Over the years, cybersecurity has evolved tremendously — for both white hat hackers and threat actors. Botnets have also gained good traction. Botnets are nothing but compromised computer systems that are managed by third parties. These computers are used to carry out different types of attacks such as deploying malware, stealing data, DDoS attack etc.
The major challenge for white hats is to figure out the main culprit behind the attack as the identity of the botnet manager gets difficult to find. This is where Sinkholing comes into the picture.
What Is Sinkholing?
Sinkholing is a way of manipulating the flow of data from one point to another in a network. Simply put, it is basically a method of preventing some specific traffic to reach the desired server. This is done by simply rerouting or redirecting the traffic in a network from its original to an altered server (called as Sinkhole) which is also owned by the same owner as the main server.
Sinkholing is that cybersecurity technique that is nothing less than a double-edged sword. This implies that it can have adversarial uses such as steering legit traffic away from its intended recipient. However, over the years, this method has gained significant traction when it comes to fighting malware as it is mostly used by anti-malware researchers to collect information about a botnet. The alternate server poses as one of the C2 (command-and-control) servers in the botnet. And once the malicious traffic lands to the sinkhole server, they are then analysed by researchers to understand the source of attacks and prevention methods as well.
At the enterprise level, this technique of sinkholing is also used to restrict access to any website. For example, if someone is trying to violate corporate policies by accessing web pages that are not allowed in the corporate world, they end up landing to a customised page (this page can be created with information about the corporate policy restriction) and their data gets stored there that the firm can be used to take further action.
When it comes to tracking down criminals, government bodies responsible for maintaining safe cyberspace uses this to carry out investigations and criminal infrastructure takedowns.
Furthermore, Sinkholing has become so popular that today, even ISPs are using it to defend their networks and customers, and manage traffic flow.
Types Of Sinkholing And Challenges
Internal Sinkholing: This sinkholing is focused on an organisations network. It is basically used to figure out which all systems are infected and can cause an adversarial effect on the network. Once the machines are identified, organisations take back control of the machines.
External Sinkholing: Despite its effectiveness, it is considered to be one of the controversial methods. The main reason behind this is that any machine on the internet can be manipulated, registering known malicious domains (usually the ones which expires).
Despite the fact that sinkholing is one of the effective methods to fight against malware, there are some significant challenges. One of the major challenges is with the external sinkholing, and that is the legal issues. For example, if a victim who is not from your organisation is trying to access a sinkholed URL by your company, and if you take control of that victim machine (even if it is just for research purposes), it goes against the protocols in many regions.
Many malware that is deployed using sinkholing has the option of self-destruction, but that doesn’t mean you can take control of any machine that lands on the sinkhole. However, there is a solution to this that is also becoming really popular. By using the reverse DNS, many sinkholes nowadays first identify whether the machine is infected or malicious.
Over the past few years, Sinkholing has been used in several malware campaigns — as defender and attacker. However, the defence side is much more effective. Also, there were times when Sinkholes techniques couldn’t succeed but managed to thwart malware from spreading.
While many believe Sinkholes are not as significant as other cybersecurity strategies, one cannot deny the fact that they play a major role in network security. After all, who would want to invite infectious traffic to their website?