Sinkholing: An effective way to defend your network from malicious traffic

• A honeynet is usually used as a sinkhole decoy server to neutralize botnets.
• A honeynet is a simulated computer network whose purpose is to invite attacks so that attackers’ activities and methods can be studied.

Sinkholing is a technique used to redirect malicious traffic from its original destination to a server under the control of a defender, thus protecting your network from being disrupted by DDoS attacks or botnets. The server which acts as the C&C (Command & Control) of this traffic is called a sinkhole. Thus, in other words, it can be described as "When you have plenty of malicious traffic on your network, you direct it to a sinkhole."

Types of Sinkholing

Generally, sinkholing can be used in two forms:

• Internal Sinkholing - Where machines can be manipulated within the organization. It can be useful to identify infected machines on the network and remove the adversarial controls from them.
• External Sinkholing - Where machines can be manipulated on the internet. It is quite a controversial option and involves blocking the malicious URL by adding a false entry in the DNS (Domain Name System).

Usually, sinkhole owners deploy the technique to redirect zombies in a botnet -- a collection of internet connected-devices -- to a specified research machine, which is an altered server. These machines are then analyzed by network administrators to understand the source of attacks and prevention methods as well. A honeynet is usually used as a sinkhole decoy server to neutralize botnets.

What is a honeypot?

A honeynet is a simulated computer network whose purpose is to invite attacks so that attackers’ activities and methods can be studied and the details are used to improve the security of networks. Multiple virtual honeypot servers form a honeynet.

How are sinkholes created?

To establish sinkholes, owners of the DNS (Domain Name System) -- it translates internet domain and hostnames to IP addresses and vice versa -- need to take the help of researchers. The researchers first understand the nature of DNS used by the botnet and create a fake C&C server accordingly.