins wrote in a postmortem of the WannaCry episode. He notes that after he registered the domain, "the sinkhole servers were coming dangerously close to their maximum load ... due to a very large botnet we had sinkholed the previous week eating up all the bandwidth."

Hutchins's sinkhole didn't decrypt computers that were already infected with WannaCry, and it couldn't block the malware from being rewritten without the crippling domain check. But it did buy time for the security and internet infrastructure community to get control of the situation, and for administrators to patch their systems against the ransomware.

Though sinkholes don't usually have such an outwardly exciting role in network security, they are an important tool. And in security, it's a satisfying feeling knowing you have malicious traffic trapped in your sinkhole, and not out wreaking havoc in the world.